Your Online Shadow

My ghost likes to travel so far in the unknown
My ghost likes to travel so deep into your space
from “Growing Up” by Peter Gabriel

Almost everyone these days has an online persona. A shadow identity or ghost of our physical selves. Not to get too metaphysical, that’s just what happens courtesy of Google when you decide to have a FaceBook, LinkedIn or MySpace page or blog or even Twitter. While allowing us to reach unimaginably large audiences with our self generated content. According to Security Bloggers Network member Martin McKeay’s web page counter his Network Security Blog has received over 24000 hits in a single day. The blog has 3221 subscribers through Feedburner. Certainly the average internet user is not nearly as well known, followed or prolific as Martin (aka “Captain Privacy”), but neither are they invisible. Laura Spencer in this article for the FreelanceFolder has this to say about your online shadow.

A couple of times every month I browse on over to Google and search for my own name to see what the results will bring. After I’ve done that, I type in the name of my website and run the search engine again.
Checking your online reputation like this is something that every freelancer should do on a regular basis. I wouldn’t recommend stopping with Google, either. You should also check on Twitter and on other social media sites.

While it might seem vain to search for yourself online, it’s actually an important step in protecting your online reputation. If you do business online, then you not only be checking on but also working to protect and manage your online reputation.

What You Can Learn From Your Online Reputation
Every time you search for your own name on Google or Twitter, you can learn several important things:

• What people are saying about your business. If you have an unhappy customer, it’s possible they won’t express that dissatisfaction to you. Instead, they may blog about their dissatisfaction or comment negatively about your work on other sites. Sometimes, untruths and misinformation are spread about your company online without your knowledge.
• Whether your work is being used without permission. As a freelance writer, my work is often “scraped” by plagiarists and used on other sites without my permission. Many plagiarists are careless about stealing my work — often my name remains with the piece. A quick search can turn up my articles on sites that I never submitted them to.
• Whether someone else is using your personal or business name. As a freelancer, your name and your business name are important. But, are you the only one using your name? With a few quick searches, you can determine who is using your name online. If another individual or business has the same name, how are they using that name? Do they appear to be reputable?

This same advice is particularly applicable to high school or college students who utilize Web 2.0 as a major source of self expression and communication with friends. I saw a documentary about teens and social networking [I can’t remember where – I’ll post a follow up when I do] wherein a high school girl was bemoaning the insensitivity of her parents who had [gasp!] forced her to reveal her MySpace password. Presumably so they could monitor her activities. The primary complaint with this intrusion into her privacy was that MySpace was a “private place where she and her friends could express themselves freely“. Okay… About all I can say to that is that she better hope that her parents do a really good job of censorship now or she may have a rude awakening when potential employers, years later after college, discover all that wicked cool [to a teenager] stuff that she posted. And her friends posted. And her ex-friends posted. This could get ugly.

Gina Trapani has this article in Lifehacker all about how you can monitor your online shadow in a fairly automated way.

You already know how well your name Googles affects how strangers and potential employers find and perceive you. Short of Googling yourself every week, how do you keep tabs on your name or your product or company’s Google-ability?

Most search engines offer feeds of their results, but compiling them one by one is a time-consuming pain in the tuckus. Using a simple tool called MonitorThis, you can get ego search results from over 22 engines into your newsreader in one shot.

Since Google’s not the only game in town, you might want a more comprehensive look at where your keyword appears on the net, across blogs, photo search sites and more. MonitorThis is a simple web page that can construct a subscription list of search result feeds in one click. MonitorThis includes results fromTechnorati, MSN News, Flickr, Yahoo and MSN, among others.

What MonitorThis does is construct an OPML file which you can import to your newsreader.

The article includes step-by-step instructions on exactly how you would set this up. Adam Pash in this Lifehacker article has yet another idea for tracking your not-so-elusive online shadow if you are a Twitter user.

In a post-Twitter world, you can also use something like TweetDeck to create a persistent Twitter search to keep track of what’s being said about you online. (For example, we keep a fairly close eye on what people are saying about Lifehacker this way, so that if people are having issues with the site or complaints with a post, we can address them as necessary.)

Remember, the first step is realizing that you have an online shadow and that like Peter Gabriel, your ghost likes to travel so far into the unknown. You can’t control how far it travels, but you can guide it. Or at least find out what trouble it has got itself into on the way.

Security ideas for your mom revisited

Information security for  everyone is a big deal with me. I even have a weblog devoted to that very ideal. So Julie Seedorf’s Something About Nothing article, “Be careful of what you store on computers” definitely resonated with me.

I read an article from PC Magazine recently. It was titled “Day in the Life of A Web 2.0 Hacker.” Because many of my days consist of repairing damage done by viruses and hackers to people’s computers, this article was of interest to me.

I like the Internet. I remember years ago my first experience with the Internet. It was exciting to be able to read Web pages created by people many miles and countries away from my home. It was exciting to be able to connect with new people. The Internet was a new information highway that would revolutionize our life.

There is no question that the Internet has changed the way we receive our news, the way we do business and the way we are in touch with people. However, reading this article confirmed what I have been feeling recently. I am frustrated with the dangers that the Internet has invoked upon our society. I am frustrated with the controls we need on our computer to keep our information safe. I am frustrated by the lack of security enforcement by law officials.

While I completely concur with Julie’s sentiments, isn’t everybody aware of the risks of our Web 2.0 lives? Aren’t there plenty of wise and erudite security experts providing all of the information that everyone needs to know about being secure? And what about all the excellent and ubiquitous security suite software packages available? Surely a tech savvy person like Julie has nothing to be concerned about. And clearly if you are a Republican VP candidate the Feds are quick to enforce even the most trivial security breaches at least as long as the Feds are Republicans. Sorry couldn’t resist.

Unfortunately all of the preceding rhetorical questions are pure irony. Phillip Hallam-Baker’s Web Security Blog article “Zero Overhead Security” sums it up this way.

Folk tell me that if you take 60 confused users, split them into three groups of 20 and show them different security interfaces they are all still confused. Well what did they expect?

A good part of the problem can be laid our door, fellow security professionals. We can certainly build brilliant complex software and our marketing and sales brethren can sell the heck out of it. But there is something very wrong when at the end of the day someone like Julie is left with this anemic solution.

The new security programs are good. The problem with many of the new programs is that they put blocks and watch everything we do on the computer and sometimes they make it difficult for us to understand how they work. These programs sometimes block sites that we want to use. These programs sometimes warn us more than we want.

Why am I writing this column? There is no fun in this column. I don’t feel funny about the Internet right now. I am here to tell you to put a good security suite on your computer and learn what it does and what you need to do to keep your computer and information safe. Make sure you update your virus signatures, keep your firewall on and be careful what you open.

Be careful of the personal information you share with others. Create strong passwords that contain a mix of numbers and letters and don’t use the same one for all Web sites. Watch what your kids and teenagers are doing on the Web.

All of these precautions may not protect you completely but they will help.

So why do I say this is anemic? Isn’t this exactly what we’ve been telling Julie to do? Hasn’t she hit on every “best practice” point? Enough with the ironic rhetorical questions. How about some concrete ideas that Julie or you can give your mom on security that will make a difference. In three earlier articles here, here and here I attempted to build a framework of ideas that mom should consider when getting a new computer and going online. What’s missing from those articles are specific details. So without further ado:

Security Ideas for Mom – Revisited

1. Get a good firewall. Most of the popular security suites available will come with a desktop firewall, but not all of these are created equal and some are not even created well. Specifically several of the most popular include predefined exceptions for their “partners”. Now I don’t know about you, but just because someone has finances to partner with a security vendor does not imply that I should trust them. Note to vendors – transitive trust is not a desirable feature of a firewall. What I would suggest here is to think outside the software box a little (I know, heresy for a software geek, but I’m also an EE). Why not buy a hardware firewall? Like the ones that come with decent wireless access points. Even if you aren’t interested in running wireless (yet) and only have a single computer (so far) this is still a great idea, not to mention a bargain. Given that the annual subscription fee for the most popular security suite is $60, you can get a very nice wireless router for that price. And you only have to pay for it once. Furthermore, setting up the firewall, and other features on a consumer NAT router is simple. They really aren’t that smart. Which is a good thing. The only caveats are do not keep any of the defaults (i.e. SSID and passwords) and if you actually use wireless, lock it down to the specific hardware (MAC) addresses of the devices you want to allow on your network and turn off any broadcast or UPNP. Also turn off any remote maintenance. You can also use desktop firewall software along with a hardware firewall and NAT router, if you are paranoid (and you should be). Just be sure and get a good bidirectional firewall that watches outgoing as well as incoming traffic so it can stop spyware and adware that wants to phone home. Once you get your NAT router/firewall system in place, you need to go to Gibson Research web site and run ShieldsUP!. You should be completely stealth. A ghost on the internet. In my opinion, a hardware NAT router and firewall, coupled with a bidirectional software firewall eliminates most of the need for anti-virus software (more heresy I know). But l like the idea of cutting off the malware at the pass as is were.
2. If your computer is portable use full disk encryption. Period. No exceptions. Essentially full disk encryption converts the entire contents of your hard disk to random noise that cannot be deciphered without a key (passphrase or hardware key). There have been rumors over the years of groups like the NSA having the capability to break strong encryption, but trust me, you, me and mom are not worth the effort. The most widely known full disk encryption package is Microsoft Bitlocker, which is available with Vista Ultimate. For most average users, it’s probably not worth the $300 upgrade to Vista Ultimate, but for business users that are running Vista Ultimate on their mobile workstations should definitely contact their IT folks and get it set up. Fortunately there are some great (some would argue superior) alternatives to Bitlocker. I use the open source TrueCrypt package, because it runs on all of the platforms I use (Windows, Mac and Linux) and it’s free. The point is that when you lose your portable computer and the disk is encrypted, all that is really lost is the hardware (assuming you have backups) which is far less valuable than your data and personal information.
3. Get a good password manager. Certainly you can try to create and remember 50 odd strong passwords, but it’s a whole lot easier to create and remember one strong password that can be used to access hundreds of your insanely strong and impossible to remember passwords. I’ve already written an article about this, so you can read all about it. There are some very good password managers, both open source and commercial. An important feature of the password manager you choose should be the ability to set up expirations on your passwords – i.e. something that reminds you to change passwords. For email accounts you should change the password every 6 months and financial services every 3 months. Since with a good password manager this is easy to do, feel free to do it more often.
4. Get different email addresses for different purposes. When you sign up with your ISP you get an email address that is your primary. If you intend to do Web 2.0 stuff, like say a weblog or social networking like facebook or MySpace you should get a free online email address from Google (GMail), Yahoo (Yahoo Mail) or Microsoft (Windows Live Hotmail). Use this online account when you register for social networking sites. Then you can have your friends and casual acquaintances contact you via the social network site. Only use your primary email account (the one from your ISP) for banking and other communication where there is a risk of Personally Identifiable Information (PII) leakage. Do not give out your primary email to address to anyone but those sensitive accounts. This can be a problem if you’ve already let the horse out of the barn so to speak. Fortunately you can still get around it by sending out change of email address notices to everyone who has your primary asking that they use the new email address or contact you through your social network. If they don’t, just ignore them. They’ll figure it out. Or not. If you are involved in a legal or highly sensitive situation where privacy and confidentiality is crucial then you should check out a secure email service like VaultletSuite 2 Go. This service includes a minimal, but extremely secure email environment. For everyday it’s overkill, but if you are sending sensitive messages to your lawyer, it is definitely worth considering.
5. Use different web browsers for different purposes. Let me be specific here: use Internet Explorer for your banking and financial sites, and no other sites. Use Firefox, Opera, Safari, Chrome or even another copy of IE for your social networking and casual surfing. The reason I recommend IE for banking and insurance sites is that they tend to work best (or only) with IE. Social sites, on the other hand tend to favor Mozilla (Firefox) or Webkit (Safari and Chrome) browsers. Now wait, isn’t it really inconvenient to share bookmarks between browsers? Yes. Exactly. Which is why you don’t want to do that. Your banking browser should only have bookmarks for your banks. Actually sharing bookmarks is not hard and if you really want to share between multiple social browsers, get a del.icio.us account. With your public email from #4.
6. If you download software get a disposable virtual environment. Downloading anything from the web and installing it on your PC is risky business, even if it is from a reputable site, but it can be catastrophic if your tastes run to the wild side. The problem is that even decent shareware (of which I’m a huge fan) rarely uninstalls cleanly from Windows. And much of the stuff available for free download isn’t decent. In fact a fair portion of it is infected with malware, malicious or just plain bad. What you need is a virtual environment where you can download this stuff, install it and try it out before you commit it to your real environment. This can be done a number of ways. Virtualization software like VMware and Parallels allow you to create virtual machines that are exactly that. If you trash one, you just delete it and move on. The downside, as you can well imagine, is that virtualization software requires a lot of resources (i.e. a very powerful computer) and it’s not trivial. There is another kind of software that you can use to accomplish this: sandbox software. Basically a sandbox sets aside a place on your computer where programs can play nicely, isolated from everything else. Just like naughty children. The best known of these packages is Sandboxie. Using this kind of software, you can run any program “sandboxed”. Then if it blows up, or simply tuns out not to be what you wanted, you just clean out the sandbox. If you do happen to decide that you want to keep your changes for real, you can recover everything to your computer. Trust me, this will save your bacon.
7. Keep your professional and personal stuff separate. By stuff, I mean everything: email accounts, social networking sites, computers and software. Everything. That means, don’t pay games or have personal email on your work computer. It also means don’t copy that spreadsheet from work to your home machine. Now hold on, I can see not doing personal stuff on my work PC, but what’s wrong with working on my personal PC? Ask your IT folks which is worse. They’ll tell you most emphatically that taking company data into an unsecured environment is way worse than stealing a some CPU cycles, hard disk space and time playing games. Either way it’s bad for you and bad for business. If you really must check your personal email at work, then use one of your web mail accounts (see #4). Also be aware that if you are using your employer’s computer equipment you have no reasonable expectation of privacy. Think about that before you fire off a note to that hotty you met last night. But what about connecting to the office VPN from my home machine? Well okay, but just be aware that if you have a home network where you share stuff like photos, music and files you could be sharing them with everyone on your company VPN. I’d think about that for a while. Finally if you work for the government, you may have safeguards and accountability requirements on your email. So don’t be like Sarah. Nuff said.

I’m sure there are other good, and straightforward ideas for securing mom’s computer. I would love to know about them. I would also love to hear about problems with the ideas I’ve put forth here [note – blatant pandering for comments]. Maybe we can make things a bit nicer for Julie and mom. Or convince them that the internet is funny again.