Oct 25, 2020

Securing your Personal Work

My last post on securing the online classes for your kids drew in a lot of interest. I also got a lot of friends calling me up / pinging me offline about their own work/home place security. As one friend commented, "an adapted version of this for adults would be useful".

In this post, I go over all the discussions that I had with people for their own personal setups.

There are still 2 parts to ensuring that your personal work is secure. 

  1. The technology that we can use
  2. The behavioral changes

1. Technology

Working from home when the pandemic started was awesome - wasn't it ? No more long commutes. No more getting ready early. Learn the stuff you most like doing (which apparently for the large majority was cooking). 

It's also been awesome for the criminally minded people. Spam related to covid response is quite prevalent. Here is a snapshot of the Covid response dashboard from McAfee:


And that's just the new threats from COVID related spam. All the existing threats still exist. Companies are still getting hacked and your data is still getting out there. The most recent one I know of is the Dr Reddy's data breach.

So, now let's talk about the tech needed for making your life a bit easier.

Which Anti-Virus to use ?

As always, if you are on Windows, an antivirus is a necessity. You could go with Windows Defender, as it has become quite robust, but 3rd party security vendors are much more focused on the security aspects. For instance, if I need some clarification on the Windows Defender scanning, how do I contact them ? On the other hand, with a vendor like McAfee or QuickHeal or Kaspersky etc., I know I can call their customer support to resolve issues I have.

How does one decide on which AV to use, Vibhu ? The most commonly asked question.

The tests done by 3rd parties like AV-Test are a pretty good indicator of what to use. Here's the comparison for Windows tests and what you are looking at is the protection rating, followed by protection, followed by usability. As you can see, there are a lot of products with full ratings on all 3 parameters.

 

But ... Vibhu, this is so confusing still ! There are too many choices ! What do I do ?

I would suggest you decide on this parameter - have a look at your existing AV - are you happy with it ? Does it compare well in the listing above ? Then keep it.

If you are looking for a new AV, then check which is the current market leader in your country. It's better to get something which has a good spread in your local markets, as they have got there.

Now that the basics are set, you have narrowed down to the product and you visit the website and the store. Oh Gosh ! What a lot of different products there are ! Hey, I just wanted something for my PC - how the heck am I supposed to make sense of this confusion !

First things first - look at all the devices you have at home. Many products now provide protection for multiple devices - and if you have a lot (your laptop, your wife's, your kids', phones etc.), you want a solution which can install on all with just one subscription.

Secondly, you do not want the base AV. The days of just having an antivirus are over. You want something that also protects you on the internet. Most AV products have an "Internet Protection" edition or equivalent. That's the base you are shooting for.

Ok. The product is out of the way. 

But there is still more. Passwords. 

Most of the hacks these days happen due to weak passwords. You have no idea how much. You also probably have no idea in which breaches your passwords have been exposed. The point to start here is to figure out where your passwords are. Trust me, unless you have a very new email, your details are out there on some corner of the Dark Web.

Start by going to https://haveibeenpwned.com/ . Check by entering your email. See where all the breaches were and when. Now you have to do 2 things:

  1. Check if you have changed your password after the hack. Most companies do send out intimations to you to change the password in case of any such breach. 
  2. Check if you have used the same password anywhere else. If so, change it. 

There are many password managers out there. You should really consider using one. Most of us have issues with remembering more than a few passwords. The tools generate random passwords and store them securely, so you don't need to remember them all.

2. Behavioral

Tech gets you so far. And yet it won't help if you are not careful about a few things. Here are a few things you really need to start doing:

Check those URLs !

You get a lot of emails. And in scanning them you suddenly see something that gives you pause. The Tax department has sent you a mail with a link. You click that. It opens a site which looks just like the tax website and you need to log in. Hang on there cowboy. Give it a pause.

Most scam mails work in the same way - they entice you by fear or greed. The first thing you need to do is check if the email is coming from a legitimate location. Usually the emails are shown with the sender's name, not the email address. You need to check if the email address is correct. A tax email from a @gmail domain name is for sure a fraudulent one. Next, you need to check the link you are supposed to click on. On the desktop it's easy - just hover above the link and you can see where it goes to.

Let's do this by example. What do you see the below link as ?

Let's search on www.google.com

It goes to google.com - right ? But now if you hover over it, you will see it is actually going to this blog. That's a very friendly example of how this works. Scammers are not so friendly. 

Many AV products provide web or URL protection. Make sure that your product has that. Even better, be suspicious of such mails and do not click links. Instead, for example, in this case, go to the tax website directly, not by clicking the link, and then log in.
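The hover check described above can also be automated: the following added example (not part of the original post) pulls every link out of an HTML mail body and reports the ones whose visible text names one site while the link goes to another. The sample mail and all addresses in it other than www.google.com are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample e-mail body; the .example/.test addresses are placeholders.
SAMPLE_EMAIL_HTML = """
<p>Let's search on <a href="https://blog.example/post">www.google.com</a></p>
<p>File your return at <a href="https://tax.example/login">the tax portal</a></p>
<p>Verify: <a href="http://refund.tax-example.test/x">https://tax.example/login</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None means "not inside a link"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _strip_www(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def shown_host(text):
    """Host the link text claims to go to, or None if the text is not a URL."""
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return None
    if "://" not in text:
        text = "http://" + text
    return _strip_www(urlsplit(text).hostname)

def mismatched_links(html):
    """Return (text, shown host, real host) where the text names another site."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown = shown_host(text)
        real = _strip_www(urlsplit(href).hostname)
        if shown and real and shown != real:
            findings.append((text, shown, real))
    return findings

if __name__ == "__main__":
    for text, shown, real in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text says {shown!r} but goes to {real!r}")
```

Links whose text is ordinary wording ("the tax portal") are not reported here, so the destination of those still has to be checked by hovering.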

But maybe something happened and you did click the link. Now you are on the website. Check the URL bar for a few things :

a. Does it have the lock symbol ? Most fraud sites do not. If it does, click it to see where it is registered to. E.g. the one from reddit is :

 

Scammers do not usually spend any effort for such security. 

b. Check if the URL is the correct one for your tax/bank/etc. E.g. the URL could be www.redditcom.com . This is suspicious. Note the site is redditcom.com. That's the modus operandi used by scammers. Make something so similar to the real thing that you get fooled into thinking it's the correct one. Some variations of this could be:

  • reddit-com.com. Notice the change in the address by adding a simple - symbol. Nope, not going to enter the details there.
  • It may be ending in something other than the .com you are used to. e.g. instead of reddit.com it may be pointing to reddit.xyz . 
  • It could also be something that may be prefixed to another website address - e.g. reddit.wordpress.com 

Make a note of the websites you use. Check every time you get a mail that you are going to the correct website. It's good to err on the side of caution.
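The variations listed above can be checked mechanically against your own note of trusted sites. This is an added example, not part of the original post; it goes slightly beyond the three listed cases by also catching near-miss spellings, and it assumes the real site's name is the last two parts of the address, which is not true for endings like .co.in.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Sites you actually use; reddit.com is the example from the post.
TRUSTED = {"reddit.com"}

def hostname(url):
    """Lower-cased host of a URL; a bare 'www.site.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def classify(url, trusted=TRUSTED):
    """Label a URL relative to the trusted list.

    Assumption: the registrable domain is the last two labels. That holds
    for .com-style names but not for endings such as .co.in, which need a
    public-suffix list.
    """
    labels = hostname(url).split(".")
    registrable = ".".join(labels[-2:])
    if registrable in trusted:
        return "trusted"
    name, _, ending = registrable.partition(".")
    for good in trusted:
        brand, _, good_ending = good.partition(".")
        if name == brand and ending != good_ending:
            return "wrong-ending"          # reddit.xyz
        if brand in labels[:-2]:
            return "brand-as-subdomain"    # reddit.wordpress.com
        squashed = name.replace("-", "")
        close = SequenceMatcher(None, name, brand).ratio() >= 0.8
        if brand in squashed or close:
            return "lookalike-name"        # redditcom.com, reddit-com.com
    return "unrelated"

if __name__ == "__main__":
    # The addresses from the post, plus one constructed misspelling.
    for url in ["https://www.reddit.com/r/all", "www.redditcom.com",
                "reddit-com.com", "reddit.xyz", "reddit.wordpress.com",
                "reddlt.com"]:
        print(f"{url:32} {classify(url)}")
```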

Passwords Again

Finally, I would come to the passwords used. Although I covered it in the tech section, it's still a behavioral change. We are not used to thinking of so many passwords. Nowadays it seems that whichever site we go to, we need to create a login. Unfortunately, that's how it is.

So, at the bare minimum, you need to have a different password for each website you go to. There are various ways that you can use to generate the passwords:

  1. Use a password manager tool to generate and store the password as outlined in the tech section. 
  2. Make a password using phrases. XKCD has a good post on it. Check it out. https://xkcd.com/936/ 
  3. Use a random password generator like the one on : https://passwordsgenerator.net/ . However, it's going to be difficult to memorize it.
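To compare options 2 and 3, this added example (not part of the original post) generates both kinds of password locally with Python's `secrets` module and works out how many bits of randomness each one has. The 16-word list is a constructed stand-in that is far too small for real use; the xkcd comic assumes about 2048 common words, which gives its 44-bit figure for four words.

```python
import math
import secrets
import string

# Constructed demo list. Far too small for real use: see entropy_bits below.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "river", "candle",
              "orange", "window", "planet", "guitar", "marble", "forest",
              "rocket", "pepper", "violin", "anchor"]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def random_password(length=16, alphabet=ALPHABET):
    """Option 3: every character picked independently by the OS random source."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def passphrase(words, count=4, sep=" "):
    """Option 2: words picked at random by the machine, not chosen by you."""
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(pool_size, picks):
    """Bits of randomness when each pick is uniform over pool_size choices."""
    return picks * math.log2(pool_size)

def picks_needed(pool_size, target_bits):
    """How many random picks from the pool reach at least target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))

if __name__ == "__main__":
    print("random password :", random_password())
    print("demo passphrase :", passphrase(DEMO_WORDS))
    print("4 words from a 2048-word list :", entropy_bits(2048, 4), "bits")
    print("4 words from the 16-word demo :", entropy_bits(16, 4), "bits")
    print("16 random symbols             :", round(entropy_bits(94, 16), 1), "bits")
    print("symbols needed for 44 bits    :", picks_needed(94, 44))
```

The numbers only hold when the words or characters are picked at random; a phrase you make up yourself is easier to guess than the calculation suggests.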

It's become a rather long post already, so I am going to leave it here for you to digest it.

-- 

I would love to hear your thoughts on what you think. Let me know in the comments below or reach out to me on twitter @vibhurishi

Oct 21, 2020

Securing Online Classes

I recently got asked a question - with Zoom providing end-to-end encryption, is there anything else that is required to be done from the viewpoint of security ? 

And that set off a long discussion. Which has led to this blog post.

tl;dr : Yes ! 

The longer answer:

There are 2 parts to ensuring that School From Home is safe. 

  1. The technology that we can use
  2. The behavioral changes

1. Technology

Let's take the current question where it all began. It is about the popular Zoom video conferencing software, which has really taken off during this pandemic. Initially Zoom was not going to provide encrypted calls for free use. However, they changed that for all users - free or paid.

So, first step - check whether the applications being used for the classes have encryption. If not, flag that with the school authorities.

But that is not the end of it all. It is usual for the teachers and kids to share links - be it for online videos of the subject, or links to assignments or maybe kids sharing some other link. These links could be malicious. And the way to get around this is to use an antivirus program, e.g. the one from McAfee (you can get a free trial here). If you are already using some other AV program, you should check out its effectiveness on AV Comparatives, a third party site which tests various AV software for both laptops and phones. Full Disclosure - as of the writing of this post, I work in McAfee.

The antivirus protects against links which are malicious, any files which get downloaded which may have viruses, or even seemingly legit apps which have some trojans or keyloggers in them.

Going another step ahead, you can also install a parental controls product (e.g. the McAfee Safe Family). These products can help you limit what stuff the kids can access on their devices. They also allow you to get notifications for activities that your kids do online, block access to apps on the mobile etc.

Finally, take care of the passwords. You should not be using the same password everywhere. It is also impossible to keep thinking about and remembering different passwords for all the different websites. There are some good password management tools that you can get to be able to generate passwords - a different one for each site. Nowadays even browsers like Chrome and Firefox provide a way to generate passwords which are not easy to crack. Use them.

All this is the automation part. And that is only half the work. 

2. Behavioral

Technology is great as it automates all the boring stuff. But there are some things it cannot catch for which we have to update our behaviors. If you click on every link that is being sent your way without thinking about who is sending it - you are going to get into trouble sooner or later.

Kids are smarter than parents tend to believe. I have found it really useful to educate my son on the dos and don'ts of being online. The most basic ones are:

  • Do you know the person in real life ? If not, be wary of what they are chatting with you about. It could be a scam. 
  • For any online activity ( e.g. my son loves to play Roblox) have an online identity which is different from the real world identity. Kids are really creative in coming up with names for their online personas. 
  • Do not give any details online which can help the person track you to your house. E.g. if they ask where you live, just say your country. If they insist on anything more, contact me (as a parent) to see what is being asked. So far this has worked really well. My son shows me links / questions that people are asking online. I take the time to explain what is ok and what is not, and then he takes over from there. I am getting pleasantly surprised when my son sometimes shows me links/asks and says - "This is so obviously a scam" !
  • The side effect of the kids understanding about the online behavior is also that they share it with their friends and in turn educating them also. 
  • Put on a background for all your Zoom calls. The purpose of this is so that others do not see what is in your home - it's my personal privacy issue. My son came up one day to tell me that his music teacher has said not to put in the background. I told him to tell his teacher that if there is an issue, then he needs to talk to me. Kids need to know you have got their back.

I would love to hear your thoughts on what you think. Do you have more tips for making this whole School From Home thing more secure ? Let me know in the comments below or reach out to me on twitter @vibhurishi

Additional helpful links: 
  • Interland - An initiative by Google to help kids figure out what's safe in an online world. Thanks to my friend @free_rider for the tip.
  • HaveIBeenPwned : A quick way to check in which breaches you have had your information leaked. As it's said - There are 2 types of people : 1. Those who know they have been hacked, and 2. Those who don't know they have been hacked.

Jun 4, 2020

News Website : Milestone : 1000 articles





Last night, I reached a milestone on my hobby website at https://vibhurishi.pythonanywhere.com/

1000 + news items.

Thanks to everyone who sent in suggestions to improve it. Thanks to everyone who has started sending me news items to add that I may have missed ! I am glad you are finding it useful too !

When I had started to code it, I had the idea to have a chronological view of news. If you go to any news website, you see the current news, but it's not easy to find a timeline view of news. For some major events, news sites painstakingly piece together the news. But these are few and far between.

Around the end of 2019, I was looking for a means to find out what's happened over the last year. Unfortunately, I could not find any good source. I initially started searching and putting news in an Excel sheet. That's when I got the idea - why not try to put it up on a website.

I keep coding a bit on the side - mostly trying to automate bits and pieces in my work line. This was going to be a bit bigger. I have a pretty decent understanding of Python programming, and using the Django framework, I created the first cut. This is how it looked :

The site has come a long way from that time. Things have been added. Things have been removed. I had to work with a database wipe that happened during the early days. etc.

In the course of last few months, working weekends, I have added :
  • Categories to track big ticket items like Coronavirus or Science. All this is color coded so I can easily see what is where.
  • Tags : Initially I had thought that categories would suffice - but there are a lot of different things around the world. It may overlap. A single news item can be categorized under different headings. And hence the tags - which are at the end of each news item. Some cool ones I think are :
  • Coronavirus tracking - this was the most asked for by my friends. I was quite reluctant to do so because so many sites are tracking the disease. So, instead of going all out - I stuck to the minimalist philosophy and put in just a stacked bar chart. Finally added a full list view of all the countries. One nifty thing I leveraged here is the tagging. If you click on the name of a country in the tags at the end of a news link, the page will reload with the covid details of only that country. E.g. India, China, USA etc.

1000 news items may look small, but this has been built up with a few items added every day for the last few months.

It's been an interesting hobby project so far. I am now thinking of how to automate things even further so that not just the viewer, but I also get a readily made news feed. This requires quite a lot of thought and learning newer stuff ! Feel free to send me suggestions in the comments below, on twitter or on LinkedIn !

Mar 10, 2020

WFH : Working From Home

As the #Coronavirus epidemic spreads and the WHO is of the view that a #Pandemic is now quite a real possibility, a lot of places are going into lockdown mode. A lot of events are cancelled. A lot of offices are asking their staff to work from home. ( You can go over my coverage at https://vibhurishi.pythonanywhere.com/CoronaVirus/ )



Here are some tips and tricks that I have picked up over the last few years to work from home:

  1. Most important : Designate a place for your work. 
    • Allocate a room as your work room. If you have an extra room ( e.g. a study room, guest room, etc. ) make that your work room. 
    • Allocate a desk for your work. You may be tempted to just lounge on your bed or the sofa, but that's not how you get work done. If you have a computer table - use that. If you have a dining table - use that. Have a proper desk and chair setup.
  2. Stick to a routine :
    • Make sure you get up at the same time every weekday.
    • Make sure you take a bath every day as is normal if you were going to the office. 
    • Make sure you have lunch at the same time every day.
      • If you get home cooked food - it's awesome.
      • If not, order or get a tiffin. Or learn to cook. 
      • If you find out that your meal time is getting erratic, put in a calendar event which blocks the lunchtime for you. Not only will you get a notification to have lunch, but also it will block your calendar so that people don't inadvertently put in meetings during that time. 
  3. Upgrade your broadband
    • Working from home is really easy in this connected world. However, the tools of your trade now include being connected. I see many people crib about working from home and they use their mobile to tether for broadband. Bad move. Get a dedicated broadband. You are anyway saving a lot on petrol and diesel.
    • Check your office policies - in most cases you can get reimbursement for your broadband and phone bills. Utilize it. 
  4. Ergonomics
    • Stretch: It's easy to be sitting for long stretches working on your laptop. You need to get up every hour and stretch. Set a timer for the hour. Get up, drink water, stretch. Get back and work.
    • Get a monitor: Laptops are very bad for ergonomics. You will get neck strain by tilting your head down for long stretches of time. Get a monitor and hook it to your laptop. I recommend a 24" Monitor with a matte (non glossy) screen and at least 1080p resolution. If your laptop supports it, go for a 4k monitor.
    • Get a good keyboard and mouse: The laptop's keyboard is cramped. It will put strain on your shoulders. Get a good keyboard and mouse - or at the very least a mouse. I recommend gaming keyboards and mice e.g. the ones from Logitech.
  5. Take calls while walking : 
    • This is a life hack I have found to be quite useful. Walk and talk. It gets you out of the chair and also makes you focus more on the call rather than what's on your screen.
  6. Talk to your family about work from home.
    • One of the biggest complaints that people have is that they get distracted by their kids and family a lot. This is why I recommend a separate work space. However, if you do not have that luxury, you will be making use of the common area. In whichever case, you have to have a talk with your kids and family that this is your work time, and if possible, they should not make too much noise during that time.

I have found that WFH has been a great facility I have availed. It saves me around 3 hours in a day for traveling, parking etc. I end up finishing my work faster also as there is less chit-chat happening.

Hope these tips help you in setting up your WFH scenarios. 

Feb 7, 2020

The Culture is the Product

Why is it that no other company can make a phone as desirable as the iPhone ?

Why is it that no other company can make an electric car like the Tesla ?

Why is it that no other company can make that fast a search engine as Google ?

It's not that other companies do not have smart people. It is not that other companies do not have a ‘vision’ (or even a vision statement). It is not that the other companies do not have deep pockets.

Then why ?

I believe that the reason is the culture of the company. The ‘culture’ or ‘dna’ is a much bandied about word - but not much understood, even by the people throwing it around. Each company has a different culture. That culture defines the product.

Apple has a culture of finesse. They concentrate on the user experience. From the top management to the bottom. The product becomes one about user experience.

Google has a culture of speed. They concentrate on the speed of the products with everything else taking a backseat. The product becomes one about how fast can the user get access to the information.

Tesla has a culture of futurism. They concentrate on the next thing in the car industry. Be it making an electric vehicle when everyone has killed their own products of a similar nature. Or be it about autonomous driving.

And the culture is defined by the person at the helm. Once he moves away, his successor needs to carry on the culture. Sometimes this transfer works, but many a time, this doesn’t. Because the person at the helm defines a different culture than the one before it. And that culture seeps into the product. And that product is no longer what it used to be.

No amount of Product Development workshops will get over this hump. Getting the correct person at the top is much more important than just achieving the next quarter's numbers.

If you want to make a product different from the culture of the company, you need to change the culture of the company.