Saturday, June 27, 2009

Using someone else's computer

When using a computer that's not my own - at the library, hotel lobby, an internet cafe, or even a friend's house - I exercise caution and usually avoid entering passwords or any sensitive information. Do I have trouble trusting people? No. (My friends are awesome!) But what I can't be sure of is whether they've maintained their computer well enough to close any security holes.

Maintaining a secure computer takes a bit of work - you need to have a firewall, run a virus scan every so often, download new updates to your operating system, internet browser, or other software... Can I trust that the owner of the computer has taken care of that?

Can I trust that the computer I am using is clean? Many people download and install various programs (people especially like free software) on their computers all the time. That software might have had some spyware bundled with it. Lots of people also like to open cute little email attachments not knowing something else is also attached. It's so easy to have some spyware/virus put on your machine. If you click on a malicious pop-up ad or surf to some bad site, something might get installed without you knowing.

Can I trust that the computer administrators have used strong enough passwords and maintained their computers sufficiently to protect their accounts from being hacked? Can I trust that some smart kid didn't install some spyware on the library or hotel computer without anyone knowing?

If there is some spyware installed on the computer, information about me - where I surf, what I type (including passwords, account numbers...) - could be recorded and sent to Mr. Stranger.

Hopefully one day they (computer makers/software developers) will make it easier to keep your computer secure.

When using a computer that's not my own, I typically just surf and avoid tasks that involve entering sensitive information (like logging into email, online banking...). If I'm traveling and I don't have my own computer or Blackberry, and I really have to check email, I'll usually change my password when I get home, just to be safe.

Monday, June 22, 2009

Avoid phishermen. Don't get tricked!

According to various sources (such as Symantec), spam accounts for 90% of all email. Pretty crazy, huh? Luckily my email providers have pretty good spam filters, so I don't have to deal with junk mail too much. (BTW, looks like spam makes up about 45% of my mail, so I guess I'm doing pretty well..?)

Whether you have a good spam filter or not, it is a useful skill to be able to tell whether an email is "real" or "fake." There are some people who send emails that look like they are from some trustworthy entity (such as your bank), in order to try to get you to enter sensitive information, such as your password, credit card number...
This is called "phishing." Don't get caught! Think twice before clicking on any link or entering in sensitive information.

Try taking SonicWALL's Phishing and Spam IQ Test.

Saturday, June 13, 2009

Do I REALLY know you?

If you received an email or friend request from Mickey Mouse, you wouldn't automatically assume it was Mickey, right? You'd know that perhaps it's a jokester, or Disney trying to get you to buy tickets to Disneyland or something.

Say you have a friend, and her name is Lynda Little. One day you log into your email account, and you see a message "LyndaLittle wants to follow you on Twitter!" (Or Lynda Little requests to add you as a friend on Facebook. Or you receive an email from a new address lyndal@somewhere.com.)
Many people, if they see a friend's name, will automatically assume the person really is their friend and immediately approve the request.

One thing to remember is: you don't really have any proof that the person is who he or she claims to be (unless your friend told you personally)! Anyone can create a Twitter account (or Facebook account, email address, etc.) with any name.

On Twitter, I've received a number of requests from people whose accounts were later closed by Twitter because of "suspicious" activity. Some of those people even had account names that included my last name (I guess to try to seem like a family member?).

On Facebook, if your friend has listed his or her (verifiable) email address, updated his or her profile, posted recent pictures, etc., you may have enough proof that the person is really your friend. But if not, you don't really know! Unlike a telephone call where you can hear your friend's voice, or a letter, where you can see the handwriting and writing style, an online request doesn't reveal anything distinctly unique about a person.
It's also pretty easy for Mr. Stranger to create a fake account that looks really believable. Say your friend has a public MySpace page but no Facebook account. What's to stop Mr. Stranger from copying your friend's picture and other public details from MySpace, creating a Facebook account with that info, and then adding the same people who are listed as friends on your friend's MySpace page? Your friend's "Facebook account" will look like it was created by your friend... but it wasn't!

If there is a person whose real identity I can't really verify, I'll either wait until there's more information posted to his or her profile, or I'll just mention it when talking to him or her (in person, on the phone, or some verifiable online method of contact) to double-check it was really him or her who created the account.

If you confirm Mr. Stranger as a friend, he'll have access to your personal information when he shouldn't. But actually, you shouldn't put ANYTHING really confidential on these web sites in the first place.

I'm sure most of the people who request to be your friend really are your friends.
But just something to think about before you approve your next friend request.

Sunday, June 7, 2009

How can I tell if my connection to this web site is encrypted?

As mentioned before, just because you are sending information through your computer (versus a physical form like a letter) does not mean it is completely private. And just because you use a password to log into a site does not mean the information you send/receive is completely private. In my last post, we looked at the importance of having an encrypted connection when using wireless internet, especially the free public kind.

How can you tell that your connection with a certain web site is secure and private?

Encrypted web sites have the URL "https://yourwebsite.com" instead of "http://yourwebsite.com". Note the extra 's' in "https". This shows that you are connected using secure http (and not just regular http).

Most web browsers show a picture of a padlock in the lower right-hand corner of the browser if your connection is encrypted. Note that a web page can display any pictures that it wants, including a picture of a padlock - but that doesn't necessarily mean anything. You must look for the browser's padlock picture. Below are pictures highlighting the "https" and the padlock in Internet Explorer 6 and in Firefox 3.

[Screenshots that highlighted the "https" URL and the padlock in Internet Explorer 6 and Firefox 3 appeared here.]

Even if you have an encrypted session, you should make sure you have an encrypted session to the right site. Are you connected to "https://www.amazon.com" or are you connected to "https://www.amazon.org"? Are you connected to "https://www.paypal.com" or are you connected to "https://www.paypal.online-site.com"?
Someone could set up a fake web site that looks like the web site you want to go to, and just wait for you to enter and send him your username and password.
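The two things the post says to look at, the "https" scheme and the exact host name, can be written down as a check. This is an added example in Python, not code from the original post; the URLs are the post's own examples plus a constructed "user@host" case with the made-up host evil.example.

```python
from urllib.parse import urlsplit

def brand_label(host: str) -> str:
    """Second-level label of a host name: 'www.paypal.com' -> 'paypal'."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def check_url(url: str, expected_host: str) -> list:
    """Return the problems with `url` for a user who meant to reach `expected_host`.

    An empty list means the scheme is https AND the host is exactly the expected
    one. Anything else is reported, including hosts that merely contain the
    brand name ("www.paypal.online-site.com" is not "www.paypal.com").
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("not https: scheme is %r" % (parts.scheme or "none"))
    # .hostname drops any "user@" prefix and the port, so the host checked is the
    # one the browser actually connects to ("https://www.paypal.com@evil.example/"
    # connects to evil.example, not to paypal).
    host = (parts.hostname or "").lower()
    expected = expected_host.lower()
    if host != expected:
        if brand_label(expected) in host.split("."):
            problems.append("lookalike host: %r contains %r but is not %r"
                            % (host, brand_label(expected), expected))
        else:
            problems.append("different host: %r is not %r" % (host, expected))
    return problems

if __name__ == "__main__":
    # Constructed inputs: the post's own examples plus a "user@host" trick.
    CASES = [
        ("https://www.amazon.com/", "www.amazon.com"),
        ("https://www.amazon.org/", "www.amazon.com"),
        ("https://www.paypal.online-site.com/login", "www.paypal.com"),
        ("https://www.paypal.com@evil.example/", "www.paypal.com"),
        ("http://www.bankofamerica.com/", "www.bankofamerica.com"),
    ]
    for url, wanted in CASES:
        problems = check_url(url, wanted)
        print(url, "->", "OK" if not problems else "; ".join(problems))
```

The check is deliberately strict: a host that is not exactly the one you meant to reach is reported, whichever familiar words it contains.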

If you log into a web site using regular http, your username and password are sent unencrypted, and anyone trying to "overhear" what you said will be able to learn your username and password. So, to be sure, use https when possible. (Windows Hotmail uses http by default unless you click on "Use enhanced security" to use https.) Some web sites where security is a priority (such as any online banking web site) will automatically switch you over from http to https when you go to their site. (Try going to http://www.bankofamerica.com and you'll see this happen.)

Many online webmail sites use https to log you in (so your username and password are kept secret), but switch to regular http afterwards (which means someone can eavesdrop on the mail you send/receive at the very least.) Yahoo! mail does this, and so does Gmail by default, unless you turn on the https setting mentioned before.

Not all web sites are set up to use https. But if you had a choice, would you choose to use http or https? Hopefully you answered https! Make it a habit and type in https://...!

More on how you can tell a site is who it says it is later.