Defensive Computing

I have, in the past, been critical of computer articles in the newspapers I regularly read, the Wall Street Journal and the New York Times. Often I've warned that you don't read PC Magazine for mutual fund advice and you shouldn't read the Wall Street Journal for computer advice. Yet, the reporters in these newspapers are significantly more technically qualified than the Orlando Sentinel.

Today, I'm in south Florida, where the Sun Sentinel is the local paper. They reprinted an article by Etan Horowitz (no relation), Set up a home wireless network, that originally appeared last month in the Orlando Sentinel.

The article contains a number of technical inaccuracies, which I'll discuss below and well as some important omissions. The hardest part of technology may very well be learning what advice to trust.

(Credit: Belkin)

The article says "Most new laptop and desktop computers have built-in wireless networking..." New desktop computers with built-in wireless networking? Not the ones I've seen.

It warns that "...if you are using an old computer you may have to buy a wireless network adapter." True enough, but they come in multiple form factors (PC card, Express card, PCI and USB) an important point that is not mentioned.

It says that "..a printer may ... require a wireless networking adapter."

Networking a printer that does not do networking on its own, requires a print server. As far as I know, there is no such thing as a wireless networking adapter for a printer. And the print server does not need wireless networking at all, a wired/Ethernet print server can connect to a router and make any printer available to a WiFi based laptop computer.

As for the initial router configuration, the article says "... follow the instructions that came with your router and use the installation CD. If you have a desktop computer that will always be in the same room as your modem or router, run the CD on that computer. Otherwise run the CD on your newest computer."

Newest computer? I can't even guess where this came from. Initial router configuration should be done using an Ethernet connection and any computer that can read CDs and has an Ethernet port will do.

Ethernet came up again in the discussion of adding a password to a WiFi network that doesn't have one. The article says "If you aren't prompted to do this while setting up your network, you'll need to connect a computer to your router via an Ethernet cable ..."

Ethernet is not required. You can connect to the router using the wireless network and make changes to the router this way, including adding or changing the password for the WiFi network. Most likely, after adding/changing the password, the router will re-start itself and you'll have to connect to the wireless network again, using the new password.

Connecting directly to the router requires knowing its IP address. If you don't know it, the article suggests a Google search for the default IP address used by the manufacturer of the router. This is not the best approach. For one, default IP addresses may change over time. For another, your router may not be using the factory default IP address. Your computer always knows the IP address of the router, any computer running TCP/IP knows this. In Windows, open a command prompt and type "ipconfig". The IP address of your router is referred to in the output as the "Default Gateway".

Before attempting to connect to a wireless network, the article warns that "you'll have to make sure that the computer's wireless connection is turned on or that your adapter has been installed and set up."

First of all, that's an "and" not an "or". If either of those conditions are not met, the computer won't connect to any wireless network. And just what was meant by a wireless network connection being turned on? It could refer to the switch on the outside of the laptop computer that controls the wireless radio. It might refer to the definition of the wireless network being enabled rather than disabled. It might refer to a host of things.

The instructions for connecting to an existing wireless network are not the most useful. Quoting: "On Windows computers, look in the Control Panel to enable wireless connectivity and search for available networks."

If you get as far as trying to connect to a wireless network, the article says "You will be asked to choose the type of security setting (WEP, WPA etc) and enter the network key." Windows XP users that let Windows control the WiFi connection are not asked to chose the type of security. Windows is smart enough to figure out the type of security being used all by itself. And, an article targeted at a general audience has to point out that "network key" means "WiFi password".

Omissions

The article left out a number of important issues.

The Sun Sentinel version of the story says nothing about choosing WEP, WPA or WPA2 when configuring a new network. It turns out the Sun Sentinel removed this sentence from the original story: "There are several levels of security you can add to your network, but one of the most basic is to choose a security setting such as "WEP" or "WPA" and generate network keys. If possible, use WPA."

Even with this sentence, however, WPA is not at all secure if you chose a short password or use a word in the dictionary. When it comes to WPA, you should think in terms of pass sentence rather than password. The recommendation is to use at least a 20 character password. Steve Gibson offers great 64 character passwords.

Many people share a single broadband Internet connection but don't need to share files between their computers. If that's the case for you, you're much better off turning off File and Printer sharing in the definition of the wireless network and/or the wired network connection.

The article doesn't mention changing the default password for the router itself. This has nothing to do with the WiFi network, instead it controls all access to the router for the purpose of making configuration changes. I blogged about this in March, see Defending your router, and your identity, with a password change.

Finally, the article didn't even include the word firewall. Discussing wireless networking without mentioning firewalls borders on malpractice.

If you are in south Florida, you may want to complain to the newspapers. Otherwise, you'll get more of the same.

Note: One of the earliest postings I wrote on this blog, back in July 2007, was about steps to take in preparation for networking failures. See The blinking lights on a router are talking to you.

See a summary of all my Defensive Computing postings.

Defensively speaking, anyone using a public WiFi hotspot should employ Virtual Private Network (VPN) software to encrypt all traffic/data traveling over the airwaves. Less obviously dangerous, but equally snoopable, are wired Ethernet connections to the Internet in hotel rooms. I wrote about the dangers in hotels last month, see Defending against insecure hotel networks with a VPN.

If you work for a large company, you may already be using VPN software to make an encrypted connection to the home office. Many of you however, need it and don't use it.

Yesterday I briefly described the VPN services, and related costs, from two companies, WiTopia and HotSpotVPN (see More about VPNs: Price and Trust). The head of each company made long comments on yesterdays posting. Since they raise important points, I'm re-publishing them here.

Glynn Taylor of HotSpotVPN

Below is Glynn's comment, unedited.

My name is Glynn Taylor and I'm the founder of HotSpotVPN and WiFiConsulting, inc. I'd like to expand upon my rather terse reply above.

Trust is one of the most important things in the security business. Our privacy policy consists of some strong simple statements that we have stood by for five years. We pledge that we will not sell, share, trade, disclose or rent any of your information to others. We also state that we will not record, sniff, scan or view any HotSpotVPN user's Internet traffic. Beware any VPN vendor that will use your information for other purposes.

Price: We have many more features than any of our competitors and this leads to higher costs in our infrastructure. It also leads to the most safe flexible and usable VPN service available. We use the service ourselves so we built it with everything we wanted it to have.

TunnelGuardian: HotSpotVPN is more than just a VPN. We have software running in our infrastructure that will proactively block malware and optionally block all on-line advertisements from getting to the client's computer. In low bandwidth situations the ad-blocking speeds up the surfing experience. Most importantly on-line ads served through reputable ad agencies can be used to load Trojans and viruses onto a computer. Ad blocking prevents this attack vector from being used against our users.

Most Flexible: With HotSpotVPN2 you have a choice of ports to use and you can switch from tcp to udp protocols. We default to tcp on port 443 so if a browser on a https session works, the vpn will work. You can also change to the udp protocol which provides much better voip streaming video and audio than tcp.

Our servers are spread out across the country so you can choose the servers closest to you to minimize latency. If you are in Europe you would use our east coast servers, in Asia, our west coast servers. It makes a big difference. I have used the service from China, New Zealand and Europe over the last year and this is very important.

Bandwidth: Our goal is to provide quality service to our users without having to throttle their bandwidth down to annoying levels. We have succeeded in this and are actually adding another 1.2 Gigabits during the next change control window (about a week from now).

Thank you.
GT

Bill Bullock of WiTopia

Below is the un-edited reply from Bill Bullock, President of WiTopia.

Hi. This is Bill Bullock from WiTopia. Glynn raises some additional points in his amendment that I feel should be addressed just so they are not misleading. Not that Glynn meant to mislead in promoting his service. I would like to give credit where credit is due, but clarify that we do not charge less because we "skimp" in the areas mentioned.

Glynn said: We pledge that we will not sell, share, trade, disclose or rent any of your information to others. We also state that we will not record, sniff, scan or view any HotSpotVPN user's Internet traffic. Beware any VPN vendor that will use your information for other purposes.

Reply:

Same with WiTopia as governed by our privacy policy. We absolutely do not record or monitor customers' data, sites visited, etc. and also certainly do not share customer information with any third party. Again, we take the privacy aspect of the service deadly serious.

Glynn said: Price: We have many more features than any of our competitors and this leads to higher costs in our infrastructure. It also leads to the most safe flexible and usable VPN service available. We use the service ourselves so we built it with everything we wanted it to have.

Reply:

Yes. We use our own service too. :) I think words like "most" may be misunderstood. I don't believe any VPN provider (or any network service) can accurately claim "most usable," "most safe," "most flexible." We have comprehensive security and usability features in place. Some simply keep "bad guys" off the service, thwart attacks, and enforce solid security policy, and some are convenience such as providing zero-config SMTP relays, certificate regenerators, etc. This gets into network design elements and "secret sauce" that would likely be quite boring to most people. Again, I would sincerely hope both services have serious networking expertise behind them.

Glynn said: TunnelGuardian: HotSpotVPN is more than just a VPN. We have software running in our infrastructure that will proactively block malware and optionally block all on-line advertisements from getting to the client's computer. In low bandwidth situations the ad-blocking speeds up the surfing experience. Most importantly on-line ads served through reputable ad agencies can be used to load Trojans and viruses onto a computer. Ad blocking prevents this attack vector from being used against our users.

Reply:

I have a legitimate question on TunnelGuardian, but HSVPN may have a great answer. Don't know. It sounds like a neat feature if you think ads are slowing your connection.

Here's the question: To deliver the TunnelGuardian service, wouldn't HotspotVPN have to inspect the html code before encrypting it to block malware, on-line ads, etc.? Wouldn't the traffic have to be scanned?

Glynn said: Most Flexible: With HotSpotVPN2 you have a choice of ports to use and you can switch from tcp to udp protocols. We default to tcp on port 443 so if a browser on a https session works, the vpn will work. You can also change to the udp protocol which provides much better voip streaming video and audio than tcp.

Reply:

OK. again with the "most" stuff. :) We will soon allow customers to "customize" on the client side and choose different ports, etc. We optimized a standard configuration/bundle which would suit the needs of most everyone before we allowed customization. This ensures easier support, scaling, and allows us to offer a lower price to more people.

WiTopia's openVPN SSL service is optimized for video and VoIP (using udp) and we designed the PPTP to be more "scrappy" using tcp as its error-correcting ability is superior if there are network irregularities.

Glynn said: Our servers are spread out across the country so you can choose the servers closest to you to minimize latency. If you are in Europe you would use our east coast servers, in Asia, our west coast servers. It makes a big difference. I have used the service from China, New Zealand and Europe over the last year and this is very important.

Reply:

We do agree moving gateways closer to customers is a factor of performance so we have several spec'ed out to be deployed over the next quarter. Although, there are other factors... and from personal and customer experiences from all over the world, I'm not sure this matters as much as even we once thought. Improvements in routing, capacity, peering points etc. on the Internet have lessened the need for geographical proximity. Still, we'll be doing our rollout too. Purchasing shiny new gear.

Glynn said: Bandwidth: Our goal is to provide quality service to our users without having to throttle their bandwidth down to annoying levels. We have succeeded in this and are actually adding another 1.2 Gigabits during the next change control window (about a week from now).

Reply:

So I don't crash CNET's servers with my response, I'll just conclude with, we don't throttle any bandwidth whatsoever. Our only policy is if usage falls completely outside reasonable customer norms, e.g., you try to run a phone company over it, we have the right to be "unpleasant." Haven't had to do it yet!

A note about finding each company. HotSpotVPN is at hotspotvpn.com. The website hotspotvpn.org is from a competing company, one that I know nothing about. This competitor doesn't say anything about who they are, and doesn't even offer a physical address on the Contact Us page. Trust is part of the equation with VPN companies, so I would not consider using this competitor. WiTopia is at witopia.net. There is no website at witopia.com and if one shows up tomorrow it will not be from the VPN company, which does not, at the moment, own the .com domain name.

See a summary of all my Defensive Computing postings.

Last month I wrote about using a rented VPN (Virtual Private Network) service to provide encryption for everything you do on the Internet (see Defending against insecure hotel networks with a VPN). The need for a VPN on a wireless WiFi network is pretty obvious, but, as I wrote, it is equally important for anyone who travels, as there are a number of ways to be spied on when you use a wired connection in a hotel room. I mentioned two companies that rent VPN service, Witopia and HotSpotVPN.

A reader left an interesting follow-up comment:

"I like the idea of using a VPN service, especially since WiFi is provided with my apartment and I don't want my landlord virtually snooping around. But which of the two is a better service? I like Witopia's price because I could afford to buy an account for each of my computers. How does HotspotVPN justify the higher price. Also, I can't find any information on either as to the information they keep about my surfing habits, marketing data, etc. Why should I trust either of these companies more than my landlord, a hotel, or Starbucks?"

I ran this question by each company and their responses are below. First, some background on pricing and services.

Both companies offer an SSL based VPN for a yearly fee.

The Witopia service is called PersonalVPN, the HotSpotVPN service is called HotSpotVPN-2. Witopia charges $40/year and uses 128 bit encryption using the Blowfish cipher. HotSpotVPN charges $109 for similar 128 bit Blowfish encryption and more for higher grades of encryption.

In his Security Now podcast, Steve Gibson said the lowest level of encryption from HotSpotVPN is sufficient. On this subject, Witopia's website says "Depending on other factors, higher levels of encryption may simply bog down your processor without providing the security you might think."

Both companies also offer PPTP based VPN service, thrown in when you purchase their SSL based VPN. I'm no expert on the technical differences between the two types of VPNs, but SSL is more secure whereas PPTP can often be used without installing software. Both companies note that PPTP is the only type of VPN supported on an Apple iPhone.

(Credit: Matalyn)

HotSpotVPN offers a stand-alone PPTP based VPN service, Witopia does not. Being techies, they gave it the imaginative name HotSpotVPN-1. Quoting their website: "HotSpotVPN-1 is perfect for the infrequent traveler because it is available in 1,3, and 7 day increments for only $3.88, $5.88, and $6.88 respectively." On a yearly basis, HotSptVPN-1 is $89.

Witopia

Addressing the reader comment, Bill Bullock, President of Witopia says:

"These are good and fair questions. I can't comment too much on HotspotVPN's pricing model, but as far as we know, WiTopia's PPTP + openVPN SSL bundle is technically identical to HotspotVPN's PPTP and openVPN SSL bundle...at least as far as the protocols offered. I hear they offer a fine service and have a loyal following. It may just be a difference in strategic approach to the market.

As far as trust, that is a valid point. You need to trust your VPN provider. Not only their philosophy, but their technical prowess. There are a lot of new entrants in the market now with "sketchy" approaches, and many others seem to be single-server shops that may unknowingly make errors compromising your data as they try to scale. I would hope that any established VPN company that has a track record and has been covered positively on the Internet by customers and the press is a safe bet. What needs to be understood, is that our livelihood depends on keeping you safe and honoring your privacy. If we ever compromised that, unwillingly or with bad intent, I would imagine word would get out pretty fast. I can say that here at WiTopia, we take it very very seriously."

HotSpotVPN

Glynn Taylor President of WiFiConsulting, the company behind HotSpotVPN says:

"Our higher price reflects that you will get two vpn's for the price of one. You will get an openVPN VPN and a PPTP VPN for your iPhone or whatever you want to run it on. Also we have a boatload of bandwidth that is intelligently biased towards VOIP. I think we also offer higher encryption than most."

Do Something

Serious techies take another approach altogether. They have computers running all the time that run VPN server software. For a secure Internet connection, they phone home (so to speak) and surf the Internet from the wired connection at their home base, be it a home, office or a rented server.

Whichever approach/company you use, the time really has come for VPNs to be added to the list of standard defensive software for everyone using the Internet.

Update. March 15, 2008: For more on this see A VPN debate: WiTopia and HotSpotVPN

Note: Witopia is witopia.net. Witopia.com seems to be owned by a person rather than a company and there is no such website. All prices are rounded off.

See a summary of all my Defensive Computing postings.

My point last month, when I wrote that Ethernet connections in a hotel room are not secure, was that wired Internet connections in a hotel are no more secure than wireless connections. The issue I described involved a technically savvy guest, reconfiguring the network to place their computer logically between you and the outside world. Thus positioned, they might as well be watching over your shoulder.

A few days ago Leo Notenboom cited two additional reasons why wired hotel connections can't be trusted: hotel employees can snoop and, if the rooms are connected with a hub, even a nontechie person in another room can easily snoop on your Internet connection (see "Can hotels sniff my internet traffic?").

There are two approaches for dealing with this, a good one and a bad one.

The bad one involves dealing separately with each Internet application. For Web browsing, this means only viewing sensitive pages through an encrypted HTTPS connection. For e-mail using client software such as Thunderbird (as opposed to Web mail), it means a nontrivial reconfiguration of the e-mail environment, which may not even be possible, since not all e-mail providers offer encryption. Then still, instant-messaging, FTP, and other applications have to be dealt with individually. What a mess.

The good approach is to use a VPN, or virtual private network, to encrypt everything.

Virtual private networks

Often VPNs are spoken of in terms of corporate employees connecting back to their corporate LAN. But there are also VPNs for the rest of us. A handful of companies rent out VPNs to anyone, and they're not very expensive.

These rented VPNs provide a secure, encrypted pathway (techies use the term "tunnel") between you and the company renting the VPN. For example, if the VPN company is in Cleveland, your computer makes a secure connection to Cleveland. Everything traveling between you and Cleveland is encrypted. No matter who does what in a hotel, all they can get from you is a useless encrypted bunch of bits.

When your Web pages, e-mail messages, instant messages and whatnot get to Cleveland, they are decrypted and dumped onto the Internet just like everything else. The encryption is only between you and Cleveland, not end to end.

Put another way, someone staying at a hotel in California looking at my personal Web site, michaelhorowitz.com, in Texas would send an encrypted request for a Web page to the VPN company in Cleveland, where the request is decrypted and forwarded to Texas. My Web site responds and sends a Web page back to Cleveland (as far as my Web site knows, the request came from Cleveland) where the VPN company encrypts it and sends it to the hotel in California.

This does slow things down a bit, but with a broadband connection the trade-off is certainly worth it and probably not noticeable.

To use the VPN service, you first connect to the Internet, then start up the VPN software. At this point you are safe, secure and happy. When you are done, first shut down the VPN software, then disconnect from the Internet.

Where to rent

Two companies that rent VPNs are Witopia and HotSpotVPN. Both offer two types of VPNs, PPTP and SSL. The pros and cons of each type of VPN are not something I'm ready to get into. Suffice it to say that a PPTP VPN is usually cheaper, probably won't require software to be installed, and is not as secure when compared to an SSL-based VPN.

The HotSpotVPN-1 service is based on PPTP, while the HotSpotVPN-2 is based on SSL. HotSpotVPN-1 is roughly $9 per month, and HotSpotVPN2 ranges from roughly $11 to $14 per month depending on the strength of the encryption. According to Steve Gibson, the cheapest encryption strength is sufficient. In both cases, yearly charges are 10 times the monthly charge. HotSpotVPN-1 is also available by the day or week.

WiTopia calls their rented VPN service PersonalVPN. The SSL-based version of PersonalVPN is only $40 a year (the equivalent service from HotSpot is $110 to $140 per year). Witopia does not offer the PPTP version by itself, instead they currently throw it in for free when you purchase/rent the SSL-based product.

HotSpot also throws in a PPTP-based VPN when you order their SSL-based product. Both companies point out that Apple's iPhone supports PPTP-based VPNs.

Using a VPN is a small annoyance, but security and convenience will forever be at odds.

For more on this see More about VPNs: Price and Trust from March 14, 2008.

See a summary of all my Defensive Computing postings.

Many years ago I dealt with Network Solutions for registering domains and the experience was not a happy one. Subsequently I avoided them, until recently, when a client had a domain registered there. I would have been happy to let sleeping dogs lie, but wanted to use an advanced domain related feature offered by another registrar. It was time to deal with Network Solutions again.

Starting at networksolutions.com I tried to find instructions for moving the domain registration to another registrar. No can do. If the instructions are there, I couldn't find them. On the home page Domains menu, the Transfer Domain Name link takes you to a page with instructions about transferring to, but not from, Network Solutions. You can't find the procedure by searching the web site either - there is no site search. So I emailed customerservice@networksolutions.com asking how to transfer a domain away from them. Network Solutions responded with:

"We are committed to creating the best customer experience possible. One of the first ways we can demonstrate our commitment to this goal is to quickly and efficiently respond to your recent e-mail. Please provide us with the domain name involved, so we could advise you accordingly."

If they really wanted to provide the best customer experience, instructions for transferring domain registration away from them would be easy to find. At this point, I'm thankful that I avoided Network Solutions all these years. After responding with the domain name in question, they came back with this:

"We are committed to creating the best customer experience possible. One of the first ways we can demonstrate our commitment to this goal is to quickly and efficiently handle your recent request. We have received and reviewed your e-mail. Please know that we genuinely want to help you in this matter.

We received your recent request regarding a domain name registration. However, on the account you are not listed as either the Account Holder or as a contact (e.g., Account Administrative or Account Technical contact). Our contracts do not allow us to exchange information with any individual who is not listed as an Account Holder or Account Contact."

Is it just me, or does any company that says how much they want to help you, never actually follow through? For example, if you call LL Bean someone answers the phone quickly and helps you. They don't say how much they want to help you or how committed they are to helping you, they just do it.

The fact that Network Solutions does not want people to know the procedure for leaving them, should tell you all need to know about using them as a registrar. Shades of AOL. All registrars do not do business this way.

One registrar that I like, directNIC, makes it easy to find instructions for transferring a domain away from them. Clicking the Domain Transfers link on their home page takes to you a page with a link to the domain transfers section of their FAQ. One of the questions there is "How do I transfer a domain from directNIC to another registrar?" That wasn't too hard to find.

At Register.com the path is even more direct. On their home page, click on Domains and then Domain Help. This brings up a list of questions including this one "How do I transfer my domain name to another Registrar?"

Register.com and directNIC are not afraid to tell the world how to stop using their services. Good for them. Remember this the next time you go to register a domain name.