Michaeline: Open Forum on Heartbleed Bug and Other Internet Issues

Protecting your heart against the knaves of the internet

I’ve been keeping an eye on the Heartbleed and Yahoo! Mail DMARC problems all week, but I don’t like to act too quickly on internet panics. The Y2K virus passed me by without even a ripple in real life (although that was my first, biggest and best internet panic), and I’ve survived a few other things that turned out to be not such a big deal. I figured I’d wait until the weekend and change the passwords then, after the dust had settled.

Then, this morning, my e-mail stopped working.

So, instead of writing a proper blog post, I thought I’d share a few classic tips for internet security, and ask y’all what you are doing to protect your writing and your professional personas on the internet.

  1. Back up everything that is really important. One thing I’ve been hearing this week is that the Internet is Not Forever. NPR’s Pop Culture Happy Hour reported on the end of the Television Without Pity site – there was talk of the TWoP archives closing as well, but that decision has been reconsidered, it appears. However, that’s not always the case. Sometimes, when it’s gone, it takes everything with it. So, while cloud storage is a fairly good idea if you research it, I would back up really important stuff on a hard drive. According to this Mashable article, Dropbox was vulnerable to Heartbleed, and the article reports that it isn’t clear what WordPress has done to fix the problem. I couldn’t find anything with a quick Google, either.
  2. If you are going to back up everything, it follows that regular purges are also necessary. Set up your criteria, and set up a schedule and stick to it. Nobody wants to lose all their hard work during an internet catastrophe. And nobody wants to slog through 200 different directories.
  3. Now is a great time to change your passwords, and create a system. I’ve seen several clever ideas. For example, you can use the month and year in your password, which will give you capital letters and numbers. You can write the month in your second language, or your third one, or an obscure one that you are willing to learn the months of the year for. So, your password might look something like this: sitewordIvykiai14category. (Ivykiai is approximately Lithuanian, by the way.) I would include a site-specific word, and also a category that I associate with the things I do in that site – for example, I might use “knitwit” with my Ravelry account. (Well, I might, but I won’t.)
  4. Notebook of secrets. I’ve got too much stuff to remember, and I have to write it down. This is simply a fact, and it goes against most advice you’ll find. But . . . what are the chances that someone will steal my purse, go to my computer and hack into my Ravelry account? Not really a problem, IMO. For more important accounts, I keep a list in a more secure place. I think this is important for two reasons: one, practically speaking, it won’t matter if someone takes the trouble to hack into many of your accounts. You need to balance security with practicality. Secondly, what happens if something happens to your brain? How will your friends and family access your accounts, take care of your business, and maybe even inform your internet friends if something has happened to you? Nobody wants to think about this, but since we are getting things in shape anyway, we may as well consider this point.

These are classic tips. They may or may not help keep you safe from the effects of the Heartbleed bug, but more than that, they are just basic good ideas to consider.

I do recommend that if you use Dropbox, you go and change your passwords today. I’m following Mashable’s advice here. Dropbox is listed about two-thirds down the article, and they pass along a tweet from Dropbox.

Also, there are apparently sites you can visit to check whether your favorite sites have been compromised by the bug. I have to say, I tested my bank’s site at one and came away confused. So, take those with a grain of salt, and only use one you reached through a trusted source. I found this site through The Atlantic – but journalists can be panicked and not thinking security concerns all the way through, so only use it if you feel comfortable doing so.

So, tell me, how are you keeping your digital writing and persona safe today?

14 thoughts on “Michaeline: Open Forum on Heartbleed Bug and Other Internet Issues”

    • (-: If you’ve got any tips or info, please pass them on. It might be that Heartbleed won’t actually mean much to writers . . . . But I know that I’ve got writing-related materials on Pinterest, YouTube, Twitter . . . maybe about seven or eight sites in all. It’s a little scary when I think about how much of my writing *is* digitally based. I don’t think one back-up is enough . . . .

  1. We use a daily cloud backup service for all our home computers (we chose carefully with the help of an IT professional friend – since the ‘cloud’ means that you’re hiring somebody else to warehouse all your information, it’s good to do some homework and find a provider you trust before going down this route). I also back up my manuscripts to Dropbox and my iPad in Pages and a couple of thumb drives and I print off a hard copy from time to time – paranoid maybe, but whatever else bites the dust, it won’t be my WIP!

    Trust only goes so far. We do not keep personal financial information or lists of passwords on our computer hard drives at all. There are simply too many viruses and hackers around to risk it.

    And regarding passwords, my ten pence worth:

    1 – if you must use a word, use symbols and numbers in place of some of the letters: @ instead of a, number 1 instead of ‘I’, 3 for an ‘e’, 5 for an ‘s’ – for example 31ghtl@d1e5wr1t1ng instead of ‘eightladieswriting’.

    2 – Even better, pick a memorable phrase, quote, song lyric, whatever, and use the first letter of each word. So maybe instead of ‘eightladieswriting’, use ‘on the eighth day of Christmas my true love sent to me’ – written as ‘0t8d0Cmtl5tm’.

    3 – Notebook of secrets – don’t write the password down, use a memory prompt, ideally something cryptic but not so cryptic it confuses you too (‘The twelve days of Christmas’).

    4 – Annoying as it may be, don’t use the same password twice.

    Those are my top tips. Some of the other 8LW are computer professionals – I’ll be very interested in what they have to say.

    • These are great points! I know people will object to writing things down, but I think as long as it’s completely separate from the computer, it’ll be OK. I’ve been discussing this with lots of people, so they do mention things like if you MUST have a list of passwords, don’t leave it near the webcam. (An even better security tip I saw on Japanese TV — put a post-it note over the webcam “eye” when it’s not in use.)

      Completely agree that one should never, ever, ever have a list of passwords on the computer. I have an odd image of “information miners” but I think they can get through everything on the hard drive in very little time. It only takes about an hour for my virus program to work through it on a “complete scan.”

      Also, what do you think of this XKCD cartoon? http://xkcd.com/936/ The artist argues that four random words (total 25 characters) are better than 11 characters of mixed symbols. I think they have a point — the hackers know by now to include symbols in the decoding program. But on the other hand, one can create a wonderful, playful password. I’ll never use this: 2Bornot2Bthatisthe? But, at 18 characters, it would be great for a Hamlet fan.

      I’m so glad you chimed in — it’s good to have friends in IT, isn’t it? Can’t wait to see what our pros have to say. I know even in IT, there are at least two roads to Oz (binary, y’know (-:), but the more informed information we have, the better we can make decisions about what we want to do with our digital lives.
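As an added illustration of the XKCD argument discussed in this thread (example code, not from the post or its commenters), the block below puts rough entropy numbers on the three password styles mentioned: random characters, a passphrase of random common words, and a dictionary word with @/3/1/5 swaps. The word-list sizes, the 100,000-word cracker dictionary and the tiny sample word list are assumptions made for the demo.

```python
import math
import secrets

# Added example: a simplified entropy model. Strength is log2 of the
# number of equally likely candidates an attacker must try, which depends
# on how the secret was *chosen*, not on how many symbols it contains.

PRINTABLE_ASCII = 94        # letters, digits and punctuation
COMMON_WORDS = 2048         # ~11 bits per word, roughly what the comic assumes
CRACKER_DICTIONARY = 100_000   # assumed size of a cracking dictionary
LEET_SWAPS = {"a": "@", "e": "3", "i": "1", "s": "5"}   # the swaps from the comment above

# Constructed miniature word list so the generator runs offline.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "ladies", "writing", "knit", "wit"]


def random_chars_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy of `length` characters each drawn uniformly from the alphabet."""
    return length * math.log2(alphabet)


def passphrase_bits(num_words, wordlist=COMMON_WORDS):
    """Entropy of `num_words` words each drawn uniformly from a word list."""
    return num_words * math.log2(wordlist)


def leet_word_bits(word, dictionary=CRACKER_DICTIONARY):
    """Entropy of one dictionary word with optional @/3/1/5 swaps: one
    dictionary pick plus one yes/no choice per swappable letter. Crackers
    try the swaps too, so they add only a handful of bits."""
    swappable = sum(1 for c in word.lower() if c in LEET_SWAPS)
    return math.log2(dictionary) + swappable


def leetify(word):
    """Apply every swap, to show what the substitution scheme produces."""
    return "".join(LEET_SWAPS.get(c, c) for c in word.lower())


def make_passphrase(num_words, words=SAMPLE_WORDS):
    """Pick words with a CSPRNG: the random choice is where the bits come from."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def compare():
    """Bits for the three cases argued over in the comments (rounded)."""
    return {
        "11 random printable chars": round(random_chars_bits(11), 1),
        "4 random common words": round(passphrase_bits(4), 1),
        "leet-swapped 'ladies'": round(leet_word_bits("ladies"), 1),
    }
```

A memorable quotation such as the Hamlet line is closer to the dictionary-word case than to the random-words case, because an attacker's list of famous phrases is small.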

  2. Hackers can get into anything given the time and incentive, but sometimes they don’t need either time or incentive: 80% of all passwords (or some extremely high percentage like that) are the word “password” or “admin.” I have to say that while I follow password protocols for my personal stuff, the real danger is not that somebody is going to break into “Kay Keppler,” they’re going to break into AOL, and then it’s all over, more or less, no matter what password you’ve got. I got a letter from my bank once saying that my credit and banking account info had been compromised because…wait for it…the backup tapes had been stolen out of the truck on the way to the bunker storage. So there’s a lot of ways things can go wrong. But in terms of crashes, backups to flash drives, Dropbox, cloud systems, external hard drives, whatever, will certainly go a long way to prevent data loss.

    The other thing about security is PIN numbers. There was a flurry of articles a while back about how 80% or 90% or 98% (really high again) of PINs were the same 20 numbers for everybody in the universe, so hackers could do one of those automated ping attacks and have a great deal of success just by hitting those 20 numbers over and over on a given banking system. Those numbers are the numbers down and across on a keyboard and the current year (so most PINs begin with 1 or 2). People are predictable, and that’s what thieves count on.

    • I wish we could be masters of our own computers, but as soon as we let the internet in, we really aren’t.

      The rewards of internet socializing are so great, but so are the risks — LOL, sounds like a Regency comedy of manners! Updated for the 21st century!

      (-: I have to say, that’s crazy about the tapes. Was it back in the day when the thieves might have reasonably had access to the “tape players”?

      One interesting thing that I’ve seen in my research is the idea that a “monoculture” is not healthy. I’m really familiar with this concept from my gardening hobby — if every cow in a herd or every plant in a garden is of the same genetic stock, when a genetic disease comes through, everyone is wiped out. One-culture isn’t as resilient. Someone was saying that having just one way to protect your stuff, or one way to act on the internet is also inherently dangerous.

      IDK. Standardization makes life sooooo easy. But it also makes it easy for the bad guys who want to bring down the system.

      I’m getting some writing fodder from this whole experience! LOL.

      • The lost tapes from my bank were just two years ago. It’s probably a mistake to think that all big institutions are on to the latest thing—did you read the story about how the IRS has to pay millions of dollars to Microsoft for security patches to Windows XP because they still use XP?

        • So many of my schools are still using XP! There was a huge kerfuffle this week, the day AFTER the XP support was supposed to expire. I don’t know. Vista was a mess, I heard, but I quite like Windows 7 (especially the search function that lets you search for everything in your computer). Windows 8? Ugh. My husband has it. I wish they had released the next version of Windows before they decided to cut off free support.

          My friend has noted that Microsoft tends to see-saw between good/bad/good/bad/good versions of their Windows OS. So, if we are lucky, Windows 9 should be spectacular.

  3. So I’ll preface all of this by saying I’m not really an IT girl, but I have read up on this stuff A LOT and I used to work for a software company and have heard many scary tales of Bad Things Happening to Good Computer People. I hope you find some of it useful!

    One of the things that most of us should do, if we can, is have two-step authentication. Google has this, so does WordPress and my bank. Basically, to log into Google or WordPress, I have to put in my password, then a numeric code generated by an Authenticator app that I have on my iPhone (as an alternate, they can text you the code). Is it a pain? Yes. Is it worth it? Definitely. You’d have to have my phone in your hand to log in (or, in my bank’s case, to set up a new Pay To account or to transfer money to an external account). You have to turn ON two-step authentication (it’s not on by default) and if you use Mac mail like I do to read Google mail, you’ll have to establish app-specific passwords…but it’s easy.

    Regarding passwords, the best and easiest to follow advice I’ve seen is to use a common phrase, one that is meaningful to you, and add the first two or three letters of the site you’re logging in, plus some #s/characters at the end, to make it unique for each site. For example, your phrase could be ilovewriting. At Amazon, your password would be AMAilovewriting1!. At WordPress, it would be WORilovewriting1. My favorite? GoDaddy: GODilovewriting! Haha. This way, you don’t need to remember a long set of characters/numbers and your password is unique at every website.

    One thing you might look into if you keep proprietary information on your computer (like electronic copies of tax returns, book contracts, royalty statements, etc.) is creating a partition on your hard drive and encrypting it. I followed the standard instructions for creating a new partition on my Mac’s hard drive (the equivalent is having another letter drive on a PC), have moved all my important stuff there, and encrypted it. It remains encrypted, too, unless I choose to put in the password on start-up, or when I manually launch the partition. According to Macworld, unless someone knows your password, they’re not going to get into that drive. It’s helpful to follow the password advice above, though, to make sure you don’t put in a password you’ll forget, ’cause if you do, there’s no recovering it.

    As for backups, I do both cloud storage (SOS Online Backup, highly recommended by PC Mag, every 4 hours) and an external hard drive connected to my Mac (using Mac’s Time Machine). I pay a lot for the SOS Online Backup, but after reading the tale of Mat Honan’s hacking (including losing all of the pictures of his daughter’s first year of life), I decided it was worth paying for. Plus, I’d go completely mental if I lost my book! If Mat had been using two-step authentication, it never would have happened to him. You can read his story here: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ There are also great tips there (and links to other articles regarding security).

    IMHO, pcmag.com is a great resource (for both PCs and Macs) to find applications, sites, etc. that serve users well. That’s usually the starting place for most of my research, followed by cnet.com. For Mac-specific stuff, I start at Macworld.com.

    On a somewhat humorous side note (to compete with Kay’s story), I remember when working for my former employer (a computer software company) hearing a tale from one of the IT guys about the backup tapes a banking customer stored in the bottom drawer of a locked file cabinet. Every day, they did a backup, then put the tapes in the drawer. They used to rotate out seven of them, never keeping more than 7 days’ backup in that drawer. One day, the customer had a data loss and went to the tapes to do a restore, but the tapes were blank. Empty. NADA. Talk about a crisis! Eventually they figured out why the tapes had nothing on them: the power buffer the janitors used on the tile floor each night right by the file cabinet created enough interference to basically demagnetize the tapes. This is why you should have more than one backup method!
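To show what the numeric code from an Authenticator app actually is, here is an added example (not from the post or its commenters) implementing the HOTP/TOTP scheme such apps use, per RFC 4226 and RFC 6238: the phone and the site share a secret, and the six-digit code is an HMAC of the current 30-second window. The secret below is the RFC test key, base32-encoded, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example: how an authenticator app derives the six-digit code from a
# shared secret plus the clock. A real secret is issued by the site when
# two-step is enabled and stays on the phone, which is why an attacker who
# only knows the password (or phone number) cannot produce a valid code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC test key b"12345678901234567890"
STEP_SECONDS = 30


def decode_secret(secret_b32: str) -> bytes:
    """Apps show the secret as unpadded base32; restore padding before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    return hotp(decode_secret(secret_b32), unix_time // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus/minus `skew`
    neighbouring windows for clock drift, comparing in constant time."""
    secret = decode_secret(secret_b32)
    window = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(window - skew, window + skew + 1)
    )


def current_code(secret_b32: str = DEMO_SECRET_B32) -> str:
    """What the app on the phone would display right now."""
    return totp(secret_b32, int(time.time()))


if __name__ == "__main__":
    print("code now:", current_code())
```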

    • OMG! Tax forms! Excellent point, Justine!

      Keeping in mind that I’m a layperson, I’m leery of two-step. If hackers can create such havoc by knowing my e-mail, what would happen if they had my phone number, too? I may have to change my mind, but I want to keep my phone-life and computer-life separate. For now. I will think about it.

      Another issue about the phone thing is that in my last days of actively using Facebook, whenever I’d log into my husband’s computer, they could never recognize it. I always clicked on “register this computer” — so I’m worried that I may have a lot of problems with websites recognizing that I am where I am. I figure that’s a quirk of my ISP. Then again, I never had problems on my own computer. So, maybe I’m looking for trouble where there won’t be any trouble.

      James Fallows also recommends using the two-step in his long, great article describing how his wife got hacked in 2011, and what they did about it: http://www.theatlantic.com/magazine/archive/2011/11/hacked/308673/ Heck, EVERYONE recommends using two-step. So, maybe I’ll just have to get with the program.

      • The thing about two-step is that unless they have your phone number AND are hacked into your phone, they can’t get the access code that Google or whomever generates. Mat Honan made the same point. If he had JUST had two-step authentication, they never would have been able to hack his account. It all started with his gmail account (if memory serves). It’s the one security feature that almost everyone recommends.

        • Something else I just picked up in reading that Atlantic article, Michaeline, is that many sites now let you use spaces in your password. Hackers can’t recognize the difference between a space and a character, so it makes it a bit harder for them to steamroller your password by simply trying a multitude of characters/numbers/letters. Typically, the first and last character in a PW can’t be a space, though. Something to keep in mind.

          I just went through and reset all of my passwords for Yahoo, Dropbox, Gmail, GoDaddy, and WordPress based on this: https://www.ivpn.net/blog/heartbleed-passwords-change. I also enabled two-step authentication for GoDaddy and Yahoo. Already have it turned on for Gmail and WordPress.

        • It’s really interesting how the guy in the Wired article actually was able to TALK to his hackers. The hackers thought they were vigilantes for making companies clean up their security faults.

          I used to daisy-chain accounts, too — I think that means using the same handle before the at-mark. I’ve been spending the weekend trying to change those, as well. But in some cases, I think a new account is going to be the simplest answer.

      • Thanks, too, for the ivpn link. They note that LinkedIn is not affected. But . . . I was cleaning out a long-neglected ISP-provided mail account, and I noticed that LinkedIn was the source of a lot of spcm. (Note: I’ve been warned lately that if you spell spcm correctly three times, Candlejack will erase your e-mail account. Joking! But I’m avoiding the word for now, hence the crazy spelling. Not Joking.)

        Has anyone used LinkedIn and found it useful for writing stuff? I think I’ve tried to erase the account I set up years ago, and had no luck. A friend of mine signed up for Linked a few weeks ago, and they spcmmed me — I managed to turn off the emails this time around, but I feel they aren’t Reputable People. Although, they seem to have their Heartbleed under control . . . .
