Check whether you’ve been Gawkered — now!

Check whether you've been Gawkered — now!

By Woody Leonhard

Last week, somebody broke into Gawker.com and stole 1.3 million account names, e-mail addresses, and passwords — and then posted all the booty on the Internet.

Your online security might not be at the top of your mind this time of year, but most likely you’re doing more Internet shopping. In light of the Gawker break-in, take a few minutes to assess your passwords.

Think you’re immune because you’ve never used Gawker? Not necessarily so. If you’ve spent any time at all on Lifehacker.com or Gizmodo.com — and I bet you have — your passwords may be running around with a giant “kick me” sign on their backs.

A group calling itself Gnosis broke into the Gawker.com servers and stole the site’s source code, employee e-mails, user account info, and much more. Gnosis then rolled that data into a BitTorrent file and sent it pinging around the Internet. According to a Mediaite.com story, the Gnosis hack was meant to rattle Gawker’s self-deluded sense of data security.

If that were the whole story, you probably wouldn’t need to give it a second thought. But Gawker Media Network, owner of Gawker.com, also runs two widely used tech sites: Lifehacker.com and Gizmodo.com. The Gawker crackers picked up user info about everyone who has an account at any Gawker Media site.

In addition to user names and e-mail addresses (used to confirm the registration), the stolen data includes Data Encryption Standard (DES) encrypted passwords. DES encryption is not terribly difficult to break, as a posting by the Intrepidus Group explains in detail. In fact, more than half of the passwords have already been cracked. Duo Security posted a list of the 250 most common, already-cracked passwords — led by the insanely simple “123456” and “password.”

Weak password security can be costly

While perusing the list is entertaining, the important lesson here is about password use. For example, let’s say you posted a comment on Lifehacker a few years ago. To post the comment, you had to give an e-mail address and password — which, at this very moment, somebody might be decrypting. Now let’s say you’re sloppy and using the same password for PayPal you used for Lifehacker. If a cyber thief has the foresight to sign on to PayPal with your e-mail address and cracked password, you can kiss your PayPal balance good-bye.

If there’s the remotest chance you’ve posted a comment on Lifehacker.com or Gizmodo.com, go immediately to Duo Security’s “Did I get Gawkered” site and enter your e-mail address. (See Figure 1.) If your name’s on the list, change your passwords!

Figure 1. Enter your e-mail address into Duo Security’s “Did I get Gawkered” site and find out if your address and password are compromised.

You, of course, would never use the same password on two different sites. But just in case, now would be a good time to review the strength of all your passwords. In a future column, I’ll tell you about my two favorite password managers and show you how they could’ve saved you from a Gawk attack.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praises, or constructive criticisms in the WS Columns forum.

Woody Leonhard‘s latest books — Windows 7 All-In-One For Dummies and Green Home Computing For Dummies — deliver the straight story in a way that won’t put you to sleep.

Last chance for Hacking Exposed, Chapter 1

Protecting Web applications — and the customers who use them — from cyber attacks is the responsibility of every Web developer. McGraw Hill’s Hacking Exposed: Web Applications, Third Edition, by Joel Scambray, Vincent Liu, and Caleb Sima, exposes the thinking and tools of today’s hackers — and gives developers the insight they need to harden their apps.

Through the end of this month, all subscribers may download — for free — Chapter 1, Hacking Web Apps 101, and get a better understanding of how hackers might steal your data. It defines Web hacking, delves into how and why Web apps are attacked, and explains application weaknesses hackers commonly exploit.

If you want to download this free excerpt, simply visit your preferences page and save any changes; a download link will appear.

All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere

   

The best of Wacky Web Week — 2010

By Revia Romberg

We’re not sure what to make of this, but the Wacky column is a Windows Secrets subscriber favorite — measured by the number of hits it receives — proving that our readers have a fine sense of humor.

So to end 2010 with a smile, we’ve put together a special Wacky — the five most popular of the year. We’ll start, however, with one of our all-time favorite videos. And at the end, we’ve tossed in two more of our particular favorites. Enjoy!

Bailey, the black-nosed reindog, plays in snow

	We want you to meet our favorite reindeer — Bailey. He’s not your usual reindeer; he’s probably not even your usual dog. With that Christmas classic, “Rudolph, the Red-nosed Reindeer,” playing in the background, watch as Bailey flies through winter snow, leaping and frolicking with the simple joy that’s all dog. Play the video
	#1. Office prank busts out more than laughs Working the 9-to-5 office drill can drive you a little batty — unless you look for ways to liven things up a bit. Just don’t take it too far. Watch as this guy tries to spice up his routine with a seemingly harmless prank: taking unseemly advantage of the copy machine. What starts off as funny quickly turns into a big oops. Wonder what he’ll tell his boss to get out of this one …Play the video
	#2. Fun ways to take revenge on would-be thieves Working the 9-to-5 Getting ripped off really stinks. While someone else is out having fun with what’s rightfully yours, you’re left with lost time, money, and good humor. But here’s a way to get a bit of payback — if not on the hard-core thief, at least on those opportunists who think they’re getting something for nothing. It might just make you think twice about playing finders, keepers. Play the video
	#3. Drunk as a skunk? No, drunk as a squirrel! While taking a stroll through your neighborhood park, you hear a rustling in the leaves. It’s that always-cute and fuzzy squirrel. Odd, he seems to be having difficulty climbing his tree! What could be more embarrassing to a squirrel than being so drunk he’s falling out of his arboreal home? It’s like a person who can’t figure out which key opens the front door. It may sound implausible, but watch as this furry critter, besotted on fermented pumpkin, attempts his usually simple climb. Play the video
	#4. Pac-Man has now invaded your living space The best optical illusions are truly mind-boggling. Tricking your brain into seeing what isn’t really there can be challenging — but once you get the hang of it, you have the sensation of a hallucination without having to ingest any controlled substances. See whether you can guess the technique behind this illusion involving everyone’s favorite yellow dot-eating blob, Pac-Man. What looks to be a simple picture is actually much more. You may think — I mean, look — twice the next time you see a video game come to life! Play the video
	#5. The sincerest form of feathery flattery The old saw that imitation is the sincerest form of flattery can take many forms &#8212 someone who copies your dress, someone who copies your mannerisms, someone who steals your favorite catch phrases. But what if that someone has feathers and takes on a form of imitation that’s totally unexpected? Listen as this Australian lyrebird imitates the many sounds of local zoo construction. It might make you listen extra-closely to the little sounds around you! Play the video
	Fast-talking boy gets everything he’s after It’s hard not to be amazed — and a bit jealous — when listening to people with a glib tongue. Those fast-talkers can connive their way out of a speeding ticket or wrangle their way into a hot new nightclub. But it’s downright scary to watch a fast-talker in the making. Consider this example: a boy — too young to shave — smoothly convinces store clerks to sell him booze and dirty magazines. After watching this, you might want to pick up the milk yourself. Play the video
	Unexpected gift leads to a greedy end When an overworked office worker’s copy machine malfunctions, fate gives him a portable black hole — and the knowledge that life might have suddenly taken a radical turn for the better. In this short film, we’re given a humorous lesson in morality, if not conventional physics. A little free candy is one thing, but will the power of this worker bee’s portable singularity overwhelm his better judgment? Play the video

The best of LangaList Plus — 2010

By Fred Langa Every issue, the LangaList Plus technical Q&A tackles difficult — and sometimes esoteric — problems sent in by paid Windows Secrets subscribers. For this last LangaList Plus of the year, we’ve assembled a half-dozen of the most popular Langa stories, covering topics as diverse as notebook batteries and self-healing PCs.

The care and feeding of laptop batteries

A reader named Rick got a new laptop for the holidays and is wondering how to maximize the life of its expensive batteries:

• “I just got a new laptop with Windows 7 for Christmas. The new laptop has a 6-cell lithium-ion battery. How can I get the most life from my new laptop’s battery and make it last the longest?

  “Should I periodically charge and then use/drain the battery? Should I leave the battery in the laptop even when I’m using the AC plug? Will heat from the laptop when it’s plugged into AC affect the lithium battery?”

Excellent questions, Rick!

Heat is the enemy of lithium-ion (Li-ion) batteries. When your laptop runs on AC, it’s smart to remove the battery pack and store it in a cool place. Low temperatures forestall the inevitable and irreversible chemical changes that occur in Li-ion batteries.

In fact — and this will sound odd — if your laptop is run mostly off household AC power, you can greatly extend the life of its Li-ion battery this way: run the battery down to about 40% of maximum charge, remove it, and store it in a tightly wrapped plastic bag inside your refrigerator! Storage at about 40 degrees F (4 to 5 degrees C) is ideal. Think of it as the 40-40 rule: 40% charge, 40 degrees F.

If you can, avoid running Li-ion batteries all the way down. Early portable electronics used nickel-cadmium batteries, which benefit from full discharge cycles. Conversely, Li-ion batteries last longer when kept in a charge state between 40% and 100%. It’s OK to run Li-ion batteries flat when you have to, but the ideal scenario for longest life is one full discharge cycle for about every 30 or so partial cycles.

Sad to say, even if you’re perfectly careful with your Li-ion batteries, they’ll slowly go bad on their own due to their irreversible and inevitable chemical changes. This is one of the main reasons why cool storage helps preserve Li-ion battery life: the cool temperatures slow the chemical reactions.

Even a well-maintained Li-ion battery will usually show signs of age two or three years after manufacture. That’s why it’s not a great idea to buy a spare battery for your laptop unless and until you really need to use one. If you buy a spare you don’t really need, it’ll slowly go bad on its own, giving you no (or reduced) return on your investment.

If you do have a spare battery, store it in the fridge with about a 40% charge when it’s not in use.

When you buy replacement batteries, check the date of manufacture. This will usually be stamped or printed on the battery case. Cut-rate batteries may have been sitting on a warehouse shelf for a couple of years, meaning that a good chunk of their useful life will have passed before you ever plug them in.

With careful use, you can get 300 to 500 charge cycles from a new, high-quality Li-ion battery — especially if the battery’s stored in a cool location when not in use. With just a little luck, by the time the battery no longer holds a useful charge, you’ll be ready for a new laptop, anyway!

These two excellent articles provide more information on Li-Ion battery life:

&#8226 How to prolong lithium-based batteries from BatteryUniversity.com

&#8226 The care and feeding of Li-ion batteries from TechRepublic.com

These Registry mods will kick-start your workday

Melvin Billik successfully applied some Registry edits to improve his PC’s performance and is now looking for other speedup tweaks:

• “I enjoyed reading Scott Dunn’s Registry fixes article in the Jan. 21 Windows Secrets. I did try the fixes that will hopefully shorten my PC’s shutdown time. I think they’re working.

  “Now I’m wondering whether there are fixes to shorten the boot-up time. My computer always takes about two minutes or more to boot to a usable state. I’ve tried a few assorted things — like limiting some of my startup programs — but I’m wondering about possible Registry fixes.”

You’re off to a good start if you’re already controlling the software that autostarts at boot time. Doing that, and limiting the amount of housekeeping that Windows has to do at startup, are usually the very best ways to shorten boot times.

For a quick refresher on Windows startup management, see the Oct. 4, 2007, LangaList Plus, “Reducing start-up software shortens boot time,” and the Oct. 11, 2007, column, “Limit IE and Recycle Bin caches for speed.”

There are a few Registry-based options for speeding Windows startups, though they probably won’t deliver as much oomph as the above-referenced methods. But if you’re looking to wring every last bit of speed out of your system, the following Registry tweaks are worth a try.

These changes aren’t particularly difficult or dangerous, but of course, it’s always smart to make a backup before you do any serious maintenance work on your system.

• Clean out the clutter. Windows parses the Registry at startup. If there’s lots of junk in there, the initial parsing will take longer than otherwise. Two excellent and free Registry cleaners are Macecraft’s PowerTools Lite (site) and Piriform’s CCleaner (site).
• Defrag your Registry keys. The Registry is contained in one or more large files. Like any large file, the Registry can get broken into noncontiguous blocks. This slows access times because your hard drive’s heads may have to jitter all over the platter to gather the Registry’s separate pieces.

  Having your Registry in one unbroken piece can speed access. To defrag your Registry, use Microsoft’s free PageDefrag (info/download).

• Condense your XP Registry. Many Registry-optimization tools for XP can re-index and rebuild the system in a more compact form. For example, both PurifySoft’s Registry Purify (site; free to try for 7 days; $29.95 to buy) and Macecraft’s jv16 PowerTools (site; free to try for 30 days; $29.95 to buy) have Registry-compaction modes for XP.

  Alas, Vista and Windows 7 use a different Registry structure and aren’t amenable to this sort of compacting.

And although this isn’t a Registry tip per se, if you’re looking for faster starts, keep your hard drive defragged. Windows loads a ton of software at boot, and a defragged disk makes this initial loading go faster.

With all these techniques, you’ll have done just about everything possible to make your boot times as fast as they can be!

Get free firewall testing with online services

Brian Brooks wants to make sure his firewall/router is doing its job.

• “The other day, while using my Netgear DG834 modem/router, I was wondering whether there are any good tools that can safely test a firewall setup from the outside. I vaguely remember years ago reading about tools that will check ports, etc. I would really find it useful if you’d recommend a few basic checks.”

The best place to start is Steve Gibson’s free and reliable Shields Up firewall testing site.

A PC’s Internet “ports” are numeric addresses that online sites use to communicate with your PC. Shields Up rapidly and safely checks your ports and reports on the status of each one as follows:

• Open — available for use by anyone on the Internet (and potentially, a hacker’s doorway to your PC)
• Closed — unavailable to outsiders but still visible to anyone searching for open ports on the Internet (inviting further attacks from hackers)
• Stealth — closed and completely invisible to outsiders

Another highly regarded and free port probe is on HackerWatch’s site.

It’s smart to use more than one port probe. While one test might miss something, it’s much less likely that two independent tests will.

After testing a firewall from the outside, test it from the inside with leak tests. Mimicking malware, these tests safely and harmlessly try to phone home to a test site. Properly configured firewalls will warn you when an app tries to contact an online site, giving you the option to cut the link.

Two good (and free) leak tests can be found on Steve Gibson’s LeakTest page and on PCFlank’s Leaktest site. Here, too, two independent tests are better than one.

There are many other testing sites available, but I recommend that you do not rely on tests offered by security-tool vendors. Their security tests sometimes seem geared more to scaring you into buying their product than offering a truly objective and dispassionate analysis of your setup.

What good does defragging do nowadays?

Reader David H. Copp asks a valid and timely question:

• “You have a good piece about defragging in your April 22 column. But I think you are echoing a myth.

  “Back in the days of my first hard drive, a 20Mb Seagate ST-225, defragging was important. But so far as I know, there are no measurements that show that defragging a modern drive has more than one or two percent impact on performance. Please correct me if I am wrong!”

You’re right that defragging isn’t as important as it once was. But there’s more to defragging than simply improving hard drive performance.

Before we dive in, let’s run through a 60-second defragging refresher.

Windows normally stores the files on a hard drive in a series of blocks. When a drive is new or well ordered, each file’s blocks can be written to the drive more or less sequentially. But over time, holes open in that orderly sequence as files are changed or deleted; they are then filled with bits of data from other files. Eventually, a file’s blocks may end up scattered all over the disk.

When a file’s blocks aren’t contiguous, the drive heads have to seek out the blocks, physically navigating to each block’s location. Each seek adds to the time it takes to retrieve the entire file.

Defragging corrects this by moving data blocks back to contiguous, sequential series — the system can again access the files smoothly and quickly, with little or no extra head seeks.

The seek times of today’s hard drives are over 10 times faster than those of that ancient Seagate drive David mentioned. So the benefit of reducing seek times is an order of magnitude less. You probably won’t notice any difference accessing a given file, whether the drive is defragged or not.

But the aggregate seek times still matter. We now use our drives far more intensely than we used to. (Heck, my first hard drive held 10 megabytes of data; nowadays, I take individual photos larger than that.) So the total number of seeks our hard drives perform today has increased by an order of magnitude.

Speed aside, there other benefits from defragging. For example, it improves your odds of recovering a deleted file, folder, or partition; it reduces overall wear and tear on the drive heads; and it helps minimize noise and heat during normal operations.

Initial disk defragmentation can take hours. But after that, it takes just a couple of minutes if you run the process every day. Because you can run defragging as an unattended process in all current versions of Windows — no third-party tools needed — one might ask: why would you not defrag?

Looking for a better antivirus/security package

Conrad Ware asks a question that’s not only worthwhile on its own but also lets me give you a six-month update on my real-life test drive of Microsoft Security Essentials.

• “Over the past 20 years, I have used all the big-brand virus and Internet security software: McAfee, Norton, Kaspersky, etc. All of them did a great job doing what they were designed for — and all slowed my computers down to a crawl.

  “I am presently using Windows XP, but I plan to purchase a new laptop with Windows 7 Home Edition and want to use MS Security Essentials on it.

  “Tell me what you can about MS Security Essentials and if it’s OK to use as primary protection.”

Yes it is, Conrad.

Earlier this year, when Microsoft Security Essentials (MSE) was still new, I decided to put it to an extensive real-life test by making it the only full-time security solution on my daily-use and portable PCs. I then reported my initial results in the May 6 Top Story, “The 120-day Microsoft security suite test drive.” I also promised future updates.

So here it is: after six months of full-time use on nine different systems, MSE looks like a solid winner.

For my tests, I used Windows’ built-in firewall (on XP, Vista, and Win7) and a copy of Microsoft Security Essentials, which I allowed to run with its default settings. Over the past six months, my main PCs have been online 24/7 and my two portables have logged over 20,000 miles (32,000 kilometers) of use in hotels, coffee shops, cars, planes, ships, and other assorted public venues.

All the machines have remained clean. They’ve suffered no malware or virus infections whatsoever.

Figure 1. Microsoft Security Essentials kept nine PCs malware-free under wide-ranging, real-world conditions.

Initially, I checked each PC’s health and security every few days, using a variety of on-demand AV scanners from vendors such as McAfee (Freescan), Trendmicro (HouseCall), and Symantec (Security Check). The scans never found anything.

Over time, as it became clear that MSE was doing exactly what it was supposed to, I reduced the frequency of these just-in-case backup scans to once or twice a month. (That’s good practice with any security tool. As the saying goes, “Trust, but verify.”)

I also scan my portables after trips. For example, I just got back from Canada, where I used my netbook for about a week in a wide-open, unsecured hotel hotspot. Once I got home, I scanned my netbook with the third-party scanners, and they found nothing. MSE kept the machine clean, even in potentially hostile public environments.

MSE is free and is available for every version of Windows (download/info). It’s small and fast and consumes very little by way of system resources. I can detect no MSE-induced slowdowns on any of my PCs — even the low-horsepower netbook.

Very simply, it works.

So I highly recommend MSE. Combine it with a firewall (such as the one built into Windows), and verify it with periodic just-in-case scans with free third-party software (as listed earlier), and you’ll have a free, efficient, and self-maintaining security solution.

Make a clean ‘copy’ of Windows in seconds

Reader Nancy Todd wants to set up several PCs to revert to a known-good state after each use.

• “I have a couple of unused machines with XP on them. I would like to be able to use them for one-time use and then during shutdown erase anything that was entered during use, like the PCs I see at the library or in secured networked workstations. Is there a way for a home user to do this on a single machine?”

Absolutely! Microsoft’s free SteadyState (for XP and Vista) does exactly what you want. SteadyState is designed for places such as libraries — to make their highly used and highly abused public PCs self-healing. After each use, SteadyState returns the PC’s software to a known-good condition.

You can grab a copy of SteadyState from Microsoft’s Shared Access download page through Dec. 31, 2010. Read more about SteadyState in Windows Secrets’ April 8 Top Story.

But there’s a much more environmentally friendly way to do this, if your aim is to build a self-healing setup just for yourself or other private use. Instead of running SteadyState on a separate, standalone and dedicated PC, just fire up a virtual PC inside the machine you use every day.

A virtual PC is a hardware system that’s fully emulated by software and is run as an application inside Windows. Inside the virtual PC, you can install and run the OS of your choice, along with other software; you can go online and do just about everything you can do on a real PC.

I use Oracle’s free VirtualBox all the time. To write this column, I’m constantly testing techniques and apps — and sometimes things go badly. So rather than risk my daily-use production system (or wastefully running a bank of separate, standalone test machines), I’ve set up a number of virtual PCs (VPCs) in my machine for testing.

Creating a VPC can take time. It requires a full setup, same as with a real system. But VirtualBox has a handy feature called snapshots — fully functional clones of the virtual system. Setting up one or more snapshots takes only seconds. You can then use the snapshot like a fully functional PC — except that when you’re done, you can simply delete the snapshot along with whatever happened inside it. The original VPC and my production system remain unaffected, ready for another test.

For more information on VirtualBox, check out its online documentation.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praises, or constructive criticisms in the WS Columns forum.

Fred Langa is a senior editor of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.