Security Mistakes [1]

We are constantly told that the most insecure password is one that relates to us directly and is easily remembered. That is not true: the most insecure password is the one that is written down in plain sight.

The only reason to write down a password and keep it easily retrievable (a Post-it note stuck under the lid of a closed laptop is common) is that it is too complicated for you to remember. One way to guarantee you won't remember it is to make it conform to someone else's rules, for example:

[Image: screen grab of the password restriction shown during Windows 8 installation]

This is a screen grab from the installation of Windows 8. 

This from one of the world's biggest software companies. Scary. This restriction very possibly causes the following issues for their customers:

  • A difficult-to-remember password, so written down and insecure
  • A password structure that some would take literally, i.e. XXxx00## – again, less secure
  • A password structure now standard across gazillions of Windows systems – again, less secure
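The bullets above make a claim that is easy to check with arithmetic. The following Go program is an added example, not code from the original post: it counts the passwords that fit the rigid XXxx00## shape against a random 8-character password and a five-word passphrase, and shows that an assumed "at least eight characters, one of each class" rule (my guess at the kind of rule the screenshot shows, not the exact Windows 8 wording) happily accepts Password1!, which appears in every cracking wordlist. The 10^10 guesses-per-second figure is an assumed offline cracking rate against a fast hash.

```go
package main

import (
	"fmt"
	"math"
	"unicode"
)

// Size of the character class each template symbol draws from:
// 'X' upper case (26), 'x' lower case (26), '0' digit (10), '#' ASCII symbol (32).
var classSize = map[rune]float64{'X': 26, 'x': 26, '0': 10, '#': 32}

// templateBits is log2 of the number of passwords that fit a fixed positional
// shape such as "XXxx00##", i.e. the entropy left once an attacker knows the shape.
func templateBits(template string) float64 {
	bits := 0.0
	for _, c := range template {
		size, ok := classSize[c]
		if !ok {
			panic("unknown template symbol " + string(c))
		}
		bits += math.Log2(size)
	}
	return bits
}

// uniformBits is the entropy of positions independent choices from choices
// alternatives: 94 printable ASCII characters, or the 7776-word Diceware list.
func uniformBits(positions, choices int) float64 {
	return float64(positions) * math.Log2(float64(choices))
}

// meetsPolicy is an assumed "at least eight characters, one of each class" rule,
// the kind of rule the screenshot shows rather than the exact Windows 8 wording.
func meetsPolicy(pw string) bool {
	var upper, lower, digit, symbol bool
	for _, c := range pw {
		switch {
		case unicode.IsUpper(c):
			upper = true
		case unicode.IsLower(c):
			lower = true
		case unicode.IsDigit(c):
			digit = true
		case unicode.IsPunct(c) || unicode.IsSymbol(c):
			symbol = true
		}
	}
	return len(pw) >= 8 && upper && lower && digit && symbol
}

// fitsTemplate reports whether pw has exactly the positional shape of template.
func fitsTemplate(pw, template string) bool {
	p, t := []rune(pw), []rune(template)
	if len(p) != len(t) {
		return false
	}
	for i, c := range p {
		var ok bool
		switch t[i] {
		case 'X':
			ok = unicode.IsUpper(c)
		case 'x':
			ok = unicode.IsLower(c)
		case '0':
			ok = unicode.IsDigit(c)
		case '#':
			ok = unicode.IsPunct(c) || unicode.IsSymbol(c)
		}
		if !ok {
			return false
		}
	}
	return true
}

// crackSeconds is the time to enumerate a whole keyspace at an assumed rate of
// guesses per second (1e10/s is a plausible offline rate against a fast hash).
func crackSeconds(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond
}

func main() {
	const rate = 1e10
	for _, r := range []struct {
		name string
		bits float64
	}{
		{"template XXxx00##", templateBits("XXxx00##")},
		{"8 random printable chars", uniformBits(8, 94)},
		{"5 Diceware words", uniformBits(5, 7776)},
	} {
		fmt.Printf("%-26s %5.1f bits, %12.0f s to exhaust\n", r.name, r.bits, crackSeconds(r.bits, rate))
	}
	fmt.Println("Password1! passes the policy:", meetsPolicy("Password1!"))
}
```

The template comes out at about 35 bits, the random 8-character password at about 52 and the five-word passphrase at about 65, so the memorable passphrase beats the unmemorable rule-driven password by a wide margin; and the complexity rule itself cannot tell a strong password from a dictionary entry.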
 
To summarise: well done Microsoft for participating in 'Security Theatre'. On the surface a higher-security password is enforced, job done. In reality, not really!

@stevechol

The R10Cipher Story

Product: R10Cipher

Purpose: Email and File Encryption and Privacy Software

Website: http://www.r10cipher.com

Online: http://www.webappdevelopments.com/artenscience/r10online/r10online.cgi


Overview

A Simple and Easy Method to Safely Encrypt your Email Correspondence and Document Files. It’s like your emails and documents are carried by a SWAT team rather than being written on a Postcard ! R10Cipher is for Individuals. For Businesses. For You. For Me. For Mum and Dad. For Teachers. For Professionals. For Journalists. For Executives. For Everybody. Because our Privacy and Security have never been more important.

Innovation

R10Cipher is unique in that it is the first cross-platform end-to-end encryption product that real people can and will use for day-to-day encryption. R10Cipher does not attempt to encrypt a complete volume, does not involve the user in complex public-key encryption, and does not need a complicated install; in fact it does not need installing at all. R10Cipher concentrates on being the easiest to use and most reliable end-to-end text and file encryption software.

Because there is no installation, you can copy the Windows (XP, Vista and 7), Mac OS X and Linux versions of R10Cipher to a USB drive or external device along with your documents and carry your data about with you, knowing that a) you can access that data on any computer and b) it is secure, so if you lose it or leave it in a taxi the information is unreadable and no harm is done. That protection is only as strong as the shared secret you chose, so it must not be something a finder could guess.

Because of its simplicity and ease of use R10Cipher pioneers new ways of working. Back up your important data to the web, iCloud, Dropbox or similar, encrypted by R10Cipher, and retrieve it later, wherever you happen to be. Your data is secured by you, not by your web hosting company. If your hosting company is compelled by law to hand over your information, that information is useless to the recipient unless *you* agree to provide access.

The recipient of an R10Cipher-encrypted document or file has to do nothing more advanced than double-click the file and enter the 'Shared Secret'. The document or file is decrypted and saved to the recipient's desktop using the original file name. Again, this is one of the features that helps make R10Cipher an encryption product that can and will be used by 'Mum and Dad'.

The main innovation of R10Cipher therefore is not in the technology but the way in which the product is designed to be easy and simple to use for everybody – not just IT Professionals.


Success

From an initial release in early 2008, R10Cipher is now at Version 5, released in July 2012. Version 1 was built because we needed it, and I decided that if we did then so did others. Version 1 sold a few dozen copies and, using feedback from these early customers, Version 2 was released with some significant enhancements including drag-and-drop batch encryption of files and documents.

When Version 2 was released, Version 1 was featured as a free edition on the DVD cover disks of the UK editions of MacFormat and MacWorld in consecutive months. Since then I have agreed for it to be distributed on several foreign editions of the magazines. Hundreds of new users were gained through distribution of the free edition, and many of those went on to pay for an upgrade to Version 2.

Direct sales of Version 2 were excellent, with good feedback and testimonials. New customers mean new ideas and feature requests, and so Version 3 was scheduled.

Version 3, released 2nd August 2009, was a major new version that addressed all user requests from Versions 1 and 2. The main advances in Version 3 were an increase in key length to 384 bits (Blowfish accepts keys of up to 448 bits), an encryption strength indicator and full key management, which keeps the 'Shared Secrets' you use with your different contacts in an encrypted local database.

With the appropriate password you can recall these and use them for encryption and decryption quickly and easily.
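As an added example, not R10Cipher's own code or file format, here is the shared-secret workflow described above (the recipient enters the secret and gets the file back under its original name) together with the Version 3 key-management idea (the per-contact secrets themselves sealed under one master password), written in Go using only the standard library. Where R10Cipher uses Blowfish, this uses AES-256-GCM with a key stretched from the shared secret by PBKDF2-HMAC-SHA-256; the container layout (salt, nonce, then the encrypted name length, name and data), the iteration count and the sample store contents are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed container parameters; raise iterations until one derivation takes ~100 ms on the slowest target machine.
const saltLen, nonceLen, iterations = 16, 12, 200_000

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA-256 (RFC 8018), written out so the example needs only the
// standard library. It stretches a human-chosen secret into a key and makes every guess cost iter HMACs.
func pbkdf2SHA256(secret, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, secret)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil) // U1 = PRF(secret, salt || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // Uj = PRF(secret, Uj-1); T = U1 xor U2 xor ... xor Uc
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newAEAD(secret string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secret), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds a self-contained container: salt || nonce || AES-256-GCM(nameLen || name || data).
// The original file name rides inside the ciphertext, so the recipient can restore it while
// anyone who merely holds the container learns nothing about name or contents.
func Seal(secret, name string, data []byte) ([]byte, error) {
	if len(name) > 0xFFFF {
		return nil, errors.New("file name too long")
	}
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil { // fresh random salt and nonce for every file
		return nil, err
	}
	aead, err := newAEAD(secret, header[:saltLen])
	if err != nil {
		return nil, err
	}
	plain := append([]byte{byte(len(name) >> 8), byte(len(name))}, name...)
	plain = append(plain, data...)
	// The header is authenticated as associated data, so tampering with the salt or nonce is caught too.
	return append(header, aead.Seal(nil, header[saltLen:], plain, header)...), nil
}

// Open reverses Seal. A wrong secret and a corrupted or tampered container give the same
// error on purpose: the file offers no oracle about which one it was.
func Open(secret string, container []byte) (name string, data []byte, err error) {
	if len(container) < saltLen+nonceLen {
		return "", nil, errors.New("container too short")
	}
	header := container[:saltLen+nonceLen]
	aead, err := newAEAD(secret, header[:saltLen])
	if err != nil {
		return "", nil, err
	}
	plain, err := aead.Open(nil, header[saltLen:], container[saltLen+nonceLen:], header)
	if err != nil {
		return "", nil, errors.New("wrong shared secret or corrupted file")
	}
	if len(plain) < 2 || len(plain)-2 < int(binary.BigEndian.Uint16(plain)) {
		return "", nil, errors.New("malformed payload")
	}
	n := int(binary.BigEndian.Uint16(plain))
	return string(plain[2 : 2+n]), plain[2+n:], nil
}

func main() {
	// Constructed sample: a per-contact shared-secret store sealed under one master password,
	// the Version 3 key-management feature described above.
	store := []byte("alice@example.com=correct horse battery staple\nbob@example.com=Tr0ub4dor&3\n")
	sealed, err := Seal("master password", "secrets.db", store)
	if err != nil {
		panic(err)
	}
	name, plain, err := Open("master password", sealed)
	fmt.Printf("%s: %q %v\n", name, plain, err)
	_, _, err = Open("wrong password", sealed)
	fmt.Println(err) // wrong shared secret or corrupted file
}
```

Two properties are worth copying into any tool of this kind: the per-file salt means the same document under the same secret encrypts differently each time and defeats precomputed guessing, and the GCM tag over the payload plus the header as associated data means a wrong secret, a flipped byte and a swapped salt all fail in exactly the same way.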

Interest in Version 3 was phenomenal and far exceeded our expectations. We have had many upgrades from Version 2 to Version 3 and, because we offered an upgrade policy even from the free edition, a few upgrades from Version 1 to Version 3 as well.

For Version 3 the decision was made to give NFR (not for resale) copies of R10Cipher, free of charge, to employees of Apple Computer Inc. We also offered our desktop security product MonitorMyMac http://www.monitormymac.co.uk/ on the same terms. Interest from Apple employees has been excellent, with over 1000 licenses already applied for and sent. Who knows how many licenses sold since have been the result of recommendations from Apple employees?

In April 2010, in conjunction with MacFormat Magazine, we offered a free Version 2.5 SE on the DVD cover disk with a discounted upgrade to Version 3. This promotion was not as successful as earlier ones, possibly because 2.5 SE was a 'designed to be free' product rather than a previously sold version, and because Version 3 had by then been out for a while.

June 2010 brought R10Cipher IV, an exciting new release that is fast becoming a standard for cross-platform text and file encryption.

This brings us neatly to July 2012 and R10Cipher 5, with many new features including automation. You can read about these changes on the website.

Commercially R10Cipher has been a great success for Arten Science, with several thousand users, and it is a product I am very proud of. Just as importantly, our customers have had immediate and measurable benefits from using R10Cipher: previously they knew they needed something to protect their communications and documents, but they could not find a product that seemed easy and simple enough to use.

IT security and data protection are high on many people's agendas at the moment, or at least they should be, and yet most people are left exposed because, until R10Cipher came along, there was no product simple, easy and complete enough for them to consider using.

Customer Satisfaction

Some of the feedback we have received for R10Cipher recently:

R10Cipher is a fantastic cross platform tool which has given us the peace of mind that our patient sensitive research data can be transmitted electronically in a secure manner on site or with collaborators around the world.  The ability to encrypt and attach files to emails or simply encrypt the email text between Apple Macs and Windows PCs without the need for complicated software installations means that our users are happy to use this great bit of software.  The developer's proactive approach to their software development, requesting and rapidly incorporating users' feedback, has turned a good encryption tool into an excellent one.  Paul McGrath, Computer Manager, Cancer Research UK Clinical Centre

 

My Sony USB Microvault is so much easier than lugging my laptop through airport security, yet again.  The nightmare of the lost or stolen USB stick is only too real, with the Staff Salary Reviews and the Acquisition Financials modeled in embarrassing detail.  I use R10Cipher for Mac as a simple and reliable way of exchanging financial models and private placement memorandums across platforms as well as for secure storage on my USB sticks and portable hard drives.  Simple, reliable and easy to use. Karl Mattingly, Partner, slowCapital

 

R10Cipher is simple, easy to use and powerful. It is the best encryption program for the Mac we have found.  Paul, OnTravel.Com

 

R10Cipher has been an excellent product for ensuring the safe and secure transmission of files in a cross platform environment.  As an independent Strategy Consultant using Apple Mac, but with a client base using mostly PC platforms, I need to find a way to easily send sensitive market and financial data to clients with no hassle for my clients.  R10Cipher does the job simply, easily, and with no problems at all, and causes no difficulties with clients' firewalls. Enough said!… great product.  Peter M. Scott

 

For NetFoos I am lucky enough to travel around the USA and parts of Europe to bring live streaming foosball tournaments to the foosball community. For the live streaming there is a lot of information needed to keep the server running and secure. Now, while on the road with R10Cipher, receiving this information from the home office is much easier as we can simply encrypt and email it while feeling confident that our data remains private. Although we are constantly finding new uses for the software, this one capability has made R10Cipher a great investment for us.  Mark Winker, NetFoos.com

 

If you need to make company or private info available on a need to know basis, then R10Cipher is the tool for you. There are other encryption packages but I haven't found easier to use cross platform software than this one.  Paulo Pires

 

Developed in the UK

R10Cipher was designed and developed entirely in the UK by Steven Cholerton, a Chartered Information Technology Professional (awarded by the BCS), Fellow of the Institution of Analysts and Programmers, Certified Ethical Hacker and holder of several security and technology certifications.  http://www.stevencholerton.com

The cipher R10Cipher relies on also has a UK connection. Blowfish is a keyed symmetric block cipher designed in 1993 by 'Security Guru' and renowned author Bruce Schneier, later Chief Security Technology Officer at BT, and first presented at the Fast Software Encryption workshop in Cambridge. It is unpatented, has no known back doors, and Bruce has placed it in the public domain. Two caveats are worth knowing: Blowfish has a 64-bit block, so it suits individual messages and files rather than gigabytes of data under one key, and Schneier himself now recommends newer designs such as Twofish for new work.

Availability

The publisher of R10Cipher is Arten Science, a small Derbyshire based enterprise dedicated to providing quality and innovative software, security and business solutions.  http://www.artenscience.com

Award

[Images: award logos]

Summary

The success of R10Cipher is primarily down to one thing:

R10Cipher provides much-needed security and encryption functionality in a way that makes it accessible to anybody and everybody. Listening to users and letting them guide the development of the product has meant that R10Cipher does what it needs to do and no more.

The R10Cipher website states 'Security For All. It Just Works' and goes on to say 'It's like your emails and documents are carried by a SWAT team rather than being written on a Postcard!'. Those two statements say nothing about 384 bits, Blowfish or symmetric block ciphers; instead they appeal directly to the man in the street who has information that needs protecting.

The fact that we listen to our users and incorporate their suggestions, as well as the ability of R10Cipher to work on all popular computer platforms without requiring installation, is all icing on the cake. Very tasty icing, we think.


@stevechol

Xfile #365: IT Projects

I recently posted this on Twitter:

[Image: the tweet]

IT projects do not exist, hence the title of this post. Mulder and Scully can investigate all they like, but they won't find evidence to the contrary.

This is something I have believed for many years now. Technology has reached the stage where it is so involved in almost everything we see and do that the need to segregate it and treat it as a separate entity no longer makes any sense.

Do you know any company that has an Electricity Department or a Water Department? Do they have electricity projects and water projects? Yet many companies still have an IT Department and, along with it, IT projects. I was the head of an IT department for 9 years, so I have first-hand knowledge of this. Specialisation and focus are two areas in which companies need to put their efforts in order to remain competitive. If you run a bakery then you understand bread and cakes, and your focus should be on them, not on your IT. Leave that to the experts and call them when needed; do you really need to employ them full time? Wouldn't your time and money be better spent on making and selling bread and cakes?

Companies still need some of the skills on site that have traditionally been supplied by the IT department. Firstly, the staff need to 'man up' and stop pretending that IT is something they need not be concerned with, because 'We are in the Production/Sales/Accounts/Marketing Department (delete as appropriate!)'. The technology in use within that department is not going away; it will only increase, and the staff need to embrace and understand their new tools. Up to a point.

Beyond that point is where outside help is needed. For example, I can temporarily stop a leak, turn the water supply off and mop up, but beyond that I call a plumber. I don't have one on staff, which would be an unnecessary waste of resources; I contact a third party who specialises and focuses on plumbing.

Businesses also need to accept responsibility for ensuring that their staff have the training to properly understand and use the tools they are given. Training is now available from many sources at a very reasonable cost and, if selected with care, will pay dividends.

Technology is so much a part of everyday life now that we all need at least a basic understanding of the technology that surrounds us. I'm sure that 150 years ago the Victorians who used an inkwell knew how to fill it, and 50 years ago if you used a fountain pen you knew how to change the cartridge; now, if we need a printer, we should be more than capable of filling it with paper, fixing a jam or replacing the toner.

Most procedures within a modern business involve technology to some degree. That makes any enhancement to such a procedure or process a business project. Accept it as such and use IT as just another resource; if you leave the IT people to do all the design and implementation, and to take all the responsibility, the chances of getting the result you wanted are very slim.

We need to turn technology on its head, stop being afraid of it as though it were a form of arcane power controllable only by the anti-social and unwashed pizza-and-Coke brigade, and start treating technology as just another enabler, in the same way a horse and cart was once an enabler for a farmer bringing his crops to market. Very important and totally necessary, but the farmer didn't have and didn't need a Horse and Cart Department.

@stevechol 

CRM: What’s Needed [1]

Data in general is not particularly useful until you turn it into information, i.e. apply structure and context.

Your contact database can be your biggest asset. You need to maintain it religiously, you need it accurate and you need it available. It needs to be simple to use and have the most important (i.e. most often used or needed) details and actions easily and quickly available.

It is generally much easier to sell to an existing customer than to find a new one. For example, if you know which of your contacts are customers, and what they bought from you and when, you can contact them at an appropriate time and offer appropriate extras or upgrades.

Nowadays, to stay in business, stay relevant, stay informed and stay on top of your game, your contact database needs to be much more than just an address book.

CRM: What’s Needed [1]  – Fields

Here is an example of some of the information that you should be storing for each contact. I have split it into two sections, Mandatory and Desirable:

MANDATORY

  • Name, Company, Address and Postcode
  • Position
  • Industry
  • Type (Customer, Prospect, Personal, Network, Competitor, Member)
  • Status
  • Favourite Flag
  • Reference
  • Account Manager
  • Connections (Referred By, Associate, Group Company, Family, Competitor etc.)
  • Links (Website, Blog)
  • Social Media Links (Facebook, Twitter, LinkedIn)
  • Instant Messaging Links (Skype, iChat etc.)
  • Multiple Email Accounts
  • Multiple Telephone Numbers
  • Static Notes
  • Historical Notes
  • Allowable Contact Flag – Email
  • Allowable Contact Flag – Telephone
  • User Definable Categories
  • User Definable Tags
  • User Defined Custom Fields

DESIRABLE

  • Photograph
  • Logo Image
  • Multiple Addresses
  • Synced Addresses
  • Travel Code (LOCAL, HALF DAY, FULL DAY etc.)
  • Birthday (Day and Month Only)
  • Send Birthday Card Flag
  • Send Christmas Card Flag
  • Additional Reference
  • Allowable Contact Flag – SMS
  • Allowable Contact Flag – Post
  • Colour Coded Current Relationship Indicator 
  • User Definable Classifications
  • User Definable Ratings
  • Unlimited User Defined Custom Fields
  • Shared Secret for Encrypted 1:1 Communications (held encrypted under a password, never in plain text)

In another post I will discuss what I think are Mandatory and Desirable Features and Functionality  that you should consider when deciding where and how to store your contacts information.

@stevechol

Yamaha XT660R: Review

From the Archives, originally published: 13th January 2008

The Yamaha XT660R, and its supermoto sister the XT660X, were released in 2004. The model reviewed here is a 2006 model I bought and registered in May 2007.

[Photos: the XT660R reviewed]

The XT660R is not a real 'offroad' bike. It is too heavy and unwieldy to be your first choice if you need to regularly hustle quickly through severe terrain. Having said that, it is more than capable of tackling green lanes and gravel roads. In fact I think it would be the perfect bike for some overland expeditions, due in no small part to its simplicity, comfort and reasonable build quality.
 
In my eyes the 'offroad' styling is also very attractive and looks a lot meaner and meatier than many bikes; it's more Mad Max than World Superbike, but all the better for it in my opinion. Not everybody is a fan of the styling, but in my eyes, especially on the model shown with some additional modifications fitted, it looks great.
 
Where this bike excels is as a day-to-day bike for commuting and generally having fun. It features a single-cylinder engine which, although giving only around 45 bhp, is very torquey and capable of propelling the bike along the motorway or autobahn at an indicated 110 mph.


On the motorway with the standard screen it is hard work at anything over 80 mph. The addition of a larger screen and hand-guards makes it much more bearable at speed and in wet weather conditions. 
 
Being a big single it does vibrate quite considerably, but this is only really noticeable on longer trips and I don't find it unacceptable.
 
The seat is high and the riding position is very upright, giving a commanding view of the road. Even at my 6 ft and 200 lb this bike still feels quite large and comfortable, and although the seat can feel slightly hard after 50 miles or so, I have easily completed several 330-mile runs, stopping only twice for fuel.
 


The bike shown averages around 57 mpg and around 120 miles can be done before the fuel light comes on and the digital display starts counting up the miles you are doing on your reserve fuel. Approximately another gallon is available after the fuel light comes on.
 
The instrument cluster is pretty good, especially for this type of bike, and features two trip counters as well as a digital speedometer, a clock and all the appropriate warning lights. What would be nice is a rev counter and gear indicator; it's probably just me, but I often find myself trying to kick it up into a higher gear even when already in top!


The single biggest fault of this bike is the low-speed fuelling. At low speeds around town the throttle is very much either on or off, and a lot of clutch slipping can be necessary to make smooth progress. Wet roundabouts are not much fun either. This is a well-documented fault with this model, and the guys and gals on www.xt660.com have come up with some simple modifications that can help with the problem. Ultimately, though, I think it is necessary to invest in a Power Commander and some dyno time to cure it properly.
 
Speaking of the www.xt660.com forum, this is a great, informative, international and high volume forum that is almost worth buying an XT for. Highly recommended for anyone who has either of the XT660 models.

In my opinion another area in which the XT660R suffers is the front brake. It uses standard rubber hoses mated to a single disc. It stops OK, although the brakes are not at all reassuring, with a lot of lever movement and suspension that seems to sink to the floor with only the slightest pressure on the brakes; no kidding, this suspension is softer than a blind man in a porn shop.

If the front suspension wasn't so weak then the brakes would not feel so bad. Braided hoses, decent pads and upgraded front suspension are on my list of upgrades, as the bike is so much fun to ride that not having confidence in its stopping abilities is a bit of a downer.


The bike is a lot of fun to ride. The high position, wide bars and responsive motor mean that it is difficult not to thrash it point to point, especially on the nice bendy B roads that are so common in Derbyshire. The suspension means it will handle the worst roads without too much trouble, and as long as you don't expect sports-bike cornering abilities you will have a whole lot of fun.

@stevechol

It’s Only An App …

There have been some very interesting articles lately on some of the LinkedIn groups I am a member of, as well as on sites such as Reddit. People post asking 'How can I get a good developer?' The answer is simply to be prepared to pay them the going rate. It couldn't be any simpler.

The problem is that MrX has an idea that he thinks is worth millions. *All* he needs is a developer to make it happen. He is prepared for the developer to do all the work for free on the promise of a percentage of the profits, or a few shares. It's only fair: he has contributed an idea, and the developer is expected to contribute a few hundred hours...

There are some serious flaws in that idea, here’s a couple:

1. An idea is worth exactly £0.00. If MrX thinks differently then he can invest the money in paying a developer to produce the app and keep all the profits himself. He'll still be drowning in cash. Or maybe he isn't *that* sure the idea is worth anything... Here's another test he can do: attempt to sell the idea on eBay. Let me know how that goes...

2. For every application that makes serious money there are thousands that don't. Even if the app is great and you have actually built a better mousetrap, who is going to invest the money needed to tell the world about it? Who is going to ensure the venture works as a business?

Assuming MrX realises that developers don't work for free, how much should their time be worth? MrX will baulk at £2000 to develop an app, even if that £2000 means the developer is actually only getting minimum wage once the time required to build the app is taken into account. It's only an app, after all; how long can it really take?

MrX may then look at some of the job boards, decide that $20 an hour is a reasonable rate, and find someone from India or China who guarantees to create something fantastic for him. Technically there are many developers in the East who are more than capable of creating great software; however, can MrX make himself understood to someone who is not only on the other side of a language barrier but also on the other side of a culture barrier? And let's not forget spelling, management, time zones, copyright, etc.

If, for example, a developer charges £60 per hour, that is about half what a main-dealer Range Rover mechanic is charged out at. It's on a par with an electrician or plumber. Is that unreasonable?

Some people know the cost of everything and the value of nothing. This is not helped by the various 'app stores', where the race to the bottom on pricing has been ridiculous. If you are an experienced developer, hang in there: the current situation is not sustainable, and your knowledge, expertise and experience have a value.

@stevechol