Tuesday, November 13, 2018

U2F: Universal 2nd Factor Authentication

What a Hardware Security Key is

A U2F key generates one-time authentication codes, uniquely encrypts them so that only the legitimate site being logged into can read the code, and of course sends it. The user places the key into a USB port and when a code is required, lightly presses the gold circle.

Why it is important

Hackers are aware that many high risk targets are frequently using various forms of two factor authentication to secure their accounts. For targets worth individualized attention, hackers will attempt to defeat two factor authentication systems by tricking the target into providing them with the code. The new U2F security key standard defeats this new form of attack by making a code that only the legitimate site can use. A hacker, with a fake site, will find the code sent to it to be useless for logging into the legitimate site and because the user never sees the code, they cannot read it to a “tech support” person. In other words, the key removes the greatest weakness in any security system -- user error.

U2F Setup

A security key can be the easiest form of two factor authentication because the user may only have to tap the key once. There is no looking for SMS message, copying it, pasting it in or opening an authentication application. Even the newer smartphone prompt that ask the user if he or she is logging in and then the user presses “yes” or “no” requires the user to access the phone and unlock it. While much easier than other ways, the main difficulty with a security key is that one needs to keep it at hand when logging in.

The first decision one has to make is whether to be security-key only or to allow other forms of two factor authentication to be used too. Allowing other forms of two factor to be used in conjunction with security keys has the advantage of making it easier to authenticate on devices that either don’t have USB ports, such as phones, or where the USB ports are inaccessible. If one is often on the road and using multiple devices, having another form of two factor authentication is probably a wise idea. If one is using a few devices at home and at work, then using a security key as the only allowed method is workable.

A security key can be used for as many accounts as desired. And, multiple keys may be associated with the same account.

If one is using a key-only account, having a second key is highly desirable, in case the first is lost. These keys are quite rugged. They can survive washing machines, being stepped on and otherwise abused. The real concerns is forgetting to bring it or not being able to use it on a computer with inaccessible USB ports.

Once the decision of how the key will be used has been made, the setting up process is approximately the same as with any other two factor method. Turn on two factor authentication within the application, such as Gmail or Facebook, if it’s not on already, then add a device, press the circular button on the key when asked, and then press the circle on the key at the next login.

Single Factor Protection

Passwords are considered so weak that some vendors are offering passwordless logins for users with U2F keys. Hackers using malware to capture the user’s password or to flood the system with password guesses, will not be able break in. As long as the owner keeps the key safe, the account should be safe from breaches of authentication. Windows 10 has recently supported the use of a key-only login. It is likely that other services will follow suit. However, a good password protects your accounts if your key is ever stolen. Two-factor is more secure. Whether using a device as the only form of protection will be enough is a personal decision. A middle ground is to use a security key that has a fingerprint reader built in. This not a true two factor solution but it does mean that another person would not be able to use the key.


Security keys have to be purchased. Keys with Bluetooth and NFC can range from $40 to $60, but the simplest U2F keys can be found for $9.


Losing a key is obviously a risk if the attacker can discover the user’s password. Lost keys can be deactivated.

Most two factor systems allow the user to declare the device being used as a trusted device. Doing so means the user may not have to use a second factor on that device for 30 days. The key element is trust. A device, such as a laptop, should not be trusted given that it could be stolen. One of the advantages of a security key is that it’s so easy to use that a user may not feel a need to trust any device. Pressing the key at every login is quite simple and if there is any chance the computer would be stolen or that someone could access it, then not trusting the computer does not carry a significant burden.

Monday, November 05, 2018

Website Security Best Practices

What it is

The appropriate set of “Best practices” depends on the type of website being protected. One set of practices does not fit all. The precautions for a website offering public information is clearly going to require less attention than does a site that contains sensitive user and financial information. Once confidential information has been taken, no amount of effort can bring it back. This section has two sections. The first section, Basic Steps, applies to all websites and the second section, Advanced Steps, includes some of the considerations relevant to sites whose breaching would result in irreversible damage.

Designing for Security

Website security is rarely a topic of conversation during a web design process, yet it should be. Security is difficult to retrofit after a site has been created. With public websites, hacking attacks can range from being merely embarrassing to being a source of malware infections for website visitors. The need for security is far higher when personal and/or financial information is involved. Once a person’s personal information has been taken, it’s never coming back. In many cases, if money is stolen, it too may never be restored. Being aware of what a website collects and stores should be a fundamental part of the website design process. Adding security to a website after it has been designed tends not to be effective.

Basic Steps

  1. Keep your site simple. What a website doesn’t have cannot be exploited. Most informational sites can be turned into static pages. “Static” just means the page is always the same. Commercial sites require the services of a CMS (Content Management System) to dynamically build pages. Because the CMS is a primary avenue of attack, not having one represents a significant improvement in security.
  2. Update software. Most breaches are based on vulnerabilities already patched. Hackers take advantage of systems that have not been updated for months, if not for years.
  3. Have a backup. The most effective way to repair a hacked site is to restore a recent backup of the site. 
  4. Use strong passwords. A common method for breaking into a website is to login as the administrator. Use a strong password and two factor verification, if available. Some systems will also block login attempts from foreign countries or from IP addresses not placed on the website’s access list.

Advanced Steps

  1. Use encryption. Websites with any non-public information should always be protected by an encrypted connection (HTTPS). The trend is for all websites to have encryption and digital certificates, but while it is still optional for informational sites, it should not be considered optional for sites that have any form of private information.
  2. Use a traffic filtering service. A typical firewall works by blocking access to unauthorized traffic, but a website must be reachable. Website firewall services filter traffic, rather than block it. This service entails the traffic going through a system that looks at all the packets of data. If it sees a pattern inside a packet or a pattern of packets representative of an attack, the service does not pass the traffic to the website. This is a very simplistic description of such services, and not all services are the same, but high value sites should have some sort of traffic filtering.
  3. Separation of data and website interface. Storing sensitive data on a second and isolated server can help protect the data in the case of the website being compromised. An attacker is forced to defeat two systems, not one.
  4. Anonymize and separate user data. Collect only the information the site needs. If you don’t need a person’s birthdate or government ID number, don’t ask for it. If you just want to know if the user is a child, youth or adult, ask that or for the year of birth. When a report does not need to use the person’s full information, anonymize and abstract. Keep the most sensitive information in a separate database protected with more stringent access controls.
  5. Get advice. A site with private information is always more difficult to secure and the ramifications of a breach are far more serious than they are for informational websites. Get expert advice on structuring the website for security. And then ask another expert to test the security of the site.
  6. Use external credit processors. When it comes to sensitive information processing, such as for credit card purchases, it’s best to use an established provider.


It’s impossible have absolute security. Even if the technology was perfect – and it never is – people are not perfect. They make mistakes and can be tricked into granting access to attackers. Generally, however, an attacker is scanning large numbers of websites for possible attack. If the above steps are followed, it is probable that the attacker will focus on a less well protected site.

Friday, February 24, 2012

How to test your web loading times

Wired has an interesting article on how to measure web page load times. As they rightly say, the ability to measure load times for a web page is both very important and also very difficult to determine. I would like to explore some of these factors and to add a few considerations of my own that don't always get included under the topic of web site performance.

Build it and they may come

If people have a choice of whether or not to visit your new web site, they may decide the wait is simply too long. Standing in line at the grocery store we may roll our eyes when the cashier takes too long, but try the same situation on-line and the person "in line" simply hits the back arrow and finds a more responsive site. So, load times are in some ways as important as the quality of the content. The easier it would be for a visitor to find the same content or service elsewhere, the faster your site has to load.

As bad as it may seem that you are losing people to other sites due to slow load times, the problem becomes even worse if those people are finding your site via a Google search. Google measures all their user activity to determine what Google search users like and don't like. Things they like go up and things they don't like go down. When it comes to measuring search results, a click from the search results is seen as a valid indicator of value. But, when a user quickly returns to the search results to try the next link, Google sees that as evidence that the site at the end of the link was not valuable. And, as you might have concluded, the subsequent searches will list your site lower on the search results.

Don't evaluate a site under optimal conditions

One of the most common mistakes I've seen with inexperienced development teams is that the web site owner reviews the site on the developer's computer. It's a natural thing to do because the site has not been optimized or the web server may not have been prepared -- and all of these reasons are quite valid -- but if you don't look at the site under some sort of realistic conditions while developing the site, you may end up with a slow site that cannot be easily fixed. And before you announce your publicly, you certainly must test it out under a wide range of conditions.

I was involved in a situation where an office I was consultant to put up it's very first web page for an online learning program -- this was a long time ago -- and they did not check their new web site under normal conditions. They loved their new site because it looked so much better than all the other web sites. They had wall-to-wall intricately designed graphics. Today that accomplished in a reasonable way, but back in the web 1.0 days, there was no way to get such images into a design without very slow load times. And that's what they had but didn't know it. So they went to announce their new online learning program by purchasing a $50k+ full-page advertisement in the New York Times Sunday edition. Saturday night I got call saying the site was down and could I look at it. It didn't take long to see that the site was running but that the graphics were choking the system. What would have happened if large numbers of Times readers tried to access it on Sunday is yet another issue. It turns out they thought it was broken because the manager went to show his wife the new site and it would not come up. That was the first time the site had been reviewed on a computer other than that of the graphic designer's laptop. I was able to optimize the images and get it down to merely slow, but the lesson I saw that night is one I've seen various versions of many times since.

Stress Tests

Even if a site loads well under realistic conditions, it's unlikely that you will have hundreds or thousands of simultaneous testers. A properly designed site can still come to a crawl if the server has limited capacity. Usually, it's a limitation of bandwidth that will slow the site first. Any decent server purchased within the last five years is going to have enough capacity to serve even the largest Internet connection. But as people divide their servers into multiple virtual servers, the capacity allocated to the web site might not be sufficient for heavy use. So one way to evaluate the capacity of the server and the Internet connection is to perform a stress test. The cheapest way is to get as many people as possible to use the site at the same time and then see what the levels of used resources are. Divide the number of people into the amount of resources to determine how many people could be served. This will give you a basic feel of how many users you might have, but there are so may variables that this number should be considered only an approximation. But it's not an easy calculation even if you do know how many resources a user typically uses. Users who return to your site multiple times may have your site's graphics in their browser cache. That means they take a lot of resources on the first visit but not on the subsequent visits because they are not downloading your banners and other graphics from your site. Users who come from some ISPs, such as AOL, may get images from their ISP's cache. In this case, it's not the first time a person visits but it may be the first time a person visits from a given ISP. All other users, even when it's their first visits, will be downloading your content from the ISP's cache and not from your site. Of course, this is good news for your site in terms of reducing strain, but, as you can see, calculating resources is never easy.

But, if you are on a fixed set of equipment and Internet connections, the most comprehensive review comes from using an external stress test firm. Such firms have servers located around the world and will attempt to reproduce varying levels of traffic from a number of geographically dispersed locations. They will also use different browsers to see if there are any browser-related bugs in your site's design.

The solution I like most is host the web site on a hosted platform where more capacity can be added instantly. Some providers allow a web site to burst up to a higher level of capacity than paid level. If the site consistently goes about the paid level, then the hosting provider will expect you to upgrade to the next service level. While this is a great solution, don't let this option make you lazy. A slow site may not choke the Internet connection of the hosting firm, but your users will still leave the site if is slow. No one is increasing their speed on their side.

Evaluate and Adjust

Many times the parts of the site that will be of most interest to users will be obvious and at other times a site may generate traffic to pages or parts of the site that were not envisioned to be of great interest. Because Google search results flattens a web site's hierarchy of content levels, you may find that a page three levels down in your site is more popular than the pages above it. There can be multiple reasons for this. Perhaps the higher level pages were not clear as how to find the content users really wanted and visitors use Google to find content on your site. But in other cases, your site may simply being supporting needs you did not realize your audience had -- or you found an audience that you didn't expect to be interested. If the cause is user confusion, fix the text and menu options. Web site statistics can be used to see the "path" users take as they click through the site. Look for results that don't make sense. If a large number of people are going to a page and not continuing on as would be expected, perhaps this indicates a problem. Consider bringing up the content or putting a link to it on the home page.

You should also ask yourself if the usage patterns you are seeing indicate a different form of interest than what the site was originally built to address. If so, adjust your site to meet these new needs -- assuming the new audience is of interest to your organization, of course. One of the lessons that's important to learn is that the goal is not just to make a site load faster; rather, it's to get the user to the desired content as quickly as possible.

Monday, December 05, 2011

What are the Top Five Apps to Help Prevent Distractions?

If you work from home, you know how little distractions that take fifteen minutes out of your day can really add up. These can come in the form getting lost surfing the web, playing a quick game of Angry Birds, or listening to your favorite radio show, which are all detrimental whether you're trying to meet a deadline in the office or complete your dissertation. While these are all important aspects of daily living, finding the time to manage your schedule so you can get things done can be hard without the proper guidance. Check out these top five anti-distraction apps that will help you stay on track while you work from home.

Stay Focusd

Have you ever told yourself you would take a five-minute break to watch a video on YouTube but still find yourself glued to the monitor watching cat videos an hour later?
Stay Focusd addresses this issue by providing you with an easy-to-use blacklist for sites that you find too distracting. You can set the maximum allowed time you want to be able to use these distractive sites in a 24-hour period and after that time expires, the extension will no longer let you browse those sites. It is easy to set up and is seamlessly designed for Google Chrome.

Focus Booster

The pomodoro technique has long been thought of as an easy means to give yourself a small break while getting more work done throughout the day. The general idea is to give yourself 55 minutes of work time and five minutes of break time so that you stay focused on the task at hand. Focus Booster is an Adobe Air application that runs on your desktop. You can customize the time to give yourself as much as 15 minutes of break time. Focus Booster also comes in the form of a web app called Focus Booster Live if you don't want to download anything to your desktop.

Read It Later

If browsing RSS feeds causes you to lose a lot of time during your day, then
Read It Later is the perfect companion to minimizing distractions. If you find a page you want to save until later, you can install one of the many extensions for Firefox, Chrome, or Safari and click a small button to add the page to your Read It Later account. When you have time to read everything you saved throughout the day, simply open the page. Read It Later also offers iOS and Android apps and cleans up unnecessary clutter so you only see the content you want to see.

Mr. Number

One of the most annoying things about smartphones is that they can be distracting when you need to get work done. If you want to prevent being distracted by someone constantly calling you or sending you texts, Mr. Number can help. You can block any phone number for any period of time. Mr. Number is available for Android smartphones.

Shush! Ringtone Restorer

One of worst things about silencing your phone to avoid distractions is forgetting to turn it back on when it is needed. Shush! solves this problem by allowing you to silence your phone for a specific period of time. Simply use the volume rocker to silence the phone and a window will pop up asking how long you would like to keep the phone silenced. Once that time period has passed, the phone will return to its previous volume level. Shush! is available for Android phones.

Of course, minimizing the distractions you suffer while using your computer depends on your own willpower. Apps like Stay Focusd include methods to keep you from circumventing their settings such as having to type an entire paragraph of text error free, but sticking to your guns and using these tools as a supplement rather than a crutch is always the best way to get things done in a timely manner.

Elaine Hirsch

Wednesday, October 26, 2011

Kenya pays up with M-PESA

M-PESA and Personal Finance

Since its inception in Kenya in 2007, the M-PESA mobile finance technology has become a widely-used and cost-effective tool for managing personal finances for many developing areas. This small-value electronic payment method was introduced by Safaricom, part of the Vodafone group and largest mobile phone operator in the country. M-PESA transactions in Kenya alone have surpassed those conducted via Western Union throughout the world. It doesn't take a PhD online graduate to see the power of this personal finance solution and realize it's value in developing countries.

“M” stands for “mobile” and “PESA” is the Swahili word for money. M-PESA is literally a “mobile money” service that allows people to make deposits, withdrawals, and transfers without bank accounts. Many businesses have realized its potential and made it possible for customers to pay their bills via M-PESA.

M-PESA is currently available in several other countries, including Tanzania, Afghanistan, South Africa, India, and the UK. It provides a simple way for people abroad in these nations to send money to friends and family members at home.

The service has transformed the way people carry out their personal financing, particularly in the developing nations where more people have mobile phones than bank accounts. It's estimated about 300 million previously “unbanked” people will be using some type of mobile banking by 2012.

Although there are different types of mobile banking services, M-PESA has become more successful because it provided the core of what people really wanted: a way to send and receive money. Other systems offer standard banking services through the mobile phone, but M-PESA doesn't require users to have any bank accounts at all. All they need are their IDs and mobile phones to register for and use M-PESA services.

The initial concept of M-PESA was to provide microfinance institutions a means to collect loan payments easily. However, Vodafone and Safaricom soon realized that was a mistake and reconstructed the program, changing its slogan to “Send money home.” This gave them the opportunity to offer their customers what they truly wanted, which is the major reason for its success.

Before M-PESA, customers used to have quite a difficult time sending money to their rural homes. They would use such unreliable means as putting money in envelopes and sending it through the postal service, public transport systems, or with friends. Alternatively, they had to make personal trips, which was costly and time-wasting. With a vast network of about 28,000 agents in both urban and rural areas in Kenya, M-PESA has helped people do away with such methods and enabled easy access to their money almost anywhere.

M-PESA’s simple user interface coupled with free registration, free deposit, and no minimum balance has made it attractive to customers who previously may've shied away from banking entirely. Many people use the system for personal business transactions without worrying about carrying a lot of cash. With more than 14 million customers in Kenya, its success has prompted the World Bank to pick Michael Joseph, the former Safaricom CEO, to help replicate the model in other developing countries.

Academic studies have shown that a lack of understanding personal finances leads to further externalities such as lack of funding for education. With conventional financial institutions in America and other developed nations funded by public taxes, such a no-obligation, totally mobile personal finance solution might well become appealing worldwide.

Elaine Hirsch is kind of a jack-of-all-interests, from education and history to medicine and videogames. This makes it difficult to choose just one life path, so she is currently working as a writer for various education-related sites and writing about all these things instead.

Wednesday, September 28, 2011

Integrating Cellphones into Classrooms with Positive Results

I'm happy to announce that the post below is the first guest post on this site. Natalie is clearly enthusiastic about the use technology in the furtherance of education. I hope to see many more insightful posts from her. Natalie's bio is at the end of this post. TT

The use of cellphones within the last decade has changed to include more than simply a single mode of communication. As technology continues changing rapidly, educators need to explore the possibilities for using cellphones to enhance learning in online and conventional classrooms, especially on a secondary level. Rather than being a disruption to teaching, cellphones could actually be used by teachers with students as a technology to expand possibilities in the classrooms, if educators are open to changing traditional paradigms.

With the rise of text messaging among all cell phone users (not just young people), educators can recognize the value of this exercise in orthographic knowledge and ability. Some educators regard it as a major distraction, but many want to integrate a popular mode of communication with education and are realizing that text messaging can actually be used to boost learning. Recent studies have shown that texting in the classroom has a positive effect on students' ability to write lengthier and more creative papers in general.

More teachers are harnessing the vast power of texting as an educational tool in a variety of ways. For instance, teachers can have students send in their answers to projected questions for quizzes or discussion as text messages. This simple strategy turns students' phones into a simple and flexible classroom feedback system. Software used to receive text messages from students collects responses and may even give teachers options for managing and displaying collected data.

Student responses are then more easily gathered together and made accessible both to teachers and students themselves. This type of student input can be made anonymous, which can encourage students who might not otherwise participate to do so. By the same token, tracking specific students' responses gives teachers a clear view of who's struggling with comprehension and needs additional help, or who's getting ahead with the material and needs extra challenge.

This sort of constructive use of mobile technology can and should be used in all subject areas as a dynamic tool for learning. Taking advantage of technology students already have and will be using one way or another really is one of the most valuable means of harnessing that technology for educational ends. Whether teachers like it or not, technology is the future of schooling on all levels.

Indeed, cell phone use in the classroom isn't just limited to secondary schools: elementary teachers and students are also finding similar uses. For example, texting has led to the development of a new literary form known as the "cell phone novel." This type of literature is written entirely using text lingo, such as "Ur" instead of "you're." The novels are written in the form of a text message conversation between any number of interlocutors, include minimal punctuation, and are completely open to the shorthand that characterizes text messages. Young students can use this creative and entertaining form of writing to learn narrative structure and even grammatical mechanics (albeit without the usual focus on spelling and punctuation) much more effectively than they would with the rote drills usually reserved for such topics.

It may become increasingly important to take once distracting technologies like cell phones and harness their power for the benefit of the classroom. The transition may be fraught with bumps in the road, and the boundaries of technology use clearly drawn. Education needs to embrace technology, not simply to keep up with a new generation but to actually make good the promise technology holds for learning. Because of its prevalence and flexibility, many educators already advocate the use of cell phone technology in the classroom. Students need to benefit from the increased learning that will occur with well-considered use of technology, and feel validated for utilizing skills they are already confident with. Using cell phones in class can help both educators and students streamline the learning process and have a readily available tool for increasing class cooperation and participation.


Natalie Hunter grew up wanting to be a teacher, and is addicted to learning and research. As a result she is grateful for the invention of the internet because it allows her to spend some time outside, rather than just poring through books in a library. She is fascinated by the different methodologies for education at large today, and particularly by the advent of online education. She also loves to travel and learn via interaction with other people and cultures.

Monday, September 12, 2011

Blog as alternative to school newspaper

Blogs have been great tools for various types of classwork but with today's bevy of smartphone apps that allow for direct editing, the blog is now a very viable alternative to the school newspaper. In fact, it would allow for a near real time newspaper that could be very handy for sporting events, field trips, and other events where people want to know what is going on as it is going on.

Yes, Twitter can provide real time access, but it's limit in the number of characters it can handle and multimedia is constrained to pointing at external links. Google, the owner of Blogger, has just released an app for the iPhone that will allow blog post creation and editing. The user can upload and edit posts just as they would with a computer. The posts can include photos taken by the phone. It's not clear if the app can also handle videos taken by the camera. Given that Blogger handles video, it seems like the type of feature that if not there now can be expected in future releases.

The idea of making a post from a phone is not new. It's been possible to upload posts from smartphones using email for a long time. And, in a pinch one would have to use a smartphone's web browser to edit. Having a specific application makes the entire process easier.

The only issue that you need to consider if the process by which posts are published. If you trust your field reports, you can upload the posts and publish immediately. If there are good reasons for concern, you can have your reporters submit posts as drafts and then have the editor/moderator publish them.


Monday, June 27, 2011

Digital Certificates

Getting a digital certificate is becoming more important as browsers start expecting to see everything that is encrypted as needed a digital certificate. And, many things are expecting to be encrypted -- which is a good thing in terms of security. The digital certificate is what proves to your browser that it is created an encrypted link with the right computer. This is important because encrypted connections often contain sensitive information and one does not want to providing user names and passwords to faked site.

The bad news is that setting up a digital certificate is not an easy process. Most people have created "self-signed" digital certificates -- in fact it's almost impossible not to have self-signed certificates. But browsers don't accept self-signed certificates because there is no external proof that you are who you say you are. That's where a public digital certificate is required.

Below is a diagram of what steps are required to obtain and use a public digital certificate. In upcoming posts, I'll describe my experiences and challenges with getting and using my public certificate.

Wednesday, June 22, 2011

Microsoft System Sweeper

System Sweeper is an important tool that Microsoft apparently uses to scan computers that are manifesting problems that are otherwise not identifiable. I gather that people calling Microsoft for help and still have weird problems will be directed to this free utility. It's a shame that more people don't know about this utility because it finds viruses, trojans, and even root kits.

One of the problems with antivirus software is that once a bad piece of software gets on a computer, it can hide from the av software. This is especially true of root kits -- which dig under the operating system. The only way to find such deeply buried malware is to scan the computer's hard drive before it has been booted. That means booting from another device. System Sweeper comes from Microsoft as a bootable system. The image file one downloads is burned to a CD-ROM. The CD-ROM boots into a specialized version of Windows that has as its own function the running of System Sweeper. So far, most of the people I have given this disk to have come back reporting at least minor problems that they previously did not know about.

I suspect the main reason Microsoft does not make this important tool well known is because most users don't understand the idea of downloading ISO images and how to boot the CD-ROM drive. Because problems on your users' systems will come to haunt your network, it makes sense to make disks for your users and help them run this utility on their home computers.


Monday, August 23, 2010

Open Source Tools for Education

The Guide to Computer Training has an interesting list of open source programs well suited for educational uses. While there are many such lists, this one covers pretty much the most important applications directly related to educational use.

The site also has a useful listing of schools that offer IT degrees of various types. While it may not be difficult to find schools with IT degrees -- probably most universities have a computer science department -- it is not always easy to find only the schools that offer a specific specialty. There is also a review section. Over time, the review section will hopefully become more useful as students and former students report on their experiences.


Tuesday, May 25, 2010

Don't Eat the Cookies

Google has a useful set of tools for blocking cookies -- the type your web browser generates and not the nice ones you eat. First of all, let's set straight what a cookie is. It's a small text file created by your browser at the behest of the site you have visited -- or of a third-party's site somehow related to a site you've visited.

Cookies are not programs, viruses, or Trojan horses. The intention of a cookie is to save user or activity information so that the site may "recognize" you and hopefully make your experience on their site better. The downside is that cookies can create privacy issues. This is especially true with the cookies set by advertisers. In general, you want to allow cookies from the sites you visit but probably not from third-party sites, such as DoubleClick. The link at the top of the page tells you how you may stop third-party cookies plus the ones that DoubleClick set. I had not realized that DoubleClick had gotten around the third-party cookie blocking systems, but it has. The add-ons and instructions on this Google page -- the owners of DoubleClick -- gives you all the information you need to know.


Tuesday, March 09, 2010

Replacing Computer Fans

I recently had an overheating problem that caused the computer to crash after a few minutes. The solution from the computer vendor was for me to purchase a $75 dollar power supply. The power supply was fine; it was the fan that was the problem. I looked online and found a number of places that sold just the fan. I opened the power supply case -- be care because the capacitors can still store electricity after the unit has been unplugged. I was happy to find that the fan was plugged into the case for power. I did some measuring of the fan's size and looked at the number of pins. With that information, I found a replacement fan for $4.00 plus $2.95 shipping. One of the parts vendors I found was directron.com. There are many other sites, but I like their system for quickly finding the right fan.


Tuesday, January 12, 2010

Securing Your Internet Browser

The US Computer Emergency Response Team has a slightly old but nonetheless valuable document on how to secure one's Internet browser. Given the high level of risk associated with browsing the Internet, this form of security might be the single most important step you can take to keep your computer safe.

Browsers are serious applications. They just don't show you a picture of some remove web page, they are interacting with the web site's server in a variety of ways and they have the power to interact with your computer in ways similar to that of your operating system. In fact, some computer magazines have called the browser the new operating system. Great power brings great danger. The more a program can do for you the more it do against you.

The question of which browser is the most secure is frequently debated. Google Chrome now makes that claim because it has a system for isolating the activity of the web pages from the operating system. This isolation, called "sand boxing" is a system used by a number of applications, such as Java. It helps but is no guarantee of security. IE, frequently described as the least secure, can be made secure if the recommendations of CERT are followed. The problem with these solutions is that the end result is a browser that may not be able to do many of the activities expected of it. The best solution, in my opinion, is to make the default settings in IE strong and add sites you know well to the "trusted" list. These sites can do more because the browser allows them to access features that an untrusted site would not be allowed to use. If you go to a wide variety of new web sites each day, you might want to use Chrome, but if you only go to a handful of the same sites each day, a locked-down version of IE might be the best solution.

Even if you dislike IE, you should still read the instructions for making it more secure. Love or hate IE, the reality is that there are number of sites that only function with it. There are times that you have no option but to use IE.

Of course, the best form of security is common sense. The brain is still the best form of security software.


Friday, January 08, 2010

Living with Secunia

My last posting was about Secunia's online scanner. I've downloaded and used their personal software inspector. I have to say that I like it. It does not grab too much of the CPU yet it monitors the system quite effectively. Many applications these days automatically update. Secunia picks up on that and lets you know. This is useful so that you don't run home to put in a critical update when it has already been done.

There are a few things that can be annoying. The main one I have is that it keeps reporting a problem with a fairly unusual application -- in my case, a video camera monitor -- and offers a link to a fix. The fix is the same version as the problem. The video camera people probably will never update their application and given that their system running on my computer does not connect to the Internet, I'm not too worried. The solution I had to use is to "ignore" the application. I would rather not do that in the case there is actually a newer version at a later point.

Yet, given that most vulnerabilities are in the applications and not so much the OS, this tool is a must have. While most programs are getting better at auto-updating themselves, there are many applications out there that don't.

In the school environment, this system is also useful to discovering applications you might not have installed. When you seen an update pending for an application you didn't install or forgot to remove, this provides you a chance to take action. I like the fact that this scanner will tell you exactly where the offending application resides. Most updates don't do that.

I'm going to keep using this product!


Wednesday, November 11, 2009

Secunia: Automating the Windows Software Updating Process

Secunia is one of a short list of firms that perform vulnerability testing. While it does not perform many of the tests that a Blink does, it is light and can be run from Secunia's web site. Most users are aware that Windows system updates are important -- or at least they don't interfere with the automated updating system -- but many of the new threats come from applications such as Flash and Acrobat. These programs are in direct contact with the Internet in a way that exposes them to all types of attacks. Few users would think to even check to make sure these applications are updated.

Secunia is also very useful to finding applications you may not have even remembered installing. On my system it found an ancient version of WinZip. It clearly was not something I was checking for updates, yet many attachments come as zip files and WinZip will automatically start up to uncompress the zipped file. If the attachment was dangerous, WinZip would have been compromised. So, a program like Secunia is important to keeping track of all the potential entry points to your Windows computer.


Tuesday, November 03, 2009

SoundBible: A possible answer to your prayers

SoundBible is a site that contains a large number of free-to-use short audio clips. While many of these sounds can be found elsewhere, this site puts them together in one place, provides a good description, and offers them in multiple formats. These sound files are great for student projects, such as a YouTube or Power Point. This site is also a great way to expose your students to working with audio files without having to work with huge files. They have fun and your lab still has hard drive space at the end of the class.


Friday, October 02, 2009

YouTube Education 2.0

YouTube has just release version to of their education video site. Youth are now using YouTube as their primary search tool. The educational section is something like iTunes University. This site is worth visiting or taking another look.


Friday, August 28, 2009

Installing Snow Leopard: Not an obvious decision

Snow Leopard, Apple's newest OS, is an interesting decision for educators. The school year is about ready to start and it's always easiest to do major upgrades during the vacation periods. Snow Leopard has a number of significant advantages that make it compelling to schools. The advantage I like the most is that the new OS is actually smaller than the current OS. If your drives are packed to the gills, then this move will be potentially quite interesting.

The problem is that not every application your school may be running will operate on Leopard -- or will at least take a re-install. If you are using older versions of software because you cannot afford the upgrade, you may locked out permanently. See Computer World's story on Adobe's statements about their software on Leopard. While Adobe's position is defensible on an economic basis, it's none too comforting to people stuck with old software.


Thursday, August 13, 2009

The Back of the Class is front row

There are many podcasts related to education but a new one, The Back of the Class, takes an refreshingly different approach to educational issues. Shows, such as the one on why the skills of a comedian are useful for teachers, addresses a common problem from what I assume must be the first association of comedic skills with instructional technique. And no, "the teacher must be joking" does not count. :-)


Thursday, August 06, 2009

Nine Ways Google Wave Can Alter the Course of Collaboration

Nine Ways Google Wave Can Alter the Course of Collaboration is a short slide show about the possible impact of Google Wave. While there are amazing up-sides to Google Wave, there are also possible downsides.


Friday, June 26, 2009

Sugar on a Stick

The MIT Review has an interesting bit of news on the next evolution of the OLPC program. The original operating system, called Sugar, is being modified so that it run from a USB flash device. Because Sugar is build for low-end hardware -- what else does one get for $100? -- the operating system and its bundled educational applications should run great on old hardware your school might have in a back room. Sugar, BTW, is a version of Linux.

Sugar and the applications that come with it have been extensively tested with school kids and are in wide-scale use around the world. You know you cannot upgrade your old system to Windows Vista or to OS X, so you have nothing to lose. There is no installation required. You download on to a USB device and set the PC's bios to boot from the device. Unplug the device and the system will boot from whatever is on the hard drive.


Friday, June 19, 2009

Pigs Fly!

InfoWorld has a very good post on Microsoft's recent security advances. Microsoft has spent billions on security and now it is beginning to show. It's not that security is extremely difficult on its own; rather, it is the combination of security and compatibility with old software and old hardware that is the trick. Apple has been able to switch operating systems and start all over again. DOS application, on the other hand, still run on Windows. Personally, I prefer Apple's model but I can understand why Microsoft felt it had to drag its history into the future.

The posting covers a number of the new techniques that closes the doors on the most common avenues for attacks. Whether we like Windows or not, I think we can all agree that reducing the number of zombie computers slinging spam by the billions is a highly desirable goal.

What does all this mean to you? Basically, the answer to whether Windows is security or not must now be considered seriously and not just addressed by a derisive laugh.


Saturday, June 13, 2009

Three Point Lighting

After one jumps into posting videos on YouTube and other on-line services, it's only a matter of time before you start wanting better quality. While a better camera can help, most schools don't have the money to buy high-end equipment.

The most important aspect of video is audio. Unless you are video recording mime or interpretive dance, the audio is important. If you are providing instruction, the audio is critical. We'll cover audio at some later date.

More important than the quality of the camera is lighting. While a high-end camera might be able to correct for common mistakes, it's always better to avoid mistakes in the first place. 3d Rendering has a nice tutorial on how to set up an effective lighting system called "three point lighting." Basically, the idea is to light from the front with a strong light and use a second light at the subject's side so as to create some natural shadows. A back light creates a sense of distance from the back wall. While there are three-point lighting systems on the market, you might be able to get away with less if you have a reliable source of light coming in from a window. You may also be able to cut down on lights if you use a reflecting board to bounce light from where a second light might normally be placed.

The most important thing is to try lots of combinations to see what works best for your environment and subjects. For example, how you would light for a school play would be very different from an one-on-one interview. The concept of three-point lighting is the same but the equipment and angles would differ.

Good luck and have fun!


Sunday, May 31, 2009

Alternative To for knowing your options

One of the great difficulties with working on the cheap is that the software your school uses or would like to use is beyond your budget. While there are many places to find which Mac or Linux based program can replace a Windows program, there are not many sites that provide lists of alternative programs on the same OS. Alternativeto.net does just that.
Alternativeto.net lets you click on a program you use or might want to use to see what other programs do the same thing. The site is still quite basic, but given the lack of alternatives, this site is a lot better than nothing.
If anyone knows of better sites, please put them into the comments area.


Monday, May 04, 2009

Blue Screen of Death

MaximumPC has a great article on the dreaded "Blue screen of death" window that sometimes appears after a sudden crash in Windows. While the message can be an indication of a fatal problem, it also supply you with the information needed to fix the computer. Too often users see the screen and assume that it's only useful to a computer technician -- and then only to make sure the headstone for your dead computer reads correctly. MaximumPC makes it clear that it's far more likely that a recent hardware addition is the cause of the blue screen.

One problem that MaximumPC did not cover is how to handle the situation where the blue screens sails past in a fraction of a second as part of endless loop of failed boots/restarts. My trick with such situations is to use a video camera to video the screen and then replay the recording until I can read the blue screen.


Friday, March 27, 2009

Inexpensive Video Streaming

Streaming video is becoming more common all the time. Point-to-point video, such as Skype, is already huge. But what do you do when the subject to be video streamed is on a distance stage or in a dark room? Web cams were made for people sitting in front of a computer. To my surprise, modern video cameras do not stream video nor do many of the "YouTube" video cameras. I did find a solution but it was not an obvious route: the Sony DCR-HC38.

The newer video cameras can transfer files to PCs and allow for editing of content located on the camera, but very few can stream. Even "YouTube" cameras, such as the Flip, don't stream. While YouTube does not offer live streaming, it does allow live recording. The Flip cannot not handle even this mode. Perhaps Cisco will add this capability now that they have purchased Flip.

I looked at top-end web cams and they simply don't have the optical zoom and steady-shot features I wanted. If all you want to do is to sit in front of your PC and Skype someone, a web cam is fine. However, if you want to stream a performance on a stage, a speaker at a distant podium, or a sporting event, webcams don't cut it. Sony has a new "Webbie" camera, but it doesn't have streaming.

The good news is that some older video cameras can handle web streaming -- and those cameras are now inexpensive as vendors discontinue older models. The unit I found is the Sony Handycam DCR-HC38 ($180). You'll need to contact Sony support for new USB drivers not found on the install CDs. The USB works with XP. If you want to run this on a Mac, you'll need to use the i-link (i.e. firewire connection). I have not tried out the firewire connection with my Mac, but I have used the USB on my XP laptop using Skype and one of my streaming services, Mogulus.

Mogulus is a great service for broadcasting public content. The most significant downside is that they don't have mechanisms for restricting access to a broadcast. Their paid-for offering does have privacy settings but it's far too expensive for non-commercial use. Kyte, another streaming service, does offer private broadcasts, but it's limited in terms of functionality as compared to Mogulus and it has a 60 minutes limit. That's a lot in YouTube terms, but not enough for many meetings/events. I'm now exploring Justin.tv. It does not have time limits and it allows for free private broadcasts -- with commercials. I have not used it as yet, so it may have downsides I don't yet know about.

If you think you might want to do video streaming, buy one of these discontinued cameras before new and probably much more expensive cameras hit the market. Yes, the new cameras will have better video quality -- but the extra quality will not translate to the image seen via the Internet.


Tuesday, March 10, 2009

Look mom, no wires! (Wireless Vue cameras)

Avaak has a new web cam system -- Vue -- that does not require a computer, Ethernet wires or even a power cord. Additionally, while it transmits over the Internet using wireless signals, that signal can ride over links between camera units. These units use mesh networking to link one camera to another. At the end of the chain is a base station that links to your network. Mesh networking is a great way to extend a network's range well beyond the source of the school's Internet connection.

These units can be great for a school that needs to get a video camera to a difficult to support area. Because the units require no wires, it should be easy to put these cameras into weatherproof enclosures and us them outdoors. These could be used to monitor the parking lot, play ground, and other places that video cameras have difficulty being installed.

Another aspect I like is that this is a mobile system. As long as you have some access to the Internet for the base station, you could "string" the video cameras all around a special event, such as a sporting event or a performance in on the stage.

These cameras use lithium batteries for power. I have no idea how long these unit operate. Fortunately, given the fact that the units broadcast over the Internet, it should be easy to see when a unit has run out of power.

I should point out that broadcasting over the Internet does not mean the video streams are public or even that the video goes over the public Internet. Your school may just want to use it for internal coverage and have the signals stay on the school's LAN.

In any case, this system does appear to solve a number of video needs that are not otherwise easily addressed.


Tuesday, March 03, 2009

Flexible display gettting closer to school

Flexible screens appear to be one step closer to being in the schools. The video above shows a demo of a small version of a flexible screen. Of course, one of the things I noticed was that the display can written on, as well.

I think one of the main benefits for a display being flexible is not so much that it can be rolled up, but because it is probably going to be able to resist the physical punishment of being carried in a heavy book bag or crammed beneath a desk top.

Ebooks have always had promise of being replacements for paper textbooks, but this new invention would also allow students to do homework and take tests on the hardware. The possibilities are truly exciting.


Tuesday, February 24, 2009

Your computer is the plug

Marvell has produced a new Linux server that plugs into a wall socket. Essentially, what Marvell has created is a small Linux appliance. Others have gone this direction. What I like about this one is that it plugs directly into a wall socket and is designed to run all the time. One potential use for this computer is a host for a web camera. Internet ready web servers can cost quite a bit and they actually include a web server in their hardware. By using a computer with a low-end web camera, you get both the camera and the server, but you control the mix of the two.

This unit could also be used to run a continuous presentation in the school lobby or some other place that a full size computer would not work.


Kindle Two Arrives Today -- what it means to you

Amazon's new Kindle is launching today. The first model was a big success and the second model has been getting even better reviews.

It's $350 price is not so bad if one considers the lifetime wireless connection and the savings of e-books over paper books. The unit could pay for itself in less than a year. My hope is that Amazon can get the school textbook publishers to convert their text books to Kindle-ready formats. Not only would it save a huge amount of weight on our students' developing backs, but content could be updated on the fly. The Kindle and those that will follow will be our future. The only question is whether the publishers will participate fully or be dragged into the 21st century.


Thursday, February 19, 2009

Anyone who has purchased a fully functional calculator knows they don't come cheap. You also cannot use the calculator that Microsoft or Apple supplies. SpeedCrunch is an open source project that matches the features of a top-end calculator and then adds some features that only a computer interface allows. With the new nettop computers, it may not be much of a difference between an expensive calculator and nettop computer in terms of expense. SpeedCrunch runs on all major OSes.