Castanet
Computer Security by Mark Stone
gOS is a free operating system which is more secure than Windows.


Cooler, cheaper, secure and free!

by Contributed - Story: 37828
Mar 10, 2008 / 5:00 am

Windows viruses are getting more sophisticated and much more difficult to deal with. Each form of malware being brought to light is more malicious than the last, harder to detect, and even harder to remove. I’m still astonished at how many home users are still using Windows, especially Vista, which has not at all improved even after its latest Service Pack release.

I’ve always touted the benefits of a Mac, but today I’d like to discuss a free operating system, that even looks like the Mac OS, and is both easy to use and inherently far more secure than Windows. Yes, it’s Linux, but you’ve probably never heard of this version. gOS is the name of this Linux version, and after trying it out for the last while, I highly recommend it to Windows users who are sick of dealing with all the Microsoft nonsense. If you’re looking for an alternative that can be easily installed as an addition to your Windows computer (as a dual boot system – so you can still keep Windows) then this distribution may be for you.

As you can tell from the graphic accompanying this article, the desktop shares a lot of similarities with Mac OS X, which is never a bad thing. Using gOS is very easy, and does not require too much of a learning curve. I’ve been following the many faces of Linux for years and I’ve got to say that this one has probably got the greatest chance of attaining mainstream acceptance.

Back in November 2007, Wal-Mart began selling a 200-dollar PC with gOS under the hood, and they were sold out in a matter of hours! It was a huge hit. The hardware running the PC was not exactly great, but people were still impressed – in all likelihood the hardware on your PC is more robust and will run gOS very well. The system requirements are incredibly low. Almost any PC made in the last eight years will run it.

From a security perspective, gOS, like any other Linux distribution, is far less of a hassle than Windows. I’m not suggesting that Linux is infallible, but it is not nearly as susceptible to the overwhelming malware issues that plague Windows. And did I mention it’s free? Yes, there is a learning curve, and for novice users it will likely never outright replace your Windows experience. But, why not give it a try? You have nothing to lose. And much to gain – like being able to rest easy knowing that if your Windows installation gets hijacked by malware (and it’s only a matter of time), you will have a reliable operating system on your PC that will keep you working and keep you on the Internet.

Good news: you don't have to make any major commitment to try out gOS, since it comes in the form of a bootable Live CD. Go here:

thinkgos

Download the Live CD image, then burn it to a CD. If you’re not sure how to burn it to CD, this program will help:

imgburn

After ejecting the burned CD, reboot your computer with the new CD in the drive and gOS will automatically boot up. You can now get a feel for whether or not you like the look, feel and idea behind gOS. It’s also time to find out if gOS supports your hardware. I’ve found that almost all configurations work fine, but Linux is known for its quirky hardware support. (Vista, anyone?) gOS will run significantly slower off the Live CD than it would if it were installed on your hard drive because it has to read everything from the CD, which is like those snails on the Shaw commercials – very slow.

But when you decide that you’ve had enough of waiting for the CD drive, and you’re ready to install gOS on your hard drive, just double-click the Install icon on the desktop and follow the simple installation instructions. The installer can create a new partition for gOS when you install it, which will allow you to boot into either Windows or gOS upon turning on your PC. Once you’ve completed the intuitive setup, gOS will start copying files and the installation should be complete in about 15 minutes or so.

I realize this may be quite a huge step for many, but I promise that the experience is time well spent. The security picture for Windows is getting gloomier and gloomier, and the more we do to minimize our risk by embracing other operating systems, the better off we’ll be.



SANS is bringing their training to Kelowna, April 21-26.


SANS is coming to Kelowna!

by Contributed - Story: 37397
Feb 19, 2008 / 5:00 am

My column this week is devoted to one of computer security’s greatest institutions, SANS. Based out of Bethesda, Maryland, SANS (SysAdmin, Audit, Networking and Security) is the largest provider of information security training, certification and research in the world. In efforts to bring their world-class training to as many locations as possible, SANS offers a program called Community SANS. This program allows students in smaller markets like Kelowna the opportunity to take part in one of their renowned courses, normally offered in large cities.

Having SANS bring their training to Kelowna is a wonderful opportunity for anyone interested in learning the fundamentals of computer security. The offering for Kelowna is Security 401: SANS Security Essentials, which is taught in their signature boot camp style, taking place April 21-26, 2008 at the Coast Hotel. This is SANS' first event in the Okanagan, with the SANS Security Essentials course taught by Western Canada's own Kenton Smith.

I was lucky enough to attend a SANS course a few years ago. Although I did not take the Security Essentials course, most of my colleagues were in that class. When SANS says boot camp, they mean it. Each and every person I talked to who took this class told me what an incredible learning experience it was. The course I took was also a six-day affair, and I was amazed at how much information they could cram into such a short period of time. Despite the time crunch, the quality of the course materials, the lab work, and especially the instruction, was remarkable. If you are at all interested in learning about computer security, there has never been a better time to get a great start.

I am not at all trying to take away from the strong network security offerings at our local institutions. UBC Okanagan, Okanagan College and the Centre for Arts and Technology in particular all have very good courses in computer security. SANS' offering is much different, as it is presented boot camp style. It provides a great jump-start, or even complements one’s knowledge of computer security. I’m always impressed by how many computer security professionals who take the course end up coming out of it not realizing how much more there was to learn.

For complete course description, event details, and to register, you can visit:

sans

To get more information, the following link, which features the course’s founder Eric Cole, is quite helpful:

youtube

I realize that my column may come across like an advertisement for SANS, but that is not my intention. I have no affiliation with them whatsoever. They truly are a world-class organization, and I have nothing but great things to say about them. I am thrilled that they are bringing their “show” to Kelowna. Yes, the course is expensive, but it’s worth every penny. Anyone who has gone through the SANS experience would agree. Their evening events are always tremendous fun and great lengths are taken to ensure the attendees’ enjoyment. Some even say that the SANS evening events are what keeps them coming back! But their true reputation is based on the training, which can’t be beat.


Facebook definitely has privacy issues. (Photo: Flickr user, fajalar)


Facebook is definitely evil

by Contributed - Story: 37280
Feb 12, 2008 / 4:00 pm

I’m a Facebook junkie. I’ll admit it again. I’ve written about Facebook’s privacy issues before, but since then there’s even more information that has come to light that everyone should be aware of. This stuff is just a nightmare for privacy advocates.

Before last week, it seemed that all I needed to worry about in order to protect my privacy was to ensure I don’t install too many (if any) of those third-party applications that so many Facebook users love to add to their profile. This is because Facebook shares all of our personal information with all of the developers of the applications we’re addicted to.

Scrabulous, anyone? Oh yes, and as I’ve spoken about before, we must ensure we don’t provide too much personal information on our profiles. But now, it seems like anything we do to maintain our privacy is pretty much out the window. Facebook's Web site, as well as their overlong application terms of service, conveniently fail to mention something rather important. Along with providing the application developer access to most of your private profile data, you also agree to allow the developer to see private data on all of your friends too.

Most Facebook users set their profiles to private, which stops anyone but their friends from seeing their profile details. This is a great privacy feature that can protect users from cyber stalkers. Great! But this activity is rendered completely useless by the application system. To reiterate: if you set your profile to private, and any one of your friends adds an application, most of your profile information that is visible to your friend is also available to that application developer, even if you yourself have not installed the application.

The (maybe) good news is that Facebook lets you configure how much of your own private data your friends' applications can see. The bad news is that not only is the setting hidden away, requiring several clicks through menus to find a page listing specific privacy settings (Privacy/Applications/Other Applications), but to most users, it’s not even accessible. It’s greyed out! Ouch. Worse, the default values are extremely lax, so any user who has yet to discover the preference page is essentially sharing their entire profile by default.

This friend data-sharing element, and the ability to protect against it, isn't mentioned anywhere else on Facebook's site, nor are users informed about it when they install an application. Chris Kelly, Facebook’s Chief Privacy Officer, was actually quoted as saying: "We have made things very clear to users, and they understand it very well." In the interview I read, Facebook was being very evasive about any of these privacy issues. I also recall an episode of Sixty Minutes last month featuring Facebook’s CEO, Mark Zuckerberg. When asked about previous privacy concerns, he too was very ambiguous in his responses.

I get the feeling Facebook doesn’t take these privacy issues seriously. But their reasons for not doing so are not at all malicious. Their attitude is probably something like: “If our customers really don’t care about privacy, why should we?” And they wouldn’t be at all mistaken. People add applications with no regard whatsoever for their privacy. Hey, if something’s really cool, who cares what they have to give up to get that immediate satisfaction?

Yes, Facebook is evil, but not evil enough to stop me from using it. Plus, all my silly-application loving friends have already inadvertently shared my information, which is (thankfully) quite limited. I just can’t give up my online Scrabble games!




Canadian passport security exposed!

by Contributed - Story: 35799
Dec 7, 2007 / 1:30 pm

Last week, a serious security flaw in the official website for Passport Canada was exposed. This wasn’t just a minor incident. The data that was easily accessible comprised personal information, including social insurance numbers, dates of birth and driver's license numbers, all belonging to those applying for new passports.

The breach was discovered by an Ontario man filling in information for his own passport application. He realized that he could easily view the applications of others by simply altering one character in the Internet address displayed by his Web browser. The individual who discovered the glaring flaw, Jamie Laning, informed Passport Canada of the problem and they quickly closed off the site last Friday. The site resumed operation on Monday afternoon and strangely, with only a few keystrokes, the same data was still exposed.

This is not at all promising. A flaw like this is just an example of lazy programming and really doesn’t have anything to do with how ‘secure’ the site is. This programming oversight by Passport Canada is a colossal nightmare for Canadians applying online. What I’m saying is: if you’re thinking of applying for a passport online – don’t. For a long time. If Passport Canada is unable to secure our data and allow a massive breach like this, I would be wary of things changing anytime soon.
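
The kind of flaw described above, where changing the record identifier in a web address returns someone else's record, comes down to a missing server-side ownership check. The sketch below is an added example, not code from Passport Canada's site (whose implementation the column does not describe); the function names, accounts and record values are all constructed for illustration.

```python
import secrets

APPLICATIONS = {}   # constructed in-memory store standing in for a database
DENIED = []         # (session_user, app_id) pairs, kept for review/alerting

def create_application(owner, fields):
    """Store a record under an unguessable ID and remember who owns it."""
    app_id = secrets.token_urlsafe(16)  # random, so no neighbouring IDs exist
    APPLICATIONS[app_id] = {"owner": owner, **fields}
    return app_id

def view_unchecked(app_id):
    """Flawed pattern: anyone who supplies an ID receives the record."""
    return APPLICATIONS.get(app_id)

def view_checked(session_user, app_id):
    """Hardened pattern: ownership is verified on every request."""
    record = APPLICATIONS.get(app_id)
    if record is None or session_user is None or record["owner"] != session_user:
        DENIED.append((session_user, app_id))
        # Same answer for "missing" and "not yours", so IDs cannot be probed.
        return 404, None
    return 200, {k: v for k, v in record.items() if k != "owner"}

def demo():
    """Run the checks on two constructed applicants and return the outcomes."""
    alice_id = create_application("alice", {"name": "Alice Example", "sin": "000-000-000"})
    bob_id = create_application("bob", {"name": "Bob Example", "sin": "111-111-111"})
    return {
        "unchecked_leaks": view_unchecked(bob_id) is not None,
        "own_record": view_checked("alice", alice_id),
        "other_record": view_checked("alice", bob_id),
        "no_session": view_checked(None, alice_id),
        "denied_count": len(DENIED),
    }

if __name__ == "__main__":
    print(demo())
```

Random identifiers only make records harder to stumble on; it is the ownership comparison in `view_checked` that keeps one applicant's data from another, and the `DENIED` list gives operators something to alert on.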

Am I saying that the whole passport process is completely inept? Not at all. In fact, Passport Canada should be commended for being able to somehow process the overwhelming number of applications that have come their way. Personally, when my wife and I applied for our passports back in October, our experience couldn’t have been any less painless. Plus our passports were in our hands in less time than anticipated!

I wonder though, if our personal information is as insecure as it appears to be, is there really much point to even have passports as a means of security? Security experts have always maintained that passports are not exactly the answer to national security. I tend to agree. Combine this with the absolutely ineffective measures of liquid banning on airplanes and I’d say our country has some serious security re-thinking to do. More on this at:

Interview with Kip Hawley

This great interview with Kip Hawley, the head of the Transportation Security Administration (TSA), is highly recommended reading.

This massive breach just raises many more questions about the overall state of security online. Not just with Passport Canada, but with how much of our data is out there. The problems lie with the fact that security is so often overlooked in its implementation. Security must be a serious consideration in every aspect of an application, especially where personal information is concerned. Until that day, the onus is unfortunately on us to be extremely selective in to whom we provide our private data. So, right now is certainly not a good time to use Passport Canada's website for your passport application.





About the author...

Mark Stone is an information security consultant for his company, Triad Security Consulting. He has been in the Information Security industry for 8 years and in Information Technology for over 20 years. He is a Certified Information Systems Security Professional (CISSP), and is a strong advocate for promoting computer security awareness and policy in organizations.

Mark's first novel, Behind The Screen: Hacking Hollywood, is now available online. See also http://www.markstonebooks.com

Mark can be reached at 250-864-2294 or email mark@triadsecurityconsulting.com

Visit Mark's web site at: www.triadsecurityconsulting.com





The views expressed are strictly those of the author and not necessarily those of Castanet. Castanet presents its columns "as is" and does not warrant the contents.



© 2009 Castanet.net