Monday, July 30, 2012

JT Evans on Computer Security for Writers (Part 3) by DeAnna Knippling

Editor’s Note: This is the third in a three-part series. You can read Part 1 here and Part 2 here.

JT Evans, as well as being a writer, is a computer security expert who started programming at the age of seven and has been a Certified Ethical Hacker since 2009. During his June Write Brain talk, he covered three main topics: how writers should take care of their computers, computer security basics for writers, and what the bad guys are doing with computers.

What the Bad Guys Are Doing with Computers

The bad guys are violating one of three principles of computer security when they go after someone’s computer:
Confidentiality. For example, sending your personal information without authorization.
Integrity. For example, changing test scores or introducing a virus onto your system.
Accessibility. For example, taking down a website or server.
These are known as the CIA triad of computer security.

What methods can the bad guys use?

Denial of Service (DOS) or Distributed Denial of Service (DDOS) attack. This kind of attack blocks user access to a computer, website, or network. The DOS attack took advantage of a particular vulnerability in the Windows 95/ME/XP operating systems that let a bad guy crash your computer (a division by zero error was involved). DOS vulnerabilities are mostly closed now. DDOS attacks are a technique using botnets to send so many requests to a webpage or server that the server is unable to respond to all the requests--effectively taking down the webpage or server for a time.

Weak password vulnerabilities. A computer program can guess a lot of passwords using dictionary files, very quickly. Because a lot of people have easily guessed passwords (from things like “password” to their spouse’s name), a lot of people are vulnerable to this kind of attack. Here are some password tips:
Use at least eight characters.
Use a mix of lowercase, uppercase, and symbols whenever possible.
Don’t depend on replacing letters with numbers (as in p@ssw0rd), because those types of replacements are in the programs’ dictionaries now, too.
Don’t use an easily guessed word or code as a password (password, 123456, qwerty, letmein, etc).
Use a phrase that you can easily remember (like a book title) to build a password, using the initial letters of each word in the phrase (e.g., TQBFJOTLD for “The quick brown fox jumps over the lazy dog”).
Don’t use the same password everywhere; in some cases, if a computer or website is hacked, then all the passwords on it are vulnerable (as in the recent LinkedIn hacking). You don’t want your password at your bank to be hacked just because someone hacked into a social networking site, do you?
A good way to store passwords is to keep them all (including user names and websites) in a GPG-encrypted text file, protected by one really good password that you don’t use anywhere else.
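The tips above can be turned into a small checker. This is an added example, not code from JT's talk or handouts; the wordlist is a tiny constructed sample and the function names are hypothetical. It shows why p@ssw0rd fails: undoing the letter-for-symbol swaps turns it straight back into a dictionary word.

```python
import re

# Constructed sample wordlist; real guessing dictionaries hold millions of entries.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "dragon", "monkey"}

# Substitutions the post warns about (p@ssw0rd): map each symbol back to a letter.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(candidate):
    """Lower-case the candidate and undo common letter-for-symbol swaps."""
    return candidate.lower().translate(LEET)


def audit_password(candidate, personal_words=()):
    """Return the tips that `candidate` violates (an empty list means it passes)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    classes = [r"[a-z]", r"[A-Z]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, candidate) for c in classes):
        problems.append("missing lowercase, uppercase or symbol")
    # Personal words stand in for easily guessed names (spouse, pet, and so on).
    wordlist = COMMON_WORDS | {w.lower() for w in personal_words}
    # Check the raw and the de-substituted form, as dictionary-based tools do.
    forms = {candidate.lower(), normalize(candidate)}
    # Strip trailing digits/symbols so "Letmein1!" still matches "letmein".
    forms |= {re.sub(r"[^a-z]+$", "", f) for f in forms}
    if forms & wordlist:
        problems.append("dictionary word or simple variation of one")
    return problems


def initials_from_phrase(phrase):
    """Build the initial-letter base from a memorable phrase."""
    return "".join(word[0].upper() for word in phrase.split())


if __name__ == "__main__":
    for pw in ("p@ssw0rd", "Letmein1!", "Tqbf-JotLd!"):
        print(pw, "->", audit_password(pw) or "passes these checks")
```

Note that the bare initials TQBFJOTLD still fail the mix-of-characters tip, so the phrase is a starting point to which case changes and symbols are added.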

Buffer overflows. When you’re inputting data into a field, if the field is, say, 10 characters long for a phone number, and if the field isn’t protected from someone typing in too many characters, then the extra information (after the first ten characters, in our example) can be used to reprogram the software. In the past, this was the most common way to attack a system; now, with more protection being developed, it’s moving to #2 after...

SQL injection. Structured Query Language (SQL) is the programming language used in relational databases. It’s like a buffer overflow in that you type extra information to force the database to do something it wasn’t supposed to do, but the techniques are specific to SQL databases.
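To make the "extra information" idea concrete, here is an added example (not from JT's talk) that runs the same lookup two ways against a throwaway in-memory SQLite database. The table, rows and function names are constructed for illustration; the second function is the standard fix, a parameterized query.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE manuscripts (owner TEXT, title TEXT)")
    db.executemany("INSERT INTO manuscripts VALUES (?, ?)",
                   [("alice", "Draft One"), ("bob", "Secret Novel")])
    return db


def titles_concatenated(db, owner):
    """Vulnerable form: the typed text becomes part of the SQL statement."""
    query = "SELECT title FROM manuscripts WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(query)]


def titles_parameterized(db, owner):
    """Hardened form: the driver passes the typed text as a value only."""
    query = "SELECT title FROM manuscripts WHERE owner = ?"
    return [row[0] for row in db.execute(query, (owner,))]


# Constructed input carrying extra text after the expected name.
EXTRA = "alice' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", titles_concatenated(db, EXTRA))   # every owner's rows
    print("parameterized:", titles_parameterized(db, EXTRA))  # no rows
    print("normal lookup:", titles_parameterized(db, "alice"))
```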

Social engineering. This is using clever tricks to get people to give you information. If someone ever asks you for personal information, and you didn’t initiate the request by asking for something first, it’s probably social engineering (for example, phishing emails or even fake antivirus software).

Cross Site Scripting (XSS). This takes over your browser by injecting code into a website, then letting the website do naughty things to your browser. This can be used to create a browser-based botnet.

Cross Site Request Forgery (CSRF). This uses HTML to trick your browser into turning one action into doing a different action instead. For example, if you clicked anywhere on an Amazon page, a bad guy might use CSRF to force the click to work on the “Buy now with 1-Click” button instead.

Lack of encryption. An unsecured wireless network can be used to do many things, including monitoring every action on your desktop. If you’re on unsecured wifi, you should use a Virtual Private Network (VPN) if you have one, and use Secure Socket Layer (SSL) (that is, a site that starts with https:// rather than http://) when possible. Also, when you’re choosing the encryption for your wireless network, use WPA, rather than the WEP or WEP2 options, which are easily broken.

Network/Host scanning. There is a wealth of tools available that will scan for vulnerabilities. These are used by both the bad guys and the good guys: the bad guys to try to break into systems; the good guys to make sure it won’t be easy to break in. Some examples are nmap, Nessus/OpenVAS, Metasploit, and kismet.

If you need more information, you can go to JT’s website, jtevans.net.

If you’d like a copy of his handouts, click here.

About the Writer:  DeAnna Knippling is a freelance writer, editor, and formatter married to a Network Administrator, and she was still embarrassed about some of her personal security practices after hearing JT's talk.  Check out her personal blog at www.DeAnnaKnippling.com or her small press at www.WonderlandPress.com.

Sunday, July 29, 2012

Quote


What you have to do now is work. There’s no right way to start. – Anna Held Audette

Friday, July 27, 2012

The Business of Writing: Self-Publishing Versus Traditional Publishing by Linda Rohrbough


I find it disturbing when someone says, “You should publish yourself because then you get to keep all the money.” When I hear this, I think what are they smokin’?

Can you publish yourself and make money? Yes. Absolutely.

But that begs the question:  Why is it that successful self-publishers end up in the traditional publishing route? In the twenty years that I've been in this business, I only know of one self-published book that is still being self-published and that's The Complete Guide to Self-Publishing by Marilyn Ross. (Marilyn is a Coloradoan, by the way. She co-authored with Tom, her husband, but sadly, he died not too long ago.)

Now, there may be those who'd say to me, “Linda, you've never self-published so how would you know?” Au contraire. I started my own press and self-published my first book. Three divisions of Baker & Taylor, a major U.S. distributor, picked it up. I didn't know at the time what that meant, but I do now. Bottom line is this: When you self-publish, you deliberately put on several hats to wear. And many of those hats are heavy, awkward, and don’t fit well together. Some hats carry a stigma that’s tough to live with. I love to write and I didn’t care for the other hats, so I dropped self-publishing and pursued the traditional route.

But back to the subject at hand, which is self-publishing versus traditional publishing. There are two things you need to have a successful book: exposure and distribution. What I mean by exposure is to get information to the right people about the existence of the book and its benefits. What I mean by distribution is getting the book into a position where the right people can easily buy it once they find out about it.

You've got to have both exposure and distribution in order to sell books – and I mean sell enough books that it makes a difference in your lifestyle. Both of those things require a team. Which is why all the authors’ books I know about that have successfully self-published, like Harvey Mackay (Swim With the Sharks Without Being Eaten Alive), Jack Canfield (Chicken Soup for the Soul), and most recently Amanda Hocking (whose paranormal romances were initially published as Kindle e-books) are all now traditionally published. These authors realized they could do better with a team that understands distribution and has tools in place to get both exposure and distribution.

I can tell you that in most cases, these authors approached the traditional publisher about their projects, not the other way around. Right now, there’s a glut of authors. Publishers have so many authors come to them through agents that they don't have to beat the bushes. So the idea that some big house is going to come knocking at your door is not reality. Some smart agents who saw an opportunity have approached authors, but then they had to turn around and sell those authors to the publishing houses.

I said all that to say it scares me to watch newbies get suckered in by promises of quick glory if they'll just spring their hard-earned bucks for whatever deal a self-publisher is offering them. Just bypass the whole painful process, skip the frustration and rejection. Wouldn’t that be nice? I love that idea. But I can tell you that’s not going to happen. Finally, one of the worst offenders at taking newbies to the cleaners is finally getting called on the carpet: Publish America. The Writer Beware® blog, by the Science Fiction and Fantasy Writers of America, just published a piece on the class action suit that’s been filed against PA. The post outlines much better than I can the “problems” the suit addresses. But there’s a lot of money out there to be had from authors who don’t understand the business and a number of houses have gotten into self-publishing following PA’s model.

Does this mean I'm saying don't self-publish? Not at all. I am saying know what you're getting yourself into. The press loves the rags to riches stories out there of self-published authors who’ve made it. Just notice, though, that the ones who do make it team up with a publisher.

There are short cuts, sure. But none of them have to do with bypassing patience and hard work. The most critical component is to first make sure the writing has that emotional appeal that draws readers, whether it's fiction or non-fiction. And reading this means you have a leg up because you're probably a member of Pikes Peak Writers – which is great because this group specializes in helping writers get published and stay published. If you're reading this and you’re not a member, why not sign up? It's free, and I can't think of a better investment of your time than to join.

So can you self-publish and make money? Yes. Absolutely. But that’s like asking if you can buy a lottery ticket and win the lotto. Sure. You can. But there are better odds in other avenues if your goal is to be a millionaire.

That's my two cents. The bottom line is writers write and there’s always room for good writing no matter how it’s published. Writing – and honing your craft – is the most important thing you can be doing no matter which publishing route you decide to take. There’s no substitute for a well-told, well-crafted story.

About the Writer:  Linda Rohrbough has been writing since 1989, and has more than 5,000 articles and seven books to her credit along with national awards for her fiction and non-fiction. New York Times #1 bestselling author Debbie Macomber said about Linda’s new novel: "This is fast-paced, thrilling, edge-of-the-seat reading. The Prophetess One: At Risk had me flipping the pages and holding my breath." The Prophetess One: At Risk recently won three national awards: the 2012 International Book Award, the 2011 Global eBook Award and the 2011 Millennium Star Publishing Award. An iPhone App of her popular “Pitch Your Book” workshop is available in the Apple iTunes store. Visit her website: www.LindaRohrbough.com.

Thursday, July 26, 2012

Community Doesn’t Burn by Chris Mandeville


Those words have been shared a lot here in Colorado Springs recently.  I don’t know who came up with the saying, but I’ve been spreading it because I believe it.  Our community has responded to the Waldo Canyon Fire with an outpouring of love, support and generosity like I’ve never seen.  Our community of writers has been a big part of this.  Seeing writers reach out with offers of help, donations of books, and words of encouragement makes me so proud to be part of this incredible group.



Though Pikes Peak Writers is a global community, our headquarters is in Colorado Springs and many of our volunteers and members live in or near the burn area.  While it’s a blessing that physically all are okay, I’m sad to report that at least one experienced the total loss of her home, and several others’ homes were damaged.  But just as our city’s beloved FLYING W RANCH has promised to rebuild from the ashes, the members of PPW affected by the fire are in the process of combing treasures from the wreckage, rebuilding homes, offices and libraries, and putting their worlds back together so they can get back to the business of living…and writing.



Our recent Write Brain workshop was graciously presented by author and Colorado Springs resident Robert Spiller on the topic of HUMOR.  We thought this was a good choice because bringing humor into your life –or the life of a character– during a time of crisis can help bring levity and perspective.  Judging by the nods, smiles and laughter during this event, it appears to have brought at least a small measure of joy and insight during this difficult time – Thank you, Mr. Spiller!



For our next event, long-time members of PPW, Brandon Meyers and Bryan Pedas, will talk about BLOGGING. Blogging can be a great journaling process to work through emotions, a way to reach out to seek and/or provide information, as well as an important part of a writer’s “outreach” plan. Whatever your interest in blogging, we hope you’ll join us for this Write Brain workshop – as always, it’s FREE and OPEN TO THE PUBLIC. Click here for details and to RSVP.



Thank you to all the firefighters, police officers and other first responders for working so hard to keep us safe.  Thank you to all those individual citizens who stepped up to help others when they saw a need.  And thank you especially to the community of Pikes Peak Writers who has shown me first-hand that community doesn’t burn.

Wednesday, July 25, 2012

About Ruh...


You may have seen some postings on Facebook or the Yahoo loop about PPW's unofficial mascot, Ruh. For those who haven't heard the news, Ruh has a bone tumor in his right hind leg. Preliminary tests indicate osteosarcoma, which is very serious, but Ruh and his family remain hopeful that it's been detected early. 

Today, Ruh and his human, PPW President Chris Mandeville, are headed to the Colorado State University veterinary hospital in Fort Collins for more extensive testing to see if the cancer has spread. If it appears to be contained in the leg, and if his other leg appears strong and healthy, and if Ruh meets other medical criteria, his leg will be amputated and he will undergo chemotherapy and radiation treatment. 

News about Ruh's condition will be posted regularly at www.FriendsofRuh.com and on Ruh's Facebook pages: 



Please keep Ruh and the Mandeville family in your thoughts and prayers.

Monday, July 23, 2012

JT Evans on Computer Security for Writers (Part 2) by DeAnna Knippling


Editor’s Note: This is the second in a three-part series. You can read Part 1 here. Look for the final installment on Monday, June 30.

JT Evans, as well as being a writer, is a computer security expert who started programming at the age of seven and has been a Certified Ethical Hacker since 2009. During his June Write Brain talk, he covered three main topics: how writers should take care of their computers, computer security basics for writers, and what the bad guys are doing with computers.

Computer Security Basics for Writers

JT encourages writers to think about computer security as though it were an onion: the best security has lots of layers, so that if one vulnerability is found, the bad guys can only get through one layer.

Basic terminology:

Hardware. Physical objects, such as a keyboard, a monitor, or a hard drive.

Software. Programs that run on your computer; you can’t touch software (you can only touch the DVD that it comes on, if applicable).

Malware. Malicious software. Some current types:
Virus. Software that alters other software without permission in order to replicate itself and perform other functions. You have to take some action for a virus to act (like opening a file); it can’t spread itself automatically.
Worm. Software that alters other software without permission in order to replicate itself and perform other functions. Worms spread through system vulnerabilities; they can infect your computer and spread automatically.
Trojan. Software that looks harmless but really isn’t; it can deliver a virus onto your system. You have to run the software in order for it to do harm (as in playing a game).
Rootkit. Software that installs unauthorized access onto your computer, right down to the root level.
Botnet. A network of computers that secretly have been infected (often using a rootkit) and now take actions that their owners don’t know about, like sending spam. (JT noted that some spammers get $.03 per spam email they send...using your computer.)
Spyware. Software that breaks into your cookies and steals your personally identifiable information, like passwords, SSN, address, etc.
Adware. Popups these days are usually blocked by your Internet browser. So if you’re seeing popup ads on your computer, it’s likely a virus infection made to look like a browser popup.
Ransomware. Software that, once it gets control of your computer, encrypts all your data and demands money before they (hypothetically) give you the password.

Network. Multiple computers linked together (can be linked in a number of different ways).

Intranet. An isolated network of computers (as in “My company’s intranet”).

internet (small “i”). A network of networks, usually over a wide area. For example, a college might have an intranet connecting their computers together, but they might have internets that connect them regionally or nationally, too.

Internet (big “I”). The network of networks, that spans the globe and includes the World Wide Web, email, Usenet, etc. Use Internet as a proper noun--use it as you would a country’s name (e.g., “Internet security” talks about security on the Internet, much the same way “American security” talks about security in America).

Intrusion Detection System (IDS). A burglar alarm for computers; it monitors unusual activity that gets past the firewall. You must first start an IDS in learning mode to teach the AI what is normal. If you’re attacked during the learning period, then you have to reset the IDS and start over.

Intrusion Protection System (IPS). Like an IDS, it monitors your system for unusual activity that gets past the firewall. However, it can stop the activity as well as provide an alarm; it can send email updates and ban users from your system either temporarily or permanently.

For the average user (e.g., not running a server of some kind), you don’t need either an IDS or IPS; a good personal firewall is just fine.

If you need more information, you can go to JT’s website, jtevans.net.

If you’d like a copy of his handouts, click here.

About the Writer:  DeAnna Knippling is a freelance writer, editor, and formatter married to a Network Administrator, and she was still embarrassed about some of her personal security practices after hearing JT's talk.  Check out her personal blog at www.DeAnnaKnippling.com or her small press at www.WonderlandPress.com.