CompuBlab

If it's computer related, we'll blab about it!

Month: June 2011

Patient Records Online – A Really BAD Idea

Today I read in the British publication The Telegraph that a London hospital is making plans to move patient records “into the cloud” (which is to say, they wish to make patients’ records available online).

Folks, this is as BAD an idea as I have seen since it was proposed that presidential elections in the United States should use online voting!

Why is this a bad idea? I can spell it out for you in one word: Security (as in “the lack of”).

If you have followed the news at all this year, the number of so-called “secure” systems whose data have been compromised is astounding:

And the list just keeps going on and on…

Folks, I’m going to give it to you straight. I am a computer scientist who holds both a Bachelor’s and a Master’s degree in computer science and has over thirty years in the profession…and I will tell you that in the final analysis, your data online IS NOT SECURE!

Encryption, the scrambling of data that so many online databases tout as protecting your data, can be broken (and has been broken time and time again). Multiple method user identification (like the RSA SecurID device) has been broken as well (see above). SSL certificates, the things that let you log into a website “securely” for things like online banking or making purchases, have been “forged” in the past. Passwords most certainly are not secure (so many can be simply “guessed” with just a little information about the account holder), and this is before we even BEGIN to factor in:

  • Unscrupulous employees of the companies that are supposed to be protecting your data (a.k.a. “inside jobs”)
  • Social Engineering – a con method of getting someone to reveal key information about their account so that a hacker can compromise their data
  • Human error where data is exposed to the public by programmer or administrative error rather than by being “hacked”

Given the list above (and this is just some of the more largely publicized break-ins), I don’t think you need to take my word for it. Read those articles and do some searching for yourself online. If your data online was that secure, then why are there so many break-ins being experienced by these so-called “secure” computer systems?

Now bringing it back to patient records online, Tony Lucas, the founder of Flexiant, the company that is putting all of this together, is either misinformed or just plain lying. Again I direct you to the list of compromised systems above. There are techniques that can help secure your data against amateurs trying to gain access to it, but in the face of determined system crackers, the evidence is overwhelmingly against him that your information is actually secure.

Most distressing to me is that Mr. Lucas is making noise about this information being available via mobile phones…a technology that to date has still not demonstrated that it can be safe from malware.

When it comes to the computer security techniques employed today, I like to use the analogy of someone who wants to steal your car. Do you lock your car doors? I know I do. Do I think that it 100% protects my car from theft? Of course not! If someone really wants my car…there are ways to get it. Same thing with car alarms. Do you think that just because you put an alarm system on your car that no one is capable of stealing it? For me, the answer is “of course not.”

The goal of many protection systems on a vehicle (such as locking the doors or installing an alarm system) is to prevent the mischievous kid, the amateur, or the opportunist from stealing your car. I think most people are aware of the fact that if a professional car thief wants your car, they ARE going to get it.

And so it is with computer security.

We use encryption, secure IDs, SSL certificates and passwords to protect our data against the amateurs, the opportunists, etc. If a “professional” wants to steal our data…their odds of getting it are pretty good.

With the state of security being what it is, do YOU feel good about having YOUR medical records placed online? The potential for abuse is enormous, and the protection that these companies are offering up for your data is by no means air-tight.

Please keep all of this in mind the next time someone offers to put your medical records online, or to have voting for the next President of the United States handled online.

Warrantless GPS Tracking

Is it legal for law enforcement officers to track your location via GPS without a court order? By agreeing to hear the case of Antoine Jones, a man from Washington who was convicted on drug-related charges in 2008, that is precisely the question that the US Supreme Court will most likely have to answer.

You see, a lot of the case against Antoine Jones traces back to GPS tracking information that was obtained by placing a GPS tracker on Jones’s vehicle. Jones’s lawyer is claiming “foul” in that he asserts that attaching a GPS tracker to a suspect’s vehicle is much like tapping a suspect’s phone…and phone taps require a warrant from a judge. This is a perfect case of technology progressing beyond what the framers of the US Constitution ever imagined.

As you may know, the Fourth Amendment protects individuals against unlawful search and seizure. One instance of this protection is seen in “phone taps” or “wire taps,” which require a warrant from a judge before they may be performed. A judge’s job is to ensure that law enforcement officers are requesting the phone tap because they have a reasonable suspicion of wrongdoing…and not for any other reason (well, the REAL definition of this is a bit more specific, but I am generalizing here for the sake of brevity).

Well, Jones’s lawyer is asserting that GPS information tracking should be held in the same regard as phone conversations. Namely, that such information is private, and that only by the granting of a judge’s warrant should such tracking be allowed under the Fourth Amendment.

How the court rules on this issue is likely to impact all of us. At stake is personal privacy versus the ability of law enforcement officials to gather evidence against suspects.

My personal take (which is to say, my opinion only):

I personally believe that GPS tracking SHOULD require a judge’s warrant. I don’t believe that anyone should be allowed to “track” anyone else without their knowledge unless a judge has been convinced that there is probable cause of wrongdoing. To me, the “secret” tracking of someone via a GPS tracker is akin to “stalking” a person…an action for which there are laws already in place for the public’s protection.

I should also point out that while this is my opinion, I also think that there is a problem with our legal system regarding the improper gathering of evidence. For example, if an officer gathers evidence in a manner where the authenticity of the evidence is not in question, but the legality of the evidence IS in question, then I think that the evidence should stand (that is, I think it should be able to be used against the defendant). An example would be where an officer discovers a dead body in a suspect’s closet moments before a search warrant arrives. There is no disputing that there is a dead body in the suspect’s closet. Unless there is some question of somehow the body being planted in the closet, I think the evidence should stand and that the officer should receive appropriate consequences for his or her actions.

Again, just my two cents…

So keep an eye on this issue in the news. I certainly will be watching it.


Been Busy!

Greetings all!

Sorry there has been a slight delay in posting here. Personal life has gotten just a tad busy.

This past weekend I participated in “Field Day,” a single day in the US where all amateur radio operators go out into the field and operate on portable power for 24-hrs. It is a chance for amateur radio operators to practice their emergency communications skills in a fun way. I made some new friends and enjoyed helping out.

Anyway, back to the compu-stuff…

I have been watching the technical news over the last few weeks, and when I started this blog I expected to be talking about computers and related technology. However, now I find that dominating the news seems to be two recurring themes:

  1. Mobile Devices
  2. Security Breaches/Hacking

Sadly, part of the news dominating the Mobile Devices topic is lawsuit after lawsuit by one mobile technology company against another. This is evidence of our horribly broken patent system in the United States, and is also an indicator as to why mobile technology prices in the United States are so much higher than they have to be. In the end, I think the only ones that are winning in this battle are the lawyers…but that’s for another post (or several).

Security breaches have been on the rise, and two world-wide hacking groups (Anonymous and LulzSec…you can think of them as two teams in the game) have been garnering a lot of press.

I’ll have something to say about these topics in the very near future.

Thanks for tuning in…more to come shortly…

Non-Admin Logins

If you’ve read the news at all lately, you are no doubt aware that computer hackers and “malware” (software that does malicious things to your computer or your data) are very much on the rise. As such, I thought I would comment on a computer setup technique that is very simple to implement, yet stops a large number of malicious software programs before they even get started.

This technique involves setting up a “non-administrator” login account. This technique is especially important to users of Microsoft’s Windows XP operating system…but it applies to ANY operating system.

Whenever you access a modern operating system (such as Windows, Mac OS, Linux, etc.), you typically have to “log in” to the system using a user name and password. While some operating systems can make it look like you are bypassing this step (such as some configurations of Windows XP), the fact is that you really are NOT bypassing the login phase. What is occurring is that the operating system is logging you in “automatically” to a specific “default” login account.

Login accounts serve many purposes, one of which is to be able to assign permissions to the user of that account. Permissions are used to limit what actions a given user is capable of performing. For example, you would NOT want just any old user of your computer to be able to format the main hard disk, causing you to lose all of the data on that drive. Some people might format the disk maliciously…others might do it accidentally. To prevent this, only highly trusted users have their login accounts granted the permission to perform such a potentially dangerous action.

The thing that is important to note here is that some operating systems (Windows XP was one of them) used to set up your log in account for you during installation…and always set up the account as an Administrator (an administrator account is one that typically is allowed to do ANYTHING on the system). When it comes to malware…running in an Administrator account is a death sentence!

You see, malicious software typically needs to install itself somehow onto your computer in such a way that it will be activated each and every time your computer is turned on. To do this, it needs access to parts of the system that non-administrator logins usually are not allowed to access. Since malware first runs under the account that is logged in at the time it first arrives on your computer, if you are logged in as an administrator, the malware has no trouble at all installing itself into the deep recesses of your computer. However, if after you set your computer up you were to create a “non-administrator” login account…and if you always used THAT account for your everyday activities, then malware would have a MUCH harder time trying to install itself into the operating system.

Now, there are some really “hard-core” malware programs out there that can take advantage of flaws in your operating system or other related software and install themselves even from a non-administrator login account. However, by using this one setup technique, you eliminate a LARGE percentage of the malware floating around on the internet from being able to trouble you.

Since each operating system has its own method for setting up login accounts, I can’t give you a step-by-step description on how to do that. You will need to read the manual (always a measure of last resort!) or else get assistance from a computer savvy friend or family member that you trust.

If you already have a non-administrator account that you use on your computer for everyday tasks, then good for you! If not, make it a goal this week to set up (or have set up on your behalf) a non-administrator account and then USE THAT ACCOUNT for your day-to-day activities. The headache you avoid may just be your own!
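One way to check whether the account you use every day carries administrator rights on a Linux or macOS system, as an added example that is not part of the original post. It assumes the common administrator group names `root`, `sudo`, `wheel` and `admin`; the function names are hypothetical and the sample `id` lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: decide from the output of `id` whether an account is
# administrator-capable. The group list is an assumption covering common
# defaults (Debian/Ubuntu: sudo, Red Hat/BSD: wheel, macOS: admin).
ADMIN_GROUPS="root sudo wheel admin"

# is_admin_id "<one line of id output>"
# Exit status 0 if the account is uid 0 or a member of an admin group,
# 1 otherwise. Groups that `id` shows without a name are ignored.
is_admin_id() {
    id_line=$1

    # uid 0 is the superuser no matter which groups it belongs to.
    case "$id_line" in
        "uid=0("*|"uid=0 "*) return 0 ;;
    esac

    # Isolate the groups=... field; it ends at the next space, so a
    # trailing SELinux "context=..." field is not swallowed.
    groups_field=$(printf '%s\n' "$id_line" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p')

    # Turn "1000(alice),27(sudo)" into one group name per line.
    names=$(printf '%s\n' "$groups_field" | tr ',' '\n' |
        sed -n 's/^[0-9]*(\(.*\))$/\1/p')

    # Exact comparison, so a group such as "sudoers-audit" does not
    # count as "sudo".
    for g in $names; do
        for a in $ADMIN_GROUPS; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

# account_role "<one line of id output>"
# Prints "administrator" or "standard".
account_role() {
    if is_admin_id "$1"; then
        echo "administrator"
    else
        echo "standard"
    fi
}

# Report on the account running this script.
printf 'Current account (%s): %s\n' "$(id -un)" "$(account_role "$(id)")"

# Constructed sample lines showing both outcomes.
for sample in \
    'uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo),100(users)' \
    'uid=1001(bob) gid=1001(bob) groups=1001(bob),100(users)'
do
    printf '%s -> %s\n' "$sample" "$(account_role "$sample")"
done
```

Group membership is only one route to administrator rights: a sudoers entry that names the user directly would not show up in this check.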

Social Networking and Birthdates

We all have heard about the dangers of identity theft. There have even been some clever commercials about it on the television. But when the “bad guys” get a hold of enough information to impersonate you to the point where they can establish credit in your name, you are in for a world of hurt. The amount of time and effort that you must spend to clean things up, not to mention the damage to your reputation and the pain of clearing your credit rating, can be enough to give you a major migraine headache.

But did you know that those who are listing their birthdates on social networking sites (or any other site for that matter) are taking a risk with their identity?

The information that an identity thief needs to steal your identity is:

  1. Your name
  2. Your Birthdate
  3. Your Social Security Number

The name is pretty much a given. It can be taken from lots of places. The social security number is something most of us by now have heard that we need to protect with great vigor. But what about your birthdate?

Well, beyond the fact that it is one of the three pieces of information that an identity thief needs to steal your identity, it was reported two years ago that it is possible to “guess” your social security number with a surprisingly high degree of accuracy given only your birthdate, the state of your birth, and publicly available data.

Research at Carnegie Mellon University in 2009 showed that by using your name, birthdate, state of birth, and publicly available data, they could predict the first 5 digits of your social security number with 60% accuracy in only two tries! And with less than 1,000 attempts, 8.5 percent of people’s complete social security number could be accurately guessed.

Of course you may be saying, “so if it takes 1,000 attempts to get my SSN correct, what have I to worry about?” Well, it turns out plenty. You see, the “bad guys” can create programs to query credit card systems to apply for a credit card. They can try different combinations of name, social security number, etc. over and over again until they get the right one. Thus, needing only 1,000 tries is not that big of a deal to them.

Now also keep in mind that this research was performed TWO YEARS AGO! I have no doubt that statistical methods, as well as the data contained in online public databases, have only increased the accuracy of such predictions.

Now consider the millions of people who use social networking tools such as Facebook who proudly post personal information such as their home state, their birthdate, etc., and you begin to see the potential for abuse of this information. An additional problem with birthdates is that there are so many public databases that contain this information that the persistent “bad guy” could probably find your birthdate without much trouble. But why would you want to make it easy for them?

With regards to social networking sites, there are a growing number of people who now give false birthdates so as not to divulge that information so publicly. However, whether or not you want to make it easy on the “bad guys” by posting it on your Facebook profile is up to you. The purpose of this post is to simply make you aware of the potential danger, however slight you may feel that it is, so that you can make an informed decision.

Until next time…think before you post!

 

Bill to Legalize Online Poker

With an economy crumbling, wars and rumors of wars all around us, terrorism running rampant, and troops in harm’s way on foreign soil, where do some of our elected officials get the time to propose bills to legalize online gambling? But that’s just where Rep. Joe Barton (Texas) has been spending some of his time.

How sad that with the nearly limitless possibilities of good that could be accomplished by applying technology to modern day problems, some of our elected congressmen are more worried about how technology gets applied to gambling than to how it gets applied to educating the many people in this country who cannot read. Even though I oppose gambling on many grounds, I do subscribe to the idea that people need to be allowed to make choices for themselves. But even so, there needs to be a sense of priority here…and I truly cannot fathom how Mr. Barton can justify spending his time in such a pursuit with the myriad of critical issues before our current congress.

Technology introduces a number of “gray areas” and “new interpretations” into our legal system whose laws were never designed to take into account some of what technology provides us today. Posts in this category will be designed to help inform you as to what some of those issues are so that you can have more information to help you make your own decisions.

I’ll post more on this subject at a later time…

Happy Father’s Day!

A big “Happy Father’s Day” to all those Dads out there!

IBM Turns 100

If you think about it for just a moment or two, you’ll realize the difficulty in a technology company staying relevant for 100 years given the rate and diversity of technological advancement during that time. Well, IBM has done just that.

Of course, IBM is a totally different company today than when they started out 100 years ago as the Computing-Tabulating-Recording Company in 1911. It wasn’t until 1924 that it changed its name to IBM (which computer folks used to refer to as “itty bitty machines”).

So here is a salute to IBM for managing a feat of epic proportions in this day of constant technological change.

 

PC Magazine has a write-up with more details on 100 years of IBM.

Dropbox and Online Storage

If you are a user of an online storage facility like Dropbox or one of the many others, have you considered the security ramifications of what you are doing?

Today, computing “in the cloud” is a big buzzword (that should probably be “buzzphrase”). Cloud computing, in its simplest form, is just a fancy way of saying that your computing resources are coming from someone else. Online storage and backup services have been around for a while, and I have been amazed at how people have not understood all of the impact of storing data online.

Perhaps the most important thing I want to make certain you consider is exactly WHAT information are you putting on someone else’s servers. Is it just pictures, or school projects, or other items not of great importance to anyone but you? Then you are fine. But what if you are storing files related to your banking, or tax returns, or other sensitive information? Here you might want to give pause for storing such information “in the cloud.”

You see, no matter what these companies tell you, computer security is still in its infancy. These companies may tout that they use “encryption” methods (that is, they “scramble” your data in such a way that hopefully only THEY can recover the original data at a later time) to hide your data…but what they don’t tell you is that encryption is not “fool-proof” protection. In addition, when you put your data on someone else’s servers, you have to also hope that the company who is hosting your data screens its employees very carefully. Encryption doesn’t mean diddly if the company’s employees are not properly screened and are given access to both your data and the encryption algorithms used to protect it.

I am not saying that online storage is not to be trusted…I am saying that you need to be made aware of the risks of putting your data online. If you choose to put your data online and you have an understanding of the risks and accept them, then this is a good thing.

KNOWLEDGE is your best weapon against bad outcomes with computing…and knowledge is what I hope to impart to you. Do not assume, just because your data is encrypted that it cannot be read. It makes it more difficult to be read, but there are ways of breaking encryption. If you need proof of this, just follow the tech news for a few weeks and you’ll see how many security violations are being reported in the news on a weekly basis. Encryption is good…but by itself it is not, in my opinion, sufficient to protect your data.

The best security for data is to not have the data accessible to those who might try to gain access to it. Tax return information stored on a CD in your home is much harder for a hacker in another country to gain access to than data you have uploaded to an online storage facility.

Don’t get me wrong…I am not saying “never use online storage”…I am only saying be very aware of WHAT you are storing there…and know the risks. Life is not without risks. The important thing is that we identify the risks and choose for ourselves what risks are worth taking and what risks we choose to avoid.

Knowledge is the key, my friends, and that knowledge will set you free!

More RAM is Better

A quick note for those of you who are contemplating buying a new computer…

Many times we are entranced by a salesman or a spiffy advertisement to spend a little extra money to go for that slightly faster processor than we originally planned. Well guess what? A computer’s performance can be degraded by many things…not all of which have anything to do with the processor.

In technical terms, we describe these different bottlenecks as “I/O bound” or “CPU bound”. What do these mean? The layman’s description for these terms has to do with what part of your computer is “standing around waiting for something to do.”

An I/O bound process means that your input/output hardware (things like your networking, hard disk drive access, etc.) is going as fast as it can (being utilized 100%) while your processor is standing around waiting for your I/O subsystems to fetch what it needs so it can do its work. In cases like this, that extra money spent on the faster processor is pretty much wasted.

A CPU bound process means that your CPU is working as fast as it can (being utilized at 100%) while your I/O subsystems are waiting for your CPU to give them more work to do. In THESE cases, the shelling out of more money for a faster CPU would make a difference.

But here is the kicker: More often than not, processes are I/O bound…NOT CPU bound! That is, more often than not, your processor is more than fast enough to do what you want…it is the rest of the Input/Output subsystems that cannot keep up!

So what’s a guy or gal to do to get the biggest computing “bang” for his or her computing “buck?” Well, it turns out that MOST of the time, adding additional memory (RAM) decreases I/O bottlenecks…and fortunately for you, RAM memory is a cheap component to increase.

So why would memory (RAM) help with Input/Output intense programs? Well, it has to do with how your computer uses RAM memory.

You see, RAM memory is the “fast” electronic memory your computer uses to hold running programs and their data. This is some of the fastest memory on your computer, and so it is a vital resource when it comes to your system’s performance. Due to some advanced memory techniques (known as virtual memory), when your computer runs short on this fast RAM memory, it starts to use your hard disk (in the form of a “swap file”) as additional RAM memory. The good news about this is that it lets you run more programs than you otherwise could. The bad news is that when your computer begins to use the hard disk in place of RAM memory, things slow WAY down (because a hard drive is MUCH slower than electronic memory).

The solution, you see, is to add more RAM!

Sadly, it has been my experience that most computer vendors today sell computers with far too little RAM. They will sell you a computer with FOUR processors (a quad-core computer) and not enough memory to hold just the operating system (like Windows) plus a complex program (like some of today’s newest games). Fortunately, adding memory today is pretty cheap, and is something with just a small amount of care you can do yourself.

This information that I have presented here holds true for most computing uses. However, there is one field of home computer use that needs more information, and that is the field of hard-core gaming.

Today’s latest computer games (the really graphics-intensive games) rely very heavily on the ability of the graphics card to perform countless computations in order to create a visual experience that rivals real life. If you are a person that is into such games, then performance problems can also be related to your graphics card (for the non-gamer…the graphics card is rarely a problem). Even here, you have to be careful about buying a souped-up high-performance graphics card and then not giving your computer enough RAM memory to keep from getting bogged down.

I’m not going to go into a detailed discussion of video cards and gaming in this post, as it has already become rather lengthy. I may take that up in another post. But for now, just know that many times you can get better computer performance by adding one or two additional gigabytes of RAM than by spending the money for a faster processor.
