Note: this is Part II of a three part series. The three articles can
be found at:
http://www.wap.org/journal/security/
http://www.wap.org/journal/security2/
http://www.wap.org/journal/security3/
If you have a computer, you need to know about computer security. This is the considered opinion of not only computer security experts and user group gurus, but also such mainstream publications as The Washington Post, USA Today, and Time magazine. Computer security risks fall into three distinct realms:
In Part I of this series (Washington Apple Pi Journal, May/June 2005), we discussed the most common security threats to Macs: physical threats. In this part, we will discuss the next most common vulnerability to Macs: mental security.
Macs are less vulnerable to mental security lapses than Windows computers. The Mac user interface is designed to keep the user from making poor choices. Non-Mac-using critics have called Mac users “pampered” and the interface “coddling” since it hides so much complexity and ambiguity from the user, but this same pampering, coddling “pretty face” does keep the average user out of trouble.
But using a Mac is all about having choices, and Apple does allow, especially with Mac OS X, the user to make bad choices – sometimes spectacularly bad choices. These mental errors can threaten not only the proper functioning of your Mac, but also the integrity of the information you store on your Mac. Following good mental security can be summed up in four broad directives:
All of these seem like sensible, everyday guidelines. Yet next to physical security lapses, mental security lapses are the most common problems suffered by Macs, and Mac owners.
In September 2003, this F-16 fighter, part of the U.S. Air Force Thunderbirds flight demonstration team, crashed and exploded at Mountain Home Air Force Base in Mountain Home, Idaho, the victim of a mental security lapse. No one was killed, and the pilot sustained only minor injuries, but the 85,000 spectators were thoroughly terrified, and the photographer deserves an award for steadfast nerves. What was the error? The pilot had practiced a Split-S maneuver at Nellis Air Force Base in Nevada, which is 1,000 feet lower than Mountain. His notes on how to perform the maneuver were not amended to take into account the higher elevation, and he didn’t have enough altitude to complete the maneuver. While most mental security errors are less dramatic, they can seem just as scary and costly if you are the victim. (Official Air Force photo by Staff Sergeant Bennie J. Davis III. Click on the image for a full-size -- 2.7 megabyte -- image.)
Generally speaking, bad ideas usually come from a desire to save money. Rather than throw out the 45-pound daisy wheel printer that you used with your Radio Shack TRS-80 Model III computer in 1980, you decide that you just need to find enough cables with connectors that sort of match to hook it up to your Power Mac G5 from 2004. When it doesn’t work – and in fact when the USB port you tried to plug it into no longer seems to work at all – you might decide that this was an expensive way to save money.
Similarly, trying to put the wrong kind of hard drive into a computer is a bad idea, along with the wrong kind of memory. True, they might have been “just sitting there” on your desk, waiting for a use, but that doesn’t mean they belong in just any random Mac. Especially if you want to keep that Mac functioning.
The most popular “bad idea” involves running outdated software. Outdated anti-virus and disk utilities can destroy all your data, rather than protect the data. Outdated applications can damage your data beyond recovery.
Expanding on this last point, a great many Mac users keep their machines for a long time – decades, in some cases. Eventually, they decide to buy a new machine, but inexplicably expect a software package written in 1990 to work on a computer built in 2005. This is a bad idea, similar to putting 15-year-old tires on your new sports car, or using 15-year-old icing on your spouse’s birthday cake.
If you buy a new Mac, or update the operating system, be sure and check that any third-party utilities or applications will work with the new system. Don’t delay upgrading your software to save a buck. It could be the most expensive buck you never spent.
Another mental error, which could be known as “magical thinking,” involves poorly functioning machines and upgrades. There are endless numbers of scenarios, but they all go something like this: the user tries to open a document, and the machine reboots. Or shuts down. Or printing a document causes the screen to flash. Or opening iTunes causes your Internet connection to crash. Or your hard drive makes funny noises every time you launch a Web browser. Or the Mac locks up when you plug in your printer.
Each set of circumstances indicates something is wrong, and needs to be fixed. In the case of the Mac locking up when you plug in a printer, the cause could be as simple as the printer drawing too much power from the USB bus, and could be fixed by adding an external powered USB hub. But in any case, the problem needs to be fixed.
Every time Apple comes up with a new update or upgrade to Mac OS X, Mac news sites are filled with complaints that the new update or upgrade “killed” computers. If you do some investigation, you will discover that, almost invariably, the user’s computer wasn’t working properly before the update or upgrade, and that, contrary to their magical thinking, the upgrade or update made things worse.
Why didn’t the user correct the problem first? The most common excuse: they were too busy to fix the problem, or didn’t have the time, or didn’t want to take the trouble. Yet on these Web sites it is invariably – without fail – Apple’s fault that this upgrade or update didn’t magically fix whatever problem the user didn’t bother to try and fix.
Don’t update or upgrade your machine unless and until everything is working. You wouldn’t expect a broken refrigerator to suddenly start working just because you’d put a month’s worth of groceries in it, or new tires to fix a broken radiator hose on your car. Fix the problems first.
Apple has made some poor design errors over the years. The Hall of Shame award goes to Apple’s decision to use the Trash Can as a means of ejecting floppies and CD-ROMs and unmounting disks. Associating storage with destruction was a bad idea in 1984, and it is still a bad idea in 2005.
But users also have design errors, particularly in workflow. Generally speaking, if your method of doing something doesn’t work, it is a mental security lapse, and you should stop doing that.
While there are endless possible examples, let’s just stick with one: taking and storing photos with a digital camera. It is an iron-clad rule that you can’t take a great photo unless you have a camera, so the first rule in photography is: have a camera. The second rule is: have plenty of film. The third rule is: don’t futz with your film.
But many users have decided to delve into the Dark Side of photography – and futz with the film. They buy inadequate memory for their digital cameras, and decide to “stretch” how many pictures they can take by taking photos that are too small. Then, when that isn’t adequate, they decide to use the camera’s “delete photo” option to delete photos they don’t want. They base their decisions on what they want and don’t want on the tiny little LCD screen on the back of the camera.
The end result: they end up deleting photos they wanted to keep. Or, just as often, deleting all their photos by accident.
One variation on this theme is to use iPhoto, or a software program that came with their camera, to transfer photos from the camera to the computer and, at the same time, delete photos from the camera. This is a bad idea: if the process fails for any reaon – the computer falls asleep, the camera battery runs down, the computer runs out of disk space – you could end up with corrupted photos on your computer and nothing on your camera.
So change your workflow design:
Designing a good workflow for any computer activity – checking E-mail, writing term papers, doing income taxes – should be designed to eliminate, as much as possible, the consequences of mental security lapses. Make backups. Store things in different places. And if a process isn’t working, change the design.
Potentially the most damaging mental security lapses have to do with revealing information. In fact, computers are often blamed for mental security lapses that frequently have nothing to do with computers.
A case in point: credit card numbers. Great hordes of people have claimed that hackers broke into their machines and stole credit card numbers. Yet, in talking to these people, investigators find they routinely made purchases via credit card while using a wireless phone. Since a wireless phone is just a radio, you don’t need to break into that person’s computer to steal their credit card information: it is much easier to intercept what is freely broadcast over the airwaves on their phone.
Another mental security problem involves phishing. Phishing is the spelling-challenged name given to a popular computer scam with many variations. In a “phishing attack,” the scammer claims to have some piece of information, and asks you for other pieces in order to (a) claim a prize, (b) swindle some corrupt government out of funds, (c) repair damage to your credit caused by someone breaking into a bank’s computers, etc.
Within hours of the capture of Saddam Hussein by U.S. forces on December 14, 2003, millions of E-mail messages were sent worldwide by, allegedly, Hussein’s daughters, claiming they had millions in secret funds. The Hussein daughters would be more than willing to share these funds with you; all you had to do was give them access to your bank accounts, so they could transfer funds into it from overseas.
Following news reports of some problems with eBay’s online security, billions of E-mail messages went out worldwide (and still more go out every day), claiming that the recipient’s eBay account has been compromised. All the recipient needed to do to restore their credit was to immediately click on the link provided which would take them to a Web site where their identity could be re-confirmed.
These, of course, were scams, “fishing” for information in order to steal the recipient’s identity, credit card numbers, PIN numbers, etc. There are countless variations, and new ones crop up every day. This year, Washington Apple Pi members have even received messages allegedly from webmaster@wap.org claiming that their “accounts” are going to be dropped unless they run an enclosed program. But the Pi Webmaster has no authority, access, or responsibility for any accounts, and didn’t send these messages. I have this on the highest authority: I’m the Webmaster. Instead, these were sent out by a Windows-based worm that was trying to infect other Windows machines. If you had a Windows computer and ran the attached program, your computer would turn into a worm-spewing zombie – just like the one that sent you the message in the first place.
Keep a few common-sense things in mind:
Above and beyond this, don’t give out any information you don’t need to give out.
Good mental security is a matter of habit. Take the time to do things properly, fix things that are broken, and if a little voice suggests what you are about to do is silly, listen to that little voice. While you don’t want to descend into paranoia and assume everyone out there is a scam artist, a nefarious business, or a terrorist, it doesn’t hurt to give out as little personal information as possible.
Combine good mental security with good physical security at every opportunity. For example, doing your income taxes on a laptop is inherently less secure than doing them on a desktop computer. All someone has to do is steal your laptop to not only gain a nice laptop computer but also your income tax data – which provides more than enough information to also steal your identity.
Closing this series: “spiritual” security, or keeping the ghosts and demons of the network out of your Mac.