Phish are smarter with AI, more difficult to spot, but scammers are still relying on everyone who gets email to click and allow their hoaxes, because using non-Admin Windows accounts blocks most of the attachment malware they try to send. They rely on you to let them into your computer. Here’s how to spot a phish, in the new October PC Updater News. Or free subscriptions and back issues are online here.

The post Phish Spotting appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Phish Spotting.

OK, well then, would you click on this email? I don’t remember ordering a pricy server from Amazon, but it looks like I’m getting one. I guess I’d better look in there and see who ordered it for me; could be that my account was hacked. 

So what’s wrong with it? Here goes, most obvious and visible items first:

• I ordered no such thing.
• The sender’s email address has the wrong domain, ‘amazons.com’ which is also not the web address for Wonder Woman’s family island.
• The return address for Amazon orders is generally auto-confirm@amazon.com.
• The format of the email is simpler than the usual Amazon shipping confirmation, missing gray backgrounds, logos, and a picture of each item ordered. It looks a lot like an Amazon confirmation from ten years ago.
• The order number is not a text link in the email, and the last section has too many numbers.
• “it may take 24 hours for tracking information to be available in your account.” No, tracking shows up in Amazon before the email is sent; it’s Fedex and UPS that will just say ‘label printed’ until the next morning.
• Finally, not visible above, if you float your mouse over the ‘Order Details’ button, which is missing the orange logo that Amazon would normally use, you will see the link, which goes to usintecmedical_ com_br, not Amazon. That ‘com.br’ points to a site in Brazil, probably hacked.

What to do? Will this big Dell system show up at my door? No. I TYPED ‘amazon.com’ into my browser, didn’t follow the link, and checked. No surprises there. However, that medical address in Brazil would likely have looked like an Amazon page, asked for a login, which it would keep and use, and then forwarded you to the real Amazon. Or the site would attempt to install malware. Be suspicious. These fake confirmations can look like they come from nearly any large company.

The post Is That eMail for Real? appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Is That eMail for Real?.

Who wrote the rule that says that passwords should have “both upper and lower-case letters, a number, and special characters”? And that they should be changed every 90 days? And that it’s OK to verify a password change by asking questions that anyone on Facebook could look up?

Well, that was NIST, the National Institute of Standards and Technology. And they’ve removed those rules. They’re as obsolete as using ‘monkey’ for a password, and that’s good, as the rules and the monkey were both just nonsense.

Anyone who has done the math can tell you that a 16-character password of nothing but lower-case letters is basically one answer in a set that is 26 raised to the 16th power. That’s 4.36 x 10 22, or 401,906,756,202,070,000,000,000,000. Or you can use 6 characters that include that ‘all possible characters’ rule, and that would be around 72 characters, to the 6th power, or 139,314,069,504. That long-but-simple password is 2.8 quadrillion times harder to guess.

This is, of course, based on stupid. Lots of it. Here are the basic assumptions, all wrong:

• Humans can remember super-complex 8-character passwords. Yes, maybe one of them. Not one for each banking site, let alone all the trivial web sites that demand a password.
• Online attackers can try to guess passwords in groups of trillions. They can’t, even on websites dumb enough to allow it; it would stop the ‘Net just from the traffic alone. A badly-built website would allow a few thousand attempts per day before crashing. Brute force guessing isn’t how attacks succeed on properly-configured web sites. Attackers steal your passwords with spyware, or they guess the top 100 most-popular passwords. Like ‘querty’ or ‘password’. They don’t run through every possible letter & number combination; that won’t work.
• Changing passwords on a calendar basis does something useful. Nope. The assumption is that we use the same password everywhere, and once it’s lost, it will be used everywhere else after 90 days. Hackers don’t wait 90 days, and we can’t change passwords daily. But some users do repeat passwords. Don’t do that.
• Asking questions about our own history is security.
  Like ‘Pick your old address out of these 4 choices’ I’ve done it; they offered addresses of someone else I know that shares my name, my former address at an apartment, and my parents’ address, where I lived sometime in the prior century. I chose the answer of ‘Skip to next financial institution.’
• And finally, there’s the stupid assumption that attackers know that you mixed letters and numbers.

They don’t, and it changes the math. If you told them, “I only use upper case”, well yes, that speeds up guessing. But they don’t know if you used all available characters, or three of them. Forcing us to use ALL those character types doesn’t add any security–a brute force guessing program won’t know which characters to guess.

OK, so the new rules are sensible, by comparison. They’re here:
https://pages.nist.gov/800-63-3/sp800-63-3.html

Most of it is government lawyer-babble, an extreme case of what they call ‘terms of art’, and it spends a lot of pages on what standards and rules apply to what type of activity.

The recommendations include these items, all sensible:

• Password systems should reject dictionary words as passwords, along with the name of the service, or choosing a user name as the password.
• Passwords should be at least 8 characters, and should be allowed to be as long as 64 characters.
• Passwords will be stored as encrypted data, not as passwords, in a “one-way hash.” That means that a web site will ask for “the password that will encrypt to something we know”. In other words, they couldn’t tell anyone (or you) your password even if they wanted to, only if it matched what was entered when it was created. Not “it’s one letter off”, which is an answer I’ve gotten from a (former) bank, without even asking.

What does this mean for us?

Well, it means that “ZebraInTheCornfield” is a higher-security password than “f0OT6a11”, and it’s easier to remember and to type. And ‘monkey’ isn’t allowed, ever. Choose your passwords accordingly, with phrases of at least 16 characters that are easy to remember, but not something anyone else would know.

The post Long Passwords are better than Short C0mp1ex Passwords appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Long Passwords are better than Short C0mp1ex Passwords.