Two Factor Authentication...Problems?
I put the following post on Spiceworks for comments and discussion. We recommend two-factor authentication for more secure management of your online accounts. This post is a caution about managing those accounts.
2016, the year of the Ransomware exploit
On October 23, 2013, Steve Gibson reported on his weekly security podcast "Security Now" on the twit.tv podcast network, that about three weeks prior a new exploit called "Cryptolocker" had been discovered infecting computers at an alarming rate.
In that podcast, Steve quoted another journalist, saying: "Dan Goodin at Ars Technica wrote said: 'You're infected. If you want to see your data again, pay us $300 in Bitcoins.' And the subhead was: 'Ransomware comes of age with unbreakable crypto and anonymous payments.' So, and if you want to [...] just put "CryptoLocker" into Google, and you will see, I mean, it is bad."
Three years later, what Steve and other security experts predicted about CryptoLocker and ransomware in general has come true. It is the main malware threat concern of all Information Technology security personnel around the globe: how do I prevent my users from getting infected with ransomware, and how do I respond to it if they do?
We at ABN have prepared a 30-minute presentation to help IT managers and personnel at any company or organization become aware of ransomware, and to become better equipped to avoid the exploits of Internet ransomware threats. This is available to our monthly contract customers for free with their support agreements, and for a small fee for anyone else.
 
The Unbelievable Awesomeness of JunkEmailFilter.com
I have to take a moment to call out a really extraordinary service that I have done business with for several years. The name of the business is "JunkEmailFilter.com", and it is run by one of the unknown soldiers for Internet integrity, Marc Perkel.
I became aware of this service because of the curmudgeonly rantings of John C. Dvorak, one of the most respected and longest-running tech journalists still living. He famously ranted "I GET NO SPAM" several years ago on my favorite tech podcast, TWIT (go to twit.tv for more on that), and I never quite forgot it.
As a result, when I was a bit frustrated with my efforts to control spam for clients who were using their own hosted email, mostly set up by me on Microsoft Exchange, I tracked Marc down and found that I was dealing with him personally in setting up service, and that he responded with lightning speed and perfect accuracy in setting up filtering service for my accounts. The price for this service is amazingly low, and he can scale to whatever you need to support.
Furthermore, he is dedicated to our freedom and privacy on the Internet. If you are not hosting your own email, but you want a completely secure and uncompromising email hosting service for yourself or your small business, then Marc is your man. He provides that service also at similarly reasonable rates.
If you are still hosting email using Small Business Server or something similar like MDaemon, and you or your client cannot or will not migrate to a cloud service like Office 365 or Google Apps for Business, then you would be well served to put Marc's service in front of your own. His is an extremely effective filter, and as I mentioned above, he works very hard to deliver service and support immediately via email. It is very convenient to work with him.
Thanks to Marc for his help today, and let's hope that more like him step forward to eliminate spam and all of the nefarious cruft that crosses the Internet every day.
It Is Time To Choose a Password Manager
Dashlane and LastPass are the two major password keeper systems available; however, there are quite a few others, with more coming every day.
I would recommend either Dashlane or LastPass for the purpose of securely keeping your passwords in a reliable Internet-based vault. Here are my tips:
Dashlane seems to be oriented more toward Apple computer and device users. David Pogue of Yahoo news recommends this service, and he has always been devoted to the Apple product side of things.
I found that the Dashlane program for Windows was a bit buggy, and LastPass wound up working better for me. Both of them impose some adaptation on the user, so you should not expect totally smooth sailing in using either program. Here are my main tips of the day for any of these programs:
1. Set a good strong password for the password manager and never, ever forget it.
2. Make sure that you understand how password recovery works on your password manager in case you can't adhere to tip #1.
3. Make sure that you know how to go into the password manager vault and just look up your credentials for a website or service.
Both programs are designed to automatically fill in user accounts and passwords for you, but sometimes they don't work with a particular website or service due to technical choices on the part of the service or website. In those cases, you need to open up your Dashlane or LastPass program and copy and paste your user name and password into the site, or look it up and type it in.
These are edge cases, and I don't have to do this often, but I know that if you just let LastPass or Dashlane take you along from their installation wizards, and you haven't really taken the time to learn to use them, you could be in for some frustration if they don't work on a site that you are under time pressure to log into.
Overall, they are great time savers, and both of them will generate new, very secure passwords for you that you would never have the ability to remember. Both of them will import all of your saved passwords from your web browsers and store them in your vault when you install them. After installation, they will ask if you want to do a security analysis, and they will offer to reset passwords for you that are heavily duplicated or very insecure (easy to hack/guess). I would take it slow with that process so that you don't get locked out of anything if there is a problem.
Sneaky sneaky!
At this time, I use a very fine service called "LogMeIn". Specifically, I use LogMeIn Central to manage remote desktops as part of my I.T. business. When an end-user has a problem that we need to resolve, I can just jump directly onto their desktop using a LogMeIn remote access session, and interact directly with the user on their computer screen. It is very nice.
This week, I received three messages that appeared to be from LogMeIn. The first email was thanking me for my LogMeIn renewal payment of $999, which contained a Microsoft Word Document attachment named "receipt", or something like that.
I actually started to open the document before I thought about it because I was so upset by this message. You see, LogMeIn has undergone a significant restructuring in the pricing in the last couple of years, and I reacted emotionally because I was keyed in to this information that has been discussed heatedly in user forums and elsewhere.
Then my senses came about me and I inspected the technical headers of the email to confirm where it came from, and sure enough, it was a phishing attack. So, I filed it in my "Scams" folder and went about my business.
A week later, I got a message with the same reply address that indicated that my credit card on file at LogMeIn had expired and that my service would be terminated in 72 hours. At that point, I second guessed my first conclusion because I DO have an expired credit card on file at LogMeIn, because I knew that at some point I would be using a less expensive service to replace LogMeIn.
So, I began to pro-actively migrate to the new service, but before I got to the tedious phase of updating my 200 supported computers with different remote support software, I took one last look at the last LogMeIn email. The technical headers revealed that the originating server was HLERHGFWZ (41.158.9.115), and the originating sender was peremptorilyhrs79@rexhongkong.com. So, after doing the smart thing and logging back into LogMeIn Central and checking my subscription status, I concluded that this was a sequential phishing attack with a very clever strategy. Knowing that there were many users like me out there who were playing out the string on their LogMeIn Central accounts, they used a 1-2 punch to try and get us to click on their malicious email attachment.
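The check that settled it above, inspecting the technical headers rather than trusting the "From" line, can be scripted. What follows is an added example, not code from the original post: it parses a constructed message (the announced host name, the addresses and the 192.0.2.x documentation-range IPs are placeholders, not the ones from the real phishing email), walks the Received chain back to the injecting server, and compares the Reply-To domain and the originating host against the domain the genuine service is assumed to send from.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the domain the genuine service sends mail from. In practice take this
# from the vendor's own documentation, never from the suspicious message itself.
GENUINE_SENDER_DOMAIN = "logmein.com"

# Constructed sample modelled on the message described in the post. The host name
# XYZZY123, the addresses and the IPs (documentation range) are placeholders.
SAMPLE_EMAIL = """\
Received: from mx.example-provider.net (mx.example-provider.net [192.0.2.10])
\tby mail.example.com with ESMTP id q3k9; Tue, 12 Jan 2016 09:14:10 -0500
Received: from XYZZY123 (unknown [192.0.2.45])
\tby mx.example-provider.net with ESMTP id abc123; Tue, 12 Jan 2016 09:14:02 -0500
From: "LogMeIn Billing" <billing@logmein.com>
Reply-To: sender4711@unrelated-example.net
To: admin@example.com
Subject: Your card on file has expired - service ends in 72 hours

Please open the attached receipt.
"""

# Constructed contrast case: a message whose first hop really is a host under the
# genuine domain (outbound.logmein.com is a placeholder, not a real host).
CLEAN_EMAIL = """\
Received: from outbound.logmein.com (outbound.logmein.com [192.0.2.77])
\tby mail.example.com with ESMTP id z9y8; Tue, 12 Jan 2016 10:00:00 -0500
From: "LogMeIn Billing" <billing@logmein.com>
To: admin@example.com
Subject: Your invoice

See your account page for details.
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def originating_hop(msg):
    """Received headers are prepended by each relay, so the last one is the
    earliest hop: the server that injected the message. Returns (host, ip)."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    earliest = " ".join(received[-1].split())  # unfold continuation lines
    host = RECEIVED_FROM.search(earliest)
    ip = IPV4.search(earliest)
    return (host.group(1) if host else None), (ip.group(1) if ip else None)


def analyze(raw):
    """Return the extracted fields plus a list of findings; an empty list
    means nothing in the headers contradicts the claimed sender."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    host, ip = originating_hop(msg)
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if host:
        h = host.lower()
        if h != GENUINE_SENDER_DOMAIN and not h.endswith("." + GENUINE_SENDER_DOMAIN):
            findings.append(f"originating server {host!r} ({ip}) is not a {GENUINE_SENDER_DOMAIN} host")
    return {"from_domain": from_dom, "reply_domain": reply_dom,
            "origin_host": host, "origin_ip": ip, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        result = analyze(raw)
        print(label, result["origin_host"], result["origin_ip"], result["findings"])
```

The "From" line is the one field a phisher controls completely, which is why it is not used as evidence here; the Reply-To and the earliest Received line are what the post's header inspection actually relied on. Received lines added by relays outside your own provider can also be forged, so the hop your own mail server recorded is the one to weight most.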
These are days to be wary, my friends, and pay attention to your malware protections. The stakes are continually being raised, and even the experts can be played.
My phone, the mighty Moto-X.
https://www.motorola.com/us/motomaker?pid=FLEXR2
This is my long-awaited review of the Moto-X, second generation phone, with some words about my experience with the first generation Moto-X, and the general effort that Google is making with this class of phones.
First let me say that the Moto-X is my phone. I am an ex-iPhone user, and although I miss aspects of the iOS environment and the lovely hardware design and execution, I am not really looking back until someone answers this post anywhere with a complete user experience that matches or exceeds my results with Moto-X in the areas that I consider most important.
So, next let me state the priorities. My smartphone is a business tool that I happen to enjoy when I am not using it for business. There are many of us who approach this device this way. Most of us like me are not teenagers or even in our twenties. So to sum up my objective: I want a comprehensive communication tool with maximum Darwin award avoidance.
Communications: Texts, Phone calls, Emails, Tweets, WhatsApp messages, Instagram messages, Facebook posts, LinkedIn updates, weather alerts, news alerts, sports app alerts, and anything else the world wants to throw at me. My job is to capture them all, sort them out by importance and respond to the ones that matter. My hope is to enjoy a few of them that may not be important but provide fun or entertainment. This is the marvel of the smartphone which makes them so interesting to manage.
By the way, if you want my opinion of BYOD and how to control the smartphone in the workplace, here it is: Manage the person, not the device. Look for results and energy in your business enterprise from your employee/partner/associate. Make no attempt to control what they are doing with their smartphone other than to thank them for their service and take it away from them when you have fired them for not getting the results you expect. If the phone is theirs, make sure you have the right to wipe it and own the backup.
Back to Moto-X, I am dead serious about cell phone safety. Since the early nineties I have had a cell phone in my car, and I consider the whole point of mobile communications to be my ability to respond quickly to an opportunity or concern. Since I am an Information Technology provider, I spend too much time in my car to be cut off the whole time from communications, yet it has become abundantly clear that most forms of smartphone communication are lethal when driving, and sadly we have subjected this next generation to that experiment with some disastrous results. I am determined not to add to those statistics, but realistically, I am going to know what is coming and going on my phone when I am behind the wheel. That is where the Moto-X absolutely stands out.
When I am driving, if my wife texts me, my podcast pauses and my phone says to me "new text from Salma Hayek". (It actually says something else, but I don't think Salma will mind helping save a few more lives, and my wife didn't have the cash to be included in this post). Then the phone says "do you want me to read it to you?", and I say loudly and clearly "yes". Then the phone says "OK, Salma Hayek says: thanks for the lovely evening last night, I particularly like the way it ended. Let's do it again!" (This is the kind of text I receive after we have spent the evening cleaning out the goat pen. It's really fun and we just fall into bed exhausted!) Then the phone says "Do you want to reply to Salma Hayek?", and I say loudly and clearly "yes", and the phone says "OK, tell me what you want me to send to Salma Hayek", and I say loudly and clearly, "Me too, let's do it again tonight exclamation point", and then the phone says "OK, I think you said 'Me too, let's do it again tonight!', is that correct?", and I say "yes", and then the phone says "OK, sending text to Salma Hayek", and I have just taken care of a text while I was on the road driving my car.
OK, I am going to acknowledge some of the criticism that I am inevitably going to get about this last paragraph. I hear you saying, "but Nate, ANY distracted driving is not appropriate, you should have 100% of your attention on your driving." I am glad that you can't see my face right now. The expression on it would offend you, but there is nothing I can do about that. I have been driving for 41 years, and I have certainly averaged well over 20,000 miles per year over that lifetime of driving. I am going to make an assertion here: "All driving is distracted driving". In my view, if there is a way that I can dispose of my distractions while keeping both eyes on the road and both hands on the steering wheel, then I am light-years ahead of those who are trapped in their distractions, unable to dispose of them and return their full attention to their driving.
Let's face it, if we all required ourselves to focus 100% on our driving, we would purchase cars equipped like taxicabs so that our passengers could be kept separate from us. Mothers would not talk to their children on the way to school or soccer practice. It's ridiculous. We must seek the most reasonable, expedient and effective compromise that we can find, and I find the Moto-X to be exactly that compromise.
There are so many other subtle features of this phone that impress me and make me love it. Most of them fall under the control of an app that they now call "Moto", and those features include "Assist", which I have been describing here, and "Actions", which responds when I wave my hand over the phone or opens the camera with a shake. "Voice" is the voice response system of the phone, which is so much better than Siri that there is not room or time for that expression of disdain here. With the new version, you can pick your own "Activation Phrase", which causes the phone to listen for your words and respond, so you could activate your phone with something iconic like "Frankly my dear, I don't give a Damn", or "Say hello to my stinky little friend". "Display" scavenges battery life by illuminating only the portion of the OLED display required to show the time, or a key alert.
Another unique app is "Connect", which I believe might have saved the whole Windows phone/Windows 8 fiasco for Microsoft if they had just focused on it and introduced it four years ago. Connect puts your phone activity on your computer screen via a Chrome browser plugin.
Beyond these, there is the whole Google-verse of apps and ecosystem which I enjoy and find effective. As I said above, there is some subtle integration that is unique to the Moto-X phones, the first one of which I got after it came out last spring on Verizon, and then having loved it so much upgraded to the right-sized 5.2 inch Moto-X 2nd gen phone. I am partial to the Nexus Android experience, which is unchanged from that which is spawned directly from the software engineers at Google, and you get that Nexus experience on the Moto-X phone. Interestingly, the giant Nexus 6 is made by Motorola and looks like a six inch Moto-X, yet it does not have the same processor and sensor architecture of the Moto-X phones, so it cannot do all of the same tricks.
When I had the original Moto-X phone, I bought a cool little add-on called "Skip" from Motorola, which allowed a small magnetic garment clip with an RFID chip in it to unlock the phone. I do keep a lock code on my phone because I don't want a phone thief to be able to get directly in to my personal information, so Skip was a real time saver, but it is not compatible with the 2nd gen phone, about which I am a little bitter. Something about the new NFC communications being incompatible with the old. NFC is "Near Field Communications", which is a technology to allow smartphones to interact intelligently with objects nearby that contain NFC compliant RFID chips. This is an emerging technology, and I thought Skip was a great use of it.
So, as a final note, the only downside for me about the Moto-X is that we have no way of gauging Google's enthusiasm for this phone, although we can say that it is successful enough that it was one of the five or six top smartphones of 2014 by most reckonings, and the only one that came directly from Google via their subsidiary, Motorola. But wait, Google has sold Motorola to Lenovo, which means this could be all completely up in the air, except that if Lenovo and Google don't continue to partner on the development of the Moto-X phone brand and functions, it will drop out of the top six, and why would Lenovo or Google want to let that happen? Google is a very tricky company to read because everything they do is a massive play on Internet traffic and search, the mother of all their businesses, and ostensibly the mother of all businesses. I feel that I have no choice but to still bet on the Moto-X, my mobile friend.
Heartbleed Recap
This is a recap of the Heartbleed bug issue. I have reviewed this issue over the past several weeks since it was disclosed, and I would like to take this opportunity to refine my message to clients, friends and followers in Social Media.
Initially, the risk associated with the “Heartbleed” vulnerability was widely overestimated in the media, but it is real, and the threat became more acute when the information about it went public while so many sites had the vulnerability.
 
As I understand it, the remediation process is mostly complete, but with some of the more extensive sites (meaning complex with many users, products, processes and connections), still not having patched the vulnerability.
 
Here is what I can say:
 
We will call the sites that you use most regularly, and for your most important stuff, i.e. banking, credit and investment, your “Class A” sites.  You should look for statements about the Heartbleed vulnerability on your Class A websites, and follow their recommendation exactly and right away.
 
We will call the sites that you shop at most regularly your “Class B” sites.  These might be Amazon.com, Walmart.com, Sears.com etc.  If you use any of them for significant purchases, or if you maintain current credit card information at any of them, you should do the same for them as you do for Class A sites.   You might want to check receipts for things that you have purchased in the last six months to help identify these sites.
 
If you use an online email service, such as Gmail, Yahoo mail, Hotmail, Microsoft Outlook.com, or anything like that, and you use that email account as the “password recovery” email address for a Class A or Class B site, then you should check your email service provider’s statement about Heartbleed, and follow their recommendations exactly.  Do this even if you use a desktop software program like Microsoft Outlook or Windows Mail to manage your email.  If the email service has a web portal, you must pay attention to Heartbleed.
In addition to these sites, if you have a smartphone, and the smartphone comes with an associated account with Apple iCloud, Google Plus for Android, or Microsoft Outlook.com or Office 365, include those account credentials in the Webmail category and treat them in the same way.
 
Finally, you should be absolutely sure that none of the passwords that you use for these sites, Class A, Class B and Webmail, are the same.  Make sure that they are all strong and different.
 
I have recommended that you consider using a password manager such as LastPass to manage these passwords.  We, however, understand that many of our friends and acquaintances will find LastPass difficult to use because while we are fairly expert, there are areas where we have struggled using LastPass.  We have had to learn some special techniques that are part of the design of LastPass to deal with the various ways in which it sometimes fails to capture or incorrectly captures site information.  If for you, the number of these sites that I have described above is fewer than 20 or 30, then you may be able to maintain a manual list of your passwords, either on paper or in an electronic text file.  Remember that the existence of such a list is a security vulnerability in and of itself, and also, every time you change a password you must update your list.
We still strongly recommend that you adopt a password manager, and allot the requisite time and patience to become adept enough at using it that you don't get either locked out of your accounts, or get into a panic.
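The two rules above (no password shared between Class A, Class B and Webmail sites, all of them strong) are what the password managers' "security analysis" mentioned earlier in this page checks for. As an added example, not part of the post and not how LastPass or Dashlane implement their analysis, here is a small audit over a constructed vault export: it groups entries by a hash of the password so the report never carries plaintext, flags reuse, flags reuse that crosses the post's categories (the case that lets a Webmail compromise reset a Class A account), and applies an assumed length and entropy floor.

```python
import csv
import hashlib
import io
import math
from collections import defaultdict

# Constructed sample of a vault export (site, category, password). Categories follow
# the post's Class A / Class B / Webmail grouping. No site or password here is real.
SAMPLE_EXPORT = """\
site,category,password
bank.example,A,Tr0ub4dor&3
broker.example,A,correct horse battery staple
shop.example,B,Tr0ub4dor&3
store.example,B,summer2014
webmail.example,Webmail,summer2014
forum.example,Other,qwertyuiopas
"""

MIN_LENGTH = 12         # assumed policy floor
MIN_ENTROPY_BITS = 60   # assumed policy floor; see estimate_entropy_bits caveat


def fingerprint(password):
    """Short SHA-256 prefix: enough to group identical passwords without
    writing the plaintext into the report."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def estimate_entropy_bits(password):
    """Crude brute-force estimate: length * log2(character pool). It overstates
    dictionary words and keyboard walks, so use it only as a floor check."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def load_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows):
    """Return (reuse, cross_category, weak).
    reuse:          fingerprint -> [(site, category), ...] for passwords used more than once
    cross_category: the subset of reuse spanning more than one category
    weak:           site -> reason for entries below the assumed floors"""
    by_hash = defaultdict(list)
    for row in rows:
        by_hash[fingerprint(row["password"])].append((row["site"], row["category"]))
    reuse = {h: sites for h, sites in by_hash.items() if len(sites) > 1}
    cross = {h: sites for h, sites in reuse.items() if len({cat for _, cat in sites}) > 1}
    weak = {}
    for row in rows:
        pw = row["password"]
        if len(pw) < MIN_LENGTH:
            weak[row["site"]] = f"shorter than {MIN_LENGTH} characters"
        elif estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
            weak[row["site"]] = "low estimated entropy"
    return reuse, cross, weak


if __name__ == "__main__":
    reuse, cross, weak = audit(load_export(SAMPLE_EXPORT))
    for h, sites in reuse.items():
        tag = "CROSS-CATEGORY" if h in cross else "reused"
        print(tag, h, [site for site, _ in sites])
    for site, reason in weak.items():
        print("weak", site, reason)
```

Run against a real export, the script should be pointed at a file you delete afterwards: an exported vault is exactly the plaintext list the post warns is "a security vulnerability in and of itself".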
I think that this is the simplest message that I can give about password maintenance, and it is consistent with the best advice out there for creating and maintaining passwords. A day will come when we no longer will need passwords, but until then, we must be as wary as a jeweler walking the streets of Manhattan.
My Heart Bleeds, but not because of "Heartbleed"
In talking about Internet "threats", I have used the analogy of the great Wildebeest migration across the Serengeti plain in Africa. Most of us have seen the nature shows portraying the risks to the herd. Most of them make it across, but the weak, the young, and the infirm that fall behind the pack are vulnerable to the wild Cheetah or a pack of Hyenas.
Sadly, this is the case on the World Wide Web. Yes, you are the Wildebeest, and just how strong and fast are you? The recent "Heartbleed" infection is just the latest Cheetah, part of wave after wave of threat that have emerged continuously over the past decade or more. To learn more about this threat and get great advice, I recommend this article from NPR: http://n.pr/1jy7ZxA.
Many writers have pointed out the quietness and undetected persistence of this infection as a cause for serious alarm. Do they really think that infected websites have not been a problem up until now? What gets them frothing is that a chestnut of the open source community, OpenSSL is the attack vector, and it is very widely used on very respected websites. So, yes, it is substantially more pervasive and threatening than preceding threats. This changes nothing for most Internet users.
The NPR article concludes with five recommendations. I wholeheartedly recommend all of them plus one more: adopt and use a password manager. We use “LastPass”. There are some hassles getting used to managing your passwords with a password manager, but most of the process has been pretty well automated by them. I have tested “DashLane”, and many prefer that one. I found that the application hindered some aspects of my Windows computer’s performance, and so I discontinued the use of it. (It was publicly recommended by David Pogue of Yahoo Tech and formerly of the New York Times, who uses a Mac for his primary system, and who has written about Apple and the Macintosh extensively). DashLane (dashlane.com), works on Apple Macintosh, Windows, iOS, and Android devices and most browsers. LastPass (lastpass.com), works on those platforms plus Linux and Blackberry. Both are free to use on one device, but cost money to use on multiple devices with passwords syncing across all of your devices. We use the paid version of LastPass to get the sync function. Please take the time to learn how the password manager can help you be more secure by setting hard to crack passwords which you don't have to worry about remembering.
Finally, the NPR article includes tools to check the important sites that you visit, so you can tell whether the site is infected, or was vulnerable to the attack. Since most of us don't have time to chase all of that down, the advice of the NPR article is the thing to put your precious time into.
My wonderful wife has changed all of our personal and business financial service website passwords this week as a precaution. I recommend that you do the same.
CryptoLocker...Beware!
From time to time the threat landscape changes in a way that persuades me to contact my clients and let them know that heightened awareness and caution are needed. This is one of those times.
I will start this advisory with advice that must be passed around as thoroughly as possible to computer users everywhere.
Do not respond in any way to an email that proposes anything that you were not very specifically looking for.
Never click a link in an email unless you asked for the link from someone that you know, and they gave it to you directly.
If you receive a warning about a service that you use, go directly to the website of the service that you use in the way that you typically access it, such as using a bookmark or typing in the address into the address bar of your web browser. If the message is valid, the warning will be on the site.
If you receive a warning about a service or account that you don’t know about or know that you do not have or use, disregard the email and delete it.
Read Internet search results carefully when searching online for information. Only navigate your web browser to domains that you know and trust.
A relatively new form of malware, (read as a general term for “computer virus”), called CryptoLocker has been on the loose in the Internet for several weeks. It is a type of infection that we call “Ransomware”, because the attackers have designed the program to deprive you of access to the data on your own computer with the promise to restore your access once you pay them a certain amount of money. In the past, these types of attacks typically changed an attribute of your data file that made it invisible, but an experienced technician could easily restore access to the files after cleaning the infection off your computer.
Not so with CryptoLocker. The problem with CryptoLocker is that it actually puts all of your data files into an encrypted data file, encrypted in a way not breakable by any means available outside of national security agencies. CryptoLocker starts to perform this encryption and removal of your data files immediately after your computer is infected, and once complete, a message arises that informs you that you have 72 hours and counting to pay $300 in BitCoin or MoneyPak (untraceable payment methods). The screen contains a countdown timer that shows when your time is up, at which point the CryptoLocker servers delete the private key necessary to decrypt your data, and your data is lost.
If you see the window on your computer showing this message, it is very probably too late for ABN or anyone else to do anything about your data. The best thing to do is to shut down your computer by holding down the power button for five seconds, and then remove all network connections from the computer.
If your computer is connected to a network server sharing files, CryptoLocker will attempt to encrypt those files and it will succeed if you have read/write access rights to those files. Server data may be recovered from backup, however most personal computer hard drives are not backed up. If an external backup drive is connected to your computer at the time of infection, CryptoLocker will encrypt the backup, making it unavailable to you, as well as open DropBox, Google Drive, SkyDrive, or Jungle Disk connections.
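The behaviour described in the last few paragraphs, originals removed and replaced by encrypted output wherever the user has write access, is also what gives a defender something to watch for. As an added example, not ABN's tooling and not a detector for CryptoLocker specifically, the script below plants decoy files in a folder (on a file share, decoys named to sort first and last get touched early), records their hashes, and reports any decoy that goes missing or is rewritten with high-entropy content, which is how encrypted output looks. The incident it runs against is constructed in a temporary directory: random bytes stand in for ciphertext.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Names chosen to sort first and last in a directory listing (assumed convention).
CANARY_NAMES = ["00_accounts.xlsx", "zz_archive.docx"]
CANARY_TEXT = b"Decoy document. Do not edit. Monitored for tampering.\n" * 8
HIGH_ENTROPY = 7.5  # bits per byte; encrypted or compressed data sits close to 8


def shannon_entropy(data):
    """Bits of entropy per byte of data (0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_canaries(folder):
    """Write the decoys and return {path: sha256} as the baseline to check against."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(CANARY_TEXT)
        baseline[path] = sha256_file(path)
    return baseline


def check_canaries(baseline):
    """Return [(path, alert)] for every decoy that is missing or altered."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing: original removed"))
            continue
        if sha256_file(path) != digest:
            with open(path, "rb") as f:
                entropy = shannon_entropy(f.read())
            if entropy > HIGH_ENTROPY:
                alerts.append((path, f"high-entropy rewrite ({entropy:.2f} bits/byte), looks encrypted"))
            else:
                alerts.append((path, "modified"))
    return alerts


def simulate_incident():
    """Constructed scenario: one decoy overwritten with random bytes (standing in
    for ciphertext), the other deleted. Returns the alert texts raised."""
    with tempfile.TemporaryDirectory() as folder:
        baseline = plant_canaries(folder)
        assert check_canaries(baseline) == []  # untouched decoys raise nothing
        first, last = sorted(baseline)
        with open(first, "wb") as f:
            f.write(os.urandom(4096))
        os.remove(last)
        return [alert for _, alert in check_canaries(baseline)]


if __name__ == "__main__":
    for alert in simulate_incident():
        print(alert)
```

The same write access the post says CryptoLocker needs to reach share data is what lets the decoy be altered, so a decoy placed on a share and checked every minute from the server side is cheap early warning; the response it should trigger is the one the post gives, isolating the machine, plus revoking that user's write access to the share until it is cleaned. Decoys detect, they do not prevent: an offline copy of the backup remains the recovery path.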
There is no guarantee that you will receive your data back if you pay the $300 because law enforcement agencies are chasing the key server locations and shutting them down if they find them, which has the effect of canceling any outstanding ransoms in the process, and losing the data for those ransoms. In most cases, paying the ransom will unlock your data because the validity of the promise is what is making this threat so profitable.
Finally, because this threat has been so successful financially, it is likely that the number and type of threats similar to CryptoLocker will grow.
On an upbeat note, no clients of ABN have yet experienced this infection. We are doing our best to maintain your antivirus software at current revisions and updates if you are relying on us for that service. At this time, this is the best effort that we can make, along with advisories like this one.
Cyberkey - TNO for YOU
Nate Abbott
Abbott Business Networks
(All Rights Reserved)
Today I was introduced to a new security product that will shortly be released to market called Cyberkey (http://cyberkey.com). The concept is simple:
1. Download Cyberkey.
2. Install Cyberkey (after installing one prerequisite).
3. Plug two USB sticks into your computer successively as directed, which converts them into special USB keys.
Result: An encrypted folder appears on your hard drive, Google Drive folder, or DropBox folder, that is locked with the best available encryption and only when you insert your "personal" USB key into your computer. When you remove the personal USB key from your computer, the folder disappears into a vault that is practically inaccessible to the most powerful super computers in existence.
The USB key that makes your data appear is the second USB stick processed in step 3 above. The first USB key is your master key, and it allows you to produce replacement keys. Here is the explanation from the Cyberkey website: "The Master Key holds the keys needed to unlock your Vault. The Personal Key holds scrambled versions of those keys - descrambling requires a PIN that you choose during setup. You keep the Master Key someplace safe - in case you lose your Personal Key - and carry the Personal Key with you."
The secret sauce that makes Cyberkey work is TrueCrypt, which is an open source encryption package that many of us in the industry know and have used to secure data for years. That is the “prerequisite” that is easily installed before Cyberkey can run. It is a package that Information Technology professionals, engineers and the like find accessible and easy to use, but average computer users may find baffling. Cyberkey leverages TrueCrypt's strength, very strong encryption based on the most advanced and reliable crypto in circulation anywhere, and wraps it in a simplifying package that makes it very easy for anyone to use, and to understand the rules about.
The key acronym here is "TNO", or "Trust No One". If you are in any way concerned about data on your computer becoming known at any time by people who you do not know or trust, then what you want is TNO security. If you rely on a third party to secure your data, either on your hard drive or in "the cloud", then you are subject to not only the laws governing search and seizure under probable cause, but also the potentially unconstitutional searches that our National Security Agency may conduct. If you are using truly "TNO" security, then it doesn't matter who gets your data, or who gets access to your data on a third-party storage platform. Nobody can look at your data because the keys are required to decrypt the data. If you destroy the keys, you remove access to the data. Only your passphrase and TrueCrypt can open the data vault back up, and arguably you cannot be compelled to testify against yourself and give up a thing that you know, such as a passphrase. As the encryption guru Bruce Schneier says, "Trust the Math".
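The Master Key / Personal Key / PIN arrangement quoted from the Cyberkey site, and the "destroy the keys and the data is gone" point just made, can be shown with a small key-management model. This is an added example and not Cyberkey's or TrueCrypt's implementation: it is a constructed scheme using only the Python standard library, in which the vault key sits in clear on the Master Key, and the Personal Key carries that same key scrambled under a PIN-derived PBKDF2 keystream with an HMAC tag so a wrong PIN is rejected rather than yielding garbage. The vault's own data encryption (TrueCrypt's job in the product) is not modelled; the iteration count is an assumed value.

```python
import hashlib
import hmac
import os

KEY_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumed; raise it as far as your hardware tolerates


def make_vault_key():
    """The secret that actually unlocks the vault. Stored in clear on the Master Key,
    which is why the Master Key stays somewhere safe rather than in your pocket."""
    return os.urandom(KEY_LEN)


def _pin_keys(pin, salt):
    """Derive a wrapping key and a separate MAC key from the PIN and a per-key salt."""
    material = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, 2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def make_personal_key(vault_key, pin):
    """Scrambled copy of the vault key for the Personal Key. A fresh salt means the
    PBKDF2 output is used as a one-time keystream; the HMAC binds salt and
    ciphertext so tampering or a wrong PIN is detected."""
    salt = os.urandom(16)
    wrap_key, mac_key = _pin_keys(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(personal_key, pin):
    """Recover the vault key from the Personal Key, or None if the PIN is wrong."""
    wrap_key, mac_key = _pin_keys(pin, personal_key["salt"])
    expected = hmac.new(mac_key, personal_key["salt"] + personal_key["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, personal_key["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(personal_key["wrapped"], wrap_key))


def replace_lost_personal_key(master_key, new_pin):
    """Because the Master Key holds the vault key in clear, a replacement Personal
    Key with a new PIN can be issued without re-encrypting the vault."""
    return make_personal_key(master_key["vault_key"], new_pin)


def destroy(key_material):
    """TNO in practice: once every copy of the vault key is gone, nobody, the owner
    included, can open the vault. Clearing the dict stands in for wiping the stick."""
    key_material.clear()


def vault_still_reachable(master_key, personal_keys, pins):
    """True if any surviving key material can still produce the vault key."""
    if master_key.get("vault_key"):
        return True
    return any(pk and unlock(pk, pin) is not None for pk, pin in zip(personal_keys, pins))


if __name__ == "__main__":
    master = {"vault_key": make_vault_key()}
    personal = make_personal_key(master["vault_key"], "4821")
    print("right PIN:", unlock(personal, "4821") == master["vault_key"])
    print("wrong PIN:", unlock(personal, "0000"))
    spare = replace_lost_personal_key(master, "7731")
    print("spare key:", unlock(spare, "7731") == master["vault_key"])
    destroy(master); destroy(personal); destroy(spare)
    print("reachable after destroying all keys:", vault_still_reachable(master, [personal, spare], ["4821", "7731"]))
```

One property of this constructed scheme worth seeing in the code: whoever holds the Personal Key can try PINs offline against the HMAC, limited only by PIN length and the PBKDF2 cost, which is the reason a short PIN is acceptable only because the Personal Key itself is a physical second factor you carry. A production design would use an authenticated cipher such as AES-GCM for the wrap instead of the XOR keystream shown here.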
Such is the extreme reasoning that some of us think about when we consider privacy, however there has been a broader discussion about the new surveillance state that has arisen since 9/11 in the United States and elsewhere in the world. Democracies are for the first time organizing totalitarian-regime-like surveillance capability that involves intensive analysis of signals as well as data. Signals would be the stuff that the law permits government agencies to look at without any court approval: TCP/IP addresses, email header information such as "from" and "to" email addresses, time-stamps, cell phone numbers and routing data. These signals can tell a great deal about us, and they are used by the agencies to establish a cause of further investigation, which may include examining the contents of email messages, text messages, and communications that would be protected under the constitution, but are available to agencies that are engaged in national security protection and anti-terrorism. Most of my readers will be aware that this discussion has escalated since the defection of Edward Snowden and his revelation of secret NSA documents published by The Guardian and other newspapers internationally.
Regardless of what you feel about our security state and the legitimacy of the Snowden activity, we are affected deeply by the idea that we are being watched. We need to know that things we want to maintain privately may remain private. It is our right as citizens of the USA. There may also be quite a few good business and personal security reasons. The business opportunities are fairly obvious: Law firms dealing with sensitive case material that opponents might be eager to compromise. Business partners planning a merger, acquisition or sensitive product development effort with valuable intellectual property. Small business owners with personnel trouble. All could find this useful.
For this reason, I am enthusiastic about Cyberkey and its accessibility to common computer users, not just the geeky ones who have known and loved TrueCrypt. If you have two spare USB flash drives of any capacity, including small capacity ones that cost less than $7.00 at Staples or Walmart, and if you have a computer running Windows 7 or later, you can try out Cyberkey for free like I did. Just go to the Cyberkey website at www.cyberkey.com and follow the simple prompts.
I spoke to Fred Federspiel, the developer, and he is planning some great extensions to the product once it gets launched and off the ground, including Apple Macintosh support. Fred has a long background as an engineer and inventor, and I think he is onto something here, bringing Crypto to the masses in a very accessible way. Give it a try and let Fred know what you think.