Macs have long had a backup system (called “Time Machine”) that the user simply “sets and forgets”

I’ve often wondered why Microsoft can’t do something similar as the whole area of backups is one that a huge number of users find too complicated, too confusing and too tedious to engage with. All the advice I ever give about the importance of backups is probably ignored at least half of the time because it’s just too complicated a subject. Beyond Microsoft’s offerings, I’ve also been looking elsewhere for years for a simple, trustworthy backup system that manages to square the circle of combining simplicity with flexibility. I have yet to find such an animal but it seems that Microsoft may now provide an adequate solution built into Windows 8.

It is called “File History” and is available from the Control Panel.

File History Main Menu

The main menu is reasonably straightforward

It provides flexibility and ease of setting up by assuming that you will wish to back up all data found in your libraries plus the contents of your desktop, contacts, and favorites. If you always save your data in the recommended locations (eg in “My Documents” or “My Pictures”) then your data will be backed up without any further ado. If you keep data in folders that are not contained in libraries then you can add those folders to existing libraries or create a new library where you can place all of the extra folders that you wish to back up.

But – and it’s a very very big “but” – there are folders that could contain absolutely crucial data that would not be included in the backup unless you knew about them and dug deep to find them and add them to the backup schedule (by adding them to a library). The most obvious of these that comes to mind is the “pst” file if you use Outlook. Why on earth do Microsoft hide this most important of data files in a folder that is not only kept apart from other data files, folders, and libraries, but which is also hidden by default? The “pst” file contains all of your email messages, calendar, contacts, and task lists. As far as my own business is concerned, my Outlook PST file is the most important file I have (together with my Clients database). The same applies to other “email clients” from Microsoft. Outlook Express and Microsoft Mail also set up your data files, by default, in a hidden place that’s really tricky to find unless you know what you are doing.

Select a drive for File History

External drives, USB flash drives and network drives can be used for backups

File History is quite flexible in letting you choose where your backup is going to be made. You can not create the backup on your main “c:” drive (as a hard drive failure could lose you your backup as well as your normal files) but you can use USB flash drives, external hard drives, and even network drives. You could also back up onto a different partition of your main drive, but that’s risky, of course, in the event of a total hard drive failure. If the backup location isn’t available when the backup is made then the program caches the backup on the hard drive ready for when the backup drive is available. Personally, I don’t like this as it could lull you into a false sense of security about the state of your backups. I’d rather be told if a backup is not possible because the backup location is not available.

You can choose how long you wish to keep your backups (weeks, months, forever while there’s still disc space) but I need to do more digging to see if backups are automatically removed when they get to a certain age (very very bad) or removed when they reach a certain age provided that there are newer versions available (much better).

You can choose how often backups are taken, ranging from every 10 minutes to once a day. The backups then take place quietly in the background, without (apparently) causing any noticeable effect on the performance of your computer for whatever else you are doing.

Exclude from File History options

Folders and libraries can be excluded from backups as well as being added to them

From what I’ve found out so far, there are other weaknesses in File History. For instance, if you change the name of a file then that name change is not applied to backups: it’s as if you’ve created a new file. For now, though, I’m so pleased that Microsoft have, at last, built some kind of simple data backup system into Windows that I would encourage you to use it if you are not doing any other kind of backup. I could probably help you to set it up by remote control (using Teamviewer), but remember that it is only available in Windows 8 – not in either Vista or Windows 7.

File History Restore Menu

Restoring files just requires “stepping forward or backward” through time and then “drilling down” to select the files(s)

If you don’t take backups then it probably means that you’ve never had a serious data loss yet. And that’s the key word – YET. I’ve seen a few heart-breaking data losses over the years, but I know that it’s difficult for the average user to get their head around the subject. Looked at from that perspective, I think File History in Windows 8 is certainly better than nothing.

I’m going to be testing it in the coming weeks and months by running it side by side with my normal backup routines. I’ll come back to the subject if I find any fatal flaws or useful tweaks.

Originally set for April 2014, the launch of a plan to suck all our private medical data into one central NHS database has been put back six months

NHS-LogoSee NHS database launch plans delayed.

In common with many, many people and organisations, I am not convinced that access to the data will be restricted to bona fide “researchers”, and I am not convinced that the data will be “anonymised” such that I can never be identified.

Furthermore, I am not convinced that the leaflets have been sent out informing us of this new development and telling us how we can opt out. Note, by the way, that the default position is that we are opted in until we take action to opt out. If you do nothing about it then the data that you thought was private between your GP and yourself will be sucked into cyberspace and made available to “researchers”. I have not yet met a single person who has received the leaflet that the NHS claim has been sent to every household in the country. Maybe the information on the leaflet is roughly the same as on this NHS Choices web page on sharing your medical information.

Why don’t I believe that my data will remain anonymous? Two main reasons:

1) The combination of specific items in my medical record could be linked together with other specific items known about me (such as records of purchasing specific drugs/medications from a particular source) so that the possessor of the second set of data items would know the details of my medical record. This is a very real possibility: it’s known as a “jigsaw attack”. The data that the NHS is collecting will be made available to “researchers” including private companies. I think it’s safe to assume that we can take “researchers” to include the global pharmaceutical companies and, possibly, insurance companies.

2) Unless I’m being really dim about this, the “anonymising” of my medical history before it gets uploaded to the NHS database can not possibly be foolproof. The idea is that certain unique pieces of information (such as date of birth, NHS medical number, gender) are used to link together the known details about a specific person’s medical history and this history is then uploaded with a newly generated code instead of the identifiable information (date of birth etc). This is supposed to make the uploaded data “anonymous”. But – and it’s a big “but” – if they are going to maintain an ongoing history of that person then they need to update the information. To do this, they need to know – now and forever – how to link the identifiable pieces of information with the “anonymous” code. That ability to link the person with the “anonymous” data must always exist. If it exists, then it can be exploited and abused.

Filed-RecordsThe idea of creating a huge database of the medical history of the entire nation is great when kept in the abstract. Over time it will yield no end of data that will be incredibly useful for healthcare planning, research on disease development and prevalence, monitoring of health outcomes, and goodness knows what else besides. The problem is that I have no confidence in the NHS being able to keep my data secure. This is further undermined by the way they are going about introducing this :

  • Requiring us to opt out instead of opting in
  • Failing to inform us properly of the plans
  • Failing to inform us properly of the way to opt out

.. and I haven’t even mentioned the NHS record in the past for losing or mishandling our data. This is from The Daily Telegraph (but they have now removed the page that was my source – 09/11/2017):

…NHS statistics, revealed over the weekend, showed that health services were losing or breaching the safety of 2,000 patient records every day. More than 2 million serious data breaches by the NHS have been logged since the start of 2011, the figures reveal, with records dumped in landfill sites, left in shops and even sold on eBay.

NHS-Choices-LogoAm I going to trust these people to take all of the private information about me that has been recorded by my GP, and put it in a central database available to “researchers” (including pharmaceutical companies, insurance companies and hackers, of course)? No way, Pedro. I am not.

As soon as I had written the above, I hied off to my GP surgery to ask them how I can opt out. The nice lady there gave me a copy of a letter attached to a very simple form, that recorded my instruction not to have my data included in the database. I filled it in and gave it back to her. I don’t know who wrote the letter attached to the form, but it states the case so well that I have scanned and uploaded it. You can download it here – NHS-database-Opt-Out

All of this makes me feel very small and almost – but not quite – powerless. Who knows: maybe they will cave in completely and abandon the idea before we reach the postponed start date. The Daily Telegraph (not one of my usual haunts in cyberspace) seems to have got their teeth well into this story. If you are of a mind to investigate further, try this item, in which they summarise the risks v benefits of the NHS patient database.

Just for the record, I am not an NHS basher. I think it’s a wonderful service that we should be proud of, and I am very grateful that it is there for me and for everyone else. I just don’t trust the NHS – or anyone else – to be able to safeguard my medical data if it goes into one huge database floating around in cyberspace and available to private organisations with a financial interest, and all the other cyber rogues who wouldn’t be able to resist a goldmine when they see one.

Oh, and here’s a parting thought: would the American NSA be interested in its contents? I wouldn’t bet against it.

It’s 50 years (really!) since The Rolling Stones sang “Not Fade Away”

It could almost be an anthem for Windows XP.

Microsoft Ends Support for Windows XP - screen capture from Microsoft

Click the image to find out for yourself

Is no-one listening to the warnings about the impending end of Microsoft support for XP? I’ve just been looking at some statistics of my website visitors and was astonished to find that the percentage of Windows XP users visiting my site in the last month (16.1%) is exactly the same as the figure for the last 12 months (16.1%).

What could be the reasons that there seem to be as many XP users as ever?

No-one is taking any notice

I’ve heard people compare this situation with the “millennium bug“. They’re saying that the world didn’t end then, so why should it end now? Well, that’s a bit like saying that Krakatoa’s last eruption didn’t finish us off, so why worry about Somerset turning into Waterworld?

I would argue that not only was the millennium bug a completely different situation, but it wasn’t even the non-event that people now choose to remember. I was designing database systems at the time and I remember having to come up with some pretty nifty formula changes to compensate for the fact that software date arithmetic at that time assumed that all dates were in the 20th century. Had we not been concerned about similar problems in the chips themselves, there would have been a lot of inconvenience that was avoided.

Aside from silly comparisons with the millenium bug, do you want to risk everything on your computer – and every other computer that is connected to your local network – just to keep an XP machine running a bit longer?

Windows XP logo as a gravestone against Windows XP desktop backgroundPeople have taken notice but think they are invulnerable

Yes, I think this could well be true of a lot of people. There are still people out there who won’t take antivirus software seriously, so why would they even bother to consider the possibilities of virus and malware writers exploiting an increasingly fragile XP? To those people I say “thank you for paying me to remove your viruses”, but please, instead, just accept the reality that you are safer using antivirus protection and you’ll be safer not using a Windows XP computer after March 2014.

My figures are not typical

Actually, they are. Figures published in Jan 2014 by Net Market Share, StatCounter, and W3Counter, show Windows XP share of the market as 22.3%, 13.8% and 13.8% respectively.


Most of those XP users are in the developing world

Surprisingly, I can’t find any figures that show operating system usage by country. Looking at my own visitors, I find that UK, North America, and the Rest of Europe make up 86% of my visitors, leaving 14% from the Rest of the World. Is that 14% the same people as the 16% still using XP? I doubt it, but I’d like to find out more. There’s no doubt that the use of XP is likely to be skewed towards countries and regions less wealthy than Europe and North America. One of the big criticisms aimed at Microsoft for ceasing support for XP is that it will hurt users badly in areas where they can’t afford to upgrade their operating system and/or computers. Whether that is fair criticism is another question.

Pile of junked computers

Coming to a council tip near you?

There are loads of XP machines about to be pensioned off

I have seen evidence of this among my own computer support clients. It seems that a fair number of computer users have several machines and one or two of the oldest are running XP. These will be rapidly taken out of commission if XP becomes dangerous to use after support ends.

So, I think I’ve now done my fair share in warning my computer support clients about the end of Microsoft’s support for XP. I’ll try not to bang on about it again – until and unless we have more real news, at any rate.

If you’ve missed the whole subject and want to catch up, here are links to my previous blogs on the subject:

Replace Windows XP
Microsoft Will Stop Supporting Windows XP in 2014

and last week’s blog might help you along the road towards replacing a Windows XP computer:

Buying a New Laptop – February 2014

That’s it. I’ll shut up now.

Windows XP will not be supported, or updated, or patched by Microsoft after April 2014

Windows XP Logo - crossed outI have argued before that it will not be a good idea to run Windows XP after Microsoft cease support for it in April 2014. The main argument is quite straightforward – from the point of view of people wanting to do you harm, there will probably be so many installations of XP running after that date that it will be worth spending time and effort exploiting vulnerabilities that they know Microsoft will not be fixing.

Here’s another argument – taken directly from an official Microsoft Security Blog:

Whenever Microsoft become aware that there is a vulnerability in one of their products, they always check all other SUPPORTED Microsoft products to see if the vulnerability also exists in those other products. If it does, then it fixes the potential problem in all places at once. The reason they do this so assiduously (and not just because it is good housekeeping) is that the bad guys analyse security updates to see if they can find what it is that the update fixes, and then see if other products are affected in the same way.

Since Microsoft release the update for all products at once, the bad guys can’t use the knowledge to exploit an “unfixed” program. However, after Microsoft stop updating Windows XP then the bad guys can use knowledge gleaned from analysing updates to Windows 7 (for instance) to discover an unfixed vulnerability in Windows XP.

And this risk is by no means just hypothetical. To quote the Microsoft blog referenced above:

How often could this scenario occur? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.

In other words, it could happen two or three times a month. And the effect will be cumulative as older vulnerabilities won’t ever be fixed.

Windows XP TombstoneI’m tempted to apologise for bringing this subject up again. After all, it probably won’t affect most of the readers of this blog as most people will be using either Mac OSX or a more recent version of Windows. But what about that old computer you’ve got in the spare bedroom on the third floor? You know, the one you boot up just occasionally when you can’t be bothered walking all the way downstairs? What about the computer you passed down the line to a family member? Are they likely to be using it next year and beyond? For all the users out there who change their computers every 2-5 years there are also plenty who don’t, as they only use their computer for the internet and don’t need the fastest and newest.

No-one knows for sure just what will happen after April 2014. Maybe nothing at all will happen (remember the Millennium Bug that turned out to be more of a damp squib?) Personally, I’m not going to risk it (unless I choose to do it on purpose on a computer completely isolated from the network of my others). However, I can just hear plenty of people saying “I’ll carry on just the same and do something about it if I have to”. But by then your data may be well and truly messed up, corrupt, missing. “OK”, you say “I’ll throw a six and start again on a new computer”. Fair enough – but be prepared to discover there are all kinds of passwords, account details, purchase histories, old correspondence, and goodness knows what else that you may have lost if your old machine has become well and truly messed up.

Viruses

Is it worth risking?

Windows Vista was released worldwide in January 2007. Lots of people still specified Windows XP on new machines after then. So let’s just estimate that any Windows XP machine is going to be no newer than, say, April 2008 (16 months after Vista was released). This means that by the time April 2014 comes around, any XP machine is likely to be six years old at the very least. Are you really going to risk all the potential problems just to prolong the life of a computer at least six years old? I don’t advise it.

PS: I do realise that many organisations were still deploying new XP installations well after the dates above, but my own IT support clients tend to be individual professionals or home users (or both). They are the readership I am addressing. Besides which, there’s an argument for saying that it’s even more important for organisations to move away from XP than individuals – even if those installations are newer.

I’m going to stop blogging about Evernote soon

…but I’d like to just share my latest findings and opinions in case this will help you to decide whether or not to take the plunge.

For the most part, I am still pretty confident that Evernote will become firmly fixed in my routines as my main admin and organisational tool. Of course, the more time, effort, and data you commit to these things the harder it is to back out later. I think I’m approaching that point of no return.

I currently have two big concerns about whether Evernote is up to the job:

1) Security

Marvin the Android

Marvin from the original BBC TV series (not the wussy-looking thing from the later film)

A big concern is the ongoing fuss (and fear, outrage, shrugging of shoulders, boredom, acceptance etc) about the NSA and it’s Prism program – sucking in the minutiae of everyone’s lives by stealing all our online data. Like all online companies, Evernote will reveal your data to the US authorities if compelled to do so by a Court Order. Whether or not the NSA already has Evernote data is anyone’s guess. But what about the portions of encrypted text in an Evernote data file? Will the encryption keep the US government out? No chance whatever. Evernote uses an ancient method of encryption called 64-bit RC2. Asking the US authorities to crack data protected by this method is a bit like asking Marvin to open doors ( “Here I am, brain the size of a planet, and they ask me to open a door” – Marvin the Depressed Android, The Hitchhiker’s Guide to the Galaxy).

Also on the subject of data security, it’s possible to prevent the casual snooper from getting into your Evernote data by protecting it with a password, but I understand that the data file kept on your hard drive is, in fact, unencrypted. A quick test of this was thwarted by Windows telling me that I couldn’t open the file because it was in use (which it shouldn’t have been as Evernote was closed). I think it’s prudent to assume that the data isn’t secure.

2) Data File Sizes

Those nice people at T-mobile gave me a new smartphone last week. It’s a rather nice Sony Xperia SP. I wasn’t sure why they had given it to me as we’d already agreed the details of my renewed contract. It dawned on me after I’d received it – it’s got 4G capability. I started getting text messages from them suggesting that I might like to upgrade my (freshly renewed) contract. I don’t like. Can’t see the point at the moment.

Android Logo

Logo of the Android operating system

Anyway, it’s an Android phone (nothing whatever to do with Marvin: “Android” is the operating system, like “IOS version 6” is the current operating system on an iPhone). It’s had good reviews and I thought it a good idea to bring myself up to speed with Android on mobiles, so I’ve been playing with it. I’m just getting to the tipping point where I might put my “proper” SIM into it. However, there’s a problem. The phone only has about 5gb of useable internal storage. That’s fine, normally, as you can fit a micro SD card of up to 32gb capacity. The problem is that Evernote does not allow the phone to move its data onto the SD card. It has to sit inside the internal 5gb. Well, my Evernote data is already 0.7gb and I’ve only been using it for a couple of months. There’s just a chance of there being a silly but big problem ahead when the data gets too big (and there will undoubtedly be other demands on that limited internal 5gb).

Nevertheless, I think I probably will make the move over to the Xperia as it’s very fast (especially with Evernote), has a bigger screen than the iPhone 3GS, and is rather nice.

The reason I keep pointing out the potential problems with Evernote as I find them is that I know what a big commitment it is to move over to a new admin system. In fact, I really like Evernote. It’s not perfect by any means but it feels solid and consistent, as well as flexible. Just to counteract some of the seemingly negative comments above, here’s a couple of tips:

Shortcuts – if you are already using Evernote, then you may find this link to some shortcuts useful.

Evernote List Sorted by Priority

Evernote List Sorted by Priority

Prioritising – one of my notebooks contains a list of “to do’s”. Each item in the “list” is a separate “note”. It is, of course, useful – and easy – to be able to sort the list into different orders, but Evernote does not have an inbuilt way of assigning a “priority” to a note, so sorting on this is not readily possible.

The answer is to create a tag for each of the numbers 0-9 (or more if you are even more neurotic about admin and organisation than I am). Then just add the relevant tag to the item (this doesn’t, of course, affect any other tags already assigned to the note). Then, just sort the list of items into tag order (see illustration). Since Evernote sorts each note’s tags alphabetically it means that the number tag comes to the left of the list and the entire list will be sorted on “priority”.

I wonder if Marvin could have thought of that.

Speaking of Marvin, if you don’t know what I’m talking about and have five minutes to spare, have a look at this YouTube clip

Passwords (again), silly Twits, and more…

Test Your Passwords

Click here for (another) password tester. Yes, I know I’ve given a link to a site like this before. I don’t apologise because I’ve seen how much upset can be caused by a malicious person guessing a client’s password. See this blog on the subject of stolen Gmail passwords, for instance. Even if you don’t change any existing passwords, please use strong ones in the future. In the meantime, find out how good that one password (that you use for everything!) actually is – or not.

A Plug for Low Cost Names

The LCN (Low Cost Names) logoIf you find yourself wanting to register a web domain, then I definitely recommend doing it with LCN. I’ve been using them for years and never had a problem, but hadn’t realised before just how good an example they set in communication and online support. This week I needed to register a domain for some testing I was doing. I needed to speak with someone and was very pleased to find that they prominently publish their telephone number on their website. Not only that, it is a normal, non-premium, UK landline number. Even better, the normally-elusive technical support people were available from option number one on their automated telephone menu system. Then they told me how many were in the queue before me. Then, within a minute or so, they answered me with a knowledgeable, UK-based adviser. That’s the way to do it!

Who Said You Could Share My Data?

Twitter and Linked In Logos merged together

Is it just a coincidence how snugly the Twitter and Linked In logos merge together?

I was rather miffed last week to receive an email from Twitter suggesting people that I might like to “follow”. Apart from the fact that I’m perfectly capable of deciding for myself whether my life is so empty that I want to fill it by “following” anybody (it isn’t and I don’t), I was annoyed by the unsolicited intrusion into my inbox and by the fact that two out of the three suggestions were people who had figured in my Linked In connections (one of whom I had deleted). I hadn’t realised before that Twitter and Linked In were connected and I certainly hadn’t knowingly given them permission to share information with each other. When I looked at the privacy policy of Twitter I learned:

Links: Twitter may keep track of how you interact with links across our Services, including our email notifications, third-party services, and client applications, by redirecting clicks or through other means. We do this to help improve our Services……

Well, I for one do not consider sharing data this way and then sending me unsolicited emails to be “improving…. services”. Instead, it just reminds me of some of my worst nightmares of these large organisations sharing more and more data amongst themselves, and then coming to computer-generated conclusions about who I am and what I want.

And still on the subject of Twitter…

Screen grab from Don't Blame FacebookDid you see the Channel 4 programme last week called “Don’t Blame Facebook”? It told tales of how injudicious tweeting and posting on social network sites can cause unforeseen problems. It’s amazing just how shortsighted and, frankly, stupid people can be in giving away too much information on these sites. Nevertheless, even I had to feel sorry for the the couple who were refused entry into the USA and sent back home without having their holiday just because of the paranoia of the spooks who monitor everything that is shared on Twitter. Apparently, the male half of the couple had tweeted that he intended to “..destroy the US” while on holiday. He just meant he was going to have some fun, and maybe a drink or two. Nevertheless, they were stopped by the US border guards on their way in, spent a while in jail, and then returned to the UK.

At the time of writing, you can still watch the programme “Don’t Blame Facebook” by clicking here.

Antivirus software intercepts and counteract threats posed by malicious software (“malware”). Malware tries to damage software installations, steal data, or extort money

Laptop in BedMalware threats can be introduced into your computer system in may ways, including when installing or downloading software, when opening data files that have been infected (such as word processing files), or when visiting websites that contain threats (the website owner may or may not know that the site contains threats).

There is a constant “cat and mouse game” or “arms race” going on between the creators of malware and the creators of antivirus software. The upshot of this is that most antivirus manufacturers update the “knowledge” of their products every day so as to keep up with the latest known threats.

What computer systems are at risk? In theory, any computer system that has any kind of link to the “outside world” is at risk. The most common way of creating that link to the outside world these days is by having an active internet connection. Any file opened or downloaded from the internet could, in principle, constitute a risk. Other media for passing malware include floppy discs (remember them?), CDs/DVDs, and USB pen drives (also known as thumb drives and – usually erroneously – memory sticks).

How can you stay completely safe from malware? Don’t connect your computer to the “outside world” (see above). There is no other way to be completely safe. This, however, is not feasible and certainly falls into the category of “throwing the baby out with the bathwater”. It is possible to protect your system from malware to the extent that it’s worth taking the risk of connecting to the internet.

Are Macs and Linux computers vulnerable to malware? In theory, yes. The main reason why almost all malware is experienced on Windows-based systems is that Windows in installed on the overwhelming majority of the world’s computer systems. If you were going to create something nasty, would you spend your time creating something that could attack 90% of the world’s computers or just 5%? It is also possibly true to say that Macs are inherently less vulnerable than Windows computers. In practice, most Mac users don’t seem to use any antivirus software. I don’t know about Linux users. In principle, mobile phones and tablet computers are also vulnerable but these, too, are not usually protected at the moment.

So, assuming that you have a Windows-based computer, what are the main features of the antivirus software you may install?

Free or Paid

Laptop and ThermometerPaid software has more bells and whistles than free versions. Personally, I’ve never been convinced by these. I even see them as a problem rather than a benefit as the more complicated the antivirus software, the more effect it has on system performance and the more likely it is to cause problems in its interactions with other parts of the system. The same, basic, antivirus detection is usually included in both paid and free versions of software.

Apart from the cost itself, there are other potential problems with paid software that include;

  • Occasional difficulties in renewing the annual licence – Norton and McAfee come to mind.
  • Automatic renewal of the licence – some of these companies will put their hand in your pocket for the renewal fee without warning you. No doubt this was mentioned in the (unread) small print of the “terms and conditions” you originally agreed to, but it doesn’t make it any less annoying when it happens. My experience is that companies who do this can be persuaded to give you your money back if you object to this and wish to cancel the renewal.

Scanning Action

There are two different things that can trigger your antivirus to check files. Both of these types of check are usually present and active in antivirus software:

  • Real-time scanning – this happens at the very moment you open a file or download it, and is intended to discover and neutralise a threat at the moment that the threat would otherwise have been launched. Your antivirus software might also refer to this as on-access scanning, background scanning, resident protection, or other names that suggest that the protection is there all the time, ready for any threat.
  • Scheduled scanning – this happens when all susceptible files are checked all at once according to a predefined schedule (usually once a week, by default).

Why have both types of scanning?

Suppose that a brand new virus appears today and your antivirus software does not know about it. This could mean that the virus will slip past the realtime scanner and be saved onto your computer. In the course of the next day or so, your antivirus software is likely to be updated with information about this new threat. If your system is set to run a scheduled scan then that scheduled scan may reveal the virus that had previously slipped past unnoticed.

To be continued next week…

Reducing Online Shopping Risks

Comments Off on Reducing Online Shopping Risks
Nov 032012

One of the most frequent questions that my computer clients ask me is “Is it safe to shop online?”

Cartoon robber stealing away from laptopThe only way to be completely safe when shopping online is … don’t do it. But that would be a case of throwing the baby out with the bathwater, akin to saying “I won’t go outside because I don’t want to be run over by a bus”.

The strategy that I, myself, have adopted is to apply a few tests and questions to any website that I’m considering purchasing from. I then balance how comfortable I feel about giving my financial details to that website with the importance of the purchase. So, sometimes I will buy online and sometimes I won’t. One important consideration is that it’s not just the cost of the specific purchase that is at stake. If something goes wrong, you can lose much more than the cost of the purchase: your card details might be fraudulently used and you might incur any amount of cost and inconvenience in sorting it out.

So, my own list of considerations looks like this:

  • I would never – ever – give financial or confidential information to a web page whose address does not begin with “https”. Look at the address of the web page at the top of your browser. Unsecure pages start with “http”. Secure ones start with “https”. The “s” means that the data being transmitted is encrypted. Any website asking for confidential information via an unsecure page is either criminal or criminally negligent. I make no apology for repeating this advice (see this previous post on assessing websites).
  • yet another cartoon robber stealing away from laptopIf I don’t know the website I’m buying from then I will do some Googling and/or other investigation to satisfy myself that the website is genuine and that the product/service they are offering is also genuine. Obviously, if a Google search on “Wobbly Products” returns loads of results that refer to customer complaints then I probably won’t proceed with the purchase. A similar test is to google the contact phone number and see what comes up (put the phone number in inverted commas in the search box – eg “07961 387564”).
  • I may scour the website for evidence of their physical location. If I can’t find an address and the telephone number is non-geographical (eg it starts with 0845 or 0870) then that will reduce my confidence. Mind you, it is now possible to attach a number that looks like a UK landline number to a Skype account, so seeing a UK landline number is no guarantee that the vendor has a traceable physical presence in the UK.
  • I look to see where the website is located. The last few characters in the website address – after the final dot – MAY (but may not) indicate the country in which the website is registered (eg UK, IE (Ireland), CA (Canada)). These last few characters of the website address are called the “top level domain”. A full list of top level domains can be found here. You may feel more confident about doing business with an unknown UK website than an unknown one registered in an unlikely part of the world.
  • Another cartoon robber stealing away from laptopI have previously used a “prepaid Mastercard” to buy something from a website that I didn’t really trust. Prepayment cards are good because they enable you to make a purchase online without risking your debit or credit card details. The way these cards work is that you buy them from newsagents (or suchlike) with whatever sum you want “preloaded” onto them. You also pay a one-off sum (I think it’s about a fiver) that covers the retailer’s costs, margins etc. So far, so good. There is a nasty sting in the tail, though, in that if you don’t spend the amount loaded onto the card in the first month or so, the value of the available balance is reduced automatically. I seem to remember that I “preloaded” a card with about £20, spent about half of it online but then found the next time I tried to use it that the balance had evaporated! So, it would probably be wise to weigh up the pros and cons before using such a payment method and definitely check the terms and conditions of the card to see if they are acceptable to you.

This isn’t the first time I’ve blogged on the subject of online security. It may seem as if I’m paranoid or it may seem that the internet is too dangerous a place to venture into. My experience – from both my own internet activities and those of my clients – is that taking reasonable steps to safeguard your finances brings the risks down to acceptable levels, but you must concentrate on what you are doing – eg by always checking that any web page that asks for your credit card details is secure.

Cartoon robber mouse stealing away from laptopMaybe an analogy will help. Suppose you knew someone who had spent their entire life in a small village and they were thinking of making a visit to Oxford Street to do some shopping. Would you tell them not to come because it’s too dangerous and they’d get fleeced, robbed, ripped off? Of course not – but you might suggest taking some reasonable precautions, such as making sure their wallet or purse isn’t on show. You might even suggest that the “perfume shop” offering incredible “closing down bargains” is just that – incredible. But you wouldn’t tell them not to come to London just because there are some chancers here who try to take advantage of the unwary. Well, I think the same sort of judgement applies to buying online. My advice is to be reasonably careful, but to do it if you want to.

PS: never give financial details to ANY website (even Amazon or Marks & Spencer or any other household name) from a public computer (such as in an internet cafe). You have no way of knowing if your every keystroke is being recorded for later misuse.

The biggest single preventable IT problem that my clients seem to encounter is lost, forgotten, or mis-remembered passwords

PadlockI know it wasn’t long ago – see this blog on passwords – that I recommended writing down all passwords – manually – in one place. OK, I can see the obvious flaw in this advice. However, the practical reality, in my experience as an IT Support Consultant, is that almost everyone needs some simple but rigid discipline to ensure that they can always find any of their passwords.

So why am I bringing it up yet again? Because some online organisations have started taking it upon themselves to force us to change our passwords before allowing us into our accounts. I think I’ve seen it with Apple in the last few weeks and I encountered it with the Dropbox website recently. With Dropbox you can simply re-use the same password (which defeats their aims of improving your security), but with Apple you can’t re-use one that’s been used in the last year.

This development adds a further layer to the complexity and frustration caused by online passwords. Being forced to change a password before you can carry on with what you were doing is just going to increase the likelihood that you will invent a variation of the existing password, fail to write it down, and then get locked out the next time you try to access that account.

Padlock with keyI’ve been trying to think of a way to make changing passwords easier – eg add 2 digits to the existing password that represent the month it was changed. The problem is, of course, that when you come to enter the password you won’t necessarily know when it was last changed so you won’t know what the current password is. It’s also true to say, of course, that any method that makes it easier for you to remember your own passwords makes it easier for someone else to crack them.

I don’t often see written advice on this subject. My guess is that anyone who is going to commit themselves in writing on the subject feels the need to be seen as “responsible” – hence all the common advice:

  • Passwords for all account should be unique.
  • Make passwords at least fifteen characters long.
  • Change them every month.
  • Never re-use them.
  • Always use a mixture of upper and lower case letters, figures, and special characters.

Hand holding keyThe only secure and comprehensive solution that I know of is to use password manager software. I’ve been using this approach myself for ten years or so. The reason I’ve not routinely passed it on to my clients is that its security depends on being absolutely certain that you have access to a working copy of the password program and backups of the data files. Frankly, a lot of people’s backup regimes are not rigorous enough for me to recommend that they put all their eggs in one basket by relying on a password manager.

However, this latest development (forcing password changes on us) has finally convinced me that it’s time to create a practical solution for my clients, consisting of recommended software, installation and training. The solution will need the following features:

  • Installation and training of a recommended password manager.
  • Installation and training in multi-level backup procedures to virtually eliminate the chances of losing the data file (data backups are always, ultimately, the user’s responsibility).
  • Ability to access the same password data whether you are currently using your Windows PC, IOS device (iPhone or iPad), Android device, or Mac.

I know the software to use as I’ve been using the specific software myself for at least six months and other software from the same company for at least five years. At this stage I’m not sure how long the installation and training of such a package will take, but I hope it can be done in a single session of, say, a couple of hours I’ll be aiming for simplicity and flexibility rather than sophistication. Please do let me know if you are interested.

We can never be completely certain that a website is safe, but we can definitely reduce the chances of ending up in a bad neighbourhood

1) Be careful of misleading subdomain names

It’s very easy to do a “Google Search” and then click on a result that takes you to a fake site. Suppose, for instance, that you are searching for a product called “Fred Smith’s Widgets” and you use that as your search term in Google. If Google then returns a result with a headline of “Buy Fred Smith’s Widgets at 90% Off” and a website address of “www.fredsmith.salesdeals.co.uk” then it would be very easy to assume that this is, indeed, the website of that well-known and reputable firm “Fred Smith Widgets Co Limited” and that by following the link you would end up in the Sales Department of that firm’s website.

Not so. Apart from the fact that anyone at all could have registered the name “fredsmith”, the actual name of the domain is “salesdeals.co.uk”. The prefix of “fredsmith.” is what is known as a subdomain. It is a sub-division of the “salesdeals.co.uk” domain and probably doesn’t have anything to do with “Fred Smith Widgets Co Limited”. Anyone can create subdomains of domains that they control and can give the subdomain any name they like. Subdomains can be freely created and are not regulated in any way. So, if the primary apparent link between what you are looking for and the Google result is nothing more than a subdomain name then it might be wise to be careful.

2) Scan a site before visiting

Even if the website is genuine, it is possible that it has been infected by malware that could damage your system – with or without the knowledge of the website owners. If you want to visit a website but prefer to make sure first that it doesn’t harbour anything nasty, you can use a free scanner to check it out. Follow this link for the Sucuri sitecheck scanner. Then enter the name of the website you wish to check. A check of my own website has just given the following result:

Sucuri Site Checker Result

Result of checking www.davidleonard.net with Sucuri Site Checker

Norton offer a similar “instant scan”. Just visit http://safeweb.norton.com/ and enter the site you wish to check. Here’s what it said about www.davidleonard.net

Norton Safe Web Result

Result of checking www.davidleonard.net with Norton Safe Web


3) Be critical of the spelling, grammar, and presentation of the website

Although it’s true that some malevolent sites are very well written and presented, it’s also true that most of them are not. Undoubtedly, we shouldn’t expect the same standard of English on a website in a non-English speaking country. Nevertheless, I believe that it’s worth including the standard of the English in an assessment as to whether to trust the site. I really don’t want to sound like a Little Englander, or suggest that “foreigners can’t be trusted” or anything like that. I’m just saying that a professionally presented website is more likely to be trustworthy than a shoddily presented one. English is undoubtedly the lingua franca of the internet so you would expect a genuine, professional, organisation to take a certain amount of care in this respect – whether the website originates in an English-speaking country or not.

4) ALWAYS look for the “https” on “Financial Pages”

If you are on a webpage that is going to ask for confidential information – including, of course, credit card details etc – then make sure that the address of the web page (at the top of the browser) begins with “https” and not the more usual “http”. The “s” stands for “secure” and it ensures that the data is encrypted as it flies through cyberspace. The “s” may not give 100% security that you are dealing with a genuine organisation but if a website is asking for confidential information WITHOUT encryption then they are definitely reckless at the very least, so don’t trust them.

5) Be wary of following links

If you are considering visiting a webpage by clicking on a link in, for instance, an email then be very careful as it is easy for someone to mislead you as to the actual website you will arrive at. If you’ve clicked on a link called “www.barclays.com” and your browser address bar tells you you’ve landed on “www.cons-r-us.com” then it might be appropriate to harbour suspicions.

6) Install a link checker

AVG Secure Search – and McAfee Site Advisor – are both browser add-ons that give instant advice in the form of icons showing the trustworthiness of the site. For instance, McAfee Site Advisor adds reassuring ticks in green circles to indicate that a site is probably safe:

McAfee Site Advisor Results

Reassuring ticks in green circles indicate that McAfee Site Advisor thinks these web pages are safe

We can never be absolutely certain that the website we are about to visit is both genuine and safe, but we can certainly reduce the risks to an acceptable level by applying some commonsense, some critical awareness, and some free tools.

© 2011-2019 David Leonard
Computer Support in London
Privacy Policy Suffusion theme by Sayontan Sinha