Monthly Archives: February 2012

Is your cloud data safe? 0

UnlockedI’ve had it.

Today, I went to search for some cloud-enabled task management software. My needs were simple: It had to be able to run on OS X, and it had to be able to sync with iDevices that weren’t on the same network as the Mac. There are lots of tools out there that can do this.

Then I read the fine print.

Either they sync via Bonjour – and therefore only work if you’re in the room with your Mac – or they use a cloud provider to host the data being synced. Sounds reasonable, right?

Not really.

Only one tool I found allowed for non-Bonjour sync and protected my data from being stolen at the Cloud.

Here’s what happens. When you’re doing a non-Bonjour sync, you need to send the data from your desktop to a cloud provider (typically the vendor’s own servers somewhere out on the Internet). That’s all good, and all of the vendors I looked at used https (SSL) connections to get the data to and from the servers. The problem was that the server data was not encrypted.

That’s right, vendors are making a HUGE deal of encrypting the data in-flight, but then storing the data in plain-text on their servers. Granted, they have good physical and at least good-looking digital security, but that didn’t stop anyone in the past from stealing data like credit card info from similarly shielded servers. Data thieves find a way around physical and digital security easily, and a good, encrypted data format is often the only thing that stands between a vendor and a total PR nightmare.

Before I get flamed to death in the comments section, I also realize that encryption can be broken if the thieves are dedicated enough to getting the job done. But that’s no excuse to not even TRY to keep them from reading the data if they get in.

When I went to find a syncing note-taking application, I found the same thing. The leading vendors store the note data in plain-text on their servers, easily accessible to anyone who gets past their firewall. The claim is that they cannot encrypt or else searching wouldn’t be as in-depth as it is now – but again, not offering it at all isn’t acceptable. I – and many other users – don’t use the web interfaces for these things except in dire emergencies. The whole point is that these solutions sync with desktops and smartphones, which can index locally. So web-site-based searching isn’t the biggest thing we’re looking for anyway. We’d gladly exchange a limited amount of lost functionality that we barely use, for better security overall.

Platform as a Service vendors need to wise up and start storing data in an encrypted format. I realize this means that some things like universal server-side search might suffer, but that’s better than having a data thief get their hands on everything as soon as they make it past the security by guessing some server tech’s woefully easy password.

These vendors are sitting on a time-bomb. Sooner or later some high-profile target will use their service. Thieves and hackers will go after that unencrypted data and take everyone else’s they get their hands on in the process.

So, take a few minutes and check that your PaaS vendor is keeping your data safe in the cloud. You might just be surprised to learn that their idea of “data protection” is encryption of the transmission method, but they’ve left the lock off the data sitting on their servers. Telling me that you’ve mined the road doesn’t help me when the thieves find a way through or around it, and proceed to steal all the valuables inside because the front door is made of tissue paper.

By the way, the tools I found were:

Note taking with Notational Velocity on the Mac and Notesy on the iDevices (with thanks to @BMKatz on Twitter) fits my needs. These tools sync via DropBox. While not incredibly well known for data security, DropBox does at least attempt to keep data safe on their servers. If they manage not to have any more “oops, we forgot to turn on password validation for a few hours” moments, they’re going to be doing just fine.

For task management, I use ToDo with DropBox syncing. It is available on multiple platforms and does a great job of showing what tasks I need to do now, and later.

Both sets of tools store local copies of the data too, so if I’m not connected to the net for some reason, I can still work. I can also search quite quickly and easily because they index the data locally too.

Stay safe out there.

Photo Credit: dylancantwell

Full Disk Encryption, the good and bad 0

Lock03Since Snow Leopard, OS X machines have been able to encrypt sensitive data on your machine. It has evolved in Lion, and you might indeed want to turn it on, but deciding when and where to do so is something you’ll want to get some background information on.

In the System Preferences page of your Mac, you’ll find the Security Privacy page, which has a tab for FileVault. In Snow Leopard, this would encrypt your User’s Home Directory (./Users/UserName) and nothing else. Good, but that still left a lot of potentially sensitive data unencrypted.

In Lion, FileVault was extended to be able to encrypt the entire system drive. This let you lock up your whole OS X system, including OS binaries and all data that was on the system drive itself. While this still didn’t cover any external drives, it was a huge step forward in data protection.

FileVault in Lion doesn’t seem to slow down processes on Core i type systems, which means that if you bought your Mac after 2009, you probably won’t notice any difference with File Vault enabled. There are some slowdowns on extremely disk-intensive applications (like video editing) but otherwise it should be invisible to you.

The one exception is boot times. Booting up from a powered-down Mac can take a while longer on iMacs and other non-SSD machines when FileVault is on. Personally, it added about 2/3 of a minute to my boot-up times on a 2010 iMac. On an SSD Macbook Air, I noticed no difference in boot times with FileVault enabled, so it appears to be just read/write speed that makes that operation take longer on the iMac and MB Pro.

Now, since only boot times and very intensive applications seem to have any slow-downs, why wouldn’t you use Filevault? Well, there are a couple of reasons:

– You boot into Windows via BootCamp and work a lot with files on your Mac’s system drive. Since the drive is only available while OS X is running, you can’t get into it via BootCamp.

– You use an offline backup tool. This is pretty rare, since most common personal backup software works while you’re logged into your account, but if you back up your Mac while you’re not logged in, there will be issues since the disk is locked out when you’re not logged in.

Otherwise, FileVault is a good idea. Portable devices an be stolen, and using FileVault will help to insure that at least your data doesn’t become public knowledge for thieves. Yes, they’ll still have your Mac – which sucks – but they won’t have access to your bank account information.

Even for non-portable devices, it’s not a bad idea to turn FileVault Full Disk Encryption on. Burglaries do happen, and computers are a hot commodity for thieves. An encrypted system is still lost, but at least your data will not be sitting there waiting to be stolen too.

For external devices, you can encrypt data, but not with FileVault. TrueCrypt is an open-source, free encryption tool that can create a protected directory or even encrypt any non-system drive entirely. Great for use on those removable USB hard drives that might contain private information. There are many tools that can do this, but TrueCrypt is great security at a great price, and actually worth much more than you pay for it (not often true of free software).

So unless you’re editing videos or doing Photoshop work for most of your day, Full Disk Encryption is a good idea. It’s part of the OS, and easy to configure. Not a bad way to take that extra measure of protection without completely changing the way you use your Mac.

Photo Credit: Zitona

Remember, it isn’t private, ever. 0

MegaphoneWhen using social media services, the biggest mistake folks make is to believe – even for a minute – that anything they say is private. That leads to embarrassment, possible employment termination, and lots of other consequences.

For example, many users believe that their Twitter direct messages are not shared with anyone but the recipient. That’s not necessarily the case.

When you DM someone on Twitter, the message can be seen by everyone who subscribes to their timeline if:

– There is an image attached to the DM – image services are not private, and will carry the text of the message as a caption to the image on the photo-sharing site.

– There’s a link or you use a tweet shortening service (like TwitLonger). This one burns people even more than the image services, as you may have a shortening service enabled for all tweets in a 3rd-Party Twitter product on your desktop or phone. Bit.ly links and other URL shorteners are also public, so links in tweets can become public very easily.

– They retweet it. Twitter will try to stop them from doing that, but there lots of ways around that.

– You accidentally replied instead of sending a DM. It’s easy to do, and you’d be surprised how many times it happens.

On Facebook, all the default security settings make nearly everything in your profile and posts public information. Even if you think your data is shielded, a change to profile information policies can flip things to public without warning – it’s already happened several times.

The same goes for Pinterest and other sharing sites. Even though you can try to keep everything private, the sites are designed from the ground up to share, and with one wrong click the world can see whatever you posted.

Just before this went to post, Eileen Brown posted an article that proves the point. Twitter is allowing 3rd-Party companies to mine historical data from their archive, which means that your tweets could be used by another company. While they don’t seem to want to expose DM’s, one poorly-coded script could make that happen.

So, use social media wisely. Remember that it’s supposed to be SOCIAL, and that sites and networks are designed to facilitate public communication. Even if you think something is private, there’s a good chance it’s not – or it may become public later.

Photo Credit: floeschie

Growl Comes Roaring Back 0

With Apple’s release of beta code for the upcoming OS X Mountain Lion release, one thing had many folks talking.

The Notification Center, a very popular component of iOS 5, will be coming to Mac desktops and laptops when Mountain Lion is released. This led many (myself included) to think about how Growl would be able to continue when the OS began to incorporate that functionality natively.

Growl – for those who haven’t seen it – is a notification app that runs on nearly every Mac. If you use applications that pop up notification windows to alert you of events, you’ve probably seen Growl in action. A few months ago, Growl went from a free application to a paid app, and suddenly a great number of people who never even knew it was on their machines became very aware of it. Having to pay for the new version will do that to folks.

For the most part, the switch to a paid app was accepted well by the general public. While it’s worth every penny of the US$1.99 they charge for it, that is because there isn’t another app that works as well, as seamlessly, and as integrated to the OS itself. Now, with Mountain Lion getting Notification Center, the folks behind Growl have a real fight on their hands.

To kick off the battle, Growl has posted a blog article showing all the ways that we’ll still need – or at least really want – Growl on the OS X platform.

The argument is pretty straightforward. The Notification Center platform will only cover apps bought from the Mac App Store, and will not have all the functionality of Growl itself.

That’s great, but there’s an issue that may still cause problems for Growl. More and more new Mac Users only know about the App Store for getting new software for their Mac. They rarely use non-App-Store-purchased packages, and therefore don’t need a 3rd-Party alert tool.

I think that Growl will continue to be a great application. For Mac users who get software from multiple sources, it’s still a vital app to have; and even if you only use the Mac App Store to buy software, there will be many apps that continue to stand by Growl.

With luck, Growl will indeed integrate into Notification Center, but continue to supply alerting and tracking to all apps on Macs.

Photo Credit: Ernst Vikne

Yep, I got hacked! 0

HatchetWell, that happened faster than I thought.

Yesterday, I spent quite a few hours rebuilding my blogs, as nearly all of them managed to get hacked. It was a porn-site redirection attack, inserting javascript into each and every PHP page in the WordPress system.

It started with one blog, but by midday, it had spread to three of my four sites. The site that got hit first was the newest one, so it was surprising that a site with very little traffic was indeed a target to someone out there.

While this issue is never fun to deal with, I expected it would happen at some point, and took the appropriate precautions. They saved my bacon.

Luckily, I have a few friends in the security world, who had armed me properly for how to identify and overcome an attack like this. They also had me prepare to block such attacks, but in this case the hacker found a way around the defenses. That’s not unusual, as new attacks are created every day, and tools like WordPress firewalls and exploit scanners only update so fast.

So, how do you prepare for a potential attack?

1 – Prep your site. Install plug-ins to ward off the more common attacks before they hit. The WordPress Firewall and Exploit Scanner can help quite a lot with this. Both tools were able to deflect quite a few attempts to access my sites before whoever got there yesterday found a back door.

2 – Know what’s on your site – always. There’s a great plugin called WordPress File Monitor that scans your files regularly to see if anything has changed, and alerts you by email when it finds anything that has changed. Sometimes, it gets annoying, but this time it let me know that all my WordPress files had changed at once. This was something that allowed me to address and fix the problem so much faster than I would have been able to do otherwise.

3 – Back everything up. There are plugins that can back up entire WordPress sites – with their content databases – to Amazon S3, DropBox, or your hard drive. Use them! If you do get attacked, you will have to restore from a backup, and so you better have one handy. I had been backing up, but a configuration error meant that many posts ware lost. I have copies, but that will take some time to restore manually.

Luckily for me, I saw the attack happen, confirmed it, and started cleaning up everything all within hours of the actual attack. That kept my readers safe and my headaches limited to the fact that I mis-configured my backup and lost some posts.

And if you do get hacked?

@Snipeyhead – a noted WordPress Security expert – has posted a great guide on what to do next. You can find it via this link. [Note, she does not pull punches, verbally or visually, so her site is very mildly NSFW] The article is a bit old, but the strategy is sound, well researched, and spot-on still today. Follow the process she shows in that post, and recover what got hit before your visitors get infected by drive-by downloads or you lose face due to defacing of your sites.

Remember, change ALL passwords, including the FTP/sFTP logins and your web host login. That’s in addition to the site logins, database logins/users, and any other security info you have on your site. If you can’t identify how you got hacked, then play it safe and change everything.

Now that everything is back online, I can say I weathered the storm. It can be MUCH worse, and it’s never fun, but you can indeed overcome attacks against your site quickly and effectively if you prepare ahead of time.

Photo Credit: neoliminal

Can you hear MP3 now? 0

This AM I downloaded the audio for the Republican Primary 2012 Debate from the 19th. Before anyone asks, I feel strongly about listening to ALL candidates before making any voting decisions.

The issue is that nearly every version of the audio and video I found has horribly low sound levels. On a PC, you’d use a 3rd-Party product to re-code the MP3 to a higher audio rate, lose a little bit of quality, but get a file you could hear clear sound on.

On a Mac, it’s actually easier!

Credit where it’s due, I found the basic instructions here on POI-Factory, but there were some hiccups along the way with iTunes 10.5.1 (the current version for Lion).

First, download the audio. You can get it from wherever you want, I found it on Ron Paul’s podcast. His Podcast team has been posting the audio from every debate within 24 hours, so very convenient; and I didn’t have to do anything quasi-legal like recording the YouTube version.

Next, load the audio that’s too low into iTunes. The easiest way is to just drag and drop the file from wherever you downloaded it right into a playlist. If the audio in question is a podcast, then you can just find the podcast episode in iTunes.

Right-click (CTRL-Click) the track in iTunes and go to “Get Info”

Go to the Options tab

Slide the Volume slider to the right to increase the volume level for just this track and hit OK.

This may take a little trial and error to find the right level for you, but iTunes will remember the level each time you hit OK.

By the way, the same trick works to LOWER the levels, should you ever download an audio file that has the levels set way too high.

Changing Default in OS X 0

I often check Replyz to give back to the Social Media community and answer questions folks have on a few topics that I have some knowledge of.

One of the frequent questions on using Mac OS is “how do I set the default application for a file type?” It’s actually pretty easy to accomplish this, all you need is a file of the type you want to assign an application to, and a mouse/trackpad.

irst, right-click (or secondary-tap) the file and choose “Get Info.” This will bring up the dialog box shown to the right. You may have to click the little arrows at the top-left of each section to expand that section out.

About half-way down the Info page, you can see an “Open With” section. This contains two objects, a drop-down list for choosing the app, and a “Change All…” button.

To select which application will open this file ONCE, just drop down the menu you see and choose one of the listed applications. This list contains all the installed apps that have registered as able to open that type of file. If the app you want is not on the list, choose either “App Store” or “Other” from the menu (they show up at the bottom of the drop-down list).

If you choose App Store, the Mac App Store opens for you to find and install a software package for this file type. If you choose Other, Finder opens to your Applications directory so you can choose an app you already have installed. Note that you may need to change the drop-down menu under the file view from “Recommended Applications” to “All Applications” in order to see all the apps you have installed.

The “Always open with” checkbox on this page applies ONLY to this one file, so leave it unchecked when you choose the app you want to use for ALL files of this type.

Once you select a file type, you can then click the “Change All…” button under the drop-down menu on the Info window, which will allow you to specify that ALL files of this type should use the selected application to open/view, from now on.

That’s it, from then on, any time you open a file of that type, it will open with the selected application!

Note that there are two instances where the default app will change. 1) you can manually change it again using the same method you just went through. 2) a newly installed application can take the file type over. Usually you get the ability to stop a new app from doing that during installation, but sometimes it happens automatically. If that happens, you will have to manually set the file type to open with your preferred program once more.

How Spammers Get Around CAPTCHA 0

I’ve written in the past about CAPTCHA, the technology that shows you a picture of a group of letters or words that you must type in before you can log in to some sites, or sign up for free services like Gmail. As annoying as CAPTCH is, the automated Turing Test has stood for several years as a standard way of ensuring that a real person is trying to access a service, instead of just some kind of automated system.

The problem is that spammers and scammers have found more an more ways to get around the CAPTCHA tests to ensure they have access to these systems just as easily as legitimate users do.

Initially, the bad guys just used sophisticated character recognition engines to look at the images digitally, and figure out what the letters or words were. This worked for a time, but then site owners started skewing the letters or adding in “noise” – dummy lines, dots and other static that made it more difficult for a scanning tool to figure out what was part of the CAPTCHA code and what was not.

So, spammers have taken a new route to getting around CAPTCHA. Since the codes are designed to only be human-readable, they’ve been employing humans to read them. Yup, that’s right, you can now hire someone to break CAPTCHA by solving thousands of codes a week for you to use to send spam. See this article for more information on such services.

Social Networking is no stranger to this problem, as thousands of fake blog comments, even entire blogs and RSS feeds full of fake information, are common. Spammers set up thousands of fake Twitter accounts to blast out spam, malware and fake gift certificates, only to create yet more new accounts as soon as the existing ones are flagged and banned. The same thing happens on Facebook, Windows Live and just about every other social network out there, as the spammers simply change their tactics and continue doing what they do, no matter how good the technology to stop them seems to be getting.

How do we stop this? Simple, make it economically inefficient to spam. Most of my readers already refuse to click links in email, or accept links/codes/certificates from anyone they don’t know on Twitter, G+, etc. Now we have to spread the message. Make sure everyone you work and play with knows that they shouldn’t accept offers, click links, or approve blog comments that come from anyone they don’t know. Those coming from people they know should even be suspect.

Set your blogs to require approval for all comments, and weed out the spam. Approve comments but remove URL’s if you’re not sure. If you see tons of spam comments in a blog, alert the author that they need to turn on approvals or they’ll lose a reader.

If you have the ability to flag posts as spam, do it. Same for Tweets, Posts and other social media sharing. Don’t be abusive or obnoxious about it, just flag them and move on.

Eventually, the cost of successfully spamming the world will become greater than the revenue generated by the spamming. Money talks, folks, and if it’s too expensive to make money by spam, people will stop spamming, but not until then.

In the meantime, ignoring links and flagging spam posts and comments will keep you safe from a lot of the malware running around out there.

Photo Credit: yandle

Get an Image 0

When you go online, visual experiences are some of the most powerful. Video speaks louder than audio alone. Blog postings with pictures tend to have a better impact on readers than text alone.

This holds true to your profiles as well. As you can see on my own home page, I have an icon image that I use for my online profiles. Mine was done for me by a web-comic artist (Woody Hearn of GUcomics.com) and wasn’t free, so not everyone will be able to have this kind of profile picture set up for them. That’s not to say you can’t have anything!

Even if you’re not paying for someone to make a profile picture for you, that’s no excuse for having the default “person” or “egg” icons that services like Twitter and Facebook provide. You need to change the default profile image to something that represents you, as soon as you can.

Now, this doesn’t mean you have to draw it yourself, or even use a real photo if you’re uncomfortable doing so. You just need to get something in there that is not the default icon that brands you as a new user.

For example, the image at the top of this post was created by John Kovalic (who writes Dork Tower, another online comic). He did it to show just how easy it is to create simple, but powerful user icons without a lot of technical expertise.

Here’s a few more of his icons – that he’s made available to anyone who wants to use them, free of charge:

With just a few clicks in some simple graphics programs (that you most likely already have free of charge on your PC or Mac) you can create a cute, funny icon that is clearly not the “default user” graphic.

So why don’t you want the default icon?

1 – it brands you as a “newbie” – a person who just started and has no clue what they’re doing. Even if that’s true, you probably don’t want the world to know that if you can avoid it =)

2 – It’s unprofessional. If you’re using Social Media for your job, the last thing you want is others discounting your opinion because you didn’t change the default user icon.

3 – Spammers use the defaults. Spammers create dozens of spam accounts at once, therefore they tend to not even bother to change the icon (after all, the accounts are going to get blocked pretty quickly). If you keep the default icons, many folks will instantly suspect you of being a spammer.

So get an image! Build it, buy it, or borrow it (make sure you have permission to do so, though).

Photo Credit: John Kovalic

Why You Should Not Auto-DM on Follow 0

I’m noticing more and more of this lately, and figure it’ll make a good topic for my first “Do’s and Don’ts” column.

Many folks – even those who have been working with Social Media for a good amount of time – will DM every new follower on Twitter with a message. Usually it’s a “thank you” with a request to follow them on other networks.

I’m very much against this for a few reasons:

1 – Twitter is about public conversation and social sharing. Yes, there are some times you need to DM a person. Usually it’s to give out an email address or phone number or some other information you don’t want the world seeing. Links to your Facebook profile and fan page are *not* private information.

2 – It’s annoying. Most of us get DM’s on our mobile phones or via email in addition to our Twitter clients. That means that I’ve got alerts going off to tell me that you’re looking for me to follow you on Facebook.

3 – It’s useless. The vast majority of people I know will specifically NOT follow you anywhere else, and many will immediately un-follow you on Twitter, for doing this. In other words, you’ve done the exact opposite of what you were trying to do with the DM.

Now, this isn’t to say you shouldn’t say hi to your followers. You absolutely should! But do it with an @Reply instead of a DM. This allows more than just your new followers to find you on other networks, and opens a public conversation, instead of a private message.

You’ll note that if you try to send the same message (e.g. “Thanks, follow me here and here and here, too!”) to dozens of people, Twitter will stop you. They’ll attempt to keep you from posting the identical message to multiple people, and lock you out as a spammer if you keep trying.

So, if it’s not acceptable to send a message to each person in an @Reply, why would you do it in DM’s, where you’re being annoying in addition to getting flagged as a spammer?

Talk to your followers, share that someone followed you with your network, share your other networks with your Twitter followers. Just reserve DM’s for their intended purpose – sending one person information that you don’t want the entire world to hear.

Photo Credit: brainware3000