Two Slashes

Tag: eBay

The Surprising Thing About Passwords

by Nick on Mar.24, 2008, under Musings

Since it’s a required part of my curriculum here at school, I’ve been taking a rhetoric class. Recently in this class, we were assigned a research paper on a category of problems in academia, something that we can observe and then propose solutions for. Considering the post topic and me in general, you can probably guess (at least partially) what problems I’m focusing on in my research. This assignment couldn’t come at a better time, as I’ve heard plenty of complaints about password-related issues in particular as of late. You see, the school I attend mandates yearly password cycling, and considering the time of year at which they hand incoming freshmen their account information, a lot of people are just now hitting the one-year mark. Mostly, every gripe I’ve heard centers around one of a few major issues:

  • The passwords my university requires are much more complex compared to the passwords most people use in their daily lives.
  • Most services don’t require password cycles every year, or…ever.
  • Since most people keep the same password (or set of passwords) for everything, constantly forcing password changes forces people to forget their password more often since it’s not the same password as other things they use on a daily basis.

While these arguments are perfectly legitimate, the people using them as a rationale against changing their passwords are also the same people you find in any typical setting: not groomed in any form of security beyond the idea that any password at all is surefire protection. (Cue Morpheus’ voice…”Welcome…to the real world.”) Anyway, as part of my research paper, I decided to compare the three pages’ worth of requirements for our university passwords with the requirements used by what I thought to be popular web services. And, after a few hours’ worth of investigative work, I can sympathize with the people who think changing their password is a lot of work. In short, these services, which I thought probably had at least a slight pulse on the idea of security, are grooming their users to be lazy and to leave their data and service access poorly protected. I’ve put together a table that should at least give an overview of the services I selected (if you have suggestions for more, I can’t promise anything but would welcome the heads-up) and the security procedures they enforce:

Service                Case Sensitive  Min. Password Length  Req. Lowercase  Req. Uppercase  Req. Numbers  Req. Symbols  Age Enforcement Policy
Google                 Yes             6                     No              No              No            No            No
Facebook               Yes             6                     No              No              No            No            No
MySpace                Yes             6                     [1]             [1]             Yes           No            No
AOL Instant Messenger  Yes             6                     No              No              No            No            No
Windows Live           Yes             6                     No [2]          No [2]          No [2]        No [2]        No [2]
Yahoo!                 Yes             6                     No              No              No            No            No
eBay [3]               Yes             6                     No              No              No            No            No
Amazon                 No              1                     No              No              No            No            No
Newegg                 Yes             6                     No              No              No            No            No
TigerDirect            Yes             4                     No              No              No            No            No
Digg                   Yes             6                     No              No              No            No            No
Woot.com               Yes             6                     No              No              No            No            No
Twitter                Yes             6                     No              No              No            No            No
Wikipedia (English)    Yes             1                     No              No              No            No            No
PayPal                 Yes             8                     No              No              No            No            No
USPS                   Yes             8                     Yes             Yes             Yes           No            No

The numbers in brackets above correspond to these quick side notes:

  1. MySpace’s requirement is an in-between: at least one numeric and one alphabetic character must be included in the password; no requirement is made as to the case of that letter, however.
  2. Windows Live has two sets of requirements that depend on the services the user accesses. Typically, users only have a six-character requirement, but if an application they use requires it, Windows Live will force all of upper- and lower-case letters, numbers, and a unique symbol, plus mandatory password changes every 72 days. These 72-day password changes are offered as an option to users who don’t otherwise qualify.
  3. eBay refused to accept the password ‘aaaaaa’ because it is too weak. However, ‘ababab’ works, which means that eBay offers at least a slight security check at registration.
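To make the table concrete, here is an added example (not code from the original post) that encodes each service’s row as a policy and reports which services would accept a given password, and how a case-insensitive login like Amazon’s compares credentials. The per-service rules are transcribed from the table; the Windows Live “strict” tier comes from note 2, and the eBay rule, rejecting a password made of one repeated character, is an assumption about the smallest check consistent with note 3, not a documented eBay rule.

```python
"""Password-policy evaluator built from the comparison table above.

Added example, not code from the original post. Per-service rules are
transcribed from the table and its footnotes; comments mark the two
places where a footnote had to be interpreted.
"""
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def _no_extra_rule(pw: str) -> List[str]:
    return []


def _has_letter(pw: str) -> List[str]:
    # Note 1: MySpace wants one alphabetic character of either case.
    return [] if any(c.isalpha() for c in pw) else ["needs a letter (any case)"]


def _not_single_repeated_char(pw: str) -> List[str]:
    # Assumption: the smallest check consistent with note 3, which saw
    # 'aaaaaa' rejected and 'ababab' accepted. eBay's real rule is unknown.
    return ["all characters identical"] if len(set(pw)) == 1 else []


@dataclass(frozen=True)
class Policy:
    min_length: int
    case_sensitive: bool = True
    req_lower: bool = False
    req_upper: bool = False
    req_digit: bool = False
    req_symbol: bool = False
    max_age_days: Optional[int] = None  # None = no forced cycling
    extra: Callable[[str], List[str]] = _no_extra_rule  # footnote quirks


# One entry per table row; Windows Live gets both tiers from note 2.
POLICIES: Dict[str, Policy] = {
    "Google": Policy(6),
    "Facebook": Policy(6),
    "MySpace": Policy(6, req_digit=True, extra=_has_letter),
    "AOL Instant Messenger": Policy(6),
    "Windows Live (basic)": Policy(6),
    "Windows Live (strict)": Policy(6, req_lower=True, req_upper=True,
                                    req_digit=True, req_symbol=True,
                                    max_age_days=72),
    "Yahoo!": Policy(6),
    "eBay": Policy(6, extra=_not_single_repeated_char),
    "Amazon": Policy(1, case_sensitive=False),
    "Newegg": Policy(6),
    "TigerDirect": Policy(4),
    "Digg": Policy(6),
    "Woot.com": Policy(6),
    "Twitter": Policy(6),
    "Wikipedia (English)": Policy(1),
    "PayPal": Policy(8),
    "USPS": Policy(8, req_lower=True, req_upper=True, req_digit=True),
}


def violations(policy: Policy, pw: str) -> List[str]:
    """Requirements that `pw` fails under `policy`; an empty list means accepted."""
    problems: List[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.req_lower and not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if policy.req_upper and not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if policy.req_digit and not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if policy.req_symbol and not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    problems.extend(policy.extra(pw))
    return problems


def accepting_services(pw: str) -> List[str]:
    """Names of the services whose registration rules would accept `pw`."""
    return [name for name, pol in POLICIES.items() if not violations(pol, pw)]


def same_credential(policy: Policy, stored: str, attempt: str) -> bool:
    """Login comparison: a case-insensitive service treats 'Apple' and 'apple'
    as the same password, which is the Amazon complaint in the text."""
    if policy.case_sensitive:
        return stored == attempt
    return stored.casefold() == attempt.casefold()


if __name__ == "__main__":
    # Constructed sample passwords, including the post's own 'Bs4&nd*D'.
    for candidate in ("aaaaaa", "ababab", "123456", "Bs4&nd*D"):
        ok = accepting_services(candidate)
        print(f"{candidate!r}: accepted by {len(ok)} of {len(POLICIES)} policies")
        for name in ("eBay", "Windows Live (strict)", "USPS"):
            print(f"    {name}: {violations(POLICIES[name], candidate) or 'OK'}")
```

Running it shows the point of the table: ‘aaaaaa’ clears 12 of the 17 policies and ‘ababab’ clears 13, while only the Windows Live strict tier and USPS ask for anything beyond a length.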

Frankly, I’m very concerned with all of those “No”s, and especially concerned with sites like Amazon, which allow you to store important credit card information in your account for easy checkout, and then let me log in with a capital ‘A’. Microsoft even surprises me (though in a good way), if you consider their forced-security dependency to be a good idea. (For once, Microsoft, I like.) Not that these sites and services even compare to the requirements for our university credentials, but it gives you an idea of just how absurd the gap is. Especially when I throw in the fact that a lot of these places have posted “suggestions” for creating a good and secure password, and then brush them all away in favor of some six-character string. So I apologize if I’m reiterating what you already know or have seen, but after all of that, I think it’s important that people actually understand what good security is.

  • The best passwords are not found in any published or publicly available work, be it a dictionary, your favorite action novel, or some random screenshot you found on Flickr. Don’t use anything important either, like a social security number. And anything personally identifiable or with a direct reference to your life is out too; that means quit using your aunt’s birthday as a PIN. As one demonstration of coming up with unique but memorable passphrases, try to think of memorable snippets from your favorite written work (you’re probably double-taking right now, but keep reading). Now, develop your own personal algorithm for going through the phrase to select characters (hey, don’t be afraid of punctuation or numbers, because they help too and add uniqueness). For example, try taking the Fibonacci sequence’s digits as positions and pulling those letters out. It sounds tedious now, but if you use the password regularly, your muscle memory will take over and you won’t even realize you’re entering the password anymore. At least, if you use it that regularly.
  • NEVER use the same password in more than one place. There IS a reason for this, aside from “the man” trying to confuse you and keep you from checking your mail: compartmentalized security. If an attacker compromises one account and gets hold of a password you use everywhere, you haven’t just handed him one site or a credit card, you’ve handed him your entire life. If that password doesn’t work anywhere else, the attacker has to go back to work and start all over again on the next site (if they’re indeed targeting you). If you can’t keep all of your passwords straight, get a trusted and reputable password manager and store your passwords in it. Some suites also give you the added benefit of randomly generated passwords like ‘Bs4&nd*D’ - at the expense that you probably won’t remember them unless you use the application.

Considering these password recommendations are nearly timeless, it only makes me wonder when people are actually going to pay more attention BEFORE something bad happens to them. So quit complaining that you’ve got to change your password. Make it memorable, make it unique, and consider it worthy of a national secret. And for Christ’s sake, ignore the fact that Google isn’t going to check for varied-case characters; force yourself to check for them. And a note to the few, the proud, the WordPress users: WP2.5 RC1 is nice, but I don’t think it’s ready yet. It’s got a few bugs, and I miss my old blue administration panel. I actually think it made more sense doing “Blogroll > Add Link” than “Write > Link” to add things to my blogroll.


A “Suicidal” Anti-Theft Idea

by Nick on Jul.28, 2007, under Uncategorized

It’s not uncommon for thieves to eye up anything they can swap around for a quick buck on eBay. Sunglasses, electronics…anything they can get a decent price for to make it worth their deal. And the worst part is that for the most part, these transactions are untraceable - unless the victim notes the serial number, and sees that serial number in a picture on eBay, chances are it’ll be across the country in a week.

One of the biggest “cash cows” for thieves is an iPod. In short, that Apple “luxury” you get when you overpay for the damn thing is only lining the thief’s pocket with even more green when they steal it and try to turn it around for cash. Exhibit A: 8072 listings (at time of posting) in the Apple iPod category on eBay. Now, I’m no expert, but usually when so many people are getting rid of something, most of them are either illegitimate or the product sucks and people can’t get a refund. (I wouldn’t be surprised if it was that second option, even though I know for a fact it isn’t; they’re decent devices, but there are better products for cheaper that can do so much more, and with a lot more expandability. However, now’s not the time for me to tangent into this. Maybe next post…)

That’s why when Apple proposed a way to disable the iPods from charging when they’re used on a computer they’re not supposed to be, I came to wonder what the f*** the Cupertino crew’s thinking. Sure, iPods are great targets for thieves, but implementing something like that is just asking for problems. I’ve got plenty of real-life scenarios, too.

  1. At my (old) high school, most computer classes (and some others) allowed the use of MP3 players when the students were to be working on projects (which, in reality, was at least 75% of the time).

    Now, seeing as these are teenagers who don’t charge anything up unless it doesn’t even turn on, these people needed a way to power their players when they ran dry. And with a computer sitting right in front of you (99% of them being a Mac, no less), what better way than by plugging the thing in? I’m not questioning this practice; I actually see it as a sign that the students are “exploiting” their surroundings (in a good way), so to speak. But if the next generation iPods are going to check that the computer is theirs before even bothering to charge, you’re going to find that the students start to get mightily ticked off when that so-called “guardian circuit” is set off and their iPod becomes a very expensive “luxury” paperweight.
    iPaperweight Ad

  2. What happens when you buy a new computer, or have to do some serious renovation to your current one as the result of some damaged or failing hardware? Windows makes you reinstall, some of your applications might need another license purchased; in short, it’s a lot to deal with just getting the computer up and running. But now let’s add a new iPod into that, after the thing follows Windows in saying “This isn’t the same computer - buy a new license.”
  3. Some people sync players between multiple computers; some they own, some they merely play the songs off the iPod while they work there (which is something the kids at school also did). While I assume that computers sharing the authorization on an account would share a code, what would become of the iPod when the fun-loving, music-seeking soul brings their player to the library?
  4. I’d love to see a “security code” that matches the user’s computer manufactured into a wall charger or a third-party accessory like a boombox. Those things aren’t ever going to be receiving authorization codes from iTunes, so plugging an iPod into one of them would be like forcing your player to commit suicide.

The worst part? If this actually gets implemented into anything, chances are other companies will follow with similar (though obviously not violating the patent) solutions. The same “monkey see, monkey do” approach Microsoft and Apple share when it comes to new OS features. Pretty soon it won’t be an MP3 market anymore so much as a “music brick”. And the fact that this is a hardware approach, buried so deep into the player as it is, certifies that while people won’t be circumventing this with any ease, any user with the know-how to repair it, well…can’t. It’s like putting Lo-Jack on a car and finding that the police arrest you for being in possession of the Lo-Jack-enabled car, “hot” or not.

Remember the famous saying? “Locks only keep honest people honest.” That wasn’t referring to any digital lock…that was referring to physical security locks like on a door. Digital locks like this novel theft deterrent, and even plainer and more simply, DRM, aren’t the ideal solution in this day and age.

A better idea, or at least one that would require far more know-how to defeat, would be to build the protection into the firmware so that the user has to enter a PIN (printed in the box, maybe, or displayed when they first authorize the iPod, or user-set at initial setup) before the device can be charged and/or synced. This code would be embedded permanently in non-rewritable memory (preferably encrypted, checksummed, and all that jazz to prevent tampering) and would survive any of the Apple factory resets. Not only would that take an extreme amount of skill to remove for anyone other than an Apple techie, it’d ensure the device could only be used by someone who had the code.

Oh, and did I mention that it should be optional to set up, to avoid any outcry from people who would rather skip the product than be inconvenienced by an ATM-style code? That way users can pick either the anti-theft system, with its slight inconvenience, or ignore the security to avoid the hassle. Let the paranoid have their security, and let the lazy have their hurdle-less sync.

Enough rambling. Apple, if by some extremely odd chance you’re reading, I could use a bit of cash. ;)


College-Bound Suggestions

by Nick on Jun.19, 2007, under Musings

Of course, it’s that time of the year. All the graduated high school seniors are busy picking up things they think they’ll need at their college of choice.

Now, you’re probably wondering what I have to do with this. It’s simple…I’m the local geek, so everyone flocks to me for suggestions on PCs. And as usual, everyone wants the best machine available on the oh-so-great college-bound budget.

So I figured I’d take some of the real-world examples I’ve run into and throw them into a post full of suggestions. Take heed; most of these will probably pertain for at least a few years down the road.

So, without further ado, I present my “two slashes”…

  1. The biggest tip, and consequently numero uno, is to avoid overbuying. As a student, I understand that you’re going to want to use a machine for more than just research papers, but there are limits. Remember that this will have limited usefulness in the long run, and most machines have a lifespan of between three and five years. Yes, it’ll run longer, but by that time you’re going to be hard-pressed to be able to do anything with it. If you can get away with a slower CPU, less RAM, and ten GB less hard drive space, do it.
  2. When in doubt, ask. No, not the salesperson. Someone with experience. Like me. Alright, maybe someone you know more personally (if you know anyone like that), but it’s always better to get a seasoned opinion.
  3. AVOID APPLE. Yes, I just put a shotgun to the heads of countless Apple fanatics, and I’m probably going to be bludgeoned the next time I step outside. No, I don’t care. Reasoning: For the same price as the lowest build of MacBook, I can have a better-specced notebook machine for $799. Yeah, bigger screen, better hard drive, full burner, and everything. And, thanks to the power of OSx86, I could have my cake and eat it too. Apple’s customer support is alright (if you don’t mind waiting in lines at the Geek Bar at the local Apple Store), and you do have Parallels and Boot Camp at this point. But why not take the extra $200 and buy yourself a nice minifridge or something instead. If you want a white laptop that bad, there’s a $5 can of spray paint at the hardware store you can use. Just make sure to do it right.
  4. It might be wise to spring for both a portable and desktop machine. Having the all-mighty notebook is nice…but if it breaks you’re going to be S.O.L. until you can get it replaced. If at all possible, it’s probably wisest for you to split the budget and do both a desktop and laptop setup. If you do it right, you can sync the two up filewise, so you don’t lose anything. And hell, if you’re trying to look for a gaming laptop, it will be a lot better to get the cheapest non-gaming, school-work-only laptop you can get and trick out a desktop instead. (Believe me, touchpad Unreal Tournament matches are not the best way to play.)
  5. The frills usually aren’t worth it. I don’t care if you’re getting a free mousepad with every $300 you spend. I’ve heard several firsthand accounts of people getting talked into turning a sub-$1000 laptop into a $4000 cash cow. Follow along with the bullet below, and take advantage of everything you can to get what you need, but don’t spend a penny on useless extras like a photo printer or MP3 player dock for a player you don’t own unless it pertains to you or what you’ll be using with the PC.
  6. SHOP AROUND. I can’t tell you how many times I myself have slapped myself for not doing this, but believe me, it’s worth the hassle. If you can hunt around and find a cheaper price, do it. Especially if you’ve got your mind set on a model, and the price is just a tad too high. Take advantage of price matching, free/reduced-cost shipping, and anything else that might help you get what you want for the cheapest price. Remember, you’re trying to save the money for other parts of your education, not get your wallet gouged. (I’d also say lie/cheat/steal here, but not only am I talking about things legitimately, it would be against my morals to encourage you to go around thieving. If you’re thinking it…get it out of your head.)
  7. Built-in Wi-Fi (on a notebook) is a must. At this point, anything without a Wi-Fi card is a poor notebook indeed. There are just too many free hotspots available.
  8. If you just can’t afford it new, go (gently) used. Inevitably, there’s going to be someone who just can’t afford the shiniest, even if it’s $200. In that case, turn to sites like eBay and Craigslist and see what people there can offer you. Remember to watch the cost though; if you aren’t paying attention, the used system is going to cost you more to purchase and maintain than something new. Work with the sellers, see what sacrifices the both of you can make. Some sellers will be more flexible than others, while others will be as rigid as the Sears Tower and not give you any leeway, so use your head.
  9. Extended warranties are not always the best warranties. That’s how the majority of companies make money. And again, consider the average lifespan (3-5 years) and the progression of technology. If you’re clumsy to no end, sure, I’d recommend it simply because you might trip up the stairs while holding your laptop with one hand and a book in the other because you lost your balance. If you’re at least semi-protective of your belongings, you’ll be just fine.
  10. Compare retail stores against well-known online stores. Yes, just because you got a deal at Best Buy means you got a deal at Best Buy. Check all of the competition and see what you can do. (Yes, this ties with #6.) A most-certainly-incomplete list of places to check:
  11. If after all this, you’re going to be using a system you already have, at least reformat it and reinstall the operating system.

I’d normally get into a discussion at this point about the best operating system for you (Windows, Linux, BSD, OS X, OS/2…), but that’s a no-brainer, as for most people it’s going to be Windows out of sheer compatibility and (to be greedy and personal) because I write software for it. If you’ve already gone too far and got something made by a company whose name and logo bear resemblance to fruit, go with Parallels and Boot Camp as I discussed back up there. If you’re an intrepid explorer, dual or triple boot Windows, OS X, and some flavor of Linux (I’m partial to Ubuntu and Kubuntu myself). Have fun with it, especially if you can find ways to use it to reduce your cost. I’ll add this though. Unless you’re buying new and it comes with it, there’s very little reason to get Windows Vista, and for your sake you’ll probably be better off with Windows XP for the moment. This recommendation will probably change in about a year or two, but for the moment and with a look at the current outlook and available software, it’s the best (read: safest) option as far as I’m concerned.

(And for those of you who think I was paid to write this or something…I wasn’t. This is all straight from the horse’s mouth, prompted by the countless questions I’ve been asked, and written with no more bias than I usually have. ;) )


The Top Reasons I WON’T Get An iPhone

by Nick on Jun.08, 2007, under Geeky, Musings

So everyone’s up in arms about this entire Apple iPhone deal. I say big deal, it’s another flashy gadget. Everyone was the same way back when Handspring released the Treo (yes, I’m talking before their Palm/palmOne/Palm buyout/merger), or (to a lesser extent) when Danger released the Sidekick.

Gizmodo decided to take a survey or something and guess what the ideal demographic for iPhone users would be. To sum their findings up, the ideal iPhone target is a well-educated (read: college graduate) male around the age of 31, probably living in New York or California, and definitely interested in leaving T-Mobile. In an odd way, it makes sense, but I’m still saying that it’s bullsh*t for various reasons, all phone-related as opposed to user-related.

The first reason I can think of is that brandishing a very expensive, very hard-to-get phone is just like hanging a ‘Pickpocket Me’ sign over your back. Obviously, you’ve got at least a phone that’ll get the pickpocket several hundred bucks on eBay (potentially more than you paid, if it’s close to the launch date), and chances are if you’re brandishing one of those, you can afford a few other luxuries with the cash and credit cards stuffed into that just-won’t-shut wallet of yours. Or should I say, the pickpocket’s?

The next reason isn’t so much concerned with cost as it is for what you’re buying. We’re talking about a device that doesn’t just have a basic calculator, but has the means to do your taxes, calculate mortgage rates for all the top banks, and play Bono songs back to you all at the same time. While combining a few different devices is cool, a la the Swiss Army Knife, this borders ridiculous in the implementation. Let me explain.

Alright, take your basic desktop PC. Tower and monitor. Alright, now take that to laptop form. Suddenly, your data’s portable, right? Now, take that laptop, miniaturize or get rid of the keyboard altogether, and give the thing a small touchscreen, and now you’ve got a PDA. Three different machines, all accomplishing the same or similar thing: holding your data and allowing you to manipulate it or view it. These three stages sound good…but then everyone has to cram the PDA’s touchscreen into the laptop (tablet PC), cram desktop power into that same laptop (the monster-sized 20″ desktop-replacement laptops that have about 25 minutes of battery life and get hot enough to cook eggs on), and make that desktop PC wireless (Wi-Fi, Wireless USB, etc.).

So everything’s already a mess, right? Let’s stack the Origami project on top. Now you have a machine that’s not quite pocket-small (unless you’re wearing a pair of cargo pants), with a touchscreen and the full power of a desktop. Wait…sounds familiar right? Sounds just like my PDA, only instead of that basic OMAP processor, I’ve got a f**king Pentium 4 in my hand in something that vaguely resembles a Sega GameGear. Funny thing is, the iPhone doesn’t look that far off either. And it’s definitely more than it should be crammed into a not-so-one-handed package.

Also in line with that is the usability. You’re taking the keypad everyone is oh-so-used to, and replacing it with a touchscreen. Scrolling through the contacts? Touchscreen. Navigating menus? Touchscreen. And the icing on the cake: browsing the web…all by touch. The thing is so touch-oriented they had to add a proximity sensor so you don’t hang the blasted thing up with the side of your face while you’re talking up your wife/boss/multimillion-dollar client. And the very concept of the bare-skin touchscreen needs thought. Even my PDA screen gets pretty nasty, and that’s with a stylus involved. I can’t imagine what’s going to get all over it from someone’s finger when it swipes directly across the length of the screen.

Another point coming to mind is expandability. Unlike some current-generation video game console-makers (*cough* all of them *cough*), MP3 player makers (*ahem* Apple’s a good example, among others), and other various people I could go on to mention, you’ll notice that they’ve actually opened the thing up to limited third-party development. Oh yes, you’ll be able to expand with more official Apple apps as well, but those aren’t sandboxed the way the third-party offerings are going to be. I smell a virus target in the making. How does a flock of f**king iPhones DDoSing your web server sound? I bet it happens sooner or later. And this also begs the question of why they’re using OS X as the basis for it at all. It’s not your MacBook. It shouldn’t be running an OS that requires over 500 MB of storage space to be installed; for comparison my PDA has 32 MB for EVERYTHING, including user storage space (although admittedly there’s an SD card crammed into the thing too for various things).

I digress. Once again, I’m not convinced that ANYONE needs this. If anything, it’s too far ahead, and would have been better off held a few years. I’m sticking with the cheapest phone that suits my needs, my (dying :( ) Palm Tungsten T2, and my Zen MicroPhoto.
