Tech Gurus - Information Hub for everything Technology

JUST READ THIS INTERESTING ARTICLE, AND DECIDED I SHOULD SHARE IT WITH ALL MY FRIENDS IN HERE.

Article originally posted on the Infoworld website.

Recently, I was asked by an instructor at a technical college if I would mind responding to some of his students' questions. I happily agreed. Ultimately, this resulted in a lively back-and-forth session, so I decided to share the exchange with you. Enjoy!

Question 1: Microsoft just announced a huge list of security patches for "Patch Tuesday." Why doesn't it just focus on a single product and fix all of the security holes in one shot?
Finding bugs in products doesn't work that way. Every product that Microsoft codes goes under dozens of manual and automated tool reviews. That scrutiny is vital because Microsoft is the biggest target, and as a result Microsoft products actually have fewer vulnerabilities than those of its nearest competitors. But even with the right tools and processes, you can't catch everything.

New techniques are found, mistakes are made, and until you have perfect humans, you'll never have perfect code and you'll never have perfect bug detecting.

Here's a good example. Years ago someone discovered they could buffer-overflow the HTLM color attribute field located on Web pages as it was rendered in a popular browser. No browser vendor at the time ever thought the color attribute field could be abused. The vendor's security reviewers didn't know to look for it and neither did any of the private or third-party tools, despite the fact that every field should be boundary-tested. Now all vendors check for it. Everything looks easier in hindsight -- improving software is an evolving process.

Question 2: In one of your blog posts, you mentioned something like: "The NSA could be hiding small snooping programs in, let's just say, a picture of a cute kitten or a fun Android game." So how can the average Joe ever know that what they download is the real picture or app with no hidden malware in it?
The short answer is you can't -- not even close. The only thing you can do is decide to trust the entity that created the device or code, especially if it is digitally signed. Because as long as their digital-code signing cert wasn't compromised or the machine the code was signed on wasn't compromised, at least you can say that the code the developer signed was what they signed when they signed it. But the truth is you really don't know.

It's all a matter of faith and trust. Certainly some vendors deserve more trust than others. Personally, I believe we need to "fix" the Internet and make hacking and snooping, even by the NSA, easier to prosecute and easier to detect. It disturbs me greatly that what the NSA does is completely legal ... and most countries don't even have the laws that we do. I wish everyone's privacy laws were stronger. In the United States, we need to modify our Constitution to guarantee more personal privacy. I thought the amendment against unreasonable search and seizure did that, but it's not even close to being enough these days.

Question 3: I liked your article "Crazy IT security tricks that actually work." Someone dismissed your points of "security through obscurity." If these things work, then why would the IT Industry be so quick to discount them?

People repeat dogma as fact, when all you're really talking about are cute little sayings that were a stretch from the beginning. Obscurity is one part of security. It shouldn't be relied upon as the only defense, but it certainly plays a big part. If it didn't, every army would tell the other army what all their capabilities were, where all the weapons and troops were, and make everything "transparent."

The best thing I can say to anyone trying to learn is not to accept everything you hear at face value. Respect what other, more learned people say, but don't accept anything as gospel unless you do it or see it yourself. Stay skeptical.

Question 4: If Stuxnet was the most complex piece of malware ever created, then couldn't the "sons of Stuxnet" wreak havoc across all of the Internet and not just at the Iranian nuclear facility?
This is a huge, huge fear of a lot of people. However, I expect that one day a much less complex piece of malware will "crash" the Internet. Sophisticated malware is needed only for sophisticated scenarios. Crashing the Internet or stealing from banks is easily accomplished with conventional malware. Hackers are likely stealing tens of millions of dollars every day, if not hundreds of millions. They are allowed to get away with it, and the public accepts it as a cost of doing business because they stay below a certain threshold. One day one of them will make a mistake, steal too much, and the world will freak out and finally fix the Internet.

Question 5: It has been widely reported that the NSA put backdoors into a bunch of different programs. How do we know these backdoors have been closed?
Most of them probably haven't been closed. Until we get their complete list of software exploits, which is highly unlikely, we'll never be able to do it. And it's not just the NSA you have to worry about, but every sophisticated government and hacker group. Software is full of exploitable holes that only certain people have knowledge of.

Question 6: We're being taught to hack. What is to stop us from being evil with the knowledge we've been given?
Hacking is actually fairly easy. It's like a cookbook recipe: Once you know how to hack, it's mostly a repeatable process. Most hackers simply mimic what someone else did. They seldom think of anything new. You want to impress me? Do something new. Most hackers are followers.

The smartest hackers are the good guys. It's easy to hack; it's much harder to defend. It's easy to tear down a barn with a saw and a sledgehammer; it's much harder to build the barn. It's even more impressive to build a barn that can resist the saw and the sledgehammer.

You shouldn't hack illegally for the same reason you shouldn't assault someone. It's morally wrong. I've had the skills to hack illegally for over two decades. I get paid to hack legally all the time. Over the past nine years it's never taken me more than an hour to break in (except one time, when it took me three hours). This includes banks, hospitals, government agencies, and Fortune 500 companies. It's not that hard to hack. And guess what? I make a very good living -- far better than I could ever have imagined. I am living the dream.

Legal hacking allowed me to accomplish this, and I don't have to worry about the feds arresting me. If you go the illegal route, it's going to catch up with you eventually. It always does. You can make more money and sleep well at night by hacking legally. You'll have a better career and a better life doing the right thing.

Question 7: I read that no matter how long or complex your password is, that it can be broken by a pass-the-hash attack. True?
In a sense. PtH (pass-the-hash) attacks require that the attacker obtain local administrator status on the box they are stealing hashes from (or obtain domain administrator on a domain controller). If you have that sort of access, then what can't you do?

That said, if attackers steal the ultimate authentication secret -- for example a password, a password hash, a Kerberos token, a ticket, and so on -- they have the ultimate authentication they need to do almost anything. Length of password, hash, digital certificate key, and so on will not protect you.

PtH attacks are a valid concern, but if they went away completely (Windows Server 2012R2 has plenty of PtH defenses built in), it would not stop attackers in the slightest ... because they already own the box. They can just do keylogging, Trojan the machine, or modify the operating system. We should be more concerned about how attackers get that elevated access in the first place, not focused on what they do with it once they have that access. ... Because sky is the limit and there is no defense.

Question 8: Is the NSA leaker a hero or a traitor?
He's a bit of both. Ultimately, he broke his NDA and many laws. He has put other people's lives at risk. He should be punished for that. The only rationale to do what he has done is if what you are revealing is illegal or unconstitutional. So far nothing he has revealed is either of those things. Nothing he has revealed is a surprise to those of us who follow the NSA.

Just read any James Bamford book. He was writing about the NSA's capabilities 25 years ago. The only new things that he revealed, to those of us who follow the NSA, is names of programs and perhaps some individual exploits.

That said, he is to be applauded for bringing the excesses of what the NSA is legally allowed to do to the public masses. I'm hoping that everyone being upset with the NSA will lead to laws being changed, so the NSA cannot legally collect everything they are already collecting. It upsets me, and others, that it took a single employee breaking the law to make the rest of the world up in arms about something we've known for years if not decades.

Question 9: We discussed the FBI takedown of the Silk Road in class and I was wondering: If the NSA has all of the access to our personal lives, why did it take the FBI three years to take them down?
Law enforcement is always slow, especially when it crosses multiple jurisdictions. It takes time to start legal projects, collect evidence, obtain warrants, and proceed. But I suspect that most of the time was spent just getting on the FBI's already busy radar. The FBI, like your own company, has a budget and a project plan each year. I bet Silk Road wasn't on the radar until enough people started complaining. Plus, many times the investigation goes on far longer than what's needed to collect evidence, as perpetrators go after bigger targets and commit more crimes, resulting in easier-to-prove court cases and longer jail sentences.

Also, the NSA and the FBI don't always share information. The NSA, for the most part, doesn't care about drug trafficking, money laundering, theft, and a lot of the other things the FBI cares about. As bad as our laws are, the NSA can't simply share what it has with other legal entities.

Question 10: I want to work in information security, first as an administrator then ultimately as a consultant. What is the best certification to pursue?
I have about 50 certifications, and I learned something new from each one of them. Each cert made me a more knowledgeable technician, and each gave me something that made me more employable. But if you're talking about which ones count the most, that's a slightly different answer: It's the certification most relevant to your potential employer or its customers.

Fortunately or unfortunately, experience counts more. Because of that, you want to pick certs that give you both credentials and real hands-on experience. I like the CompTIA stuff. It teaches a lot. But their certs are basically thought of us "base" certifications. When you earn one of those, you know the basics. Still, great to know, and you will learn something.

Personally, I'm not a huge fan of the CISSP (because it's a lousy test), but it's probably the one cert that most employers and clients like to see. I think it's because bosses and clients often have it and think it was hard, so they like to know other people they are hiring had the same hard time with it.

I'm a huge fan of anything SANS does or offers. I think the SANS courses, books, instructors, and certs teach you more hands-on experience than any of the other relative certs. When I see someone with a SANS cert, I immediately trust them. It's the security geek's CISSP. I also like the CEH and other certified auditor exams. Each has its benefits. Each teaches you something.

Question 11: What kind of tools should I run to make sure my PC is clean (or as clean as possible)?

I never recommend a particular product. They are all fairly accurate, and they all fail miserably on a daily basis. Don't believe any of the "accuracy tests" you read. It's not that the tests are inaccurate, it's that they often set specific parameters that (accidentally or otherwise) benefit particular products.

I've been in the AV field since 1987. Accuracy goes up and down on every product over time. Just pick one that is reasonably accurate and one that doesn't kill your system's performance. You should run AV, but remember that 99 percent of all successful exploits are caused by unpatched software.

Question 12: How can I detect if my computer has been turned into a bot to help perpetrate a DDoS attack?

It can be hard, especially if your computer has been hit with a rootkit. AV is supposed to detect that sort of stuff, but it often misses it. I love to do two things to look for bot programs myself. First, I use the free utility Autoruns. It will show you everything that is running when your PC starts. It will be a hundred things. Research anything you don't recognize. When in doubt, uncheck the program and reboot. If it breaks something, run Autoruns again and recheck.

Second, download TCPView from Sysinternals. Close every program you think could possibly be communicating with the Internet. Then run TCPView. Research any programs or processes that are communicating with the Internet. Most of the time you'll see one or more things connecting to the Internet that you didn't know about. This is normal. Usually they are just legitimate programs connecting back to the vendor doing something the vendor programmed them to do. Research the destination connection points. If you can't figure out what the program is connecting to and whether it is legitimate, consider using Autoruns to disable it.

But the truth is that malware programs can be very difficult to discover and remove. When in doubt, back up all your data, reformat (or reset), and reinstall everything again. This is the only way to truly know that you are starting with a clean state.

Question 13: I use a MacBook Pro. I know it is built on Darwin Unix, but is it truly more virus-resistant than Windows 7 or 8?

Yes and no. No, in that OS X has far more vulnerabilities than Windows -- and I don't mean a little. Windows gets about 120 to 200 bugs a year. OS X gets two to three times as many, if not more.

With that said, because OS X runs on only 5 to 10 percent of the world's computers, it still isn't a very big target. Bad guys target popular things because they are more likely to get something of value. Running OS X will probably incur less risk compared to a Windows computer -- probably significantly less risk.

Note that computer viruses aren't nearly as common as worms, Trojans, and other sorts of malware. Use the term "malware" or "malicious program" instead of "virus." Virus indicates only one type of malware.
These performance tips will work for any PC running Windows Vista, Windows 7 or Windows 8.

Want more speed? "This PC is so slow!" This is a cry that's been uttered by PC users since, well, PCs were first invented.

Since we don't think that there's anyone out there who wouldn't like to squeeze a little more performance out of their PC, we've pulled together six top tips that will help you get the most out of your Windows PC, without having to spend a fortune.

These tips will work for any PC running Windows Vista, Windows 7, and Windows 8.

Get rid of the junk

There's nothing like having loads of junk installed on a system to turn even the best PC into a river of molasses.

There's two sorts of junk to consider. The first is the stuff that the PC makers install into new PCs, and the other is the junk that you (and other people using the PC) have installed on it.

You could spend your whole weekend manually tracking down this junk, but it makes much more sense to get a tool to do the job automatically, and the best tool out there for this job is PC Decrapifier. This free download will scan your system and quickly (and safely) remove any junk on your system.

After running PC Decrapifier you might optionally want to do a pass using another free tool called CCleaner. This will go a bit deeper and clean your system of temporary files, log files and other junk.

Add more RAM

While not a free option, installing RAM is, without a doubt, the single best bang-for-your-buck hardware upgrade you can carry out on a PC. And adding RAM has never been cheaper, with an extra 4GB costing around $60.

Finding what RAM your PC takes is easy. Head over to a vendor such as Kingston and use the online search tool find the right RAM for you. There are also handy videos that will show you how to go about installing the new RAM in your desktop or notebook PC.

ReadyBoost to the rescue

If you've got a reasonably fast USB drive laying about the place then you can use this to give your PC a performance boost by using it as a ReadyBoost drive.

The ReadyBoost feature, which is part of Windows Vista and above, and allows flash memory – in the form of a USB flash drive, SD Card, Compact Flash card, or SSD – to be used as a high-speed cache to boost performance as long as they meet the following criteria:

·         Capacity of at least 256MB, with at least 64KB of free space

·         At least a 2.5MB/sec throughput for 4KB random reads

·         At least a 1.75MB/sec throughput for 1MB random writes

Making use of ReadyBoost is easy.

·         Plug the drive into the PC.

·         Either click on General options > Speed up my system from the AutoPlay dialog box, or right-click on the drive in Windows Explorer and choose Properties and then click on the ReadyBoost tab.

·         Choose whether you want to dedicate the drive to ReadyBoost (which prevents you from using it as storage), or use a portion of it for ReadyBoost.

·         Click OK.

Defragment your drives

Carrying out a regular defragment of your PC is a good idea if you want to keep it in tip-top condition. The only think to bear in mind is that you shouldn't, under any circumstances, defragment an SSD drive. Not only will you get zero benefit from it, but you will seriously shorten the life of the drive.

But if you are still running regular hard drives then Windows is set to defragment your system once a week, but you should check to see that this is on and that all your drives are defragmented. You can run the Disk Defragmenter any time you feel you've made a lot of changes to the data on your drives.

It can be accessed from:

·         Windows Vista/7: Start > All Programs > Accessories >System Tools > Disk Defragmenter

·         Windows 8: Open the Charms bar and search for "Optimize Drives" and then click on Defragment and optimize your drives

There's a lot of voodoo written on the web about defragmenting drives, and there are all manner of arcane command-line switches you can use to carry out different sorts of defragment. In my experience, a simple defrag once a week is all you need.

Add power

If you have a notebook system that's a bit sluggish then the easiest way to speed if up is to connect it to a power supply!

Windows can detect if it is running on a notebook systems and it will switch over to a low power profile when it detects that it is running on battery power. While this is good for battery life, it's bad for performance, so if you want more oomph from the system, connecting it to a power supply will restore performance to normal levels.

You can go digging around in the bowels of Windows and make permanent changes to the power profiles, but I don't recommend this as it will have a huge detrimental effect on battery life. It's much easier to remember to hook up the system to a power supply when you want more performance.

Install the latest drivers

The drivers that control your hardware can have a huge effect on how well your system runs, and one of the drivers that's key to system performance is the graphics card driver.

While people who rely on the default Windows driver or who don't care about performance might never need to think about their graphics card driver, anyone who care about getting the best from their hardware – and especially anyone who is into PC gaming – should probably check to see if there's an updated driver every few months because it can make a huge difference to how well games run.

Other drivers worth checking regularly are the motherboard drivers (which can have a huge effect of data transfer rates to and from your hard drives), and drivers for any external hardware you use.
For those of us that have worked in the IT industry, we are well aware of the image of the IT department at most businesses. Arrogant, rude, obstructive; these are just a few words that have typically been associated with IT. Stereotypes likes these can limit effectiveness and make it difficult for your IT department to do its job. Improving the image of your IT department is something that is not only beneficial to your employees, but also the company as a whole.

Demonstrate that you're human beings

The most common mistake made by IT departments is that they forget that the majority of their work is customer-service based. This means that there is a great deal of human interaction required and you must learn to deal with other people.

Too often, because most IT problems can be solved remotely, members of the IT department will spend almost all of their time in their respective office. It is important to get involved around the office and not hide out in the IT department.

Getting out of the IT department every now and again will give you the chance to meet the users and establish relationships with them. This also gives them a chance to put a face and name to the IT department which is much harder to put a negative connotation on. It may be a good idea to occasionally go help a user face to face even when it's unnecessary as this will help them understand what goes into fixing an IT problem. This will help users remember that the IT department is made up of human beings and not a group of robots who can magically solve all their problems instantly.

Establishing a good rapport with the users will make things easier for everybody. You will be less frustrated with their requests and they will be more patient and appreciative of your efforts to find them solutions.

Communicate and educate

Maintaining communication with users as well as continuously educating them will improve your IT department's image and efficiency.

Communication is something that is important throughout the entire company, but it may be most important between users and the IT department. By keeping open lanes of communication with users you can show that your department is accessible and easy to get in touch with. This will improve your image within the company as well as increase efficiency as users will be more comfortable coming to you with issues early, rather than waiting until a major problem develops.

Education is equally essential to improving your department's image. Informing users on basic IT solutions is beneficial to both parties and can be done in a number of ways. One way to do this is by organizing meetings or workshops with employees from every department where you can work hands-on with users to help them better understand IT processes.

Games/competitions can be incorporated into these workshops and prizes can be given away to add some excitement. Providing those who attend the opportunity to win a raffle prize could also be used as an incentive. Another way to keep users informed is by including a monthly IT column in the company newsletter that offers tips and advice for basic IT issues. This will improve the department's image as users will see you as being genuinely helpful and it could also save you some time as users may be able to fix a problem themselves rather than by contacting IT.

Be personable and avoid jargon

Finally, the simplest thing you can do to improve you IT department's image is to just be personable. If you are friendly and patient with users, then they will give you the same courtesy. The "golden rule" applies well here and it is important to remember that if you are rude and short with users they are unlikely to listen to your suggestions which could lead to the frustration of fixing the same problem over and over again.

Also, remind yourself that you are interacting with a person who more likely than not doesn't know as much about technology as you do (otherwise they would probably be in the IT department). It is important to avoid jargon and terms that those unfamiliar with IT may not understand. This needs to be done without talking down to the person, as doing so will only cause resentment. It is incredible how beneficial simply being polite can be to your department's overall success.

Improving the image of your IT department within your company can contribute directly to a more successful and effective department. An improved reputation for your department will make it much easier (and less stressful) to do your job. Although there are some negative views and stereotypes associated with IT, it is possible to take actionable steps towards abolishing these stereotypes and improving your image into one that is held in high regard.
Snow White was prescient. In a scene from the 1937 Disney movie, she gets a team of birds and cute woodland animals to clean the dwarfs' house while she warbles "Whistle While You Work."

A decade or two from now, that's going to be how you take care of your house - except the work will be done by small robots, each built for a single purpose. They will hover in the air to pick up clutter, climb walls to wash windows and scuttle under furniture to vacuum while you sit back with a cappuccino and binge-watch Breaking Bad reruns.

Outdoors you'll find a robot swarm cleaning the streets, trimming trees, and watering plants. Little packages will get dropped off by flying quad-rotor drones, probably emblazoned with the familiar Amazon.com smiley face. For the big stuff - like, say, a refrigerator - an autonomous vehicle guided by Google technology will pull into your driveway, and a hulking Google bot with six legs will carry the fridge up your stairs and gently set it where you want it.

Over Thanksgiving, Amazon unveiled its drone delivery project on 60 Minutes, and in no time the jokes and indignation were flying:

Hunters will grab their shotguns and use the drones like clay pigeons.

The drones will short out and fall from the sky by the hundreds when a rainstorm blows in.

Walmart is working on drones that kill Amazon drones.

Then, days after Amazon's reveal, Google went public with its new robotics unit, run by Andy Rubin, the whiz who created Google's Android operating system. The message: Google's investment is no lark. Robots are for real.

In fact, Google and a lot of other companies believe robots today are like cell phones back when they were the size of bricks and cost $6,000. It may take 10 or 20 years, but before long everybody is going to have a robot - or several.

These robots will not look the way most people expect - they won't walk and talk like C3PO or Rosie from The Jetsons. An all-purpose humanoid robot doesn't make much sense. As tech thinker Kevin Kelly wrote, "To demand that [intelligent robots] be human-like is the same flawed logic as demanding that artificial flying be birdlike, with flapping wings."

Instead, the world will gradually acquire many kinds of robots, each designed and built to most effectively carry out a particular task in a way that saves humans time, money or drudgery.

The Amazon drones would do that. Loaded with artificial intelligence, they promise to deliver small items faster than any human could.

Google's experimental driverless cars are robots. One day, a delivery truck driver will seem as redundant as an elevator operator.

Robotics and artificial intelligence are tough fields, but there's so much research lab and start-up money going into it, we'll get the technology right long before we sort out how to integrate robots socially, legally and practically. It's less difficult to imagine delivery drones working than to imagine the New York sky darkened by thousands of the things carrying everything from shoes to Chinese take-out.

"We'll solve those kinds of problems when the benefits to society become large enough," says Colin Angle, chief executive officer of iRobot, maker of the granddaddy of consumer robots, the Roomba vacuum cleaner. Angle notes that when cars were invented, they were insanely dangerous and disruptive and widely hated.

Society is already a long way into robotics and we often don't know it. I recently visited some family members who own an enormous farm in Saskatchewan. They handle the harvest with just three people and a giant combine that has so many smarts, the driver mostly rides along and never touches anything. In another decade, the smarts will be so good that the farmer can stay inside and play the commodities market while machines do all the work in the field.

Robot news will keep coming. A company called Knightscope just unveiled its robotic security guard. It could roam a warehouse floor at night, its camera keeping an eye out for anything unusual, its chemical sensors sniffing for leaks.

A startup called Play-i is making toy-like bots that can teach a 5-year-old how to program bots. And you know where that will lead in two decades: 25-year-olds who can invent ever more intelligent bots.

Rodney Brooks, who runs the robotics lab at the Massachusetts Institute of Technology and co-founded iRobot with Angle, has a new robotics company,Rethink Robotics. It is making an inexpensive industrial robot that is simple to train and can work alongside a human. An entrepreneur, for instance, could set one up in her garage and teach it to make something, creating a small automated factory.

Brooks and Angle have long believed the Roomba was the first phase of the "robot-enabled home." They followed Roomba up with the Scooba floor-washing robot, and promise more along those lines - perhaps a window-washing bot, or a clothes-folding bot. (iRobot won't give specifics.) The bots will likely all be wirelessly connected to each other, and to a kind of "head butler" robot that takes commands from its owner and hands out tasks to the many mini-bots. (Speaking of prescient, the old Looney Tunes crew got it close to right in a 1947 cartoon.)

Robots working with people is no fantasy, Angle insists. This is the not-to-distant future.

Plus, it's a whole lot easier than getting birds and squirrels to do your dusting.
The NSA has been revealed to be collecting data from the communication links used by Google and Yahoo data centers. What does this mean for you and your business?

I'll admit I'm not a subscriber to conspiracy theories. I believe Oswald acted alone, 9/11 wasn't an inside job, and the Titanic just plain hit an iceberg and sank. That being said, the revelation by Edward Snowden that the National Security Agency (NSA) has been spying on Google and Yahoo wasn't a particular surprise to me - nor to many other people either. It wasn't a matter of a conspiracy; it was only a matter of time.

The purpose of the NSA is to gather information that might be vital to United States interests. My goal isn't to discuss whether the NSA should or should not engage in this kind of activity, but rather what it might mean for you or your business if you are a Google user or customer.

What have they been up to?

The story was reported in the Washington post on October 30th. "According to a top-secret accounting dated Jan. 9, 2013, the NSA's acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency's headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records - including 'metadata,' which would indicate who sent or received e-mails and when, as well as content such as text, audio and video."

Basically, the NSA has been looking at data in motion - network traffic - between Google's data centers. This took place overseas where the NSA is permitted to conduct these operations. The full implications have yet to unfold but Google's past and future may well be divided by this line crossing its history.

Google has condemned this activity and explicitly stated "We do not provide any government, including the U.S. government, with access to our systems."

In turn, the NSA has defended their actions (PDF) by stating: "NSA conducts all of its activities in accordance with applicable laws, regulations, and policies." They assert they are looking for "terrorists, weapons proliferators, and other valid foreign intelligence targets" and that "our focus is on targeting the communications of those targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to us."

Regardless of intent or results, if you or your business has data on Google's servers – whether in the form of Gmail, documents stored in Drive, or company information kept on private Sites, I'm sure you're wondering exactly what you should do to protect your data from unwanted interception from any third party or agency.

So, what can I do?

First I want to state that my advice applies to individuals and businesses engaging in legal activities who are concerned about their privacy. I feel you have less to worry about if you aren't a desirable target for government spying, but I understand we all have different definitions and opinions of what the feds may have planned or what constitutes a "desirable target."

Now, this may sound shocking or cavalier, but if you're a Google customer and you transmit confidential information to their systems, you shouldn't be doing anything differently - with one special exception which I'll discuss below. Why is that? Because you've had your data in the hands of others all along and safeguarding it to the best of your ability, not to mention your level of comfort, has been a priority from the get-go. Hopefully it's an ingrained habit.

This means not sending messages through Gmail containing information which might ruin your organization if leaked (such as an announcement about an impending buyout offer).

Yes, your browser connection to Gmail is encrypted via certificate as shown above, but that protects you against someone sniffing traffic between you and Google. In this case the NSA was monitoring data between Google data centers, meaning they were already inside the perimeter.

Good security practices also mean not storing information on anyone else's servers unless it's protected by strong encryption. For instance, I use TrueCrypt to create virtual encrypted disks (also known as containers) which I can mount as a drive by entering my password (which is over 18 characters). Nothing I don't wish to share with the world is kept online other than within these TrueCrypt containers. This certainly gave me peace of mind when I lost a smartphone in New York City last summer which had copies of my TrueCrypt containers on it.

If you encrypt your data with a long, random 256-bit key (some feel 128-bit is sufficient, but the key to that is the length of the key!) it is virtually impossible for someone to guess the password via "brute force" computation. Upload this encrypted information to Google Drive and you can rest easy. Yes, it may be a pain having to mount and unmount the TrueCrypt container to add or change information - not to mention resynchronizing the saved file up to your Drive account. However, that's simply the price tag for keeping sensitive material off-site.

As for passwords, you are changing those on a regular basis, right? Same goes for your encryption keys (I realize I just stated it's impossible for someone to guess the password but how many of your ex-employees might know it?). What about ensuring your company workstations are free of malware, keystroke loggers, and other threats which can impact your privacy? How about making sure your wireless networks are locked down and your routers aren't using the default passwords? Hopefully you can see where I'm going with this. Threats will always be present whether inside or outside, and require the same measures.

Now, I need to talk about that special exception of what you should do differently, which I mentioned above. Be forewarned that encryption isn't necessarily a magical shield. The NSA is working hard to defeat or reduce the complexity of encryption. For instance, not all encryption products are ironclad; the NSA has engaged security vendors to devise back doors which they can exploit. Open source products are your best bet - and TrueCrypt is one such example. Best of all, it's free.

It should also be noted that in response to this incident Google is encrypting the connections between data centers, meaning that the traffic within their systems will be more difficult to snoop on. Google is making it clear their priority is to maintain the security of their customers.

Going forward from here

I don't believe this issue is sufficient cause for concern to compel companies to opt out of using Google products. In-house systems and services can pose similar risks and you can never guarantee with 100% certainty your data won't fall into the wrong hands. What you can do is tie those hands so your data isn't extractable no matter where it lives.

In the end, what with Google fighting back against the NSA, this episode may end up meaning little or nothing at all to you, so long as you've been following smart guidelines and safe habits.

Posted on: Techrepublic