Heartbleed is bad, but you can mitigate its damage, albeit via different approaches for users, admins, and developers
Let's face it: Heartbleed is a bloody mess. Worse, it's a different kind of mess for everyone who has to clean up after it. Administrators, end-users, and software developers will all be confronted with aspects of Heartbleed that each can only deal with alone.Here's what each of them needs to do to mitigate the threats that matter most to them individually.UsersIn some ways users have it hardest since the only measures they can take are entirely reactive. They can't patch the actual sites they use (unless they've actually built them), but users can still do a great deal on their own.1. Check sites you visit for the vulnerability. When news of Heartbleed first broke, the only way to find if a given site was vulnerable was to check against one of a number of manually maintained lists of vulnerable sites or to use a third-party website that tested for the vulnerability. Fortunately, you don't have to do that by hand anymore as both Firefox and Chrome now have add-ons that can manually check the status of a visited site.2. Rotate passwords, but only after a site has been patched. This is the tricky part. On the whole, it's a good idea to rotate passwords after any security breach, but only after the breach itself has been closed. Otherwise, it's like changing locks on a door that's never closed anyway. To that end, rotate passwords on affected sites, but only after you're certain Heartbleed is no longer an issue there.If you're not already using a password manager, this is as good an excuse as any to get set up with one. And if you're using sites that support two-factor authentication of some kind but haven't bothered with it, this is also a good excuse to make use of it.Users of the LastPass password management service get two -- possibly three -- benefits for the price of one. The service not only manages passwords and syncs them across devices, but even lets you know if services are Heartbleed-vulnerable and whether or not it's a good idea to update the password yet (whether or not the site has patched and it's OK to rotate passwords).3. Enable certificate revocation checks in your browser. Certificate revocation determines if the SSL/TLS certificates used by your browser have been revoked, which many sites are in the process of doing to avoid reliance on keys that might have been compromised courtesy of Heartbleed. In Google Chrome, this is in Settings: Advanced Settings, under "Check for server certificate revocation." With Firefox, this is enabled by default, so you don't need to do anything. The CloudFlare blog has further notes about the behavior of each browser when dealing with certificate revocation.Administrators
1. Patch affected systems. Before you say "duh," the trick is to find out which systems are affected. There may be more of these than you think, since OpenSSL may be employed in ways that aren't exclusively external, client-facing applications. Those are clearly the most important ones, but don't assume the inventory of affected systems ends there. Some Cisco products, for instance, may be vulnerable; ditto for Juniper Networks.Another, even trickier, example: Microsoft's implementations of TLS in Windows Server systems do not appear to be affected by Heartbleed, but that doesn't mean all software running on Windows boxes is unaffected. Some of that software may implement OpenSSL in its own way and need to be updated separately from anything else.2. Reissue and revoke certificates. Don't flinch. Reissuing and revoking certificate keys is dirty work, but it needs to be done, and even (especially!) big outfits like Akamai have started that difficult job since compromised certificates have to be revoked within 24 hours. Make sure the new certificates are properly credentialed and follow proper guidelines; don't end up like PayPal, which had some of its new certificates issued in the wrong name ("PayPal, Inc.\0a").Developers
1. Audit your code for the use of OpenSSL. Do an audit on all your own projects to determine where or if you are using OpenSSL, then patch or update appropriately. The bigger the project, the more likely it is to contain some dependency on OpenSSL.2. Get the changes out there. Make sure any products you've updated can get into the hands of users all the faster. For example, Android 4.1.1 is affected (but not earlier versions of Android), and while Google is distributing patches to its hardware partners, who knows how long it'll take before those patches actually hit affected devices. Don't be like that if you can help it.3. Consider alternatives to OpenSSL if it's feasible. OpenSSL is not the only game in town; other libraries exist. This isn't to say they're drop-in replacements or won't manifest problems of their own, but now might be the time to think about where they could be of use.
Mobile phones may be treated like playthings these days. However, these flashy gadgets can prove dangerous if not handled with care. Several instances have been reported about the phones blasting off suddenly, the latest victim of which was a 14-year-old child of daily wage workers from Seoni. The blast was so bad that the boy narrowly escaped death and ended up with severe disfigurement to his jaw, nose, mouth and face. TOI tells you the do's and don'ts of handling mobile phones.
What are the things to be kept in mind while buying mobile phones?
Buy a branded phone as far as possible. Ensure that the phone has a proper IMEI number, which is a code that identifies each phone. Check that the number on the phone corresponds to that on the box and receipts.
How and why do mobile phone blasts happen?
The most common reasons for a cell phone to explode are using it while the phone is being charged and 'call bombing'. Charging puts pressure on the motherboard of the phone, using it during charging increases this pressure manifold. This causes the cheap electronic components in some mobiles to explode. Call bombing refers to calls or missed calls received from international numbers. If one receives or calls these numbers back and the call exceeds a certain amount of time, the phone will blast. There is also a malware, or bug, found in some Android-based smartphones, that can also cause explosion by exerting extra pressure on the motherboard during charging.
What care should be taken to ensure not much pressure is put on the phone?
Avoid using the phone while the battery is being charged. If you wish to receive a call during this time, disconnect the phone from charger before connecting the call. Ensure it is not over-charged by removing the electric supply when the battery is fully charged. If your battery seems to have swollen, replace it immediately.
Why is it dangerous to buy cheap phones?
Most cheap models, like those of Chinese make, use hardware and components that are not branded and often substandard. The quality of vital accessories such as battery and earphones are compromised which can have disastrous outcome. Such components cannot be used continuously for as long as their high-quality substitutes. Their shelf life is also shorter.
Is it more harmful to surf internet or download anything on mobile phones?
Yes, because the anti-virus softwares for mobile phones are not as effective. That is why one should avoid downloading anything from a third party vendor, ie directly from the internet browser. Instead use the in-built store or market application provided by the operating system. Malware, which is software that creates a bug in the operating system of the phone, often gets downloaded with third party tools. The sites that you visit using the phone must start with an https (which means they are encrypted or safe sites).
Avoid using public or unsecured Wi-Fi connections. A hacker could access the mobile device through a port that is not secured. Make sure the Bluetooth connectivity is not switched on in public places as it can be used to send malicious files which corrupt the operating system.
Are there certain precautions that must be practiced while using a mobile phone?
While communicating using your cell phone, try to keep the cell phone away from the body as this would reduce the strength of the electromagnetic field of the radiations. Whenever possible, use the speaker-phone mode or a wireless bluetooth headset. For long conversations, use a landline phone.
Avoid carrying your cell phone on your body at all times. When in pocket, make sure that key pad is positioned toward your body so that the transmitted electromagnetic fields move away from you rather than through you. Do not keep it near your body at night such as under pillow or a bedside table, particularly if pregnant. You can also put it on 'flight' or 'offline' mode, which stops electromagnetic emissions. Avoid using your cell phone when signal is weak or when moving at high speed, such as in car or train.
How to deal with a wet phone?
After removing the phone from water, dismantle it by removing battery, SIM and memory cards and switch it off (only SIM card in case of an iPhone). Dry each component thoroughly (but gently) with a towel until the phone is dry to the touch. Then put all components in a bowl of uncooked rice in a way that all components are totally covered. If you have any silica packets (the ones that come with products like new shoes), put them in to the bowl too. Leave it there for 12-24 hours.
Never use a hair dryer to try to dry the phone quicker. Drying it with a heated hair dryer can cause important parts to melt, while forcing water further into the phone. Drying it will a cold hair dryer will just force water deeper into the phone.
Why you shouldn't hold your mobile in your mouth?
Using mobile phones too close to your mouth regularly or holding cell phone in your mouth frequently could lead to malignant salivary gland cancer and tumors in mouth. Regular cell phone users who speak with the phone held too close to the mouth face the problems of sleep disturbance, migraine and headache.
When the internet of things misbehave!“THE internet of things” is one of the buzziest bits of jargon around in consumer electronics. The idea is to put computers in all kinds of products—televisions, washing machines, thermostats, refrigerators—that have not, traditionally, been computerised, and then connect those products to the internet.If you are in marketing, this is a great idea. Being able to browse the internet from your television, switch on your washing machine from the office or have your fridge e-mail you to say that you are running out of orange juice is a good way to sell more televisions, washing machines and fridges. If you are a computer-security researcher, though, it is a little worrying. For, as owners of desktop computers are all too aware, the internet is a two-way street. Once a device is online, people other than its owners may be able to connect to it and persuade it to do their bidding.On January 16th a computer-security company called Proofpoint said it had seen exactly that happening. It reported the existence of a group of compromised computers which was at least partly comprised of smart devices, including home routers, burglar alarms, webcams and a refrigerator. The devices were being used to send spam and “phishing” e-mails, which contain malware that tries to steal useful information such as passwords.The network is not particularly big, as these things go. It contains around 100,000 devices and has sent about 750,000 e-mails. But it is a proof of concept, and may be a harbinger of worse to come—for the computers in smart devices make tempting targets for writers of malware. Security is often lax, or non-existent. Many of the computers identified by Proofpoint seem to have been hacked by trying the factory-set usernames and passwords that buyers are supposed to change. (Most never bother.) The computers in smart devices are based on a small selection of cheap off-the-shelf hardware and usually run standard software. This means that compromising one is likely to compromise many others at the same time. And smart devices lack many of the protections available to desktop computers, which can run antivirus programs and which receive regular security updates from software-makers.Ross Anderson, a computer-security researcher at Cambridge University, has been worrying about the risks of smart devices for years. Spam e-mails are bad enough, but worse is possible. Smart devices are full-fledged computers. That means there is no reason why they could not do everything a compromised desktop can be persuaded to do—host child pornography, say, or hold websites hostage by flooding them with useless data. And it is possible to dream up even more serious security threats. “What happens if someone writes some malware that takes over air conditioners, and then turns them on and off remotely?” says Dr Anderson. “You could bring down a power grid if you wanted to.”
That may sound paranoid, but in computer security today’s paranoia is often tomorrow’s reality. For now, says Dr Anderson, the economics of the smart-device business mean that few sellers are taking security seriously. Proper security costs money, after all, and makes it harder to get products promptly to market. He would like legislation compelling sellers to ensure that any device which can be connected to the internet is secure. That would place liability for hacks squarely on the sellers’ shoulders. For now, he has had no luck. But Proofpoint’s discovery seems unlikely to be a one-off.Good people, lets have your opinion(s).
JUST READ THIS INTERESTING ARTICLE, AND DECIDED I SHOULD SHARE IT WITH ALL MY FRIENDS IN HERE.Article originally posted on the Infoworld website.Recently, I was asked by an instructor at a technical college if I would mind responding to some of his students' questions. I happily agreed. Ultimately, this resulted in a lively back-and-forth session, so I decided to share the exchange with you. Enjoy!Question 1: Microsoft just announced a huge list of security patches for "Patch Tuesday." Why doesn't it just focus on a single product and fix all of the security holes in one shot?
Finding bugs in products doesn't work that way. Every product that Microsoft codes goes under dozens of manual and automated tool reviews. That scrutiny is vital because Microsoft is the biggest target, and as a result Microsoft products actually have fewer vulnerabilities than those of its nearest competitors. But even with the right tools and processes, you can't catch everything.New techniques are found, mistakes are made, and until you have perfect humans, you'll never have perfect code and you'll never have perfect bug detecting.Here's a good example. Years ago someone discovered they could buffer-overflow the HTLM color attribute field located on Web pages as it was rendered in a popular browser. No browser vendor at the time ever thought the color attribute field could be abused. The vendor's security reviewers didn't know to look for it and neither did any of the private or third-party tools, despite the fact that every field should be boundary-tested. Now all vendors check for it. Everything looks easier in hindsight -- improving software is an evolving process.Question 2: In one of your blog posts, you mentioned something like: "The NSA could be hiding small snooping programs in, let's just say, a picture of a cute kitten or a fun Android game." So how can the average Joe ever know that what they download is the real picture or app with no hidden malware in it?
The short answer is you can't -- not even close. The only thing you can do is decide to trust the entity that created the device or code, especially if it is digitally signed. Because as long as their digital-code signing cert wasn't compromised or the machine the code was signed on wasn't compromised, at least you can say that the code the developer signed was what they signed when they signed it. But the truth is you really don't know.It's all a matter of faith and trust. Certainly some vendors deserve more trust than others. Personally, I believe we need to "fix" the Internet and make hacking and snooping, even by the NSA, easier to prosecute and easier to detect. It disturbs me greatly that what the NSA does is completely legal ... and most countries don't even have the laws that we do. I wish everyone's privacy laws were stronger. In the United States, we need to modify our Constitution to guarantee more personal privacy. I thought the amendment against unreasonable search and seizure did that, but it's not even close to being enough these days.Question 3: I liked your article "Crazy IT security tricks that actually work." Someone dismissed your points of "security through obscurity." If these things work, then why would the IT Industry be so quick to discount them?People repeat dogma as fact, when all you're really talking about are cute little sayings that were a stretch from the beginning. Obscurity is one part of security. It shouldn't be relied upon as the only defense, but it certainly plays a big part. If it didn't, every army would tell the other army what all their capabilities were, where all the weapons and troops were, and make everything "transparent."The best thing I can say to anyone trying to learn is not to accept everything you hear at face value. Respect what other, more learned people say, but don't accept anything as gospel unless you do it or see it yourself. Stay skeptical.Question 4: If Stuxnet was the most complex piece of malware ever created, then couldn't the "sons of Stuxnet" wreak havoc across all of the Internet and not just at the Iranian nuclear facility?
This is a huge, huge fear of a lot of people. However, I expect that one day a much less complex piece of malware will "crash" the Internet. Sophisticated malware is needed only for sophisticated scenarios. Crashing the Internet or stealing from banks is easily accomplished with conventional malware. Hackers are likely stealing tens of millions of dollars every day, if not hundreds of millions. They are allowed to get away with it, and the public accepts it as a cost of doing business because they stay below a certain threshold. One day one of them will make a mistake, steal too much, and the world will freak out and finally fix the Internet.Question 5: It has been widely reported that the NSA put backdoors into a bunch of different programs. How do we know these backdoors have been closed?
Most of them probably haven't been closed. Until we get their complete list of software exploits, which is highly unlikely, we'll never be able to do it. And it's not just the NSA you have to worry about, but every sophisticated government and hacker group. Software is full of exploitable holes that only certain people have knowledge of.Question 6: We're being taught to hack. What is to stop us from being evil with the knowledge we've been given?
Hacking is actually fairly easy. It's like a cookbook recipe: Once you know how to hack, it's mostly a repeatable process. Most hackers simply mimic what someone else did. They seldom think of anything new. You want to impress me? Do something new. Most hackers are followers.The smartest hackers are the good guys. It's easy to hack; it's much harder to defend. It's easy to tear down a barn with a saw and a sledgehammer; it's much harder to build the barn. It's even more impressive to build a barn that can resist the saw and the sledgehammer.You shouldn't hack illegally for the same reason you shouldn't assault someone. It's morally wrong. I've had the skills to hack illegally for over two decades. I get paid to hack legally all the time. Over the past nine years it's never taken me more than an hour to break in (except one time, when it took me three hours). This includes banks, hospitals, government agencies, and Fortune 500 companies. It's not that hard to hack. And guess what? I make a very good living -- far better than I could ever have imagined. I am living the dream.Legal hacking allowed me to accomplish this, and I don't have to worry about the feds arresting me. If you go the illegal route, it's going to catch up with you eventually. It always does. You can make more money and sleep well at night by hacking legally. You'll have a better career and a better life doing the right thing.Question 7: I read that no matter how long or complex your password is, that it can be broken by a pass-the-hash attack. True?
In a sense. PtH (pass-the-hash) attacks require that the attacker obtain local administrator status on the box they are stealing hashes from (or obtain domain administrator on a domain controller). If you have that sort of access, then what can't you do?That said, if attackers steal the ultimate authentication secret -- for example a password, a password hash, a Kerberos token, a ticket, and so on -- they have the ultimate authentication they need to do almost anything. Length of password, hash, digital certificate key, and so on will not protect you.PtH attacks are a valid concern, but if they went away completely (Windows Server 2012R2 has plenty of PtH defenses built in), it would not stop attackers in the slightest ... because they already own the box. They can just do keylogging, Trojan the machine, or modify the operating system. We should be more concerned about how attackers get that elevated access in the first place, not focused on what they do with it once they have that access. ... Because sky is the limit and there is no defense.Question 8: Is the NSA leaker a hero or a traitor?
He's a bit of both. Ultimately, he broke his NDA and many laws. He has put other people's lives at risk. He should be punished for that. The only rationale to do what he has done is if what you are revealing is illegal or unconstitutional. So far nothing he has revealed is either of those things. Nothing he has revealed is a surprise to those of us who follow the NSA.Just read any James Bamford book. He was writing about the NSA's capabilities 25 years ago. The only new things that he revealed, to those of us who follow the NSA, is names of programs and perhaps some individual exploits.That said, he is to be applauded for bringing the excesses of what the NSA is legally allowed to do to the public masses. I'm hoping that everyone being upset with the NSA will lead to laws being changed, so the NSA cannot legally collect everything they are already collecting. It upsets me, and others, that it took a single employee breaking the law to make the rest of the world up in arms about something we've known for years if not decades.Question 9: We discussed the FBI takedown of the Silk Road in class and I was wondering: If the NSA has all of the access to our personal lives, why did it take the FBI three years to take them down?
Law enforcement is always slow, especially when it crosses multiple jurisdictions. It takes time to start legal projects, collect evidence, obtain warrants, and proceed. But I suspect that most of the time was spent just getting on the FBI's already busy radar. The FBI, like your own company, has a budget and a project plan each year. I bet Silk Road wasn't on the radar until enough people started complaining. Plus, many times the investigation goes on far longer than what's needed to collect evidence, as perpetrators go after bigger targets and commit more crimes, resulting in easier-to-prove court cases and longer jail sentences.Also, the NSA and the FBI don't always share information. The NSA, for the most part, doesn't care about drug trafficking, money laundering, theft, and a lot of the other things the FBI cares about. As bad as our laws are, the NSA can't simply share what it has with other legal entities.Question 10: I want to work in information security, first as an administrator then ultimately as a consultant. What is the best certification to pursue?
I have about 50 certifications, and I learned something new from each one of them. Each cert made me a more knowledgeable technician, and each gave me something that made me more employable. But if you're talking about which ones count the most, that's a slightly different answer: It's the certification most relevant to your potential employer or its customers.Fortunately or unfortunately, experience counts more. Because of that, you want to pick certs that give you both credentials and real hands-on experience. I like the CompTIA stuff. It teaches a lot. But their certs are basically thought of us "base" certifications. When you earn one of those, you know the basics. Still, great to know, and you will learn something.Personally, I'm not a huge fan of the CISSP (because it's a lousy test), but it's probably the one cert that most employers and clients like to see. I think it's because bosses and clients often have it and think it was hard, so they like to know other people they are hiring had the same hard time with it.I'm a huge fan of anything SANS does or offers. I think the SANS courses, books, instructors, and certs teach you more hands-on experience than any of the other relative certs. When I see someone with a SANS cert, I immediately trust them. It's the security geek's CISSP. I also like the CEH and other certified auditor exams. Each has its benefits. Each teaches you something.Question 11: What kind of tools should I run to make sure my PC is clean (or as clean as possible)?I never recommend a particular product. They are all fairly accurate, and they all fail miserably on a daily basis. Don't believe any of the "accuracy tests" you read. It's not that the tests are inaccurate, it's that they often set specific parameters that (accidentally or otherwise) benefit particular products.I've been in the AV field since 1987. Accuracy goes up and down on every product over time. Just pick one that is reasonably accurate and one that doesn't kill your system's performance. You should run AV, but remember that 99 percent of all successful exploits are caused by unpatched software.Question 12: How can I detect if my computer has been turned into a bot to help perpetrate a DDoS attack?It can be hard, especially if your computer has been hit with a rootkit. AV is supposed to detect that sort of stuff, but it often misses it. I love to do two things to look for bot programs myself. First, I use the free utility Autoruns. It will show you everything that is running when your PC starts. It will be a hundred things. Research anything you don't recognize. When in doubt, uncheck the program and reboot. If it breaks something, run Autoruns again and recheck.Second, download TCPView from Sysinternals. Close every program you think could possibly be communicating with the Internet. Then run TCPView. Research any programs or processes that are communicating with the Internet. Most of the time you'll see one or more things connecting to the Internet that you didn't know about. This is normal. Usually they are just legitimate programs connecting back to the vendor doing something the vendor programmed them to do. Research the destination connection points. If you can't figure out what the program is connecting to and whether it is legitimate, consider using Autoruns to disable it.But the truth is that malware programs can be very difficult to discover and remove. When in doubt, back up all your data, reformat (or reset), and reinstall everything again. This is the only way to truly know that you are starting with a clean state.Question 13: I use a MacBook Pro. I know it is built on Darwin Unix, but is it truly more virus-resistant than Windows 7 or 8?Yes and no. No, in that OS X has far more vulnerabilities than Windows -- and I don't mean a little. Windows gets about 120 to 200 bugs a year. OS X gets two to three times as many, if not more.With that said, because OS X runs on only 5 to 10 percent of the world's computers, it still isn't a very big target. Bad guys target popular things because they are more likely to get something of value. Running OS X will probably incur less risk compared to a Windows computer -- probably significantly less risk.Note that computer viruses aren't nearly as common as worms, Trojans, and other sorts of malware. Use the term "malware" or "malicious program" instead of "virus." Virus indicates only one type of malware.
These performance tips will work for any PC running Windows Vista, Windows 7 or Windows 8.Want more speed? "This PC is so slow!" This is a cry that's been uttered by PC users since, well, PCs were first invented.Since we don't think that there's anyone out there who wouldn't like to squeeze a little more performance out of their PC, we've pulled together six top tips that will help you get the most out of your Windows PC, without having to spend a fortune.These tips will work for any PC running Windows Vista, Windows 7, and Windows 8.Get rid of the junkThere's nothing like having loads of junk installed on a system to turn even the best PC into a river of molasses.There's two sorts of junk to consider. The first is the stuff that the PC makers install into new PCs, and the other is the junk that you (and other people using the PC) have installed on it.Add more RAMWhile not a free option, installing RAM is, without a doubt, the single best bang-for-your-buck hardware upgrade you can carry out on a PC. And adding RAM has never been cheaper, with an extra 4GB costing around $60.If you've got a reasonably fast USB drive laying about the place then you can use this to give your PC a performance boost by using it as a ReadyBoost drive.The ReadyBoost feature, which is part of Windows Vista and above, and allows flash memory – in the form of a USB flash drive, SD Card, Compact Flash card, or SSD – to be used as a high-speed cache to boost performance as long as they meet the following criteria:· Capacity of at least 256MB, with at least 64KB of free space· At least a 2.5MB/sec throughput for 4KB random reads· At least a 1.75MB/sec throughput for 1MB random writesMaking use of ReadyBoost is easy.· Plug the drive into the PC.· Either click on > from the dialog box, or right-click on the drive in Windows Explorer and choose and then click on the tab.· Choose whether you want to dedicate the drive to ReadyBoost (which prevents you from using it as storage), or use a portion of it for ReadyBoost.· Click .Defragment your drivesCarrying out a regular defragment of your PC is a good idea if you want to keep it in tip-top condition. The only think to bear in mind is that you shouldn't, under any circumstances, defragment an SSD drive. Not only will you get zero benefit from it, but you will seriously shorten the life of the drive.But if you are still running regular hard drives then Windows is set to defragment your system once a week, but you should check to see that this is on and that all your drives are defragmented. You can run the Disk Defragmenter any time you feel you've made a lot of changes to the data on your drives.It can be accessed from:· : > > > >· : Open the Charms bar and search for "Optimize Drives" and then click onThere's a lot of voodoo written on the web about defragmenting drives, and there are all manner of arcane command-line switches you can use to carry out different sorts of defragment. In my experience, a simple defrag once a week is all you need.Add powerIf you have a notebook system that's a bit sluggish then the easiest way to speed if up is to connect it to a power supply!Windows can detect if it is running on a notebook systems and it will switch over to a low power profile when it detects that it is running on battery power. While this is good for battery life, it's bad for performance, so if you want more oomph from the system, connecting it to a power supply will restore performance to normal levels.You can go digging around in the bowels of Windows and make permanent changes to the power profiles, but I don't recommend this as it will have a huge detrimental effect on battery life. It's much easier to remember to hook up the system to a power supply when you want more performance.Install the latest driversThe drivers that control your hardware can have a huge effect on how well your system runs, and one of the drivers that's key to system performance is the graphics card driver.While people who rely on the default Windows driver or who don't care about performance might never need to think about their graphics card driver, anyone who care about getting the best from their hardware – and especially anyone who is into PC gaming – should probably check to see if there's an updated driver every few months because it can make a huge difference to how well games run.Other drivers worth checking regularly are the motherboard drivers (which can have a huge effect of data transfer rates to and from your hard drives), and drivers for any external hardware you use.