I was blown away by the number of people responding to my survey last week. I'm very grateful to you for taking the time.
The response was so overwhelming that it might take me just a little longer to synthesize the results. I will absolutely report back here - and it may be in the form of another short survey to make sure I interpret things correctly.
Again, thank you very much.
Why do I need to change passwords after HeartBleed?
You may have noticed that I didn't jump on the HeartBleed bandwagon last week. I'm not a particularly reactive person, I'm not prone to panicking, and I felt that there was simply too much that wasn't known about the ramifications of the security issue.
Now that things have settled down a little, it's time to take a calmer look at what happened, to learn what you need to do, and to answer the most common question about HeartBleed: why?
But first things first: it's not on your machine. In fact, it doesn't affect your machine at all. This is all about the servers that you access on the internet.
Continue Reading: Why do I need to change passwords after HeartBleed?
Are you worried that someone can buy software to hack your cellphone, or that upgrading your XP machine is hard? Trying to find Windows ISO files, or a missing NTLDR? Curious about Moore's Law? All that and more in this Answercast from Ask Leo!
(Includes the raw transcript on which the articles below were based.)
Is there software that allows someone to track my emails and texts?
The bad guys can do anything they want to your computer if they can gain access.
Continue reading: Is there software that allows someone to track my emails and texts?
What's the best way to upgrade from Windows XP to Windows 7?
A clean install is going to get you a cleaner operating system.
Continue reading: What's the best way to upgrade from Windows XP to Windows 7?
What does "NTLDR is missing" mean?
You're missing your boot loader. This may mean serious hardware problems... or perhaps just something forgetful on your part!
Continue reading: What does "NTLDR is missing" mean?
Can I use Windows 8 ISO files I found on the internet?
It's becoming more and more difficult to buy a computer with installation media. Fortunately there is a solution to not having install discs.
Continue reading: Can I use Windows 8 ISO files I found on the internet?
Can I delete old updates?
It all really boils down to how updates are applied. Some you can delete, others you should not. I'll review the different types.
Continue reading: Can I delete old updates?
Is Moore's Law over?
CPUs may not be getting faster as quickly as they once did, but Moore's law isn't really about speed; it's about circuitry. We're still improving in many other ways.
Continue reading: Is Moore's Law over?
*** Our Sponsor
Saved! Backing Up with Macrium Reflect
*** Last Issue's Articles
- Ask Leo! #491 - MSE on XP is confusing, parental control, negative reviews and more...
- If we login to a site securely will our other activities be secure?
- Why are touch screen monitors so much more vivid?
- How do I tell who really sent an email?
- Someone is signing me up for newsletters I don't want - what can I do?
- Why I don't do negative reviews
- Why can't online services tell me what my password is?
- How do I Repair My System if the Registry Can't Be Loaded?
- Is Microsoft Security Essentials supported on XP or not?
- How do I control what sites my child can visit?
*** Featured Reader Comments
Phil Cowan writes:
On my XP, not only did I get the nonsupport message, but my machine started hanging. Would boot up, but not allow the mouse to do its work. My tech guy removed MSE and it works fine. He said a friend of his had the same problem last night. Is Microsoft doing something to deliberately sabotage XP?
I don't believe in conspiracy theories, so no, Microsoft isn't doing this deliberately. Considering that MSE works just fine on many, if not most, other Windows XP installations, it's more likely that there's something unique about your situation. Not that MSE might not be to blame, but I'd blame a bug or other configuration issue over a corporate conspiracy any day.
David Maxwell writes:
If I have understood correctly (and I found your explanation brilliantly clear), every one of the major thefts of passwords which have been publicised over the years (as well as the Heartbleed thefts) is actually a manifestation of the fact that the host is maintaining the actual passwords on their servers. If they were storing only the hash, the hackers could not steal them. This speaks volumes to the security services of the major sites we all subscribe to.
This is not quite correct.
First, most major thefts have not been "of passwords". They've been of account databases containing hashed passwords. Nonetheless, common best practice after such a theft - even when no passwords were exposed - is to encourage people to change their passwords "just in case". (Obviously, if the theft truly was "of passwords", then yes, those were bad security setups. But as I said, if you read the accounts closely, most were not.)
Second, the situation is more complex than I got into. (Remember, the question was only why a service couldn't tell you your password.) It can sometimes be possible to use tables of hashed passwords to break into accounts 1) if the hashing is done "poorly", and 2) if poor passwords are used. I think someone else mentioned rainbow tables: compute, off-line, the hashes of all possible 8-character passwords, then simply look up a stolen hash to find the password. There are techniques to make this more secure both on the server (doing the hashing properly) and on your end (choosing longer passwords, which is the part within your control).
Finally, poor password choice remains a serious issue. Very often, simply knowing the account login ID, which is stored in the clear in the database, and then trying the top 1000 most popular passwords (slowly, over a few days, from a distributed botnet) will break into an alarming number of accounts.
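As an added example (not part of the newsletter), the following Python contrasts the two ways of storing passwords described above: a fast, unsalted hash, which a precomputed lookup table recovers instantly, beside a per-user salted, deliberately slow PBKDF2 hash, which that same table cannot match. The password list, salt and storage format are constructed sample values, not any real site's scheme.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: a handful of weak passwords a precomputed table would contain.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "sunshine"]


def weak_store(password: str) -> str:
    """Hashing done 'poorly': a single fast, unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute hash -> password once, offline. Because nothing per-user goes into
    an unsalted hash, one table works against every database stored this way."""
    return {weak_store(p): p for p in candidates}


def recover_from_weak(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """With an unsalted hash, recovering the password is a dictionary lookup."""
    return table.get(stored_hash)


def strong_store(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    """Hashing done 'properly': random per-user salt plus a deliberately slow
    key-derivation function (PBKDF2-HMAC-SHA256). Salt and rounds are stored with it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"  # constructed format


def verify_strong(password: str, stored: str) -> bool:
    """Server-side login check: re-derive with the stored salt, compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def recover_from_strong(stored: str, table: Dict[str, str]) -> Optional[str]:
    """The same table against a salted, slow hash: the random salt makes each stored
    value unique, so a table built over unsalted hashes never contains it."""
    return table.get(stored.split("$")[3])


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted SHA-256 recovered:", recover_from_weak(weak_store("letmein"), table))
    print("salted PBKDF2 recovered:   ", recover_from_strong(strong_store("letmein"), table))
```

The salt does not stop someone from guessing "letmein" against one specific account; it only forces that work to be redone per user, which is why the slow KDF and a longer password matter as well.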
*** Leo's Blog
Why I rarely panic
As I watched the HeartBleed issue unfold over the past couple of weeks, I kept looking around at all of the media reports that seemed to indicate that the end of the world (or at least the internet) was upon us. I kept feeling like I was supposed to be panicking.
But I didn't.
And neither the world nor the internet came to an end.
It's not in my nature to panic. That's just the kinda guy that I am. While I think panic is occasionally called for, it does more harm than good more often than not.
Continue Reading: Why I rarely panic
*** Leo's Books
Need more help with or have questions about the newsletter? Check out the newsletter administration page.
Help Ask Leo! Just forward this message, in its entirety (but without your unsubscribe link below) to your friends. Or, just point them at http://newsletter.askleo.com for their own FREE subscription!
Newsletter contents Copyright © 2013,
Leo A. Notenboom & Puget Sound Software, LLC.
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC