
Blog


November 30

Security tips for the holiday season

"If you want to do something unnoticed here, do something very eye-catching there" (Sujeetism)
 
 
Mis-direction. Apparently the fundamental element in everything that seems too good to be true. Magicians, illusionists, sorcerers - everyone's apparently used it in some way to get the final effect desired. It still doesn't explain how David Blaine levitates off a New York City sidewalk, but perhaps an episode of MythBusters will explain that in another fifty years. They haven't gotten to Houdini yet.
 
 
The holiday season brings about a great deal of "stuff". Shopping with gusto. An overall sense of having one's schedule supercharged owing to fuller days with family and friends. Travel and all its associated baggage in all its glory. In summary, you're probably doing a lot more than you usually do.
 
 
The converse is also true. By doing a lot more than what you're usually doing, you're also not doing what you're usually doing a lot of.
 
 
Confused? It's like what Derek Zoolander said..
 
"Wait a minute. I might just have an idea. They'll be looking for us at Maury's right? But they won't be looking for... not us."
 
 
 
Alright, I'll stop chasing my tail. The holiday season has you, in all probability:


  • Not paying as much attention to the "recent activity" on your credit card's website
  • Not paying as much attention to "who's doing what" on your computer
  • Not being as paranoid about "greeting cards" in your email
  • Not being as paranoid about verifying the integrity of the online merchant that you're about to get that hard-to-get gift from
  • Not being as cautious about using your credit card(s) at online retailers
  • Using paper money a tad more than usual and being prone to leaving your debit card in the ATM
  • Being away from phones and cellphone connectivity and the Internet, and thus being out of reach to credit card fraud departments
  • Buying a lot of stuff and not being as cautious about storing / destroying all your receipts that bear little snippets of your personal / financial information

 

And a lot more. Worried yet? It's probably just a tad overkill on the paranoia, but then again - the holiday season lends itself to extremes.

 

Thus, the following tips to help make for a safe holiday season:

 

 

Computer safety

 

  • Holidays bring people. People need to do email. "Can I use your computer?" usually gets an "Of course!" and the firewall usually gets turned off because "It's getting in the way!"

    Multiply that by people getting their own computers into your home and getting onto your wireless network. Suddenly your WEP / WPA key is posted up on the refrigerator door and you're getting "Can we just turn the wireless security off till everyone's here?" murmurs from the spouse.

    Multiply that by kids who visit "children's websites" and have interesting little "free games" on interesting little websites that want to market interesting little toys by dropping interesting little bits of spyware. Very interesting indeed.

    Multiply that by next-room questions like "Can I download this?" during a conversation that gets hurriedly answered with "Yes, do whatever you like" by an adult, or even you.

    End state: There's more to clean up after the party ends than you expected.

    • Tips:
      • Create "Guest" accounts on all your computers, lock them down with respect to software-installation rights and download locations
      • Change your wireless network's WEP / WPA key before everyone arrives, to a relatively easy-to-remember value. This is VERY insecure, but it could serve as a reminder for you to change it after everyone leaves. If your router and your guests' laptops support WPA, use it rather than WEP: a WEP key can be recovered from captured traffic no matter how strong you make it, so with WEP the "easy-to-remember" part costs you nothing you hadn't already lost.

        At best, you're going to be the neighborhood freebie ISP for a while, and you may even be a conduit for some illegal file sharing and music piracy. At worst, this could have you being subpoenaed and talking "settlement" with the MPAA and the RIAA after the turn of the year.

        Don't like the sound of that? Make it a hard-to-crack-yet-easy-to-remember password. This is a fundamental paradox. Good luck with that.

        Oh, and before you get asked to do so - post it up on the refrigerator door yourself.
      • Set up spyware / adware  (what's the difference?) scans for really late hours of the night. Assume that there's going to be a lot of it coming in during the day, and set up your scanners to detect and delete all the bad stuff silently when everyone's sleeping.
      • Tune your firewall down to an acceptable-yet-unintrusive level. This, again, is a fundamental paradox - but often possible. Have it be tweaked to stop the "really bad stuff" and let the "suspect stuff" slide. While this does pose a threat to your computer and your network, it does keep you from the knee-jerk "turn it off" response.

        And while you're at it - tweak that "Guest" account so that it can't turn off any startup software applications. Kids are a lot more computer-savvy today than you were at their age!

 

Credit card safety

  • You're going to shop...a lot. Look that truth square in the face and you'll ease into the rest a lot easier. The holiday season is notorious for hacks and scams because everyone from the security-savvy consumer to the paranoid security administrator has people to see and places to go, and thus has to spend time away from their well-worn keyboards.

    In addition, you're going to have a lot less time (and strength) to spend scanning your credit card statements.

    End state: It's Friday night for the hackerati, and they ain't staying in!

    • Tips:
      • If your credit cards allow it, sign up for their "fraud protection" service. I normally abhor such things, but if your schedule's not going to allow you to be as watchful over potentially fraudulent financial activity, it's best that you pay someone to do it.

        Ideally, drop the service after life returns to normal. You'll have to check if you can, in fact, bail out like this. If the service is a take-it-or-leave-it annual subscription, then you just may have to cross your fingers...

      • I've seen this done but haven't tried it out myself. Check with your credit card companies if they can require additional authorization (by you / registered cardholders) for any purchase above a certain amount. Not only will this stop the spur-of-the-moment purchase of a new 50-inch plasma screen, but it will also stop big-ticket purchases that happen "without your knowledge".

        There's more to this than meets the eye, which is probably why I've never mustered up the courage to try it. What happens when a card protected by this process is slid through a card reader for an amount exceeding the "glass ceiling"? Does it stay "stolen"? Would you hold up the checkout line? Would it be too embarrassing at a public place, especially when group meals can easily cross $500 if they're done right?

        All in all, a good security control that I haven't played with yet. If you do go through with it, do let me know how it works out.

      • Call your credit card's fraud protection service ahead of time if you're going to make a big-ticket purchase and/or are going abroad.

        Many credit card companies are now doing an excellent job of monitoring their cardholders' credit card usage (Five stars to Discover for this!). I remember getting calls from Discover Fraud Protection within 15 minutes of buying a new cellphone, and within 30 minutes of paying for gas at an out-of-town gas station while on a road trip. Kudos to them for their diligence.

        However, that could go against you if you're out of cellphone range and the purchase authorization gets held up. Thus, I would recommend calling them ahead of time and letting them know.

        This would help a lot when it's international travel. They wouldn't block your international purchasing activity, and would block activity from any other place - or so I think it would work. As with everything else here, check with the credit card company beforehand.

    • Red flags:
      • Small charges on your credit card statement. $30 charges easily get missed as meals and the sort, especially when it's a huge group. Check everything!
      • Vendor names on your credit card statement. If you don't recognize the name of the vendor on the statement, give them a call. You may think it's one merchant when it's someone completely different, and potentially someone you don't know.
      • Slight differences in your posted charges. If you paid $20, then expect $20 to be posted. This may seem obvious, but there's been chatter about some "offshore" online sites that make you incur an extra percentage on their charge because your card issuer treats the transaction as an international / foreign-currency transaction.

        In such cases, you can't really "reverse" the transaction, but you will know that your credit card company charges you a percentage for "international" transactions and you could alter your future purchasing habits accordingly, if necessary.
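The three red flags above are mechanical enough to script. The following is an added example, not code from the original post: it walks a statement and flags charges from merchant descriptors you don't recognize, small charges that are easy to wave through as "a meal", and charges that reconcile to a purchase you made but post for a slightly different amount, which is what a hidden foreign-transaction surcharge looks like. The statement lines, the known-merchant list and the expected-purchase list are all constructed for this example, and the SMALL_CHARGE threshold is an assumption.

```python
"""Statement screen for the credit-card red flags above (added example)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Tuple

SMALL_CHARGE = Decimal("35.00")   # assumption: amounts this size hide among group meals


@dataclass(frozen=True)
class Charge:
    date: str
    descriptor: str        # merchant name as printed on the statement
    amount: Decimal
    foreign: bool = False  # issuer marked it as an international / foreign-currency transaction


@dataclass(frozen=True)
class Expected:
    descriptor_contains: str  # substring you expect to see in the descriptor
    amount: Decimal           # what you actually agreed to pay


def parse_statement(text: str) -> List[Charge]:
    """Parse 'date|descriptor|amount|flags' lines; an 'F' in flags marks a foreign transaction."""
    charges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, descriptor, amount, flags = line.split("|")
        charges.append(Charge(date, descriptor, Decimal(amount), "F" in flags))
    return charges


def screen(charges: List[Charge], expected: List[Expected],
           known_merchants: List[str]) -> List[Tuple[Charge, str]]:
    """Return (charge, reason) pairs for every line that deserves a second look."""
    flags: List[Tuple[Charge, str]] = []
    pending = list(expected)  # each expected purchase may reconcile exactly one charge
    for ch in charges:
        desc = ch.descriptor.lower()
        match = next((e for e in pending if e.descriptor_contains.lower() in desc), None)
        if match is not None:
            pending.remove(match)
            if ch.amount != match.amount:
                # Red flag 3: you know what you paid, and that is not what posted.
                pct = (ch.amount - match.amount) / match.amount * 100
                why = f"posted {ch.amount}, expected {match.amount} ({pct:+.1f}%)"
                if ch.foreign:
                    why += "; posted as foreign, so this is probably an FX surcharge"
                flags.append((ch, "amount variance: " + why))
            continue
        if not any(k.lower() in desc for k in known_merchants):
            # Red flag 2: a descriptor you cannot place.
            flags.append((ch, "unrecognized merchant: call the number on the statement"))
        elif ch.amount <= SMALL_CHARGE:
            # Red flag 1: small enough to be mistaken for a meal you forgot.
            flags.append((ch, "small charge from a known merchant: confirm it was yours"))
    return flags


# Constructed sample statement (not real data).
STATEMENT = """\
12/20|WHOLEFDS MKT 10023|142.17|
12/21|AMZN MKTP US*2K4X|89.99|
12/21|GIFTSHOP-INTL ONLINE|206.18|F
12/22|STARBUCKS #1122|31.40|
12/23|WEB*SVCS DIGITAL|9.99|
"""
KNOWN_MERCHANTS = ["WHOLEFDS", "AMZN", "STARBUCKS"]          # constructed
EXPECTED = [Expected("AMZN", Decimal("89.99")),              # constructed
            Expected("GIFTSHOP", Decimal("200.00"))]


def run_sample() -> List[Tuple[Charge, str]]:
    return screen(parse_statement(STATEMENT), EXPECTED, KNOWN_MERCHANTS)


if __name__ == "__main__":
    for charge, reason in run_sample():
        print(f"{charge.date} {charge.descriptor:<22} {charge.amount:>8}  {reason}")
```

On the sample data the grocery run and the Amazon order pass, while the gift shop (+3.1% over the agreed price, on a foreign-flagged transaction), the $31.40 coffee and the $9.99 "WEB*SVCS" line are flagged. The check is only as good as the expected-purchase list, so keep the receipts the holiday-season list above tells you not to lose until the statement has been reconciled.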

 

Home / physical security

  • Nightclubs have bouncers. Your home doesn't. If it does, skip this section.

    With additional people comes additional risk. Open doors, open windows, open basements and open attic portholes. Burglars love this.

    Tip:
    • With the increased foot traffic over the various thresholds, you're probably going to end up turning your home security system down and/or off for the day. If so, have it be configured to do a "self-test" at a predetermined reasonable hour of the evening that will have it powering on and telling you what's open and what's not.
    • Recharge the batteries for all the flashlights, and keep a few by the bedside.
    • Have your security patrol's number(s) handy.

 

That's all, for now. I'll update this with more tips / scenarios as I think of them, and your input is always most welcome and much appreciated.

 

Have a safe and happy holiday season!

 

July 15

Quick post: Link only: Microsoft AntiSpyware

The link below to a recent article about Microsoft's AntiSpyware made me wonder enough to tack it atop my "to read and then write about" stack. While I think up the juices that'll make the cocktail, here's the brew, straight up..
 
 
June 24

Virtual Private Networking over Virtually Private Wireless access points

I imagine this is getting to be a common experience: One walks into a hotel / coffee shop / anyplace that lets you sit at a table for a while, where the only interruption is the serving staff's polite requests about whether they can be of assistance. One proceeds to extract one's laptop from wherever one stows it, boots up, and watches in glee as one's operating system indicates that there is an "open" wireless access point in the area.

 

Falling prey to the "Have access, will surf" syndrome, one quickly fires up one's browser and heads over to check one's email, only to be surprised by a pay-for-use webpage that seems to swallow every aspect of Internet use from one's laptop.

 

"Ah, so its not free...@#$@#$@#$!!!"

 

Yes, it ain't free. Wake up and smell the smog. Nothing's free, other than the smog. Either pony up the approximately-ten-quid towards the wireless access, or play Solitaire instead. Alternatively, you could consider using your computer without being connected to the Internet if that isn't a truly horrifying thought.

 

Or...

 

You could try using a VPN. I can already feel the traffic and the hate mail that this blog post is going to attract, but being (in)famous never bothered me before and I don't see why I should have a change of heart now..

 

So, what's this about using a VPN? Well, it's quite simple, actually. The average "open wireless access point at a public place" setup is designed to intercept the "popular" ports, Web traffic above all, and redirect anything it sees there to the "Please pay first!" page.

 

However, if you pay close attention, some applications slip through. Some instant messengers, for example: they talk to their servers on non-standard ports that the portal never bothered to filter, so although your browser and most other Web-ified applications cough up the "Please pay first!" page, these IM clients work just fine.

 

Translated, if you could somehow use some non-standard port to get to Google and all those "other" websites that you're just dying to get to, things would work just fine. However, as most things go, this is usually easier said than done.

 

Usually.
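Before deciding whether to bring a tunnel up on a fresh network, it helps to know what kind of "open" access point you are looking at. The following is an added example, not code from the original post: it models the probe an operating system, a VPN client or your own connect script can run, namely fetching a plain-HTTP URL you control whose response is fixed, and classifying what actually comes back. A portal that grabs the popular ports answers that request itself, either with a redirect to its pay page or with the pay page's HTML in place of your content. The probe URL, the expected body and every sample response are constructed for this example.

```python
"""Captive-portal probe classifier (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

PROBE_URL = "http://probe.example.invalid/ok.txt"  # assumption: a small fixed file you host
EXPECTED_BODY = b"OK"                              # assumption: its exact contents


@dataclass(frozen=True)
class ProbeResult:
    verdict: str                       # open | captive_redirect | captive_rewrite | blocked
    portal_host: Optional[str] = None  # where the portal sent us, if it redirected


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Minimal HTTP/1.x response parser: status code, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def classify_probe(raw: bytes, probe_url: str = PROBE_URL,
                   expected_body: bytes = EXPECTED_BODY) -> ProbeResult:
    """Decide whether the response to the probe came from our server or from a portal."""
    status, headers, body = parse_http_response(raw)
    probe_host = urlsplit(probe_url).hostname

    if 300 <= status < 400 and "location" in headers:
        target_host = urlsplit(headers["location"]).hostname
        if target_host and target_host != probe_host:
            # Something between us and our server answered with a redirect elsewhere.
            return ProbeResult("captive_redirect", target_host)
        # A redirect back to our own host (e.g. http -> https) is the server's own doing.
        return ProbeResult("open")

    if 200 <= status < 300:
        if body.strip() == expected_body:
            return ProbeResult("open")
        # 200, but not our content: the portal served its page in place of ours.
        return ProbeResult("captive_rewrite")

    return ProbeResult("blocked")


# Constructed sample responses to the probe request (not captures from a real network).
SAMPLES = {
    "open": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nOK",
    "portal_redirect": (b"HTTP/1.1 302 Found\r\n"
                        b"Location: https://login.hotspot.invalid/pay?url="
                        b"http%3A%2F%2Fprobe.example.invalid%2Fok.txt\r\n"
                        b"Content-Length: 0\r\n\r\n"),
    "portal_rewrite": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                       b"<html><body><h1>Please pay first!</h1></body></html>"),
    "dropped": b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n",
}


def classify_samples() -> Dict[str, ProbeResult]:
    return {name: classify_probe(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        extra = f" (portal at {result.portal_host})" if result.portal_host else ""
        print(f"{name:<16} -> {result.verdict}{extra}")
```

A captive_* verdict is the cue to bring the tunnel up and then run the same probe again: if the tunnel comes up at all, the portal was only filtering by port, and if the second probe comes back "open", your traffic is really leaving through the far end rather than sitting behind the pay page.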

 

There are two ways to translate that theoretical blah into a practical hurrah. One assumes that you work for a company that has an existing corporate virtual private networking setup and has you using a laptop with a VPN client installed on it that you could use to "tunnel" back to your corporate network. The other assumes that you are reasonably tech-savvy and could set up a freebie VPN installation yourself, and have an always-on computer at your place of residence / otherwise that is connected to the Internet.

 

If the first possibility seems closer to home, then things get really simple. Whenever you see an "open" wireless access point show up that demands payment for use, fire up your corporate VPN client and do your bit as always. If the tunnel comes up at all, the portal was only filtering by port. In fact, I would recommend this even if the open access point doesn't demand payment. Sending authentication credentials (usernames, passwords and other data) over a public wireless network doesn't leave a good aftertaste...

 

The above should work for most "average" open wireless networks that demand pay-per-use. If this post gets too popular, that volume may dwindle down over time, but then again - so is the ozone layer.

 

The reason it works is that your VPN client takes all your network traffic over an encrypted tunnel, on a non-standard port, across the available wireless network to a server in your workplace datacenter, which then sends it out to the Internet wherever you desire. To you, all this is transparent, apart from an acceptable network delay. One caveat: this only holds if the client is configured for a "full tunnel" that routes everything through the VPN. A split-tunnel configuration sends only corporate destinations through the tunnel and leaves the rest of your traffic on the coffee shop's network, unencrypted and still behind the pay page. In addition, as I mentioned before, a full tunnel keeps you a lot more secure over a publicly-accessible wireless network, since it encrypts all your data and sends it back to your corporate network, and then to the Internet, and stops any attempts by any wannabe-hackers to grab your data as it flies over the air at that coffee shop.

 

Alternatively, the other way is to set up a VPN on your always-on and always-connected home / residence computer. In theory, this would work in the exact same way as described above, if you were to change all instances of "corporate" and "workplace" to "home" in the above paragraph.

 

And where would you get a free VPN setup to install on your home computer? Here, or you could try this.

 

I haven't used either, but am seriously considering setting one up. I'll post some follow-up after I do.

 

And for the lawyers scribbling furiously, here's the interesting caveat - this was intended to be a method of securing one's data as it travels over a publicly-accessible wireless network, and was not intended to be a method that could be misused to defraud wireless network service providers of their client charges. In addition, this text was meant to be for solely educational purposes and not meant to be practised in any manner that would be deemed illegal and/or harmful to any person, place or organization, commercial or otherwise. Any interpretations contradictory to the above are solely that of the reader and unintentional from the author's perspective.

 

Gotta love the law.

June 16

And this is supposed to make me feel safer?

I recently read a Skippy post about how a Dell rep cited the Patriot Act as the reason for asking why a small business was purchasing a server.

 

I would be curious to read this rep's script. Would it run something like this?

  • Ask customer the purpose of purchase
  • State that the US Patriot Act requires you to do so, if customer asks for a reason for your nosiness
  • Listen carefully if the customer stammers or states a reason that seems dishonest
  • Probe for additional details if you feel that the customer is being dishonest
  • Probe for additional details if you feel that the customer's response warrants additional questions
  • Look at your watch and make a decision about if you should continue this nonsense versus answering the next call and meeting your monthly quota for answered calls and sales commissions
  • Chat with your supervisor and colleagues at the water cooler about the number of customers you've surprised and offended during your shift so far..

 

Jokes aside, I'm curious - WHY would this work over a verbal medium? It would totally make sense, from a seller's "due diligence" perspective, if the customer were asked to state the reason for purchase through some sort of customer-signed medium, i.e. a Web form, a faxed form or perhaps even a real form with real ink. Having a customer state the reason for purchase over a potentially-recorded phone call doesn't really seem like the Patriot Act is being translated into action in the right way...

 

Technically, every computer can be used to do a lot of things that can have damaging repercussions on a wide section of society. Technically, so can a chainsaw purchased at a hardware store, a car purchased at a neighborhood lot and a gallon of gas filled into a jerry can. Nothing's right in the wrong hands.

 

If this goes on, perhaps I'll be asked to state and sign a reason for purchasing a timer that automatically turns on (and turns off) the lights by the time Santa flies in this year. Perhaps I'll make my most curious face and stammer out a response in a heavy accent just to see the store manager scurry around the corner with a cellphone. It'll be even more fun if I actually see an unmarked van park nearby over the next few days!

 

There's a fine line between "paranoid" and "delusional" that's often blurred by those in the dark world of security. This, unfortunately, just smells like another colossal waste of tax dollars and security-agency manpower...