Incandescent Bulb Watts Versus Lumens Chart

It can be very confusing to purchase compact fluorescent (CFL) or light emitting diode (LED) light bulbs because of the way the products are labeled.  They state the equivalency of the light output to the old watt based ratings.  IE 100 W equivalent or 100 W replacement.  However, the real test is how much light is output, which is rated in lumens.  And, the labeling is not always consistent.

The following chart makes it easy to convert the old light bulb measurement of watts to the new light bulb measurement of lumens for comparison to basic omnidirectional lamps.  This way, you can see if that 100 W replacement bulb really is equivalent to the old 100 W bulb, for example.  This chart is based on the US Government’s Energy Star program specifications as well as information for smaller bulbs from Wikipedia with the latter showing a range of +/- 10% from the nominal values.

Any new CFL or LED bulb you buy should produce at least as many lumens as the watt replacement that it says it is.  For example, a 100 W replacement bulb should produce at least 1600 lumens.  Note that the actual power consumption for CFL or LED bulbs will be much less.  For example a CREE 100 W replacement LED bulb actually consumes 18 W of power.

Energy Star Lamps v1.1 Specification
Wikipedia Incandescent Bulb Article

Incandescent Bulbs Watts Versus Lumens

Incandescent Bulbs Watts Versus Lumens – Click To Enlarge

 

Ron

 

Random Thoughts About Two Factor Authentication Or 2FA

I recently decided that I had a need to make my Google mail account more secure because I wanted to receive what you might call “official” mail from certain companies.  I decided to enable Two Factor Authentication or 2FA.  Another term for this is Multi Factor Authentication.

http://en.wikipedia.org/wiki/Multi-factor_authentication

Googling this yields huge numbers of results.  I’ll leave it to the reader to explore as deeply into those as desired.  But, in essence, 2FA makes it so you must enter something other than your user name and password to log into something.  Thus, if your user name and password are stolen as part of a security breach, the bad guys still cannot log into your account.

2FA generally uses A) something you know (like your debit card pin), B) something you have (like your cell phone), or C) something that’s part of your physical identity (like your fingerprint).

Option B, something you have, is particularly useful.  Since the bad guy won’t have this if he’s trying to attack you remotely, this is a good security measure.  A very common technique is for a company to provide you with a physical token or key fob or card, etc. which generally has a button that you press to get a number.  So, you would go to log in, enter your user name and password, then press the button on your token, read the number, and enter that.  Without the token, it is more difficult to log in.  And, a bad guy is unlikely to have your token.

I say more difficult because the companies usually provide a backup way for you to log in without the token if you’ve forgotten it, for example.  This is because they don’t want the tech support overhead of having people who’ve forgotten or lost their token getting locked out of their account and tying up the support reps’ time to reset everything.  After all, you (customers) are only human.  So, while procedures vary from site to site, if you click the link to log in without your token, the site will generally ask you for other data which you’re supposed to know to verify your identity.  This may include things such as the last 4 digits of your social security number, the answer to your security questions, the last payment you made, the last 4 digits of the credit card you pay with, etc.

Unfortunately, this backdoor used to make up for your own humanity can also allow bad guys a toehold to try to get into your account.  However, HAVING 2FA on is still much better than NOT having it on.  So, I recommend it for your accounts which need extra security.  Think of it this way, if XYZ Big Company had a breech and lost it’s security database with your credentials, would you want criminals and thieves reading and posting on your social media accounts or reading your email and sending messages on your behalf?  When you think of it that way, you’ll see that many more of your accounts might be considered SENSITIVE.

Another popular variation on the something you have concept relies on your cell phone.  Most cell phones made within the last decade can receive text messages, although not all users want to pay for that feature.  The general approach is that when you log in, and enter your user name and password, a text message is sent to your phone with a code number or word, etc.  You read the word off the phone and type it into the login screen.  Then the site lets you in.  Again, the bad guy is unlikely to have your cell phone.

(By the way, a related topic, outside the scope of this article, is the use of your alternate communications channels to receive security alerts.  So, for example, your bank could text or call you if suspicious activity is detected.  You generally have to set this up on the security portion of your profile screen for each account where it’s relevant.)

Unfortunately, setting up and using 2FA can be a bit tedious.  And, there are some potholes you may fall into.  Here are some more or less random items from my own experience setting up 2FA on a few of my accounts, starting with Google.  Much of this applies to other vendors too.  (This is NOT a step by step procedure, but covers general concepts.)

* Set up your cell phone for 2FA.

For Google, log into your account, go to your profile, and into the security section.  Tell it you want to add a phone for 2FA, tell it you have a mobile phone, and add the number.  It will want to send your phone an SMS (text) message for testing.  Let it.

* My test text message failed.

I don’t know the reason, but the text message to my phone failed twice.  I’ve never seen hide nor hair of it.  So, in this case, you can tell Google that you didn’t get the message.

* If you don’t get the message, or you’re entering a voice only phone number, tell the system to call you instead of text you.

If you have to use this option, if it’s available on the system in question (it is for Google), then, when you log in, the system will literally call you on the phone and read you the 2nd factor to log in with an automated voice.  Then you type that in.  This will happen every time you log in.  Some systems, even if you’ve requested text messages, will allow voice fail over so you can tell them you didn’t get the message, then they call you.  You may think you’re done now, but you’re not.

* Enter a backup phone number.

Google strongly recommends you enter a backup phone number.  This could be another cell phone or your house phone, etc.  In particular, if you have difficulty receiving texts, or you travel a lot, you may want to set the second number for voice calls rather than text messages.  You’re still not done.

* Retrieve one time pass codes.

As an additional way to keep from getting locked out of your account (on Google), you can access and print or download one time pass codes to allow you to log in.  You should do that.  Now, try to store the pass codes somewhere where the bad guy can’t get them if he, for example, steals your PC or phone.  I store mine in an encrypted note in LastPass.  You’re still not done.

* Go enter your account recovery data.

Google wants backup methods to contact you and verify your identity.  Go to account recovery options.  Enter a backup email.  Also, enter your security question(s).  If you have to try to log in using a method other than your 2FA, these various things will help you get into your account and still, hopefully, keep the bad guys out.

* Your tablet or smart phone was just locked out of your Google account.

Once you’ve enabled 2FA on Google, it’s possible (probable) that your tablet or smart phone will get locked out of your Google account.  That’s because it doesn’t have the 2nd factor to log in.  The solution is to go into the app passwords section of your account and generate a custom 16 character password for your device.  You can even give it a custom name, like “Android Tablet”, or whatever.  Once you generate the password, go to your device, which is probably complaining because it can’t log in, tell it to try to log in, and enter the new password.  Use a different password for each device.

* Don’t trust my PC.

On the login screen, you may see a check box that says trust my PC, or remember my PC, or something similar.  If you check it, your 2nd factor won’t be required when you log in with the same device.  That may apply for a set time, like 30 days, or it may apply indefinitely.  It’s just my opinion, but I DON’T check the box.  And, I make sure it’s not checked each time I log in.  I figure I don’t want it to be incredibly easy for someone to log into my accounts if they stole my pc.

* TADA!  Now you’re done.  NOT.

OK, so now you’re sitting pretty.  Your sensitive account(s) is / are protected by 2FA (if they support it).  You get appropriately grilled by the system to get into it, for something you have, preferably.  But, if you don’t have it, you at least get grilled for something you know that the bad guys don’t, hopefully.  You have backup contact methods so the company can still get you if your phone is lost or stolen or your email changes.  What’s not to like?  Here are some more things to think about.

* What if you have to UNWIND or ALTER all this?

What if your phone number(s) change?  What if your email changes?  What if your phone is run over by a truck?  What if your phone is stolen?  What if your PC is damaged or stolen?  What if your physical security token is damaged or stolen?

I used to own another domain name other than the one this blog is on.  I, literally, had been using it for a decade.  And, I had HUNDREDS of entities sending email to that domain.  Then, I sold it.  Now, getting some spending money was nice.  But, 2 years later, I’m STILL going through the PAIN of people sending me email, some of which I want, to the old domain.  Now, I had the most important email addresses forwarded.  So, at least I KNOW someone is sending me mail.  But, what if I never saw those mails again?  The point is, maybe you want your backup email to be in a different domain than your primary address.  Maybe your primary is email that comes to Gmail and your secondary goes to Comcast, or whatever.  Even if that’s the case, you can still forward from Comcast to Gmail so you don’t normally have to log in to both.

First and foremost, you have to at least know which vendors you have 2FA with and what that factor is.  Easy if Google is the only one.  But, what if you have 5, or 10, all of which have different (or at least some different) factors, different security questions, different procedures, different backup contacts?  This could get to be a royal mess.  In this case, LastPass is my friend.  Every time I set up another vendor with 2FA, at the very least, I put their name in a private note in LastPass.  So, if I ever have to change all my 2FA stuff, I at least know I have to go to Google, my payment site, my other site, my other site, etc. and change all the relevant data.

I also make an entry in the notes portion for the LastPass record for EACH vendor that’s using 2FA.  So, when I click on the LastPass record for Google, for example, to log in, I know right then to expect a phone call or text message.  Finally, I sometimes put data regarding security questions, etc. in those same notes.

* What about your Spouse?  Significant other?  Family?  Executor?  Attorney?  Heirs?

No one wants to think about leaving the scene – permanently.  But, unless we’re around when Jesus returns, we’re all going to leave the scene.  So, do you want people such as those mentioned to have access to your accounts?  Do you want them NOT to have access?  These are complex issues I haven’t nailed down personally yet.  But I plan to be thinking about them.  You should too.

* Two more tidbits.

Here are two more 2FA methods to consider, which I have no experience with.  And, there are probably many more I don’t know about.  But, I wanted to share these for completeness.

Google Authenticator:
http://en.wikipedia.org/wiki/Google_Authenticator

Yubikey
http://www.yubico.com/
http://www.yubico.com/products/yubikey-hardware/

Well, I’ve presented a number of potential issues you need to consider which relate to Two Factor Authentication.  I hope you find the information helpful.

Ron

 

Security TECH Isn’t The Hardest Thing, Security PSYCHOLOGY Is The Hardest Thing

Hi all,

I had a little epiphany during a discussion with someone in a computer security group.

Security TECH isn’t the hardest thing, security PSYCHOLOGY is the hardest thing.

Think about that statement.  For those in the computer security industry, what if everyone you met and dealt with was knowledgeable, concerned, conscientious, and supportive about security?  What if you had all the budgets and people and equipment you needed.  What if all the users knew exactly what to do and what not to do, and followed through on it?  Your job would be a LOT easier.

Think about this.  I told an older acquaintance, after seeing a show about atomic bombs on tv, that if one went off in the upper atmosphere, almost all the cars would stop because they’re driven by and dependent on computers, which would fail.  She didn’t believe it.  She COULDN’T believe it.

Now think about this.  We tell Joe User, Joe CEO, Joe Manager, Joe Entrepreneur things like, if you do nothing other than go to the wrong website, that you think is the right website, that you could get a criminal invasive remote control system installed in your machine.  That, once it’s there, someone in (small country on the other side of the world) monitors you and sells your data.  That your machine, Mr. / Ms. User, will be used to terrorize other people.

They DON’T believe it.  They CAN’T believe it.  Even if they sort of believe it, they don’t / can’t COMPREHEND the level of risk or fallout.  Even if they sort of comprehend that, they can’t believe that THEY are likely to be affected.  And, even if they sort of get that, they can’t BELIEVE that the vendors and manufacturers would let that happen.

That’s 4 brick walls you have to get over.

A) The threat exists and it’s real, not fictional.
B) The level of danger and fallout from an attack is substantial.
C) The entity (user / company) in question is likely to be affected.
D) The manufacturers and vendors won’t prevent this from happening.

(
Edit 09/23/14

I just wanted to mention that I’ve added a 5th psychological brick wall you may have climb over.  This comes from an actual experience with a user I know.  Some of the websites he was visiting weren’t working because of noscript, etc.  We were discussing it.  He was upset, so I take that into account.  He said:

E) I don’t care if my pc is infected.  I just want the (bleep) computer to work.  I don’t put anything confidential on it.

My response was, regrettably, a bit rude (sorry).  I essentially said we WILL be securing this pc and it WILL be a bit harder to use and we WILL NOT (knowingly) allow it to be used to harm other people.

While I’m not proud of my un tactfulness, this is exemplary of another psychological barrier that you may encounter.  I’m sure that the user would care if he fully understood the issues and implications.
)

Everything stated in that prior list is psychological.  Talk about defense in depth.  The psychological defense in depth is formidable.  We must get past that before we even start on technology.

Unfortunately, I don’t know a good “patch” for the human brain.  But, the more inroads we make there, the more likely we’ll be to get more of our nifty tech deployed.

Ron

 

Hello World!

Hello world!  This post was created by WordPress automatically during the creation of the blog.  I edited it, but I’m leaving it to commemorate the start date.  Hope you enjoy the blog.

Ron