The Computer Security Consultant, Diamondkt



I have made many friends in Blogsville. Some I got to know very quickly because we are so much alike. Others are more mysterious. I wandered into Diamondkt's blog and spent a fascinating hour reading about computer stuff and learning a lot. I also had some chuckles along the way. So, I kept going back and commenting. I also had a blush or two from his article on Colin Ferrel and more recently on Jude Law. Setting all that aside, though, I found an intriguing young man who seemed to love what he does and he does it quite well. I had to ask him a few questions and asked him if I could interview him. He graciously said, "Yes." So here are my questions and his answers.



What one thing about computer security would you have computer users understand?

That technology is constantly changing and with that comes the constant need to protect yourself from the numerous security issues facing computers today. It's important to stay informed about things such as viruses, software patches and spyware...but don't be too paranoid. Yes, the Internet can be a dangerous place, although for the average computer user, the chances that a hacker solely targets you are unlikely. A hacker is much more likely to go after a large corporation where the "pot of gold" on the other end is higher than the average Joe's home PC.


What is the most dangerous, or foolhardy, thing a person can do with their computer regarding security?

Use Windows straight out of the box. Ha-ha, tech joke that many probably won't get. Seriously though, connecting to the net without first turning on a firewall! Even the built-in Windows firewall is better than nothing. If you fail to turn on your firewall and connect to the net for the first time, literally within minutes you will be infected with MSBlast or another virus. That is just a fact and a scary one at that.


What is the first thing a person should get in the habit of doing to protect their computer?

There are a few things people should get into the habit of doing, but #1 would be to turn on your firewall. Then go to the Windows Update site and download/install the service packs and patches. Next I would install some anti-virus software (I like Norton AntiVirus) and allow it to run in the background to protect you. You may also want to install some anti-spyware software too (I like the free Ad-Aware SE). Lastly use good passwords for your router, Windows login, e-mail and any account you own. A good password should be at least 8 characters long and contain both upper and lower case letters, numbers and symbols. It also should not contain any words that could be found in a dictionary or could be easily tied to you - such as your spouse's name. The more random, the better.


Is it a good thing to have Windows automatically download updates?

Yes, definitely. By allowing Windows to automatically download updates, it saves you the hassle of going to their site and searching for new patches and fixes. Let your computer do the work for you. Then you can sit back and relax knowing your system is protected.


There are all kinds of tracking devices out there. Are there any dangers with these? What security level do you recommend with cookies?

Cookies get a bad rap. There are some "bad cookies", but most cookies aren't as harmful as the media plays them out to be. Basically a cookie just saves some preferences for you to speed up your surfing habits. For example, a cookie can hold your username and password for you on a message board. As long as you are the only person who uses that computer, then it's not a security concern. Most people don't realize that no matter where you go online, nearly every site tracks you to some extent. For the average user, I would suggest "medium" security level when it comes to cookies. You will find the option in IE by going to Internet Options and clicking on the Privacy tab.


Since the "average hacker" goes after the pot of gold at the big corporations, should we be wary of doing financial business over the internet with our credit card companies and our banks? What precautions should we take with that?

Well, I know many people do their banking and other financial business online. However, I don't. I guess when it comes to my banking, mutual funds, stocks, etc., I like to do it the old-fashioned way. It's very sensitive data and being in the line of work that I am in, I have seen so many banks and stock broker agencies get compromised. It doesn't happen that often and usually when it does it only affects a rather small percentage of accounts. Still, one is too many for me to take the risk on. Yes, virtually all of that data is stored on computers somewhere, I just don't want to be punching in my assets from another computer, increasing the risk of someone intercepting the information during a transaction. Now that's just me and perhaps I am a little paranoid and overly cautious, so it's a personal decision everyone has to make on their own. The risks are slim, but there is always a risk, so don't be fooled into thinking it's 100% secure.

Now I do use PayPal for money transactions online such as purchasing something on eBay. I've bought products from numerous sites, both small and large companies, and I have never had a problem with my credit card information being misused. I do pay close attention to my credit card and bank statements that I get in the mail and I suggest everyone keep an eye on those to detect any fraudulent use that may occur. It's a good habit to get into whether you pay bills online or offline because cyber criminals may be the new breed of "bad guy", but the good old-fashioned offline crook still exists too. To keep safe, only shop with reputable businesses online. Even an online business should be listed with the BBB, so if you have any doubt, check with them. Only enter personal information via a website that uses security certificates and encrypts their data. Never give your credit card or other personal information via an e-mail or IM. If you are asked to do that, be aware that you are probably being scammed. Get yourself a PayPal account. They are free, easy to use and a widely accepted form of payment on just about every site.


Without getting too technical, what is the worst thing a virus can do? Since anti-virus software is not 100% effective, is there anything we should beware of contracting viruses?

A virus can do minor to major damage depending on what virus you have. Viruses can be as harmless as just changing your homepage in IE to a porn site or they can be as damaging in terms of erasing your entire hard drive or configuring your computer in a way that allows the hacker total control over your computer. A keylogger is another problem that many viruses carry. A keylogger collects every login (username/password) and every word you type. Some viruses can do so much damage that they can even cause problems with the hardware in your computer - changing the BIOS settings on your motherboard and literally frying your system. To stay away from viruses, it's a good idea to not download any file online that you know little about. Adult websites and file sharing sites are notorious for being infected with viruses. Stick with reputable websites and only download software from sources you trust.




I have noticed quite a bit of spam advertising in comments on different blogs. Is there anything we can do to prevent this? Is there anything a person can do to Outlook to make sure the real spam goes to the junk email bin and the good emails go to the inbox?

Yes and yes. For some, blog spam has become a real problem. Fortunately for me I have seen little of it on my own blog, but I have seen a ton of it on other blogs. I'm not sure why one person gets hammered with it and another does not, but I'm thinking it has more to do with the post topics. For instance, when I posted about anything medical, I saw my blog getting spam comments about diet pills or sexual enhancement drugs. Now that may just be a coincidence, but spammers in general use bots to send out their messages. Therefore, keywords are selected on a blog to make the spam more "topic specific" and first appear to be a relevant comment when in fact it's nothing more than an annoying form of an advertisement gimmick. Blogger has taken recent measures to help eliminate spam and give bloggers some control of who and how comments can be posted to their blogs. It's called "Word Verification for Comments" and more information can be found at http://buzz.blogger.com/2005/08/word-verification-for-comments.html

For e-mail spam in Outlook, you can adjust some settings to help filter out the junk. The best spam filter system is done on the network's server which would mean your ISP would need to help you out, but for the sake of your question, we are going to focus on filtering out spam on the user's end using just the Outlook program. It can automatically move spam from your Inbox to your Deleted Items folder or to any other folder you specify. Outlook creates a folder called Junk Mail, where you can move junk e-mail and then review it before deleting. Or you can have junk e-mail delivered to your Inbox, but color coded so you can easily identify it. The list of terms that Outlook uses to filter suspected junk e-mail messages can be found in a file named Filters.txt. You can also filter messages based on the e-mail addresses of junk and adult content senders, allowing you to move or delete all future messages from a particular sender. You can review the Junk Senders list and add and remove e-mail addresses from it. For more information on this and the step-by-step instructions, just open Outlook and type in the keyword "spam filter" in the help section of Outlook.


What is a day in the life of a computer security consultant like?

It varies from day to day and depends on the client. Some clients require very basic security needs and routine work, while other clients request tighter security and are more demanding. No matter how big or small the client is, the initial consultation service is the same. I'll meet with them, listen to what their problems and needs are, then I'll give my advice on how I can help them. If they like what I have to say, then I will begin putting together a plan of what needs to be done, how often and of course the cost. After we reach an agreement, I get a contract signed and the job begins. What I do is quite different and much more involved than what a typical IT guy does. It is somewhat difficult to sum up or explain, but the best way I know how to say it is that I do reverse engineering. What that means is that I usually work from the outside in. A company may feel their network is secure, but they want to make certain, so they call on me. I will find their weaknesses and security holes for them before a hacker does. I find what needs to be secured or fixed and protect the company from a possible attack in the future. In some cases a company has already fallen victim to an attack, so I am called on to do the clean-up work and prevent a similar situation happening to the company again. Some days can be very stressful, especially when I work for the government. The best part is that every day there is something new. I love to learn and "outsmart the bad guy". Technology always changes and for me, keeping up with it and ahead of hackers is a fun challenge. It's rewarding to know at the end of the day you may have helped protect a company from losing millions of dollars in damage. Better yet, that you help secure places like the Pentagon. Not too many people can say that at the end of a workday.


What do you consider the most interesting thing about what you do?

I guess if you are into technology at all, then a lot of what I do may be interesting to people. For the average computer user, what I do is probably over their head and I don't mean to say that to sound rude, but it can be confusing and hard to explain to someone who isn't up on all the terms and things of that nature. I'm not sure if this is really "interesting" as much as it is "shocking", but the public would be surprised at what information government keeps on you. It's also surprising to work for some well respected businesses and colleges and find out that they are central servers for kiddie porn rings! It's very disturbing and not something you can just pull someone aside and let them know they are caught and give a reprimanding to. Other interesting/shocking things include the unwavering amount of trust even security companies have in terms of believing that they are "un-hackable". Let me make it clear that there is no such thing as 100% secure. I lost count of the number of businesses that "secure" the most sensitive data with default logins such as admin/password.


You have an extremely successful blog. Any advice for us new Bloggers or even for those who have been blogging for a while?

Thanks, but I'm not sure it's as successful as some other blogs. I think the best advice I can give to a new or veteran blogger is...blog because you HAVE something to say, not because you WANT something to say. I see too many blogs with nonsense posts about nothing other than what the person ate for lunch. It doesn't make for good reading material. Personally I am more inclined to read and return to a blog that has some sort of theme or purpose. There are so many blogs out there which are just personal diaries and sometimes that can be entertaining to see, but unless I actually know the person, I tend to not care about their personal trials and tribulations of everyday life. I think you should blog about what you are passionate about. For me that is technology and of course I have other interests that I blog about too, but it really does show when a writer is passionate about what they are talking about. Their enthusiasm and energy comes thru to the reader in their words. That to me makes for a good blog. Plus creative post topics, a little humor and a hidden talent for writing also helps.

One of my own secret tips that I can give people is to link back to other bloggers. Be kind to them and open to their different points of view. You will see they will return that same respect and courtesy to you. I devote a section on my site for every person who stops by my blog and leaves a comment. As a thank you and a way to expand my "blog community", I add a link to their blog. It's also a good way for me to easily find their blog and visit there too. Lastly, keep in mind that it's "quality and not quantity" that makes a successful blog. If you can update your blog daily, that's great but if you feel obligated to post something/anything, then perhaps you are posting too frequently. For me, I never like to make blogging feel like a chore. I do it because I like it and I feel I have something to share. When blogging feels more like work and less like fun to me, then that is the day I quit.



Any other comment you'd like to make?

Most of the computer security advice and tips I gave above focused on Windows mostly because the majority of computer users are on Windows. I hope that this interview was both informative and entertaining for everyone to read. In no way is it a complete look at what I do or who I am as a person, but I think most people already know that a single interview cannot reveal everything there is to know about someone. I know thru this interview at times I rambled and at other times I left things out, I apologize for that. Although generally it should give you a somewhat basic idea of what my job is about and a little inside look at who I am. Thanks to Gina for taking the time to write these questions up and I'm flattered that you felt I was a subject worthy of interviewing. It's been fun!