Websites

Welcome. Thanks for being here.

This page is designed to be a quick technology ‘leg-up’, to get the most important points about owning a domain name and/or a website across in as few words as possible and hopefully without too much opinion.

Owning and operating a website can basically be broken down into three recurring costs:
(Do follow the links, it’s easy to get back)

  1. Registering a Domain Name – Fairly cheap.
  2. Web Site Hosting – Also fairly cheap
  3. Web Development – Hopefully cheap, but this is usually most of the cost.

Follow the links above for information on those three items.

For a primer on the technology and some of the terminology in use today, please just open the sections below:

The Internet

The Internet is not only web-sites and web-pages. That’s like saying there are only fish in the sea. The Internet is, and is only, that ever-growing network around the world of computers and devices that people use to send and receive data, or information. The Internet is in itself incredibly stupid, though devices that reside on the Internet working in concert make it seem ridiculously smart. If anything, the Internet is a system of interconnected systems all running to published standards.

Cutting the technical rubbish away and looking at the very core of ‘What it is’, we can see that every single device on the Internet has an ‘Internet Protocol Address’, or simply ‘IP Address’ (like 203.12.160.35 or fe80::1189:7d80:d484:965d), and every (working) device communicates with any number of other devices using a variety of mediums, like copper cables, glass fibre or microwave radiation, using very simple rules. Devices on the Internet use these IP addresses very similarly to how you and I might make a consecutive series of phone calls.

Let’s imagine you and I load up your favorite website on your computer: ‘the Internet’ will then find that webserver and notify your system of its IP Address (more on that in DNS below). Your computer then connects directly to the webserver over the Internet by sending information, in this case a request for the default webpage, to the webserver’s IP Address. The webserver receives your request and starts sending its response to your system, breaking it into parts that every device between the webserver and you can pass on without error. The responding device always sends its information one point closer to your system, the next device sends it one point closer and so on until your system receives that data, or it is announced lost after a period of time (a timeout). Note that not all parts of the whole message must travel the same path to arrive at the destination. The individual parts of the message, known as packets, or sometimes frames, may travel very different routes depending on network conditions between you and the target server. It is the sending system’s role to number and send the packets to the destination. It is the receiving point’s role to acknowledge receipt of the message, reorder the packets as they arrive and request retransmission of lost packets. Your system would usually receive and then display that information, whatever it may be.

The whole process happens at such a rate that we barely notice any delay most times and become frustrated when there are even small delays of a second or two or even ten. When you think about the scale of the operation and remember that at any point in time there are literally billions of devices connected to the Internet, it’s incredible that people can logically sort and manage all these devices. How does it all happen? Enter: The Domain Name System.

Domain Name System (DNS)

Domain Name Servers or the Domain Name System (both referred to as DNS) are the Internet’s equivalent of a phone book. These servers maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers or machines access websites only based on IP addresses. When the Internet was very young, all the computers connected to it could be listed by name and address in a single file, which was simply copied from host to host. As new hosts appeared in their multitudes and old hosts were removed, the list became impossible to manage in a single file and the domain name system was implemented. Every .com address you have ever heard of was once in the DNS or is still in there. Highly recognisable domain names like microsoft.com, google.com and hp.com are closely guarded and exorbitantly expensive to obtain from their current owners. Major regions, such as North America, Europe and Asia-Pacific specifically, have local domain registries that look after our .com.au, .net.au and the .nz domains. The hierarchical nature of the DNS means that an unlimited number of systems can be arranged downwards from the root (denoted simply by a dot: . ) into .com and .net and .org for COMmercial, NETwork and (Charitable) ORGanisations. There are also .au, .nz, .us, .uk and so on for country code specific registrations. Inside each of those country codes, a registrar is managing how that country issues its web addresses. Over time, more industry specific ‘Top Level Domains’ or TLDs have been released, like .info, .biz and .xxx and no doubt the number of these TLDs will continue to expand over time.

A note on .AU registrations

The major requirement for registering a domain name in the .com.au namespace is that you must be able to prove that you are an authorised representative of one of the following entity types:
a) an Australian registered company; or
b) trading under a registered business name in any Australian State or Territory; or
c) an Australian partnership or sole trader; or
d) a foreign company licensed to trade in Australia; or
e) an owner of an Australian Registered Trade Mark; or
f) an applicant for an Australian Registered Trade Mark; or
g) an association incorporated in any Australian State or Territory; or
h) an Australian commercial statutory body.

Similarly for .net.au and .org.au. Full details on eligibility were once available here, though may have moved. The AUDA will likely be here for a while and all those rules and their interpretation are their bag.

Email and your domain name/s

When we register your domain name, we’ll usually automatically configure the system’s mail server to carry mail for your domain and host mailboxes for you. Email mailboxes are best thought of in comparison to their real world equivalent: a PO Box at the local Post Office. You don’t send mail from your PO Box; if you do, it just sits there ignored by the staff on the inside. No, you put it in the mailbox at the Post Office or down the street, and there it enters the mail system. You could possibly make an arrangement with the postie to carry your mail from the mailbox at your house to the post office and onwards if you were quick enough to catch him, though he could refuse and tell you to use the mailbox, as picking up outgoing mail is not really his function.

Similarly, electronic mail or email doesn’t always leave by the same method it arrives or the same server. Separate server processes handle the reception and sending of mail. The Simple Mail Transfer Protocol (or SMTP) server is the electronic equivalent of the mailbox at the post office or down the street. Its role is to receive messages and send them on to the destination, any destination. Not caring, only sending. Any form of error that prevents it delivering its message will prompt it to throw a Non Delivery Report to the Postmaster for you. That SMTP server and all the other SMTP servers working around the world are analogous to the Australia Post mail system; there’s one everywhere that’s important, or likely to receive traffic in the form of mail.

The other side of the equation for electronic mail is a Post Office Protocol 3 or POP3 server. This is probably analogous to the Postmaster back at the local Post Office. He’s the guy that issues you your key to your PO Box (electronically, a username and password combination can be thought of as your ‘key’ … see below) and ensures that mail that arrives addressed for you is inserted into the right mailbox. He also turns away mail that can’t be delivered, usually marking each envelope as he does so. If you forget to empty your mailbox and it becomes too full, the electronic Postmaster will stop receiving messages for you, but he won’t call and complain, which is nice. So every email address is almost exactly like a PO Box. We might leave an instruction for the postmaster to forward our mail to another address and he will do just that. We could ask him to leave a copy in the postbox as he does so, and being an electronic process, he’s more than happy to run your mail through a photocopier and put a copy in BOTH mailboxes, in a process known as Email forwarding. Putting a message in both mailboxes is actually easier for the electronic postmaster, as he doesn’t have to come back and ‘clear’ the message from the original mailbox, like he may have if he was leaving only one copy.

You might have your partner check a shared PO Box and leave the mail in there (for whatever reason). That would be similar to when you send two devices to check a single POP3 mailbox. If either of the devices removes the message from the mailbox before the other sees it, it won’t be available for who or whatever comes next to check the mailbox, same as a letter at the PO Box that’s already been collected. If you can’t find that piece of mail you expected and two people had access to your PO Box, you would likely ask them before long if they had gotten it. Having a policy that you’ll remove mail after a month means that the mailbox won’t usually overfill, and every device connected to the account has a month to get any message before anything removes it.

If a message gets sent from your street address to an address that doesn’t exist, the mail system notifies you. In real life, this is in the form of the letter returned to you with a short description of the problem, “Not at this address”, “Unknown Recipient”, “Insufficient Postage Applied” or whatever. In an electronic mail system this type of message is called a Non-Delivery Report or NDR. Being that the electronic postmaster is terribly efficient and has an awful lot of data on hand about any given message, the report is somewhat longer than just ‘Return to Sender’ and will contain almost everything that has happened to the message since it left the sender, in some gobbledygook code that could possibly be deciphered by the FBI and a hefty budget increase. Sometimes the error isn’t fatal, but the mail system marks the message in an invisible header and moves it on anyway; maybe it was a suspected Spam message. If the message was checked for viruses, the header will be marked with the result.

Those nasty spammers have found that they can exploit the usual handling of a non-delivery report and they post their message exactly as if you had sent it and a receiving server had rejected it. This gets around a lot of ‘Sender Restrictions’ that are applied at the server level to restrict spam. The spammer’s attitude is: If you can build a higher wall, I can build a higher ladder.
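One way a mail administrator can tell a genuine non-delivery report from the forged kind described above, as an added example that is not part of the original page: parse the report and check whether the message it claims to return was ever sent from your side. The sample report, addresses, Message-IDs, verdict names and the `sent_ids` log are constructed for illustration.

```python
import email

# Constructed sample: a non-delivery report in the standard multipart/report layout.
NDR_TEMPLATE = """\
From: MAILER-DAEMON@mx.example.net
To: me@example.com
Subject: Undelivered Mail Returned to Sender
Message-ID: <bounce-1@mx.example.net>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Your message could not be delivered.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 Unknown recipient

--BOUND
Content-Type: message/rfc822

From: me@example.com
To: nobody@example.org
Subject: Hello
Message-ID: <{orig_id}>

Body of the returned message.
--BOUND--
"""


def parse_ndr(raw):
    """Return failed recipients and the returned message's ID, or None if not a report."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report" or not msg.is_multipart():
        return None
    report = {"recipients": [], "original_id": None}
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status" and part.is_multipart():
            # The parser exposes each header block of the status part as a sub-message.
            for block in part.get_payload():
                if block.get("Final-Recipient"):
                    report["recipients"].append({
                        "address": block["Final-Recipient"].split(";", 1)[-1].strip(),
                        "action": (block.get("Action") or "").strip(),
                        "status": (block.get("Status") or "").strip(),
                    })
        elif ctype == "message/rfc822" and part.is_multipart():
            report["original_id"] = part.get_payload()[0].get("Message-ID")
        elif ctype == "text/rfc822-headers":
            headers = email.message_from_string(part.get_payload())
            report["original_id"] = headers.get("Message-ID")
    return report


def classify(raw, sent_ids):
    """Compare the returned message's ID with the IDs logged for outgoing mail."""
    report = parse_ndr(raw)
    if report is None:
        return "not-a-report"
    if report["original_id"] is None:
        return "unverifiable"
    return "genuine-bounce" if report["original_id"].strip() in sent_ids else "not-ours"


if __name__ == "__main__":
    sent_ids = {"<20160216.1@example.com>"}  # constructed outgoing-mail log
    for oid in ("20160216.1@example.com", "spam-123@elsewhere.invalid"):
        print(oid, "->", classify(NDR_TEMPLATE.format(orig_id=oid), sent_ids))
```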

A Note on Passwords ‘held’ online

If you lose the key to your real world PO Box, it’s rarely the end of the world. You go to the counter and tell them and they (charge you, but) issue you a new key. Similarly, if your password becomes lost on a mail account or a computer system, an administrator ‘resets’ your password, by putting a new one in its place, just like issuing you a new key. Most administrators will tell you that they keep no record of your password, so can’t use that to reset it, which is all very confusing, because that’s what you have to tell them every time to log in, c’mon guys… WHAT’S GOING ON?

So if a password is like a key that gets you into a system, what is letting you in is synonymous to a lock. They’re telling you the truth (probably), that they don’t keep a copy of your password anywhere. What they do keep is a long chain of data, just like this:

$6$gYkLHQAZ$NqkVNMGJvC0qe9CkcLdo8B5WZ4dUT51/8JRYb1PYPctfSYX813UxUOJM0xFJ0QWFGh9SaBXJLnW/Yt6mcYctn/:16847:0:99999:7:::

which is produced by a special ‘hashing’ algorithm. Your password goes in, gets ‘hashed’ and a uniquely related code like that pops out. They then store it in their whatever system as your ‘password’. Each time you supply your actual password, they ‘hash’ what you’ve supplied for a password and compare the result with what they’ve already got stored. If the two hash codes match exactly, you’re a winner and you’re allowed in (to whatever). This mechanism is the ‘lock’ that your password ‘key’ is unlocking. There are different methods of hashing your password and differing levels of encryption built into the lock, but the principle is roughly the same everywhere. Like the tumblers set into your front door lock, we may not be able to tell what the key is that opens it, only that when the right key goes in, all the tumblers are lifted so they’re unobstructed, and the lock turns.

Once the new key works, no surprise that everything in the mailbox (or whatever you logged in to) is exactly as it was left, plus any new messages the postmaster has delivered since we last looked.
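The ‘lock’ described above, as an added example that is not part of the original page: it splits the sample line into its fields, then stores, checks and resets a password without ever keeping the password itself. The `$6$` prefix marks SHA-512 crypt; the store-and-check half uses PBKDF2-HMAC-SHA512 from Python’s standard library as a stand-in for it, and the function names, iteration count and sample passwords are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# The sample line from the page: a shadow-style entry without the user name.
SAMPLE = ("$6$gYkLHQAZ$NqkVNMGJvC0qe9CkcLdo8B5WZ4dUT51/8JRYb1PYPctfSYX813UxUOJM0x"
          "FJ0QWFGh9SaBXJLnW/Yt6mcYctn/:16847:0:99999:7:::")

# crypt(3) scheme identifiers found between the first two '$' signs.
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}

ITERATIONS = 100_000  # assumed work factor for this example


def parse_entry(entry):
    """Split a shadow-style entry into its hash parts and password-ageing fields."""
    hash_field, last_change, min_age, max_age, warn = entry.split(":")[:5]
    _, scheme_id, salt, digest = hash_field.split("$")
    return {
        "scheme": SCHEMES.get(scheme_id, "unknown"),
        "salt": salt,        # random value mixed in before hashing
        "digest": digest,    # the encoded hash; the password itself is not here
        # Stored as days since 1970-01-01: when the password was last changed.
        "last_change": date(1970, 1, 1) + timedelta(days=int(last_change)),
        "min_age_days": int(min_age),
        "max_age_days": int(max_age),
        "warn_days": int(warn),
    }


def make_record(password, salt=None):
    """What the server keeps: a salt and the derived hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(password, record):
    """Hash the supplied password with the stored salt and compare the results."""
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), record["salt"], ITERATIONS)
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def admin_reset(accounts, user, new_password):
    """A reset overwrites the record; the old password is neither needed nor recovered."""
    accounts[user] = make_record(new_password)


if __name__ == "__main__":
    fields = parse_entry(SAMPLE)
    print(fields["scheme"], fields["salt"], fields["last_change"])

    accounts = {"pobox42": make_record("old key 1!")}   # constructed account
    print(verify("old key 1!", accounts["pobox42"]))     # right key turns the lock
    print(verify("Old key 1!", accounts["pobox42"]))     # one character off fails
    admin_reset(accounts, "pobox42", "new key 2!")
    print(verify("old key 1!", accounts["pobox42"]))     # old key no longer fits
```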

One of the dangers of any password or PIN protected system is that an attacker can keep trying all the possible passwords until the correct one is entered and entry is gained. One of the defences we have against that is to use a complex password. Consider a 4 digit PIN. The first position in the PIN can be any of 10 possible combinations, 0-9. Multiply that by the number of positions available in the second, third and fourth positions and you can see that to break a PIN they’re going to need, on average, around 5000 attempts (assuming people use a roughly average distribution of numbers between 0 and 9999) to get past the PIN. So one combination in a possible ten-thousand unlocks most people’s credit or debit cards. Most banks are happy to accept those odds and don’t impose a stricter PIN policy. They just absolve themselves of any use of your PIN by their terms and conditions and off they go. A six letter password that requires the use of at least one upper and lower case character, a number and a special character means that every position in the password could be one of around 140 characters now, so even a two character complex password with its 140 x 140 possible combinations is far superior to a PIN. After you’ve typed the seventh character in a complex password, you’ve essentially pinned down one possible password option of around 130 Billion possible combinations.

One of the challenges a lot of people face is how to manage so many passwords to so many systems. Agreed, it is difficult. You don’t want to use the same password to sign in to different websites, in case one site is compromised and that common password is then used to gain access to the other sites.

I use a password system. Each site I access or password that I have to store should have a password unique to that site or system, so I use the name of that site or system name to make a standard modification to my standard password and it means that I can then ‘calculate’ my password for any site.

Let’s assume my ‘base’ password is MyP@ss123. This is the sort of password that rarely fails for not being complex enough. It’s got upper and lower case letters, a number and a special character. It’s 9 letters long. If you require a shorter password, just truncate it: in six character password fields, it’s simply MyP@ss, for 8 characters it’s MyP@ss12.

If I sign up for a hotmail account, I’ll set the hotmail password to be MyP@ss123hotmail

For news.com.au, the password would be MyP@ss123news.com.au

For Internet Banking, because it involves a more secure login, I might use an extra dollar sign ($). MyP@ss123$NAB

Some logins require you to change your password regularly, if that’s the case, then you can use a number on the end of your password, giving you a limitless supply of new passwords without too much indecision. When you come back from leave and you’ve forgotten your password, within two or three tries, you’ll remember where you were up to, MyP@ss12305 –> MyP@ss12306 –> MyP@ss12307 and so on. When I come back to a site where I once recorded a different password that I’ve since lost, I always reset the password with the password that the policy would produce to make that login consistent. In this manner I can ‘remember’ no less than 150 passwords accurately. There are no doubt a few out there where old passwords are stuck in the system somewhere, but over time they become less relevant. As I go forward, if a password can’t be reset, then one option may be to open a new account with the same site and the correct password used going forward.

Passwords are meant to serve us. If your wireless router has a 23 digit code that takes 4 attempts to put in each time a new device joins the network, then CHANGE IT. The five or ten minutes of abject fear you may experience from having to login to your router, find the wireless password and change it will pale into insignificance at Christmas when you can boldly say to your cousin Charlie and his 4 1/2 tween children: “12345qwert, our wireless password is, as easy as can be” and you can get back to Christmas dinner or your egg-nog and mistletoe or such. Using patterns on the keyboard, especially integrating the shift key into the pattern, can produce some very secure and quite easy to remember passwords. Type some of these ‘hard’ passwords to see what I mean.

:LKJpoiu

)(*&6543

ZXCV!@#$

zxasQW!@

ZaQ1XsW2

So, What are you driving, there?

If you were to take one of the original Model-T Fords onto a modern German autobahn today, you would likely not survive. Old technology is fantastic. They used excellent materials, everything was over-engineered and built to last, everything was reliable and cheap and… eventually got replaced by something Better and Cheaper and New. Which got replaced by something Cheaper, New and only a little bit Better, sometimes less reliable, as you’re about to see. Take your apparently steam-driven laptop from 1996 for example. Some 2 or 300 computer engineering generations later, here we are. You can’t expect that device to keep up with the software technology that websites are producing today. As computers have gotten faster and faster, software developers have placed more and more demands on the hardware of the day. If your computer was built before 2010 and you haven’t paid much attention to its software or hardware maintenance and you’re here reading the website anyway, it’s a minor miracle. Software is updated at an infuriating rate, mostly. No sooner have you finished installing all the updates required, than something else needs another update.

Most computing gear is ridiculously constrained by cost. To remain competitive, manufacturers save money by using parts that are engineered to last sometimes considerably less long, at a marginally lower cost for them to purchase. There are such slim margins out there on electronics generally that most consumer electronics manufacturers understand that there will be a number of failures in every batch of equipment made and put in place a strategy to resolve problems by replacement rather than repair (the old 10% overrun on a production, 10% is boxed and stored as replacement stock for the rest). It’s very hard for a consumer to put a finger on what is good and will last and what won’t. I get an idea when I hold a device for the first time of how long I think it will survive. More often than not, if I bought it as a standard consumer, I’m disappointed. Consumer electronics is mostly designed to last 24 months and not a day more. Anecdotally, you hear of so many items that lasted 12 months and 2 weeks and failed, or two years and 3 days and failed. Consumer law in Australia has particular standards for equipment and most will be designed to exactly meet a load of those minimum specifications. Each component in a PC system has a Mean Time Between Failures rating or MTBF. This figure is the average amount of time an average example of this device will run for and is usually expressed in hours of use. A product with a 10000 hr MTBF can be expected to fail pretty much exactly 10000 hrs after you start using it constantly. When you combine hundreds or thousands of parts to create a PC or a tablet or phone etc, the whole device effectively inherits the same MTBF as the lowest MTBF of any component inside it. Sometimes paying a little more gets you proportionally more for your money; computing and electronic goods are certainly like that.

Business grade systems are a little different. Manufacturers understand that reliability is more key to business than price, unlike the consumer market. Big Business sees IT spending in terms of investment, not expense. Suppose a new fleet of computer systems costs the company $14M, but the corresponding boost in efficiency of 12% across 1200 workers nets the company a $46M gain in a financial year. Big business drools at figures like that. Similar effects can be achieved with efficiencies in back-end systems, so business is keen to gobble up anything that can squeeze any more efficiency out of their existing cost base.

The hardware vendors realise this and produce a much higher quality system for the Business end of town, at a significant premium. You will get at least three years use out of a Business system, except on the very rarest of occasions, and more usually five years solid use. Multi-million dollar deals are leveraged by a company’s perceived ‘reliability’, so it’s very important for hardware vendors to get the Business market and any systems sold to it well squared away. HP and Lenovo are good examples of companies that operate in both the consumer and Business market.

Software moves at a similar rate. Microsoft finally let go of good ol’ Windows XP a couple of years ago. Version 2002, mind you, 14 yrs ago, at time of writing. It was testament to the widespread acceptance of Windows XP and its near ubiquitous place in the PC market. But times move on. After all, the 15 or 20 thousand software developers at Microsoft don’t all sit on their hands all day, year after year. So let’s recount since Windows 98 (yay). We’ve seen Windows Millennium (bleh), Windows XP (yayayay), Windows Vista (bleh), Windows 7 (yay!), Windows 8 (bleh) and now Windows 10 (Yay!). All along the way, these busy little beavers at Redmond have been studying you, and your couple of billion mates, to see what you do on your computer and how you do it. Some poor schmuck still turns up on Monday morning at Microsoft with an inbox full of crash reports about random systems around the world that spat it and dumped their whole system memory into a file and sent it to Microsoft. They’ve done some really neat things with Windows 10 and I like it unreservedly. I predicted pre-release that Windows 8 was going to be a flop because someone who bashes a keyboard and mouse for a living on Windows, Linux and yes, even Mac systems since DOS 5.2 (OK, that’s 20 years plus for you non-geeks) shouldn’t have to go and get another computer to google how to shut your new Windows 8 down. – Fail Microsoft, Shame on You… Rant over. Windows 10 thankfully joined the long Windows tradition of every second release being AwesomE and every other release being cRUd.

If you’re worried that chief big brother, Bill Gates, is going to somehow know that you want that Cornetto in the freezer you bought at the corner store for $3.25 at 10 past two this afternoon, you can go through Windows 10 privacy settings and turn all that reporting nonsense off. I did, noticed absolutely no difference and just continued. I have no great fear of any monitoring undertaken by Microsoft but prefer to keep any information ‘leakage’ to such corporations to a minimum.

So should I install that update?

The short answer is yes. The whole point of software developers issuing updates is to make software safer for the broader user group (you). Denying a piece of software the ability to update itself cuts it off from any further improvements made to the product and also how that software interacts with everything else. The most common thread that runs through systems that are attacked and compromised is that they were almost all missing important operating system updates that, if applied, would have prevented the compromise in the first place. Set a schedule to install updates. I like Wednesday night, for some reason. If I set someone’s system to update automatically, it’s almost always on Wednesday evening. People tend to be out on the weekends, and the start and the ends of the week are often busy. Another reason to do it on Wednesday night is the fact that Microsoft release security and regular updates on the second Tuesday of every month in the morning US time. Systems set to update on Wednesday night in Australia update with all the latest released updates included, giving them a leg up.

For a long time, many IT professionals would advise against running Windows Updates as they would occasionally cause problems with the system and cause easily preventable difficulties. Since that era, Microsoft has released patches on a monthly basis for over a decade. The number of updates that cause issues like in the past has fallen away in recent times to nearly zero. By the time you’re getting ready to install your updates on Wednesday evening, any rogue patch has been in the wild in America for around 6-10 hours. Microsoft take this type of incident very seriously and will pull a ‘poison’ patch down within minutes and replace it within a couple of hours with a working, updated patch. The odds of a system in Australia being adversely affected by a broken Windows Update are very small.