On the CD-ROM accompanying the book we included a tool called Passgen. In the book, we recommended that you maintain separate passwords on every local administrator and service account in your enterprise. This is, of course, almost impossible to manage without something to automate it for you. That’s what Passgen does. The tool generates unique passwords based on known input (an identifier and passphrase you define), sets those passwords remotely, and allows you to retrieve them later.

For a while Jesper maintained a web site for the book, running on a server in his house. His ISP changed policies and made it impractical to continue running the site. But because the tool is still so useful, I’ve put a copy in my SkyDrive—look in the “Passgen” folder.

Also, note that I’ve put a new section in the right-side column, “Resources for you.” Here’s where I’ll keep links to bits and pieces that many of you will find relevant and interesting.

Slacker licenses music directly from publishers, and includes a perpetual subscription in the cost of the player. Slacker creates stations that feed out an endless supply of music. The new models are $200 for a 4GB model with the ability to list 25 stations (up to 2,500 songs), or $250 for an 8 GB model with 40 stations (up to 4,000 songs). You can also sync your own music in MP3 or WMA format. For $7.50 per month, you can upgrade and store songs you're listening to, as well as avoid ads.

The G2 is already getting reviews as a much-improved upgrade from the first release. Like the Zune, there's no browser or other Internet features, and that might be a positive.

The G2 is tied into Devicescape's Wi-Fi home and hotspot authentication system, which lets Slacker G2 owners pre-program encryption keys or login information for hotspots that they frequent. Devicescape's software both retrieves and stores login information, allowing the G2 to be used in places that would otherwise require either tedious entry of a WPA passphrase, or be unavailable without a Web browser to handle the login.

That's ASCII, not hex: An article on wardriving raises security hackles by repeating some slightly overheated statements about Wi-Fi security. The article opens with a 63-character ASCII WPA passphrase, which is later described as "hex." (ASCII passphrases in WPA can be up to 63 "printable" characters - ASCII 32 to 127 - while a hex version of a 256-bit TKIP or AES password is 64 hexadecimal digits long.) The article tries to conflate Wi-Fi attacks that led to the largest set of breaches in retail credit-card systems and wardriving, a hobbyist activity that's never been looked on very favorably by law enforcement. The sense of ennui of wardriving pioneers is pretty clear; when Wi-Fi is everywhere and generally secured, it's far less interesting. The wardriver in the article convinced the reporter that a maximum-length WPA passphrase stored on a USB drive for automatic use was the best way to go. But, really, 20 characters containing letters and punctuation and no words found in a dictionary along with changing your network's SSID (network name) provides all the security you'll ever need for a home or small business. (If you need more, deploy WPA/WPA2 Personal.)

Green Wi-Fi's Senegal efforts hit snags: The folks at Green Wi-Fi are well motivated, and they're running up against all forms of security theater and bureaucracy both here and in Senegal, where they have an active project. The San Francisco Chronicle notes the group's effort to build solar-powered, self-sustaining Internet access via mesh networked nodes. Getting devices out of the country, clearing customs in Senegal, and hooking up their solar system all hit problems they're working through. As with the One Laptop Per Child program, I see a "build it and they will come" mentality in Green Wi-Fi's mission statement: the notion that providing computing power and Internet access will result in good things, rather than an effort to figure out what good things need to be achieved, and whether computers and the Internet will assist.

Last Friday morning in France, my investigations lead me to visit a site proposing top-quality data for a higher price than usual. But when we look at this data we understand that as everywhere, you have to pay for quality. The first offer concerned bank logons. As you can see in the following screenshot, pricing depends on available balance, bank organization and country. Additional information such as PIN and Transfer Passphrase are also given when necessary:

Since financial services drives a lot of the information security industry it is fair to ask - are they doing a very good job at securing systems and data or are they just moving more risk on to the consumer? In 2008, should we be telling people to type usernames and password into web forms and the use those "secrets" (cough, cough) to make business decisions?

Weak identity = weak claim = weak access control.

From Ross Anderson's book (2nd edition)

Were I designing an online banking system now, I would invest most of the security budget in the back end.

I started Wi-Fi Networking News under the less euphonious name 802.11b Networking News back in April 2001 after spending months researching what became a front-cover article in Circuits, the then-separate tech section of The New York Times. The first post is still live, as are all the nearly 4,800 others.

(I had help: Nancy Gohring wrote part-time for WNN for a couple years when we had a bit more traffic; she took a full-time job for and still works for IDG News Service, which I am now slightly affiliated with through my new hardware regular blog at PC World.)

The site as it appeared in April 2001

Since starting, I've covered extensively the growth of the hotspot market, the rise and fall and rise again of municipal networks, the change in consumer equipment from expensive and slow to cheap and fast, the growth of the enterprise market, the phoenix-like in-flight calling/broadband market, and, more recently, cellular and WiMax technology.

Enterprise coverage was once a central part of Wi-Fi Networking News, but it became clear a few years ago that as equipment was redesigned to be integral to the enterprise, that my ability cover and test gear was too limited, and the need for true enterprise experience was necessary to write about it. This disappointed a lot of enterprise readers and equipment makers who wanted me to keep writing about corporate hardware.

The focus over the last few years on municipal Wi-Fi was not just necessary--few people besides me were covering it in depth--but also represented the only significant news in the Wi-Fi world outside of the development of 802.11n/Draft N gear. It's only recently that WiMax, cellular data, spectrum auctions, and in-flight broadband have picked back up to become stories that you all want to know about--because they've become real technology you might work with. As the city-wide Wi-Fi arc played itself out, I'm covering it less because there's less of interest; it's going to become routine and the province of city CTOs and CIOs.

While writing this site, I try to have opinions, but not an agenda. I try to keep an open mind, though I do descend into cynicism, often well founded, but perhaps too readily employed. I'll try my best to keep myself honest and cheery in the years to come.

The biggest trends I expect to see develop in 2008 to 2010 are in these key areas:

Appliances. I expected 2007 to be the year that Wi-Fi was in everything: cameras, games, phones, and tchotchkes. Instead, Wi-Fi has only gradually spread, with a few gaming consoles, and many handsets and smartphones gaining or extending their use. It may be that I missed a trend: cameras in phones may become so good by 2009, that we don't need a camera with Wi-Fi at all (Wired reports today on several 5 megapixel cameraphones shown at CTIA this week). It's also likely that if WiMax gets a foothold, we'll get handhelds probably in 2009 that sport high-speed connections for all kinds of high-bandwidth purposes, like live uploading of streaming video.

Video over wireless. I look at this category as not just another instance of broadcast, like Qualcomm's MediaFLO which is really TV to the cell phone; rather, we'll see ways in which Wi-Fi, WiMax, and cellular data are used to push stored and streaming media to all sorts of devices. I look to Starbucks, Apple, and AT&T to lead the way on cached media in stores that can be filled up at local network speeds: download a full-length, HD movie in a few minutes in a Starbucks from the iTunes cache rather than 3 hours at home.

Radio over Wi-Fi. Internet radio via Wi-Fi music players seems like a trend--buying a boombox you can tune in wherever you are, or using a handheld MP3 players--but even with many devices, I don't feel a sense that it's caught on quite yet. If Apple puts Internet radio over Wi-Fi into new iPhone/iPod touch firmware, it'll likely take off; Nokia allows a third-party program for its N series for Internet radio over Wi-Fi already.

Cellular data/mobile broadband. I admit to being wrong about the potential of cell data, due to the overhype from the carriers and the horrible pricing relative to throughput and availability of the 1xRTT and GPRS systems. As cell data networks have matured into true broadband--slow, but broadband--media, the hype has lessened, disclosure has improved (no more "unlimited" usage, eh?), and the value has increased. We'll see more of the same with faster flavors of GSM networking and WiMax's deployment. The networks will become faster and cheaper and less restrictive.

For a good sense of what people are still reading on Wi-Fi Networking News, here are the titles of the top 10 articles since I switched to Google Analytics in Sept. 2006:

• Change Your Linksys WRT54G Admin Password Right Now!
• WPA Cracking Proof of Concept Available
• Weakness in Passphrase Choice in WPA Interface
• Most Wireless Speakers Don't Live Up to Goal
• Best Wi-Fi Signal Finder Yet
• Linksys Latest Models: Your Experience?
• T-Mobile Loses Starbucks; AT&T Becomes Wi-Fi Hotspot Giant
• Editorial: Don't Buy Draft N
• WPA for Free under Windows 2000
• The L in Linksys WRT54GL Stands for Linux

A few observations. Security remains key in people's minds: Security articles from 2004 are still being heavily viewed in 2008. Linksys is definitely high in people's minds for particular problems: Change the default password, buy a Linux (not VxWorks) embedded router, report problems with various models. Oddly, the wireless speakers and wireless printers articles are short stubs that are pure blog: they link to longer articles elsewhere. The Best Wi-Fi Signal Finder Yet story is 4 years old and still gets 1,000 page views a month. The invisible hand--nay, the long tail!--works in archives as it does everywhere.

Will I still be pounding away 7 years from now on this site? That seems about as unlikely as the last 7 years, which means it will probably happen. Traffic has dropped off over the years from the time in which Wi-Fi was a great (and expensive) mystery to today when there's more information and less confusion about it. As long as there are any questions to be answered, I'll keep writing.

I’ve met thousands of IT pros during my years speaking at conferences around the world. And if there’s one thing that’s true for all of us it’s that all IT pros become support professionals for their family, their friends, and their neighbors—your “FFN” base, as I call it. And, like doctors, we’re expected to provide this kind of support for free!

Once upon a less-demanding time, these questions were rare and usually involved things like setting up Windows, configuring printers, snarfing from the free wireless network across the street—the sorts of things that normal people don’t do when going about their daily lives (face it, we IT pros aren’t normal). So the monthly late-evening phone call usually wasn’t a burden. Alas, those days are now nothing more than wistful memories.

You see, the bad guys (and, increasingly, girls) who lurk in the Internet’s dark alleys and secret passages have discovered that those who constitute your FFN are prime targets for their reprehensible ways. The millions of home computers squatting on kitchen counters and in bedrooms don’t enjoy the protection that corporate PCs do—no fortified network, no centralized administration and updating, no traffic inspection, no security policies. Rarely do the people in our FFNs possess detailed security knowledge, so home computers are ripe targets for attack. The bad guys know this, and they’re rapidly taking over as many machines as they can get their grubby little hands on.

For a while now, Microsoft has provided easy-to-follow guidance for home users at our Security at Home site. This is an excellent resource, with information on how to protect your computer, yourself, and your family. However, we can’t do it alone—we need your help! Maybe it’s already happened to many of you; if not, it’ll happen soon: you’ll become a security consultant for your FFN. That’s right, you. Stop glancing around the room, don’t slink down in your chair and hope I won’t see you. Your FFN is having security problems right now, and they need your help.

What to say, you ask? Where to go for guidance on how to talk to your FFN? It’s the same place: Security at Home. I’ll review some of the most important steps you can take.

Four steps to protect your computer

These aren’t optional; they aren’t open for debate. At the very minimum, all computers connected to the Internet should follow these steps.

1. Keep your firewall switched on.
2. Keep Windows up to date.
3. Use updated antivirus software.
4. Use updated antispyware software.

Computers running Windows Vista or Windows XP Service Pack 2 (SP2) already have firewalls that are enabled by default. Leave them running. I've yet to see any example of applications typically run on home computers that would break because the firewall is running. There’s simply no excuse for running a PC connected to the Internet without a firewall. Computers running anything older than Windows XP SP2 should be upgraded immediately—and this is again where you can help. Visit your FFN and ensure that everyone has installed the service pack.

Make a habit of ensuring that the automatic update client is running whenever you visit your FFN. This feature exists for them and minimizes the amount of work you need to do. Let Microsoft take care of patch management for your FFN—outsource it to us by making sure that all computers are downloading and installing updates automatically.

Simply using a firewall and installing updates can be enough to protect a computer from most attacks. But as we security consultants (stop looking around the room again!) know, attackers don’t target only computers. They target people, often by concealing malicious software inside tempting packages delivered by e-mail or Web sites. We call this the “dancing pig” phenomenon—no amount of self-control can stop someone from clicking on links or running attachments when the payoff is the promise of tutu-clad swine parading across the screen! So to add to a home computer’s defense, we need utilities that detect and remove malicious software. Antivirus and antispyware tools can take care of this for you. (Yes, you need both; they detect different kinds of attacks.)

The case could be made that antivirus and antispyware tools aren’t necessary for computers whose users are highly skilled, security savvy, and have an experienced feel for recognizing malware before it strikes. Indeed, I’ve written about this before ("Antivirus softwre—who needs it"? and "More on the necessity of antivirus software"). However, for my FFN, antivirus and antispyware are requirements. They should be for your FFN, too.

The Malicious Software Removal Tool also helps to eliminate malware. It’s updated each month through the automatic update client and runs the next time a computer boots. It scans for and removes common malware like certain prevalent worms and rootkits. Since the tool’s introduction, millions of computers have been cleaned of billions of pieces of malware.

If you need to quickly scan a computer for malware, try the Windows Live OneCare safety scanner. It’s free, and it might be a useful habit for you to develop every so often when you get a call from an FFN. There are two versions of the scanner. One is for Windows XP, the other is a beta for Windows Vista.

What about ensuring that your FFN runs as non-admin? That would be an excellent step, but a lot of software written for the home market still requires being an admin to install and run (yeah, not everyone realizes the Earth is round). Such software should be tossed in the junk bin—yet if you need to manage some knitting projects, and there’s only one program you can find that works for you, sigh… Non-admin is a tough call. Perhaps you can enforce it on the home network in your own house, since you’re right there. Enforcing it on the computers in your FFN, though, might end up creating more work for you.

Keep your information more secure

Spam and scams are the techniques most bad guys use to steal your information to try to assume your identity. I don’t like the common term “identity theft”—how can you really steal someone’s identity? You can steal a purse, thus denying the purse’s benefit to its original owner. But you simply can’t take away someone’s identity. Think of identity theft as a form of impersonation attack (it’s like spoofing a human, I suppose). To impersonate you, the bad guy needs to obtain information about you. Phishing scams and spam lure millions of unsuspecting folk (these would be your FFN) into divulging secret details they’d never tell their pastors or principals or parents.

To reduce the likelihood of having your identity impersonated, teach your FFN to follow a few simple steps.

1. Use the phishing filter that’s built into Internet Explorer 7.
2. Reduce the amount of spam in your e-mail.
3. Use good passwords online.

The phishing filter in Internet Explorer 7 includes a long list of known phishing sites, and it warns users if a site they’re visiting is on the list or exhibits characteristics typical of phishing sites. The filter can communicate with an online service to keep itself updated—and this is important, since phishing sites often disappear after just a couple days.

Windows Live Hotmail, Windows Live Mail, and Windows Mail—probably the most common mail programs in your FFN—include technology to reduce spam. Their spam filters are updated regularly through Microsoft Update, which is yet another excellent reason for keeping the automatic update client enabled. Also be sure that you configure them to block images in HTML mail, which are often used for secretly tracking whether someone’s read a message.

Don’t forget to teach your FFN about basic techniques they can learn to become more security savvy. Common practices like disguising your e-mail address on discussion boards (me AT example DOT com), using a separate e-mail address for newsletters and online transactions (yes, you can have more than one Hotmail account), and being aware of prechecked boxes on Web forms that will result in things you didn’t want—for example, various toolbars, sharing your e-mail address with “partners,” or signing you up for newsletters that you can’t unsubscribe from.

Similarly, spam becomes easy to spot once you get in tune with its characteristics. Don’t reply to any message that wants personal details. It’s highly unusual; legitimate sites will use Web pages to sign up for services or maintain accounts. If you get an e-mail message that appears to come from your bank, don’t read it—delete it. Then call your bank; if they need something from you, their customer service department can handle it. Legitimate businesses simply don’t use e-mail to conduct account maintenance transactions, because e-mail itself is insecure. Never click on links to any kind of online payment service you use; instead, type the address directly into the browser’s address bar. If you hover your mouse over a link, the real URL appears in a small box—and if they don’t match, then yep, the e-mail message is definitely fraudulent.

While working with your FFN, make the link between online safety and personal safety. Most of us wouldn’t wander down random smelly alleys in isolated parts of the city during the middle of the night. It’s the same with your e-mail. Ignore attachments you don’t expect, avoid pleas for giving to “charities,” dismiss any messages that promise easy money, and don’t reply to any spam—all this does is confirm that your e-mail address is legitimate, guaranteeing that you’ll get more. Teach your FFN to make regular use of Snopes.com, one of the best sites on the Internet for learning whether something is legitimate or a scam. Type a few words from the suspicious e-mail message into the site’s search box and see what the results are.

Web sites often require you to log on. This means you need to create a user ID and password for every site you might visit. There’s a lot of discussion about what constitutes a “good” password; personally, I’m a fan of length rather than complexity. A simple 15-character passphrase (think short sentence) is easy to remember, quick to type, and far stronger than any short complex password. A passphrase like this will withstand any kind of automated password attack, including those based on rainbow tables. And you can even use a method that helps you remember unique phrases for each site, if you wish:

• Web mail: "my dog and i got the mail"
• Shopping: "my dog and i bought some stuff"
• Office: "my dog and i went to work"

If you don’t follow this kind of system, eventually you’ll start to forget which password you used on which Web site. Ugh, how can you manage it all? How can you have strong and unique passwords on the 60 different sites you visit every day? If the site uses basic authentication, you can instruct Internet Explorer to remember its password—however, few sites use this method. Instead, forms-based authentication is far more common, and Internet Explorer can’t remember these. Some sites have “Remember my password” checkboxes on the logon forms, which causes the site to store your password in an encrypted cookie (this is fine). There are many third-party programs you can use to manage passwords; one popular and well-regarded one is the free Password Safe.

Won’t all this just overwhelm my FFN?

Not really. Ordinary people subconsciously make security and safety decisions every day—going to the same hot dog vendor you’ve always trusted, changing lanes after verifying the target lane is unoccupied, walking along known streets with good lighting. Being safe online is really no different than being safe in the real world. Yet, online, people have a tendency to move toward one of two extremes—trusting everything they read and receive or becoming suspicious and essentially refusing to engage in anything online. Maybe it’s because online threats use scary language (like “identity theft”) and receive attention that far outweighs the risks (like child predators).

The threats we all face daily online are really no different than the threats we’ve all faced ever since we came down from the trees. This doesn’t mean we should ignore them or become too agitated. It means that we can apply the common sense most of us already have, aided with numerous tools and bits of good advice from software vendors, and—most importantly—a cadre of IT pros who can help their FFNs become savvy enough to protect their computers, themselves, and their families so that they can integrate the vast power of the Internet into their normal routines and enjoy everything it has to offer.

This article gave you some starting points for conversations with your FFN. There’s far more to explore. Spend an evening perusing the resources we’ve provided for you at Security at Home. We’re regularly updating the pages here to ensure that the information is current and relevant for home users. We’ve also created a newsletter specifically for home computer security, an online safety and security magazine, and several videos that cover a variety of security topics.

One more thing: accept our humble thanks for your help. We believe that you, our IT pros, can become the most valuable element in spreading the message of how to be safe and secure online. Thank you!