Posts tagged ‘google’

13 December 2010

Security error messages need improvement

Today, I had to ask a helpful technical support person how to access the secured wireless network at my local university. Even though I’d successfully logged into the system many times before and have been using it for months, somehow the device I was using had managed to forget the password that enabled the certificate that allowed the wireless network to recognise and authenticate it. As a result, I couldn’t use the network, which is locked down by both encryption and an authentication system.

To my faint embarrassment, it turns out I could have fixed it had I known I needed to dive into the deepest depths of the security settings of my HTC Desire HD phone — which runs Google’s Android operating system — and then reset the password manually.

The problem was two-fold. It wasn’t clear from the input box that popped up that the password being requested was a local one — in other words, the request came from inside the phone, not from the remote wireless network.

Additionally, it asked for a storage credential password and, you know what? I had no idea which password it was asking for, or that I needed credentials to access storage on any remote or local system. I suppose I must have typed it in once, months ago, and then forgotten it almost immediately. It seemed out of place too, since I was trying to access a network, not storage.

So what’s the lesson here? As I was waiting for the IT systems person to figure out what the problem was, it occurred to me to wonder how much time is wasted around the world by poor error messages and unhelpful, over-zealous security systems and their obscure or misleading error messages.

If you’re in the IT business you might of course take a different view: it keeps you in a job. Even so, this kind of user support is useful but not massively productive work when you consider that the human being who designed the error message could, with a little more thought, have saved the time of thousands of other humans.

Security is an important part of our lives as it stops the right stuff going to the wrong people. As ever, the implementation usually involves a trade-off between security and convenience: more of one usually means less of the other.

While there’s still a long way to go before we get to the point where much security technology manages to both avoid inconvenience and improve security, thus making our lives easier, I’d suggest that some anti-virus packages get pretty close to that ideal…

18 October 2010

Security: time to spread the word

There’s no shortage of information online about how to keep your computer safe. The problem is that I suspect most of those who need it are not the kinds of people who would go out and look for it; I’ll get back to this point.

As an example of the kind of helpful instruction that’s now available, Google has just put up a page that shows you, step by step, how to make your computer as safe as possible. The first three steps consist of making sure the machine is free of viruses and malware (using Avast, naturally – end of plug); making sure your operating system is up to date; and making sure to perform regular software updates. It then provides steps for your browser and email client.

A key suggestion from Google’s list is that you change your password twice a year. Passwords provide notoriously weak protection. People use passwords that are easy to remember, such as their name and birth year. That’s information you could find on someone’s Facebook page. You wouldn’t have to look too far to find answers to other questions such as someone’s mother’s maiden name, or their favourite food.

So you need to make your passwords hard to guess. That’s tough because it makes them hard to remember too – but there are programs that can help. The simplest way is to write them down somewhere but in a safe way. That’s not on a sticky note on your desktop but in a safe, encrypted manner. It could be in your browser or, since not everything goes via the browser, in a package such as the well-regarded KeePass, for example. This means you need only remember one master password, and the others can be pulled out of the safe as required.

Less fashionable but a method I’ve been using for years is a password generator. While some software may have limitations, such as an inability to generate passwords to meet specific criteria demanded by some websites, such as password length, a fixed number of non-alphabetic characters and so on, it’s a method that’s worked well for me for years. As before, I need only remember a master password, while the service passwords are generated using a combination of the service name I’m trying to access and other data that I’m not going to reveal.
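
A minimal sketch of the kind of generator described above, added here as an illustration; it is not the author's tool, whose algorithm and "other data" are not disclosed. It assumes PBKDF2-HMAC-SHA256 as the derivation function, and the names `generate`, `extra`, `length` and `non_alpha` are hypothetical; the last two address the site-criteria limitation mentioned above.

```python
import hashlib
import string

LETTERS = string.ascii_letters
NON_ALPHA = string.digits + "!#$%&*+-=?@^_"   # constructed symbol set; adjust per site

def _byte_stream(master, service, extra, iterations):
    """Endless deterministic byte stream bound to one master/service/extra triple."""
    salt = f"{service.lower()}|{extra}".encode()
    # Key stretching makes guessing the master password from one leaked output slow.
    seed = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    counter = 0
    while True:
        yield from hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1

def _pick(stream, n):
    """Return an unbiased index in range(n), discarding bytes that would skew it."""
    limit = 256 - (256 % n)
    for b in stream:
        if b < limit:
            return b % n

def generate(master, service, extra="", length=16, non_alpha=4, iterations=200_000):
    """Derive the password for `service`; nothing is stored, so it can be recomputed."""
    if not 0 <= non_alpha <= length <= 64:
        raise ValueError("need 0 <= non_alpha <= length <= 64")
    stream = _byte_stream(master, service, extra, iterations)
    # Exactly `non_alpha` digits/symbols, the rest letters, to satisfy site rules.
    chars = [LETTERS[_pick(stream, len(LETTERS))] for _ in range(length - non_alpha)]
    chars += [NON_ALPHA[_pick(stream, len(NON_ALPHA))] for _ in range(non_alpha)]
    # Fisher-Yates shuffle driven by the same stream, so positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = _pick(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(generate("constructed master passphrase", "example.org", extra="v1"))
```

Because the output depends only on its inputs, changing `extra` (a counter, for example) is the only way to rotate one service's password without changing the master password.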

But back to my original point: if you’re reading this you’re already in a category of people who are interested enough to have searched out a security-focused blog. This is both good for you and good for all of us — the more people who compute safely, the safer we all are because of the phenomenon of herd immunity.

What we need to do is to reach those who don’t make it this far. So perhaps we should all make it our mission to get at least one other person interested enough to do likewise, and they can then go on and infect someone else with the security bug.

How about it?

19 July 2010

Is your AV software doing what it should?

The great thing about anti-virus software is that it runs in the background and with minimal impact on your day-to-day activities or your PC’s performance.

And, in some ways, that could be a bit of a drawback. It’s not a problem 99 percent of the time but occasionally, you need to keep an eye on what your AV software is doing — especially so if you don’t know where the software came from.

Search for anti-virus using a famous web search engine, and you’ll get thousands of hits. Among the top hits is, of course, Avast but, as you trawl down the list, you’ll start finding lots of names you don’t recognise.

Some of them will promise all sorts of benefits — and the more extravagant the claims, the more it can pay to look carefully before installing. Just as you wouldn’t (I hope) just give your money without extensive research to the first person who asks you to invest with them, so it is with AV software.

How to choose then? You could check whether the software has been reviewed recently, for example. In a recent PC Magazine review, Avast got a good write-up, the author — who’s an experienced technology journalist — finding that Avast does as well as the better-known paid-for products and that “Avast! in particular tested well for malware removal”.

But some so-called AV software is, in fact, a front for malware. Once installed, it can then perform all sorts of nasty tricks, for example, trawling through your address book, mining it for contacts and sending out spam with poisoned links, or logging your keystrokes for anything that looks like a credit card number and sending the information on to identity thieves.

The standard rules for being safe on the Internet apply when choosing an AV package: check the vendor is an established player in the AV market, and look for reviews and for the experiences of other users.

Is it time to upgrade to Windows 7?

You may feel that Windows XP is good enough for what you need to do. You may feel that you don’t want to pay Microsoft any more money. You may even feel that Windows 7 is a downgrade compared to XP. But there’s more to it than that.

Windows XP is Microsoft’s most successful operating system, having lasted from its launch in 2001 to 2010. Nine years is a lifetime and a half in PC years, but XP is now starting to look long in the tooth. Not only does it not support many of the newer types of hardware being released but, more importantly, it’s not as secure as Windows 7.

From a security perspective, there’s a lot more in 7 than meets the eye, including the ability to take advantage of Intel’s latest on-chip security features under its trusted execution technology branding. And if you’re on XP service pack 2, you need to be aware that Microsoft ended support for it very recently, so you won’t be getting any more updates or patches, leaving you vulnerable to the latest generation of malware.

This process will continue, and eventually, no version of XP will receive updates. That day has yet to arrive but arrive it will, so it’s worth starting to think about what to do when it does.
