Showing posts with label security. Show all posts

Sunday, January 26, 2014

Upgrading From Windows XP Before April 8th 2014

The Threat

Security experts have been predicting that malware creators all over the world are finding exploits [in Windows XP] and holding on to them. They know if they unleash an exploit now, it will be fixed. But if they are patient and wait, and hope Microsoft doesn't find the vulnerability, then they can use it for maximum gain come April 9.
The same holds true for Office 2003. Support for it ends on April 15, one week later.

Source: http://www.networkworld.com/community/blog/why-april-9th-might-be-its-worst-day-2014

Upgrade Options: Windows, Mac, Android, or Linux

What kind of computer or operating system you use is determined by what software you need to run.

Office

The first question you should ask yourself is exactly how compatible you need to be with the latest version of Microsoft Office. This is not a yes-or-no question. We are all somewhere on a sliding scale of MS Office compatibility. Very few people require full compatibility with the most obscure features of Microsoft Office. MS Office isn't even compatible with different versions of itself!

100% compatibility with the very latest version of MS Office requires Windows 7 or 8 which probably won't run on your old XP machine. You can purchase the necessary hardware and software from any reputable computer store except a Mac store.

You can run the latest MS Office on Mac, Android, or Linux, but only by installing a virtual machine, then installing Windows, then installing MS Office. This is a pain in the neck, (both the install and the ongoing maintenance) but it can be done and is an expensive but effective way to meet an occasional need for the latest MS Office. If bleeding edge MS Office is the primary reason for having the computer, it's easier and cheaper to buy a Windows computer and be done with it.

Many home users meet their basic office needs with Google Docs, which comes free with your home Gmail account. It is compatible only with very basic MS Office documents - no fancy templates, embedded objects, or macros - but because it never runs document macros, it is also much safer from the macro viruses that spread through Office files. It may not be advanced enough for sharing documents with customers and prospects, but for home use it works great with letters, posters, simple spreadsheets, and for sharing them with friends.

LibreOffice is free, runs on any operating system (comes pre-installed on popular Linux flavors), and is roughly equivalent to being one version behind MS Office which is the best you can do natively on the Mac anyway. It's easy to use, powerful, and has Visio-like tools and PDF conversion built-in. This is what I use almost exclusively, even though I have several versions of MS Office installed in virtual Windows machines. Try it out to see if you can use it instead of paying for Microsoft Office:

  • Install LibreOffice
  • Tools -> Options -> Load/Save -> General
    • Uncheck "Warn when not saving in ODF"
    • Document Type: Text, Always Save As: Word 97-2003 (NOT Template)
    • Document Type: Spreadsheet, Always Save As: Excel 97-2003 (NOT Template)
  • Tools -> Options -> Load/Save -> Microsoft Office
    • Check all the boxes (these convert embedded objects such as Excel sheets and equations in both directions).
  • Leave Tools -> Options -> LibreOffice -> Security -> Macro Security at High (the default). The 97-2003 binary formats can carry VBA macros, and High blocks them unless the document comes from a location or signer you have explicitly trusted.

Other Software

GoToMeeting/GotoWebinar works on Windows, Mac, Android, and now Linux. I haven't tried the Linux version yet, but it only allows you to attend meetings - not share your screen or use a web-cam. Screen sharing on Linux also works well using Skype (or TeamViewer).

Photoshop is Windows and Mac only, but I have found that a combination of Darktable and GIMP meets 100% of my needs (though Photoshop is more convenient and user-friendly if you can afford it).

Linux

Given the above limitations, Linux is a great way to turbocharge an old computer. I switched to Linux about 5 years ago because of the reliability, ease of use, security, and availability of free software. I hope I never have to go back. The only thing I have used Windows for in the past 6 months is GoToMeeting. I've been using Ubuntu Linux 13.10 which is a more Mac-like experience and a little easier to upgrade. Mint Cinnamon Linux is more like Windows 7.

Try either one out by burning a Live CD and booting from it. That will show you if you need to purchase an nVidia graphics card (on a desktop) or a new wireless card (on a laptop) for compatibility reasons, but these can be acquired very cheaply. If you are buying hardware, a Solid State Drive (SSD) can be a miracle for an aging computer. My 7-year-old Ubuntu laptop with an SSD boots in less than 8 seconds and shuts down in less than 3.

I recommend Mint/Cinnamon Linux or Ubuntu over Xubuntu and Lubuntu. The former are just as lightweight but have more usability features than the latter. Otherwise, this article is pretty good and fills in more details.

Thursday, January 6, 2011

10 Most Important Password Manager Features

Maybe 1 in 60 of my accounts reports their passwords stolen every year. For every site that reports a break-in, a few others are probably broken into and don't know it or don't report it. I would guess that if you have accounts at 30 different sites, you should probably assume that one of them gets broken into every year. You can't stop people from discovering passwords this way, but if you use a unique, strong password, you can contain the damage so that a hacker cannot leverage the knowledge of one of your passwords to break into your other accounts.

I just watched How to choose a strong password and while that's good advice, most people can neither remember nor type a good password, or at least not more than one or two good passwords. The only practical way to use a unique, strong password for every site is to use a good password manager. As such, I'm proposing a Password Manager Feature Manifesto for people to use to compare password managers and decide which one is best for them.

Password Manager Feature Manifesto

A password manager needs to do certain things to be worthwhile:

1.) Store passwords securely, in one place so you can find them, change them, and secure them as a unit. It always seemed to me that storing your passwords in your browser was a little bit like taping your wallet to the outside of your front door - you are putting your valuables in the most vulnerable place. KeePassX (without any plug-ins) is completely separate from your browser. Browser integration is not necessarily bad, but I think it loses some points from a security perspective. In any case, the passwords must be secured by a strong master password and encrypted on disk (and maybe in memory when possible too).

2.) Generate random passwords - people don't manually make strong passwords. Collecting entropy for the randomness is a huge plus. KeePassX and LastPass both generate strong passwords for you.

3.) Make it equally easy to store your credit-card number or license key for Photoshop as to store a password to a web site.

4.) Must be backed up every time you make a change. LastPass has this built-in. KeePassX must be used with something like Dropbox or SpiderOak and set to save automatically after every change.

5.) To be shared between multiple computers, e.g. LastPass or KeePassX/Dropbox

6.) Needs to be relatively easy to use

7.) To work on all major operating systems (Windows, OS-X, Linux). I look for this every time I choose software. I hate being tied to one vendor's operating system or browser.

If a password manager doesn't do all of those things, I'm not really interested in it. One thing that's not important yet, but I bet it will become critical for most people in the next few years:

8.) To work on your phone or other mobile device. Here is where LastPass may move ahead of KeePassX.

9.) Popular OpenSource software is recommended for security

And finally, not critical, but the icing on the cake:

10.) It's free, or at least a reasonable price.

That leaves KeePassX the clear #1 for me and LastPass #2. LastPass could threaten KeePassX if they keep improving on #6 and #8 - specifically, it is very hard to log into sites with LastPass that have the user ID on one screen and password on the next.
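To make point 2 concrete, here is a small script I am adding as an example (it is not from the original post and not how KeePassX or LastPass generate passwords internally). It pulls random bytes from the kernel's /dev/urandom, keeps only the characters in the chosen alphabet, and reports how many bits of entropy a password of a given length actually has, which is a handy yardstick when comparing what different managers produce. It needs only coreutils and awk; the account names in the demo loop are made up.

```shell
#!/bin/sh
# Added example, not from the original post: random password generation
# from the kernel CSPRNG plus an entropy calculator for comparing settings.
# Needs only coreutils (tr, head) and awk.

# Default alphabet: letters and digits, 62 symbols.
DEFAULT_CHARSET='A-Za-z0-9'
DEFAULT_CHARSET_SIZE=62

# gen_password LENGTH [CHARSET]
# Streams random bytes through tr, which discards every byte outside
# CHARSET, and stops after LENGTH survivors. Rejecting bytes instead of
# reducing them modulo the alphabet size keeps every symbol equally likely.
gen_password() {
    LC_ALL=C tr -dc "${2:-$DEFAULT_CHARSET}" < /dev/urandom | head -c "$1"
    echo
}

# entropy_bits LENGTH CHARSET_SIZE
# Bits of entropy in a uniformly random password: LENGTH * log2(CHARSET_SIZE),
# rounded down. 20 letters+digits gives 119 bits; 8 gives only 47.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%d\n", n * log(k) / log(2) }'
}

# length_for_bits BITS CHARSET_SIZE
# Shortest length reaching BITS of entropy with this alphabet, i.e. the
# ceiling of BITS / log2(CHARSET_SIZE). 128 bits from letters+digits needs 22.
length_for_bits() {
    awk -v b="$1" -v k="$2" 'BEGIN {
        x = b / (log(k) / log(2))
        printf "%d\n", (x == int(x)) ? x : int(x) + 1
    }'
}

# Stand-alone demo: a different password for every account (account names
# are made up), and the entropy of a 20-character one.
for site in bank email forum; do
    printf '%-6s %s\n' "$site" "$(gen_password 20)"
done
printf '20 chars from %d symbols = %s bits\n' "$DEFAULT_CHARSET_SIZE" \
    "$(entropy_bits 20 "$DEFAULT_CHARSET_SIZE")"
```

The entropy figure is the thing to look at when a manager offers a "length" slider: eight letters and digits is under 50 bits, which is within reach of an offline guessing attack against a leaked password hash, while 20 characters is well past what anyone will brute-force.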

Sadly, no password manager can remember your operating-system login when you boot up your computer, so you have to remember that password yourself. Also, the master password for your manager. But for most people that's just 2 passwords to remember and type, and that's fairly do-able.

I have to thank DigitalMan for his contributions to this article by talking about this with me and sending articles about break-ins, security, and passwords for the past few years, and for encouraging me to improve my own password practices.

Update 2012-09-20: DigitalMan added the following excellent insights:

Re: Point 8: the iPhone now has an excellent, completely free, Open Source app which makes your KeePass database fully functional on the iPhone (and presumably the iPad as well): miniKeePass. To me, that further buries the case that Closed Source LastPass is a better option.

Lastly, Point 9 is crucial to me and not second tier. I'll leave you with my favorite Bruce Schneier quote:

As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice.

Tuesday, April 20, 2010

Disposing of Computers Responsibly

You don't fall for con games, you use a router with WPA2 wireless, store your passwords securely, keep your operating system and applications updated. You're safe, right?

That depends on how you dispose of old hard drives and computers. If you run Windows, Microsoft recommends cleaning the hard drive with the secure delete command-line application, sdelete. Whatever operating system you run, you may prefer to Use an Ubuntu Live CD to securely wipe your PC's hard drive.
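The Live CD route can be scripted, and it is worth adding a read-back check rather than trusting that the overwrite landed. The script below is an added example, not the post's own procedure or the Ubuntu how-to it links to: it writes zeros over the whole target and then reads every byte back and counts the ones that are not zero. Pass an ordinary file for a dry run; on a real drive, boot the Live CD and run it as root against the device (the /dev/sdb path in the comment is hypothetical). One caveat the 2010 post predates: on an SSD the controller remaps blocks behind your back, so an overwrite can miss cells; use the drive's own ATA Secure Erase there instead.

```shell
#!/bin/sh
# Added example (not the post's own procedure): overwrite a drive with zeros
# and then read it back to prove the wipe landed. Needs only coreutils, plus
# blockdev (util-linux) to size a real drive. Usage as root from a live CD,
# with a hypothetical device path:
#   wipe_and_verify /dev/sdb
# Caveat: SSDs remap blocks, so an overwrite can miss cells there; use the
# drive's ATA Secure Erase instead.

# size_of TARGET: byte length of a regular file or a block device.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# verify_zeroed TARGET
# Reads every byte back and counts the ones that are not 0x00.
# Returns 0 when nothing but zeros remains, 1 otherwise.
verify_zeroed() {
    size=$(size_of "$1")
    nonzero=$(head -c "$size" "$1" | LC_ALL=C tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# wipe_and_verify TARGET
# Writes exactly size_of(TARGET) zero bytes over TARGET (a regular file keeps
# its length; a block device is covered end to end), flushes the page cache,
# then verifies. Exit status is that of the verification.
wipe_and_verify() {
    target=$1
    size=$(size_of "$target")
    head -c "$size" /dev/zero > "$target" || return 1
    sync
    verify_zeroed "$target"
}
```

The verification pass reads the whole drive a second time, so it roughly doubles the run time; that is the price of knowing the disk you are donating or recycling really is blank rather than assuming it.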

The Frontline video, Ghana: Digital Dumping Ground not only exposes the human health and environmental costs of disposing of computers, but about 8 minutes in, shows data recovery on those same computers that should make the hair on the back of your neck stand up.

One of the reasons I got into computer programming is that it eliminates paper, saves trees, and eliminates paper waste. Electronic devices require electricity, but more importantly, they break or become obsolete very quickly and we replace them. The impact of our obsession with newer, faster computers and other electronics is astounding. But even if we think we are recycling, we might be creating new waste problems in far-away lands as the 60 Minutes Electronic Wasteland video shows (also shows data recovery).

Anyone who reads this blog knows that when my computer became unacceptably slow running Microsoft Windows XP about 9 months ago, I switched to Ubuntu Linux and have been delighted with that decision. File operations that took hours on Windows take minutes on Linux. Everything else seems to run about twice as fast. So if you care about the impact of disposing of your computer (or if you want to save money), install Linux and keep your hardware twice as long. My laptop was bought in 1999 and I run Xubuntu on it (a lightweight version of Ubuntu). It's great for email and web browsing and with a little patience, I can even run a database and a web server on it, even though it only has 500MB of memory, a 500MHz processor, and an incredibly slow disk drive.

Thanks to my occasional involvement with UCLUG, I learned of Free Linux PC. They are a fantastic organization that takes donations of old computers, installs Linux on them, and gives them to people who don't have a computer! I've given them a laptop and some memory and I've volunteered at a giveaway at the Greenville Public Library which was a great time. The recipients were pinching themselves.

Here's an old-fashioned recipe for improving environmental, human, and security impacts of your computer usage:

Reduce

Buy new computers (cell phones, TVs, etc) less often. Use your old ones longer.

Reuse

Installing Linux can double the useful life of a Windows computer. If that's not for you, then donate any still-working equipment to FreeLinuxPC and they will do it for you.

Recycle

Recycling sometimes works and is probably better than burning your computer on your front lawn (though it might still be burned in Ghana, Taiwan, or China), certainly better than throwing it in the trash. Even if you don't recycle, if you can find recycled gold watches or other products made from recycled computers, you are supporting an industry that badly needs encouragement.

In any case, make sure to wipe the hard drive before disposing of it!

Tuesday, April 13, 2010

Passwords Don't Matter

Why Passwords Don't Matter

I set out to write an article about tools to easily manage passwords securely, but when I looked for data on computer crime to encourage people to use better passwords, I discovered a very different story. Most "computer crime" (according to the FBI) is various forms of scams and con games that used to be carried out in person, over the phone, or through the mail, but are now done through online auctions or email. Nothing to do with passwords. This 25-page 2008 Internet Crime Report by the FBI only uses the word "password" twice.

At least for corporations, the big problem seems to be people using the access they were given to do bad things. That happens much more often than people hacking into other accounts.

Computer attacks tend to target applications and the operating system. If you don't keep up with patches, your password won't matter. Source: The Top Cyber Security Risks.

Contrary to the title of this posting, good password practices are important. But what's even more important is to:

1.) Keep your wits about you and cultivate a healthy skepticism before downloading a free game, clicking on an advertisement, or buying something from someone you don't know (e.g. eBay).

2.) Keep your operating system and applications updated. Always choose, "Yes, apply updates right now" and "Of course I'll reboot." Manually check for updates periodically just in case.

3.) Use a tool like Revo Uninstaller to remove applications you are no longer using. Especially anything by Adobe, RealPlayer, toolbars (e.g. Yahoo!), and the Microsoft .NET framework.

When Do Passwords Matter?

I got an email today saying that a web application I used a single time eight years ago had suffered a break-in and warning me that if I used that password for multiple accounts, I should change the passwords to all those accounts. I have over 120 personal accounts, and God knows how many at my various jobs over the last 8 years - how many of those applications have been compromised? Kudos to the organization who discovered the break-in AND alerted me. I think it's safe to assume this is not the only break-in among those 120 applications, nor the only one discovered.

Minimum Effort Password Management

I just read a wonderful article in the Boston Globe Online about the time-wasting, annoying, and mostly useless advice security experts have given us about passwords. So if you want to be secure with the minimum amount of effort, what is the most important thing?

I believe using a different unguessable password for every account is the most important password practice because doing so means that all of your other accounts are safe whenever one of them is compromised - and if you use a computer long enough, accounts WILL be compromised. Some have suggested using X9$bFacebook, X9$bTwitter, X9$bMySpace, but schemes that use the application name, even if it's altered in various ways, are still guessable: once one site leaks X9$bFacebook, anyone who reads the dump can see the pattern and try X9$bTwitter next.

To manage different passwords for every account, you need a password manager. Many people use the "remember passwords" feature of their favorite browser. This is a terrible idea because:
  • It means you are storing your most secure data (your passwords) in your least secure application (your browser)

  • You are going to need to enter activation keys or passwords into software installed on your machine at some point, and you cannot store that in your browser

  • When you go to another computer, or try to switch to another brand of browser, you don't have your passwords.

  • When your hard drive dies, so do all your passwords

  • When you die, so does access to your computer and all your passwords.


So the web browser is not such a good solution. The best I've found (and thanks to a good friend for pointing me to it) is a free, open-source password manager called KeePass, which is available for Windows, and KeePassX for Linux, Mac, and Windows. I use it with a strong master password and a tool called Dropbox to sync it across my computers. Lifehacker has an article on how to use them together. Once a year, I recommend printing out your KeePass database, writing your master password on it (your Dropbox password will be in your KeePass database), sealing the list in a tamper-evident security envelope, and putting it in your safe deposit box. Then burn last year's list (you know, with a match). When your hard drive dies, you have a backup immediately available on your other computers via Dropbox. When you die, there are legal proceedings for your next of kin to access your safe deposit box.
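Dropbox keeps the current copy of the database on every machine, but it does not by itself give you the "backed up after every change" behaviour the manifesto asks for (point 4), and it cheerfully syncs a corrupted or accidentally emptied database over the good one. The script below is an added example, not from the post or from KeePass: it drops a timestamped copy of the database into a folder (a Dropbox folder, say) only when the database's checksum has changed since the last copy, and prunes old copies. The file and folder paths are whatever you pass in; the ones in the comment are hypothetical. Run it from a cron job, or from an inotifywait loop if you have inotify-tools installed.

```shell
#!/bin/sh
# Added example (not the post's own script): back up a KeePass database to a
# synced folder every time it changes, keeping timestamped copies and pruning
# old ones. Needs only coreutils (sha256sum, cut, cp, date, ls, sort, tail).
# Paths below are hypothetical:
#   backup_if_changed "$HOME/passwords.kdb" "$HOME/Dropbox/keepass-backups" 30

# checksum FILE: SHA-256 hex digest of FILE's contents.
checksum() {
    sha256sum "$1" | cut -d' ' -f1
}

# backup_if_changed DB DIR [KEEP]
# Writes DIR/NAME.YYYYmmdd-HHMMSS.<sha-prefix>.bak when DB's checksum differs
# from the one recorded at the last backup, then keeps only the newest KEEP
# copies (default 30). Returns 0 if a copy was written, 1 if DB was unchanged.
backup_if_changed() {
    db=$1
    dir=$2
    keep=${3:-30}
    name=$(basename "$db")
    marker="$dir/$name.last.sha256"     # checksum of the most recent backup

    mkdir -p "$dir"
    sum=$(checksum "$db")
    if [ -f "$marker" ] && [ "$(cat "$marker")" = "$sum" ]; then
        return 1                        # nothing new to back up
    fi

    # The checksum prefix keeps two saves within the same second apart.
    stamp=$(date +%Y%m%d-%H%M%S)
    cp -p "$db" "$dir/$name.$stamp.$(printf '%.8s' "$sum").bak"
    printf '%s\n' "$sum" > "$marker"

    # Timestamps sort lexically, so newest-first is just a reverse sort;
    # everything after the first KEEP entries is deleted.
    ls -1 "$dir"/"$name".*.bak | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f -- "$old"; done
    return 0
}
```

Because each copy is named by time and content hash, a bad save (or a sync that clobbered the file) is a single `cp` away from being undone, and the backups stay encrypted with your master password just like the live database, so putting them in a synced folder adds no new exposure.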

For a less secure, less robust, but easier to use password manager, look at LastPass.