Good morning and welcome to this week's edition of NCompass Live. I am your host, Christa Burns, here at the Nebraska Library Commission. NCompass Live is the commission's weekly online event. We are a webinar, a webcast, an online show. The terminology of what these things are actually called is up for debate. That could be a show someday. But whatever we are, whatever you want to call us, we're here live online every Wednesday morning at 10 a.m. central time. Call us what you like. The show and our recordings are free and open for anyone to watch. So you can go to our website, which I'll show you at the end here, to see our upcoming shows and to watch any of our previous recordings. All of our shows are posted to the Library Commission's YouTube account, along with any slides that maybe have been used and any websites that were shared. We put all that together into some after-show notes so that you have access to all that information later. We do a mixture of things here. Presentations, book reviews, mini-training sessions. Basically anything library-related, we are happy to have it on the show. And we do have a commission, Nebraska Library Commission staff, that come on and do presentations sometimes. But we also do bring in guest speakers as we have this morning. On the line with us is Blake Carver. Hi, Blake. Hello, Christa. Hello, who is, well, he's a couple of things. He is the owner of LIS Host, the best library web hosting company out there. If you're a library person and you want to have a website, call Blake. He'll get you set up. He's also just recently, within the last year, I can't remember exactly, become staff at LYRASIS, the network. What is your title there? I don't recall what you're doing with it. I am the Systems Administrator for LYRASIS, where we host ArchivesSpace and Islandora and CollectionSpace. Cool, yeah. 
All right, so Blake was on the show, I believe it was in 2012, talking to us about IT security in libraries, specifically what you need to be aware of, things that can go wrong, that will keep things secure. But it's been quite a few years, and of course, things changed, so we decided it was time for an update. So got in touch with Blake, and he is on the line with us remotely from up in Northwestern New York State. Yep, Buffalo, yep, my home state. So I'll just hand over to you, Blake, you can take it away and tell us everything we need to know about IT security. OK, thanks, Christa. No pressure, no pressure. So I definitely won't say everything we need to know that I could cover in an hour. I'll squeeze in as much as I can. I could very easily, and have in the past, talk about this stuff for an entire day. But I think everyone is going to pass out if I do an eight hour webinar. So we'll just give it to about an hour. OK. So I always like to start with this quote from Bruce Schneier. He's probably the most well-known IT security and security guy out there. He's a rock star in this field. And he did a talk at TEDx Penn State a few years ago. And he said, security is two different things. It's a feeling and it's a reality. And you can feel secure and not be secure, but you can also feel insecure. And in reality, you are pretty secure. So today my goal is to make you feel less secure about IT security and computers and phones and everything else than you feel right now. I want to start you thinking differently about anything that you plug into the internet, a phone, a computer, a desktop, laptop, a tablet, whatever. I want you to start thinking like a hacker and start thinking more securely, both at home and in library, wherever you use any of your devices. And really, especially in an hour, we can't lock everything down in our lives. But in general, it's just impossible to keep everything locked down all the time. It's not about making things unhackable. 
It's about making it much more difficult. And just making things safer, making them more difficult to hack makes them much, much better in general. It's just important that everyone in a library, anyone who has a computer at home, if you have kids, if you have patrons coming in your library and touching your stuff, we all need to take it a little bit more seriously and just pay attention to things that are really easy to ignore. Because there are an unbelievable number of bad guys on the web, and it's not necessarily that they're guys or women, men or women. The really bad things are automated. There's just an increasing number of automated things called bots. They're basically like evil Google search, the Google bots. They're just always out there scanning the internet. And all of these different bad guys are after different things. But there's really three general classes of bad guys out there, criminals. And that's probably what you think of when you think hackers, in a dark room wearing a ski mask typing over their keyboard. Criminals are trying to break in your computer, steal your credit card information. They're breaking into Blue Cross and downloading everyone's information, or they're breaking into the IRS and stealing all your information there. They're activists doing slightly less damaging things. They want to deface websites and get their messages out there. And then, of course, government agents, which are one group that I recently started leaving off of these presentations. Because I think, at my opinion, at least on the NSA and all the other big security government agencies, it's really kind of a political thing more than anything else right now. And really, the NSA has a budget of billions of dollars, and they have thousands of employees. And I don't know how to defend against that. And realistically, there's probably no way to do that. But they're out there doing things they shouldn't. Where are all these bad guys working? 
Well, they're where we are. They're trying to get in your email. They're on Facebook. They're on Twitter. They're trying to get in web servers. They are everywhere and anywhere. There is a thing with an IP address. And there seems to be a pretty common misconception that the bad guys, the hackers, whatever we want to call them, are a bunch of kids sitting in the basement chatting away on 4chan and finding ways to annoy people. But there's an entire industry out there of, this is their job. People sit out there 8, 10, 12 hours a day, and they just try to break into things. They try to steal things. They have an army of bots that never go to sleep. Someone called it Malware Incorporated. It's mature and everywhere. They work in the hard to reach places. They do their best to hide their tracks and remain anonymous. So these are some pretty common tools that are out there that you could download and become evil yourself. The Incognito RAT; RAT means remote access tool. It's just sort of a general term for these kind of things. And as you can see, they are pretty nice looking. They're things that any of us could download and figure out. This one, SpyEye, this is sort of an old version of it, but you can see it has dedicated things for Bank of America and credit cards and FTPs. This'll do just about anything you want. It comes with a nice manual even. Here's another one that lets you scan a bunch of things at once. And another one that has eBay and Facebook and Amazon, everything built right in. It's point and click, very easy to use, very user friendly. Most of these things use old vulnerabilities. One of the most important things you can do is keep everything that has an IP address updated at all times. And another interesting stat that I found is that most of these come out of Russia. Not exactly sure. I guess there's probably many reasons for that, but most of the really interesting work in this area is coming out of Russia or the countries around Russia there. 
And here's a really big reason why bad guys are doing what they're doing. This is from a website called Krebs on Security. Brian Krebs is another rock star in the industry. And he made this nice infographic a couple years ago, and I think it's probably three years ago now, and really it hasn't changed at all. It's called The Value of a Hacked PC, and one of the biggest things that people are after is your personal computer, either the one sitting under your desk at home, or the 50 or 20 public access machines you have in the library. If someone can get into one of these, they can either use it themselves to do all sorts of different things, or they can add it to their inventory and they sell it. There's people who specialize in just breaking into PCs, taking them over. They get control and then they hide. They're very good at hiding in there, and then they sell it. A couple bucks, you can go to a website and rent a botnet or buy hacked PCs and take them over, and then you can do whatever you want with them. So there are after all the things that you can imagine. Your PINs, your passwords, your contact lists, your phone numbers, basically anything that you could find out a computer has a value to someone. This personal information is a currency of the underground economy. It's bought and sold and traded. There's websites devoted to it. There's groups of people who do nothing but buy and sell this kind of stuff. And really, there's, if someone targets you, if someone targets your PCs or your library network, they're probably going to find a way in. There's just too many holes out there, but that's not really what we can talk about today, but what we want to do is just make it more difficult. We want these bots to just kind of take a look at our computer and say, this is not worth the effort, we'll just keep going. And sooner or later, if you manage enough PCs, if you manage a large number of servers, something's going to happen. 
And you just need to make sure that you have some kind of plan in place to make recovery and getting everything back online and fixed easy. So, we're gonna talk about privacy for a little while and then passwords, how to choose a good password, what makes a bad password. And then staying safe, just in general on our desktops and laptops and everything else that we use on them. Now we'll talk about security in libraries for a little while, about training and how to lock things down a little bit. And then I'll finish up with server-side security since that is, well, that's pretty much my life. I spend every waking moment taking care of about 100 servers and making sure they're as safe and secure as possible. So, when it comes to privacy, I think we all know probably most of you are out there librarians and we are guardians of this kind of thing. We haven't baked into our DNA. It's probably a reason why we became a librarian in the first place. And out on the internet, there isn't much privacy to be had. And we all know that privacy, being private, trying to hide our tracks, trying to not let people know what we're doing. It's not necessarily that we're doing anything wrong. It's that maybe we don't know what's gonna happen if people find out what we're doing. And all of our privacy troubles are, especially on the web, they're very sort of small and we don't really notice. We install maybe Facebook Messenger on our phone and we don't really pay attention to what it has access to and we just kind of click through and don't really worry about that. They just downloaded our address book and it has access to our camera and everything else. But unfortunately, once this stuff is out there, you can't get it back. Who knows where our address books went to? Who knows what's stored where and if they're safe and if they're being hacked? We don't know where it's stored. We don't know who has access to it. And we don't know if it's safe. 
We hope that especially Google and Facebook and Twitter, they probably have huge security departments and all the best of everything they can to keep that stuff safe. But you can believe that every single talented bad guy, whether it's NSA or any random other people are going after them constantly. So in general, don't overshare when it's free, things like Google and Facebook and Twitter. The cost there is our privacy. Make sure you just sort of keep an eye on things. Don't overshare, lock things down as much as you can. There's a lot of, especially if Facebook has a ton of privacy settings that default to being not very private. Robert X. Cringely, he's been writing about security, technology and that stuff for years and years. He had this great quote. He says, the companies entrusted to keep our personal data safe are invariably the ones who have the most to gain from not doing so. In the same article, he said, every privacy policy starts with we value your privacy and then it goes on for pages and pages and pages about how they are not being very private and they don't value our privacy, they really value our information. If you're feeling so motivated, it's not a bad idea to sort of keep an eye out for your own stuff online. Maybe conduct a search of your user names. Have a couple of different, maybe Twitter accounts where one nobody knows who you are and the other one is your professional account. Check the privacy settings on any social networking thing. Twitter does a pretty good job most of the time. Facebook has a lot of settings in there. Anything else, Instagram, all the other big ones. Now, of course, don't share your passwords with anyone. I really like this quote from Woodrow Hartzog. He talks about being obscure rather than private. And if someone's going after you, whether you're trying to break into things or trying to get your information, if you can work to make it more obscure, that goes a long way sometimes. 
And there are services out there and also just big lists of how to remove yourself from all the big data broker websites. And you probably can never scrub all these databases of all of your information, but you might be able to make yourself just obscure enough to make it too difficult for the bad guys and they'll just kind of move on to someone else. So that was a really brief discussion about privacy. There's obviously a lot more to it. I'll be talking about that a little bit more at ALA if you're gonna be there next month on Saturday evening. And I'll be talking with Alison Macrina and she'll be talking mostly about that kind of stuff. But if you have any questions about privacy or anything else as we're going along, I think I can see it in the interface here. Probably not. I've got the, since you're just as a presenter, you don't have the, you can't view the questions. It's okay, I'll triage them. So yeah, if anybody has any questions, type in the question section there. I did like your comment there about the privacy being obscure. I know some people go a little extreme as far as being private on the internet and going to the extreme of don't share anything. Don't do anything because, oh my gosh, it's gonna be terrible when horrible things happen to you. But I like your concept of be obscure about what you're doing and be, but don't be completely, not there. Yeah, and I'm gonna come around to the concept a couple more times going when we talk about passwords and we talk about something else towards the end. And I think that's sort of a good middle road to take where don't lock yourself in the basement in a bunker and never do anything, but just kind of look at things differently and try to be a little more careful in general. Oh, we do have a question, a librarian from our home state, David Rothman wants to know, could we hear some practical examples of security through obscurity? Yes, that would have been great if I had an answer for that question. 
Well, there's a bunch of services companies that can automatically unsubscribe you from all the big data brokers like Intelius and there's a whole bunch of big ones, just probably three or four. So if you're really dedicated, there's huge lists, I just saw one on Reddit recently, huge list of all the places that buy and sell your private information and they all have ways to opt out. I don't know how successful that really is in general, but then there's- It doesn't hurt to do it though, to just make sure you've done that. Just like the do not call list, I did that for our phones and it's worked pretty well, but there's still some that will get through, but imagine if you hadn't done it, how much would get through? Yeah. And then there's just the general use a couple of different Twitter accounts. I think Facebook kind of frowns on that kind of thing. If you have the real David Rothman and the secret David Rothman on Facebook. Last I knew they wanted the whole real identity thing, but I think maybe they- I think they're realizing that there are gonna be cases where that can't happen and they need to deal with the real world for people. Yeah. Another question, are you going to talk about browser plugins or extensions and how the security with them? Yes. Okay, cool. Wait till you get to that in the session. Okay. Okay, so passwords. The two big, big no-nos of passwords, don't reuse them and don't use weak passwords. My slide will go forward up there. So the problems with passwords are huge. They, you know, everything about passwords is the worst thing that you can imagine. The time it takes to crack a password is the only true measure of its worth. And we'll talk about how they get cracked and how people get their hands on them. But this really is, everything comes back to this. If someone either gets your password or gets an encrypted version of it, you want it to be the most difficult password on that list to crack and they'll never get it. 
So there's really, really powerful, fast, easy to use, user-friendly tools out there to crack passwords. And when I say crack passwords, I mean encrypted, in a database, your password turns from, you know, whatever. Monkey turns into a string of 30 random looking numbers and letters. So what happens is someone, bad guy, breaks into, let's say, just recently we found out, bad guy broke into Adult FriendFinder and downloaded some huge number of email addresses and user names and passwords. User names and email addresses were just there in the database, you can read them. But the passwords are usually encrypted in some way so that you look at them and they're just random looking garbage. But what they do is they run them through these programs. The big one is called oclHashcat and you can download it, it's open source, you can download it and run it on anything. It's kinda neat to watch it work. And basically it just keeps guessing. It's called a brute force attack. But you can also do things called dictionary attacks where you feed it real words and then you combine those real words and then you switch them around and you make them uppercase and lowercase. And it guesses millions and millions of times very, very quickly. There's also stuff called rainbow tables which is pre-decrypted things that are stored in a database to make it faster. And then all sorts of other fancy things that are kind of above, not quite so trivial as things like oclHashcat and other things. So let's say your password does get taken. How did they get it? Well, maybe you gave it to them. Usually through phishing, P-H-I-S-H-I-N-G where you get an email and it looks like it's from like your systems administrator or someone who works in the IT department and they say, hey, I need your password and you're not thinking and you hit reply and send them your password. They either stole it, guessed it or brute forced it. 
That is they downloaded it from some data breach and you used the same password for, that was another big data breach recently, Blue Cross, as you use for work and as you use for everything else. Or someone else gave it or sold it to them. You can go out and buy huge numbers of usernames and passwords and logins. This is part of that personal information that is the currency of the underground, bought, sold and traded all the time. So there are data breach after data breach after data breach and it's always the same story. People use the same passwords everywhere and people use really bad passwords. And because all these are out there, the crackers and the password guessers get easier because we have these huge word lists. People use them and massage them and combine them. They use them as templates. So the bad guys have a really good idea of what easy to guess passwords are, the most frequent ones and not only that but how people build passwords and they use these patterns and they can break these tables very, very quickly now. So what makes a good password? It's unique, it's strong, it's long and I used to say it's easy to remember but those three things together make it nearly impossible to remember because you need it to be as long as possible. That's the most important thing. Which of course makes it much harder to remember. So this is the federal desktop core configuration which has a huge long list of all the different things that go into a password that is required, I think, on all the federal government desktop website or at computers. So you end up using a password like this which is really, really good. It's super random, it's super long but you're never, ever gonna be able to remember that and you probably can't even take that much time in the morning typing in every morning. So I'm in sort of a unique position where I have very frequent needs for people's real passwords. 
I have to look at their email, I have to get into their website, I have to do all sorts of things for them and they're usually librarians and very frequently they give me their password and it's something like library123 or the name of the library123. I used to have a slide on here that had a list of common, like I just made up a bunch of passwords like Dewey01 and a name of the library and I was giving a talk downstate and somebody raised their hand and said, hey, that's my password. So if I'm making up fake passwords and I end up guessing your password, that's probably a good hint that it's a really bad password. And I know this is all, it makes your life much more difficult to have a huge password that's impossible to remember, it's super complex, it's just, it's not convenient. So make it as long as you can. Do not reuse it on multiple websites, don't use numbers in place of letters because that's what everybody does and the password guessers know that and they just burn right through those. You know, use some letters, some upper and lower case, throw some numbers in there, maybe some other random symbols. Bad passwords are the default passwords. As I look over on my new router sitting here, I know that my pass, I have the default password sitting on this still. Dictionary and common words, predictable patterns, passwords from password lists. If you ever, you know, just search password lists and you can download lists of passwords from all sorts of different data breaches and just take a look at them. You know, people use monkey, the most common password is monkey for some reason. And other personal details that are obvious like your pet's names, that kind of thing. So maybe you could think about how likely your password is, how obscure it is, how likely it is to appear anywhere else, how likely is someone else to have ever used that password. 
One piece of advice that people always give out is change your password every so many number of months or weeks, my last job, we had to change it every three months and it felt like it was every three days. But I don't know. My advice is I don't know that you need to change all your passwords every so often but I think the good way to think about it is if it is something that someone could get into and you never know it, that's maybe a password that you wanna change, I don't know, every few months or a couple times a year. Someone has your email password, you might not know it. If someone has your bank account password, you'll know it because your bank account will be empty. Things like servers and routers and things you just forget about, maybe change those every so often. Really, we've gotten to the point where we just can't remember all our passwords. Maybe you can have a strategy, there's all these tools out there to make up good passwords. I use a password manager, actually I use two password managers, one for my work at LYRASIS and one for everything else. So I have, I can't even imagine how many passwords I have and they are all huge. They're all like 20 characters long. I don't know any of them. I know some of them, the most important one being the one for my password manager. So just remember, any password you use, it should be at least unique to the website or the service that you're using. So password policies, if you happen to be in charge of the password policy or wherever you work or you have an annoying password policy, I don't know, it's one of those things where as systems administrators or security people, we have to do something and when things go wrong, we have to be able to say, well, look at this great password policy that I have, people aren't following it. But people tend to respond to these things in really bad ways where they use predictable patterns and really easy to guess passwords that fit into these very common patterns. 
So I thought about it and I think that if it was up to me, I would just say, everyone has to use a 20 character password, which I know sounds absolutely horrible, but it fits in with everything that makes a strong password because it's long, no one has a 20 character password anywhere. So it's gonna be unique and it's gonna fit those two important things and maybe it's really, really mean to have this as a password policy, but it's no worse than any other password policy out there and it's gonna be a good password. You just need to assume that your password's gonna be stolen. Anytime I sign up for a new website, whether it's another, I switched health insurance and I just thought, my last one, Blue Cross got hacked, mine was part of that group. So they got my password and far more valuable stuff out of them. So just assume that password's gonna be stolen and you'll start to think about passwords differently. You have to remember that no one is immune from being hacked. We hope that big things like Google and Amazon and Twitter and Facebook and our bank, we hope, we pray that they will not be hacked because when things like that start falling apart, we're all gonna be in trouble. But really it's not in a case of if this website gets hacked, it's really when. There's all sorts of new things people keep saying that they're inventing the password killer, biometrics and facial scans and your voice and your DNA. I don't know, I don't know if any of these are ever gonna take off, they're confusing, they're harder to use. The two factor authentication is something that's pretty useful. A lot of different places have that as an option and that's when you can have a text message sent to your phone and you use that to log in along with your normal password. Then there's things like OpenID and Facebook and the single sign on from Google and Twitter. This isn't a quote that I have but I came up with but I really like it. 
I don't know what the answer is to these, these all these sign in problems but having a single point of failure when it comes to logging in is probably not the best answer. Okay, so that's it with passwords. Okay, like, make sure they're long and unique. Yes. Where'd it go? Oh, what about on mobile? Do you know any good password managers that work on mobile? Cause long complex passwords are impossible to type in on mobile keyboards. It's something. Oh, that's horrible. Is there like a mobile version of something like a LastPass? I haven't looked into that for myself. So LastPass has a built in browser that I don't even know what it's based on. I think Chromium that will log you in using the stuff in LastPass. Okay, and someone just did say that LastPass does actually have a mobile app. So there's an actual app. I have that on my phone. So for all these password managing sites look for a mobile app version of them and then you can use those to get into everything on your smaller devices. Yeah, I like LastPass. The browser on the phone seems a little buggy sometimes but it does a good enough job most of the time. And what about the safety of them? Someone is obviously concerned about the password managers being safe themselves. Right, you wanna talk about a single point of failure? Yeah, you're putting all of your passwords into them. I know. I don't have a good answer to that. It is a big, huge single point of failure. We just hope that the people who write them really knew what they were doing and hope that no one gets your password to log into your password manager. But the alternative of using a single weak password on all your websites is definitely worse. So it's one of those things where it's, there is no perfect option. It's kind of the least bad option out of all of our things. And so far, those sites have today, and I know this could change tomorrow, been secure and they're not the hackers and the bad people running them. The known ones. 
Yeah, they're doing a good thing. So far that I know of, LastPass and 1Password being the big ones, so far there hasn't been any big trouble with them. And now here's the last, I think we'll do the last question for this. What do you think about the idea of giving false answers that you can remember to security questions? So when did they have those? Yes, if you can remember it, then that is definitely the preferred way to do it. Remember the fake answer you gave? Yeah, that's the problem with those security questions is you don't go back to them much. And when you do, if you gave it a fake answer and you can't remember it, because that's exactly what happens to me. But that's another good reason to have the password manager because you can drop just the fake answers to them in your password manager and you don't have them. Oh, there you go. Okay, cool. All right, go ahead onto your next topic. We're good. Okay, sort of general staying safe online things. Two biggest takeaways here, keep everything updated always and don't trust anyone or anything ever. Beware the tyranny of the defaults. Everything that you install on your phone or computer, there's all these settings in there for keeping it secure and private. Usually they default to being too open and too easy to use and abuse. So just always when you install something new, especially on your phone, pay attention to those, that little window that pops up and says what you're giving it access to. These things are designed to fail open. There's a really famous case from a couple years ago where someone had his Apple account taken over. So this is a case of where it was just a bunch of kids in the basement. They went through incredible lengths to get this guy's Twitter account and in doing so, it just shows how everyone, especially at the time a few years ago, everyone was designed to fail open. 
Apple and they went through Apple and Amazon and I think it's credit card company and they socially engineered people to get his passwords and user names and just the chain that they went through was just, it was really impressive. And all of these things just sort of failed open and that they were able to chain them all together and find their way in. So, hey, this slide is totally broken. So how do you know if your computer is infected? Well, there's all these things that your computer does and this is things that my computer just does sometimes. You think, why is the fan suddenly spinning or why is there weird things happening? But really, most bad guys don't want you to know that they have your computer. They want to hide out there, they want to be able to sell it or they want to be able to do something with it and they want to be able to keep it for as long as possible. Other than people who do something called ransomware which is the biggest trend in hacking PCs where they completely take over your computer and hold it hostage. And if you pay them, I think it's maybe $400 or $500 now you can get everything back. So I get asked that a lot. Is my computer infected? Have I been hacked? And my answer is always, there's almost no way to know for sure. But in general, look for weird things that are in the startup menu. Weird new browser plugins, unexplained network connections. And frequently, but not always, your anti-virus, anti-malware stuff, make sure that it's running and enabled and checking things. It does a pretty good job most of the time. So this is how the bad guys find their way into your computer. The biggest way is you're just surfing the web and you search for something completely innocent on Google and land on an infected website and something gets downloaded and suddenly starts up and bam, they have your computer. Same kind of thing can happen on your phone. 
I just recently read about a website that had been hacked and someone had put in some malware that was targeted at Android phones. So that was kind of interesting. It's the first time I've seen that sort of out in the wild where a phone operating system was being targeted. Anti-virus software, anti-malware, the firewall, everything else on your computer, it doesn't always work. Think of it as a seatbelt, not a force field. This is a quote from someone at Symantec who makes all that stuff and it concludes with anti-virus software alone is not enough. And really, the important thing is, especially if you're at a library and you have 20 or 50 or 100 PCs, you can't rely on just anti-virus software. There needs to be other things in front of it and behind it. This research is from a few years ago, there was a big worm called Carberp and most of the computers that they found it on had some kind of anti-virus software on it. In general, the exploits that people use are just sort of well known. They're in those kits that we looked at before. Everybody is after the same thing and every once in a while, something called a zero-day pops up and starts getting used and that's when a bad guy finds something that no one else has and there's actually a market for these things. There's companies that specialize in finding new security flaws and they sell them and buy them and trade them but that's still relatively rare in the sort of the general world. You're probably not gonna be targeted by a zero-day. So when it comes to your desktop and laptops, make sure everything is updated and patched all the time. Don't trust anything. Links, downloads, emails, messages, instant messages, anywhere. People do their best to take over email accounts and social media accounts for this reason because you see something from someone you know and you're likely to trust it. And of course when all else fails, make sure you have backups. 
If your computer, I mean even if you just drop your laptop, you wanna make sure everything's backed up. With mobile things, think about if I grabbed your laptop or iPad now, what would I have access to? The answer really should be nothing. It should be locked and it should have a password on it or a pass code and I should not be able to get into it. So on your laptop, there's things called Prey and LoJack. There's a lot of other different ones. Basically it's find my laptop kind of thing like your phone, whether it's Android or an iPhone. Make sure that you have a password on your laptop, on your phone and everything else. And in general, this is one of these convenience over security things and I don't follow this advice. Sign out of everything and do not save form data because if somebody does get your laptop or your phone or whatever and you're signed in everything and you have all your passwords saved in your browser anyway, you just gave them access to everything. I love this: carry a safe, not a suitcase. And it is sure far more convenient to carry a suitcase than a safe. So which one of your accounts is the most valuable? Is it Facebook or Twitter or your bank? Maybe your health insurance login. I can't hear anybody talking to me but I hope everybody's saying, because everybody does always say email. And I think that's true because everything goes through your email account, right? If you think about it, all your password resets go to your email, all of your statements, your monthly statements, everything goes in your email. If you own the email, you own the person. So do your best to keep your email as secure as possible. Don't trust anything, a link, especially if it looks weird, if there's an attachment, you weren't expecting it. Just hit reply and ask, is this real? Don't leave yourself logged in. 
Second factor authentication, I think all the major email providers have this as an option where you can either get a little app on your phone or you can get a text message sent to you. And of course we all know what a good password is. Your email password should be one of your best if not the best. And this is one that I don't have in my password manager. It is fairly long, it is definitely unique. And I just, I don't know, that single point of failure, it's one of the few that I keep out of my password manager. Still a good password, but I'm able to remember it and I do change it up every once in a while a little bit. So here's a perfect example of never trust an email. This is an email from three years ago, the date's covered up on my computer here, but I think it's from 2012. This went out to the PubLib, however you say it, listserv, which last I knew was several thousand people. And all it is is a link to kingsgardenrestaurant.com and I can tell by looking at it, it's a hacked WordPress site. And if you follow me on Twitter at all, I'm always screaming about updating WordPress. And this is exactly why. And so this email went out to what, five, 8,000 people and you better believe that at least a couple of them thought, oh, what is this? And clicked on it and very bad things happen. So web browsers, somebody asked about web browsers and plugins. This is maybe the most important security decision to make. I think all three or all however many web browsers you wanna say there are now. Internet Explorer, Firefox, Chrome, and Safari. They all do a pretty good job. Security's front and center for all of them. Firefox, I think does a pretty good job. Maybe they focus on especially the privacy things more than the others because that's their big thing. And of course, the plugins. This is the common, the single point of failure that all of our web browsers have in them. 
This is, if you think like a bad guy, if you're gonna write an exploit, you could write one for Chrome and one for Firefox, one for Internet Explorer and one for Safari, but that's a lot of work. But you know that all of those browsers have Flash in them or they all have Java in them. And so if you wanna go after something, then you're gonna focus. You're gonna say, I'm just gonna focus on Flash exploits. I'm just gonna write Java exploits and then I'll be able to get into anyone's computer. Java especially, although the last year or two they've been doing a much, much better job of being more secure. I just recently, last week had to run a Java tool to get into one of my servers and I ran it on my Mac and it was such a pain to get it going. I was really impressed. So especially I think OS, the Mac OS does a really good job of really blocking Java things. So general browser advice, if you can use two, keep them both updated, have one locked down to a ridiculous degree and use that one if you're just kind of searching and just sort of surfing the web. Know your settings, make sure all the important updates and that kind of thing are all updated. If you can limit JavaScript running, if you shut off JavaScript, it makes the web browser and browsing the web extremely safe. That'll block out so many, such a huge percentage of exploits. And it also breaks just about half of the websites you go to. So there are plugins that allow you to flip that on and off. In general, try to use secure connections, HTTPS and something to block ads. So this is something that I don't recommend lightly but ads have gotten pretty evil lately. 
And since we're talking security, I think it's important to think about running an ad blocker, which I know Google and everyone who has ads on their site absolutely hate and so I don't recommend this without some discussion but there are a ton of bad ads out there and they either lead to bad places or better yet, someone has found a way to embed something evil in the ad itself. Google admitted to blocking 50 or 524 million ads and removed a quarter of a million sites from spreading malware last year and that's 50% more than the year before. So there's a lot of bad stuff hiding in ads out there. This is a great quote. This Mozilla just recently put in this neat little blocker that doesn't necessarily block ads but it blocks trackers. So it blocks a lot of cookies and little images that are used for tracking and that kind of stuff. And I thought this was really interesting. She said, advertising does not make content free. It merely externalizes the costs in a way that incentivizes malicious or incompetent players to build things like Superfish, which was on Lenovo's and maybe other laptops where it was just sort of spyware built right into the laptop. So I don't know, I run an ad blocker because it speeds things up and makes things nicer and chances are I will never want whatever it is they're trying to sell me. And I think it just, it makes things safer but I don't do it without realizing that I'm blocking a lot of income or a lot of possible income for people. Yeah, I actually do ad blocker on everything I use as well just cause I, not, well partially for this safety reason but just for the annoyance. I just don't want all, like you said, it's not anything that's gonna ever be relevant to me or I'm never going to click on any ad I see online to get to something. If I'm interested in something, I do a search and find the actual sites. I have never clicked on an ad and said, oh yes, this is what I happen to want. So yeah. 
Yeah, and I'll pause it every once in a while. I did last week, I have a big old tree in my backyard I need to get taken down and I wasn't exactly sure what the best place was but I thought, I'm gonna pause this and see who has ads in the Google search results and it was kinda like, I don't know, maybe using the yellow pages in a way but then I forgot to unpause it and everything looked different. Yeah. Everywhere I went there was ads and flashing things and it's just quite a shout out. I do like in some cases I'll see where something that, it's called ad blocker. Sometimes it blocks things that are, it considers ads but kind of aren't. Like I've seen things where it's actually it was part of the website and it says, this is blocked, do you want to unblock it just temporarily to see what it was? And I do like that feature that it will say, let you know sometimes that there was something here it might, and then you can just check, take a look at it. Say, oh nope, I didn't really close it up again. Yeah. So a Wi-Fi whether it's at home, well this is mostly for home advice. There's not much you can do to make your Wi-Fi in the library all that secure because. Oh, we do have a question actually. Sorry, sorry, it just came up that going back to the ad blockers that is, I know part of the answer, I'm not sure. So ad blockers will block ads inside Facebook and Yahoo Mail, et cetera. I know they'll block in Facebook because I've seen that in your own mail accounts too when you're logged into your web mail. I don't know about Yahoo but I know they do on Gmail because I use Gmail and I don't see ads in there. So yeah, anything that you're doing in your browser they'll, yeah. Yeah, I think it's pretty easy. I mean, they just sort of have a blacklist of, most of the ads are served out of particular URLs and they just redirect those to localhost and it's pretty effective. Yeah, are there any more questions on browsers and anything else? 
Well, someone did say, I think it said, what is your opinion of search engines like DuckDuckGo? Yeah, that's a step. So DuckDuckGo is a search engine company that it's kind of like the librarian version of Google where they really go out of their way to protect privacy. They don't track you and that kind of stuff. I don't ever use it. I think it's a great idea but really I'm just too lazy and I don't care enough about what Google knows about me to be that dedicated to it. I don't even know if there are any other things like DuckDuckGo out there. But yeah, I think it's a great idea and I wish more people would sort of push that. I think Firefox, Mozilla is doing a great job with their new focus on security and privacy and that kind of thing and I hope that's the kind of thing that catches on a lot more. DuckDuckGo is definitely fighting the good fight. Any other questions on it? Although someone did mention the Tor browser. Yeah, well there's another huge step. So Tor is a sort of separate network within the internet where it starts at your computer and it goes through a whole bunch of Tor routers and every time it hits a router it gets encrypted and decrypted and comes out the other end on a Tor endpoint and so it's a lot more secure. If you wanna talk about making your stuff a lot more obscure, then if you're really, really dedicated look into the Tor. But it's also one of those things that sends up all sorts of red flags to the NSA and everything else. You go from being one in a billion on the internet to one in like a thousand on Tor. So there was a really interesting case. I think it was at Harvard. It was at a college in the Northeast where someone sent a bomb threat or did something really stupid like college kids always do and he did it through Tor thinking that he would be completely safe except he was the only person on Tor at the time it was done. So he was very, very easy to spot on the college network. So it had the exact opposite effect. 
So things like Tor and that are, you know, they're good at defending against other things but there are unintended consequences. Yeah and someone also said in the chat that Tor also significantly slows down your connection because of what it's doing there, yeah. And someone did also share a link. You're talking about Firefox, the tracking protection, an article about that from Digital Trends. So I will include that in the show notes afterwards as more information about that. The Firefox tracking protection feature that also speeds up your web browsing it says. Yeah, it's pretty neat. It just came out, it's not, you have to go into the settings thing to enable it but it's a step in the right direction I think. And someone did just make the comment talking about ad blockers and unfortunately it is true. So if a library is going to pay for a Facebook ad in its zip code there's no guarantee it's hitting its audience because folks may be running ad blockers. Yep, that's their choice. Yeah. Not only that but Facebook is really pretty evil when it comes to that, they're only showing it to some small percentage unless you pay even more. So it's something to try and you can get statistics on that and see how it is going. But yes, people do have the choice to use their browsers and their connection how they want to. Yeah, I know, that's why I always discuss it more than I should probably. I feel a little guilty. Cool, all right, that's what we have now. We do have one question that's been coming up about how patrons at the library can stay safe on the public computers but I think a lot of what you've been talking about that we can do personally is the same thing they can do. Yeah, that's coming up to... Yeah, more about that. Okay, all right and then I just want to let everyone know it is actually 10, 11 a.m. central time now, yes but we will keep going until Blake is done. We sometimes run long on the show and that's fine. We won't get cut off or anything. 
We'll go as long as it needs to to finish up with him and any of your questions that you have. No, it's okay. No, it's good, we've got these discussions going. Not a problem. If you do need to leave, go right ahead. We are recording and the archive of this will be available later and I will email everyone who's attended to let you know when it's ready for you to go and watch if you had to miss on the ending of it. All right. Yeah, like I said, I can go on and on about this stuff so I'll try to speed it up a little bit. All right, go ahead. So your Wi-Fi at home, definitely make sure it's encrypted. Have a password on it. You can do other things like limiting it by MAC address and DHCP. Definitely make sure you check for firmware updates maybe once a month or every couple months and if you're not using it, maybe you just shut it off. In general, public Wi-Fi is trivial to, I don't wanna say hack, but observe traffic on. There are very easy to use, free to download programs that just let you watch what everyone's doing through unencrypted connections. So I'm not saying don't use public Wi-Fi, use it like someone is watching you. How's that? Social media, I think we covered this enough already. You know, adjust your private settings, privacy settings, use secure connections, everybody defaults to that now already. Be skeptical of everything. Watch the apps that you have given, excuse me, given access to your Facebook and everything else. Very common threats, you probably have seen them. They show up in my feeds every once in a while too. If it looks too good to be true, then it's probably something really evil. This is a really old comment from MetaFilter that's kind of taken on a life of its own but I really still like it. If you're not the customer, you're the product being sold. The cost of all these things are privacy. So for your mobile devices, your phones and your iPads, it's not all that different from everything else. Make sure there's a password on it. 
Put a case on it. I was gonna post a picture of my phone, my shattered phone that I dropped on the floor last week that somehow still works. It's not a good idea to leave your Wi-Fi on when you're walking around. You don't want it to connect to random Wi-Fi networks. Make sure you know what your apps have access to. Keep the iOS updated. If you can, Apple's really good about forcing updates, Android, not so much. Keep it backed up, set it to remote wipe and don't store any financial or important data on there. There are antivirus programs available. Not really sure that they are really worth it. Maybe, depending on how much you do through your phone, but in general, I'm kind of on the fence about recommending those. Same thing goes for your phone as for a laptop. Do your best to carry a safe and not a suitcase. Okay, so security in libraries. By now, hopefully you're starting to think different about your library. Maybe you thought, well, we're just a library. No one's gonna target us. We need to worry, if we're a library and we have 20 public access machines and 20 printers and a few routers and all these things with IP addresses, this attack surface gets really, really big, really, really fast. And if we're a target at home, we're a bigger target at the library. Most of the, so this is from the Verizon DBIR from four years ago, which I didn't even need to update. It came out a couple months ago and these numbers are almost exactly the same. They don't change. Almost everyone, all the businesses from this report that comes out every year and really the numbers would probably be the same for the libraries. They're just targets of opportunity. They're bots, they got picked up by bots or just someone who was bored one day. If you're plugged into the internet, if you have an IP address, you're getting scanned constantly. 83% of the targets were just hit because they were there. 
Most of the attacks were easy because someone forgot to change a password or update a firmware and almost all of them were found by someone else. The bad guys are really good at getting in and hiding. You won't know if they're there. And really it's easy being a bad guy because if I'm a bad guy, this is my full-time job. I work, I don't know, eight hours. Maybe I work four hours another day but I have a hundred or a thousand or a hundred thousand bots out there doing all the hard work for me. And if we're a library, we have to remember every single thing that's plugged in. We have to remember to update the firmware and change the password and then remember the password and remember that thing is in the closet and it hasn't been updated for five years. The bad guys only need to succeed once. They only need to find that old router we forgot about or any of these other things. But it doesn't mean we should just give up and not try to do anything. It does take more than just saying, well, I've heard this time and time again, oh, we have a firewall. So it makes us safe. And of course, every single thing that's plugged into the internet, every company, everything that's ever been hacked has a firewall. So firewalls are fine but they are very similar to antivirus in that it's not a force field. It's more like a seat belt. So in a library, especially this whole idea of layers of security is very important. You want that firewall, but you also want things like a VPN and intrusion detection system. You want anti malware, spam, antivirus on all the public computers especially, but everything else. And you wanna do the things that we've already talked about. You wanna keep everything patched and have good passwords and everything else. And you want to, as much as you can, have people trained at least to look at things, have at least the very basics of what we're talking about today, have someone come in and talk to them about this kind of stuff so that they're aware of it. 
In a library, we have all these things plugged in. We have any number of vendors. We have threats coming from outside of the library, from all around the world, from these botnets that just never stop. And then we have people who come into the library and either they purposely try to cause trouble or inadvertently they go to a website and download something and they don't notice. Our library is full of people and people are just the worst. We're terrible at security. It's hard to think about. It's hard to do and it's just people are in trouble. So I don't want to ignore it and just think you're safe. You want to be prepared. You want someone to think about this stuff and you want to make sure that there's some kind of training that goes on once in a while so people know that these things are really a problem. You want to do something. You want to do anything to make the bad guys' job harder. This is, I sort of rewrote this quote from earlier. Safety here doesn't mean inaccessible; a competent and determined hunter armed with the right tools can always find a way in. If there is a talented hacker or a talented bad guy after you, they will find a way. But that very rarely happens and that's not really, we could spend all our time worrying about that but it's not worth it. We want these less committed folks, these bots, these things that are scanning for common exploits and holes that are everywhere. We want them to just sort of have a look and say, well, this isn't worth it and move on. Yeah, that's something I was gonna, I thought when you first started the presentation, it's like a crime of opportunity is what you're trying to prevent. It's just like people who think that it's a safe area and they leave their car unlocked compared to the ones that are locked. The people who are the criminals are just going trying car doors and the one that's unlocked is the one they're gonna get into and all that took was that little bit. 
That's what you're trying to prevent is those kind of lazy hackers, less, like you said, less professional ones who are just doing it for, and once they find one, they're looking for the easy access. We're locking our car doors, we're not leaving our laptop on the front seats. It's that kind of thing. So we have all of these things in the library to protect, anything with an IP address could potentially be hacked. So somebody asked about public access computers and I don't really know, I mean, if I wanna be a crazy IT security guy, I would say that you should never ever let people touch your computers because they're gonna do bad things, not necessarily intentionally, but I don't know, I think a sign like this would probably end up scaring too many people away, but maybe your public access computers should have some kind of little thing on it. Probably no one's gonna sit there and study it and read it, and it's probably not gonna change a lot of lives, but maybe it's one of those things that could help raise awareness around the library. Just sort of gently reminding them that this is something that's used by a lot of people and there could be bad things hiding here. I keep repeating myself on this one. Anything that is there to protect your public access machines could possibly fail, and there is a really good chance if it did fail that you won't know it, and it doesn't matter if it's antivirus or Deep Freeze or anything else. Things find their way in, things hide out, and things get recreated when it gets restarted. 
So some easy things to do is make sure that you have these policies in your library where someone's keeping track of things being updated, have some automated checks, keep an eye out, there's a website, one of many, there's one called pastebin.com, and this is where a lot of usernames and passwords get dumped, and you can set up searches there, and I have, I don't know, maybe a dozen or so searches preloaded here, and any time either Lyrasis or LIS Host or some of my usernames show up there, I get an email right away. It would be great if everyone had a dedicated IT security person around, but that's obviously never gonna happen for most places, if not all places, maybe the largest public libraries or academic libraries do. But at the very least, I think someone on the staff who used to stay current have this as sort of an interest of theirs and stay up on what's going on and know what to look for around the library. I always like to ask the question when I'm talking to live people, I guess you're all live, but when people are sitting in front of me, I always say, what's your policy on USB drives that you find around? And without exception, everyone always says, well, we just plug it in and see if we can figure it out. Other people say, well, we just put it in a box because we don't wanna invade their privacy, but USB drives are notorious for passing out viruses and random other stuff, so just keep that in mind. I don't know what your policy is in your library or your personal policy, but that USB drive could be carrying bad things and it's not necessarily that people are doing it on purpose, that they could have something and they never knew it and they lost it and that's how things get passed around. Another thing that's easy to overlook is your domain name. Make sure it doesn't expire. Someone, I see this a couple of times a year, at least where a library forgets to renew their domain name. So just a small practical piece of advice. 
There's tons of places to keep updated. The SANS Institute, their 20 critical security controls. They have, in general, SANS has all sorts of great training materials that are available for free. They put on classes. They have all sorts of good stuff there, so it's a really good place to start. There's a slightly out-of-date, old, who published it? I think ALA published it. Securing Library Technology: A How-To-Do-It Manual. It's, some of the very specific things that they talk about are outdated, but there's a lot of other good things, like how to plan and how to think about security that will probably never go out of date. I think it's out of print now, but if you can find it, it's a good read. So when it comes to training, you wanna do, talk about the things that we do. You want people to think about security different. You wanna think like a hacker. You want people to look at things differently. I found this great analogy at some point where this, to me, looks like that thing that I had hanging on my high school locker, and I knew my combination, and I twisted it and opened my locker every day. But if you're someone who's into picking locks and cracking locks, you look at this and you know that it's this certain Master Lock. You know exactly what to do to it to get it to open, even if you don't know the combination. And that's the kind of thing that you want people to look at differently. So I was looking for a picture of a lock when I was putting this together, different presentations several years ago, and sure enough, I put into Google Image Search, Master Lock or whatever, went to a site, an e-commerce site that sold locks and stuff, and the site had been hacked and my computer got hacked because the version of Java on it was old and they installed some kind of ransomware thing. So I always like to put this in here because I was working on a presentation about security and I got hacked. So it happens, it can happen anytime. 
It can even happen to the average person like you. No, I'm just gonna blow that down. Yes, I know you think I'm perfect, but believe it or not, I'm just not. So if you're gonna do some training in your library, talk about phishing and privacy and passwords and all the things that we've talked about today, maybe send out some kind of email reminder, that kind of thing. This is a topic that can be really overwhelming, I think for a lot of people. So maybe don't have them sit in an eight hour presentation but maybe once a month just do a little bit. As far as patrons go, I don't know, we probably can't do anything, right? I mean, we could put signs up, we can try to gentle awareness and that kind of thing. What you wanna do is the principle of least privilege. Anything that they can touch, you want locked down as much as possible. You want it to be, have them just not able to change anything or get to the back end of anything. It needs to be just as locked down and as useless as possible. Maybe come up with a nice library security mantra for your library where you hit on security and privacy, confidentiality, integrity, availability and access. These are all things, several of these I think already fit into just sort of the librarian mindset in general. So it's not that much of a stretch to add a few other things. And if you're here, you're probably interested, you have a fairly strong interest in IT security. I suggest downloading, there are versions of Linux that are full of all the same tools that all the bad guys use. Download it, install it and take it to the library and see what you can get into. Hack your library in a good way. Figure out what's not safe and what is safe and lock things down as much as possible based on what you can do yourself. It's not all that difficult. There's, the tools are out there, they're easy and they're pretty much the same tools that all the bad guys use. Think evil, do good. 
So that was a whole lot about libraries, keeping your library secure in a really short amount of time. Are there any questions about libraries? What's plugged in and what's safe and that kind of thing? Going back to the wireless aspect, Wi-Fi, someone did say that a good wireless solution will allow the admin to disallow peer-to-peer communications to help with that kind of security. Oh, that's good. Yeah, I don't know a whole lot about the sort of enterprise level routers that are in libraries but I would assume that there's all sorts of good things that you can block there. We have a comment that those Master Locks are super easy to open and a link to an Instructables on how to crack a Master Lock padlock if you just did that. Exactly, if you know what you're doing. Exactly, yeah, and that's just the perfect example. You can Google how to crack a lock. You can Google how to do all this stuff. You can search for how to do all these things. And someone did comment, you might explain what a white hat hacker is which is I think what you were just saying be one of those kind of guys that... Yeah, so there's white hat, gray hat and black hat hackers and black hats are the bad guys. They're evil, they're out to steal things and do all the bad things that we're talking about. Gray hats are kind of somewhere in between there sometimes. Sometimes they're good, sometimes they're evil. And then white hat hackers would be you going into your library and seeing what you can break into in order to make it safe. Ethical hacking and good guy hackers are out there doing the same stuff but for different... Yeah, and there are security companies that have these people on staff on purpose to do this. Or there are companies, big companies will hire someone to come in and say, who does this as a profession, come in and try and hack in and tell us where we need to fix things. But you can do that yourself, be your own white hat hacker. 
That sounds like a fun job to me being a white hat hacker. People hire you to break into their stuff all day. Someone does have a question. So those programs like Deep Freeze that wipe a previous patron's activity aren't really that great or are they? Well... I know a lot of libraries use that. No, I think they're... Yeah, I know. But we're talking about Googling how to crack stuff. Google Deep Freeze cracks and see what's out there. They are there. I mean, I'm definitely not saying don't use them. They're way, way, way better than nothing. But they are, they're a seatbelt. You know, they do a good job, but there's ways around them. And if someone targets them, targets your public PCs or whatever else, they will probably find a way around it. And that's just one thing that you would have in your arsenal of tools for keeping things secure. Don't just depend on Deep Freeze as the only thing you need. You've got to do all these other things as well. Yeah. And then one last question. We have one public IP address for the entire building. Is this a safe method or are our internal computers still vulnerable? Yeah, so they're still vulnerable. I can't say that word either. Yeah, I think that's pretty common. At least with the smaller libraries that I talk to regularly, there is everyone in the building goes through some kind of router and they end up behind one public-facing IP. It definitely reduces your attack surface down from, you know, I don't know, 50 or 100 IPs down to one, which is much easier to defend against. It doesn't mean everything is secure. It's definitely a big step in the right direction. Cool. All right. That's all I had online with questions. Those are good questions. I think that you start thinking about things like how many IP addresses you have pointed at the internet and it goes a long way. And also, it's also exhausting when you start thinking about all the things plugged in. And this is what I think about all the time. 
It's just, it's worrying and exhausting. And so the last section here is server security and this is basically what I do all day. And it's not all that different than anything we've talked about. You wanna keep things updated. You wanna have secure passwords. You don't wanna let people guess passwords all day long. You wanna watch the logs on the servers. Watch for file changes. Make sure there's a firewall. Don't run anything on them that you don't need. So in this greatly shortened version here, when I talk about servers, I'm gonna focus on web servers and just sort of any general website. Keep in mind, tomorrow you could go to your, well, maybe your library's website or your town's website or whatever and it could have been hacked last night. And the bad guys will do their best to hide from people who will notice but they wanna get into other people's computers. So basically, long story short, and I see this all the time. WordPress, especially, there's just bots out there scanning and scanning and cracking. It doesn't matter if you have a tiny little blog that 12 people read. There is a reason somebody wants that and they can sell it or they can use it. So even if you have a tiny little website, you're still being scanned constantly. I see scans and scans and scans. They never ever end. Things like WordPress is really the biggest target out there but Drupal and Joomla and phpBB and all these other CMSs that are out there. So this is a nice little pie chart from Incapsula and what they're saying here is that in general, more than half of the traffic to your website is not people. And I think that's true. When I first saw this, I thought that's impossible. There's no way. And I looked at, I have access to a huge number of blogs here and that's about right. And so they're saying about half of it is not people and about 20% of that half is Google and other search bots. And then 27, 26% of the rest of it is bad people and you wouldn't believe it. 
There's just constant evil bots pinging away. So there's all sorts of ways to get a regular, good website to go bad. There's things called remote file inclusion which you can probably guess what that is. They drop a file on the server. SQL injection which is putting nasty code through a URL into a database. Local and remote file inclusions, cross-site scripting, directory traversal is just a never ending way of, never ending ways to get into a website. So if you're a sysadmin, make sure the passwords are safe. Make sure that people can use any password that they want. If you do encrypt traffic, don't mix it because that kind of defeats the purpose. Keep everything updated all the time. And if you're in IT in a library, maybe make that part of your job, keeping people updated or at least do something to raise awareness of these things. There's something called ModSecurity which is one of many, many tools that you can put on servers. This is a web application firewall and it does a great job of defeating spam, blog spam and that kind of stuff. And also a lot of those other things, the remote file inclusions and SQL injection and that kind of stuff. There's all sorts of other tools that you can run. I like ConfigServer Security & Firewall, CSF. It does a great job of tying up a bunch of things together in a pretty easy way. Okay, that's it. Any questions about servers? I'm never quite sure how interesting this last part is to people. I don't know how many sysadmins or people who are responsible for servers are around, but. I don't know. I don't know, does anybody have any questions about the server side? Nothing came in while you were talking, but. Okay, so really any question, that's about it now. So if you have any questions on anything else, feel free to chime in. Yes, anybody have any last minute desperate questions that they didn't ask already while we still have Blake captive here? I don't see anything. 
A whole lot of people stayed online with us, which is great, because we're almost 25 minutes past our, we started a little late, so I say we're 20 minutes over our hour. Not bad, not bad at all. So in general, just remember, use good passwords, be paranoid, keep everything updated, just do something to make a hacker's job harder. Have someone come to the library and talk to people, have someone make it part of their job. I'm very easy to find if you have any questions or have any specific things, just let me know. Yeah, because I think on the first slide you had website and you had your contact email on there I think. Yeah, I guess I could read. Hey, you don't have it. But as I say, we'll have the slides available afterwards as well for people. So if anyone does want to, like if you wanna send me, yeah, there we go. The slides I can post them, we'll have them up. Somebody just had a suggestion of how to do things, host a hackathon and hand out gift cards for anyone who actually breaks into your site. Nice. Yeah, there you go. All right. All right, doesn't look like any other urgent questions came in and I think we will wrap it up for today. Thank you very much everyone for attending. I'm gonna take back control here. Thank you very much, Blake, that was great. I'm glad we were able to get you on again to, there we go, I'm getting my screen up. There we go, on the show. Like I said, it's been a few years and I know people need to be, well, either things have, new things come out or people definitely need to be reminded about things like this. Anytime. Thank you very much. Thank you very much, Blake. Thank you everyone for attending. The show is being recorded and will be available on our website after. So this is where our recordings will go. Sorry about that, I had to mute. Our recordings will go here in our archives on our webpage. 
So today's show will be here later today when I get everything processed along with our links for our Delicious account where I put everything in here and anything else I may have missed as I was going through. So that will wrap it up for this morning. Thank you very much. I hope you join us next week when our topic is connecting to your community through the Human Library Program, the Pace University Library Experience. This is something you may have heard about: many libraries across the country are doing human libraries, having people come in and you can check out, so to speak, the people and talk to them about their experiences, their jobs, whatever they do. And Pace University in Pleasantville, New York is one library that's been doing this and so we're gonna have staff on from there to talk about their experiences with their Human Library Project. Also, Encompass Live is on Facebook, so if you are a big Facebook user, please do like us there. You'll get notifications of when recordings are available. I do reminders every morning, as I did here today, that today's show is ready to start so you can log in on the fly. So if you're big on Facebook, go ahead and go over there and like us and you'll keep up with us there. Other than that, I think that will wrap it up for today. Thank you very much for attending this week and we'll see you next time on Encompass Live. Bye-bye.