noun_Network_176216.png

08/20/2018

Newbie2Security: Are Macs Safer Than PC?

0

by Newbie2Security

Image courtesy of The Noun ProjectA reader recently asked: “I’ve heard that Macs are safer than PC’s. Is that true, and why or why not?”

Well, unfortunately the answer to “Is that true?” is a complete “No.” Macs are not safer than PC’s at all, read on to find out more.

Macs *do* have fewer pieces of malware written specifically to attack them, that is indeed true.

Malware is a security industry catch-all term for any software specifically written to attack and/or damage a digital system or steal information from such a digital system. That can be a virus, trojan, or worm – but it can also be software that encrypts your data and holds the unlock key hostage (ransomeware) or software designed to steal your usernames, passwords, etc.

That being said, there are several things to keep in mind that make Macs as exposed as PC’s (Windows-based machines) these days:

1 – Malware is less about how many different kinds of it exist and much more about how often the ones that do exist succeed in attacking your computer, phone, etc. Mac malware absolutely exists, and though there is less of it; it tends to be very widespread in a very short amount of time. That means while there are fewer kinds of Mac malware, they’re more likely to find their way onto your devices. It only takes one piece of malware to wreak havoc, so the numbers don’t matter and Macs are not inherently safer because there’s fewer pieces of it out there.

2 – Modern attackers are moving away from machine-specific or Operating System-specific attacks. While before the methods used to infect a machine were loaded email attachments and network-based attacks; these days they’re more likely to take advantage of tools and platforms that work on both Windows and Mac. Google Apps, Microsoft Office Online, Adobe Flash Player, Java, and many others work nearly identically on both Windows and Mac since these software packages run in the browser or are just modified versions of each other for each platform. Chrome on Windows and Chrome on Mac are not identical, but they are close enough to each other that an attack that works on one will work equally well on the other. Recent ransomware attacks that were spawned through an infected Flash app are a great example of that. The attacker wrote slightly different payloads for Windows and Mac, but the actual attack worked the same on both platforms; making it much easier for the whole attack to happen – and just as likely to happen on Mac as it was to happen on PC.

3 – Attacks may not need to talk to your computer to impact you at all. Attackers are working hard to compromise websites and online applications directly. That means they can steal personal information and data without ever having to actually compromise your machine at all – PC or Mac. Since these attacks happen at the Service Provider side (such as your bank website or online shopping vendor); you don’t have to fall victim to anything on your own computer to fall victim to the attacker.

So, as you can see, no matter if you’re on a PC or a Mac, you’re no safer on one vs. the other. You need to take reasonable precautions to make sure you’re not getting attacked just as much on your MacOS-based devices as you do on your Windows devices. Oh, and for those who say Linux is the answer; just remember that anything that doesn’t attack your machine directly (see point 3 above) will still hit you – even on Ubuntu or RedHat.

Stay safe, no matter what Operating System you use.

08/20/2018

Where the hell have you been?

0

by Newbie2Security

Well, it’s been some time since I posted, and I think an explanation is in order.

As many of those who follow me on Twitter already know, I moved about a year ago into a whole new career path. I’m still working as a technology pro helping out sales teams; but now I’m doing it in the Identity Security world. That’s meant a lot of ramp up and learning time for me, limiting how much time I can spend on this blog.

I’ve also been helping out by contributing blog postings to their company blog. Search the SecureAuth+Core Security blog for “Security in Plain English” and you’ll find a bunch of stuff I’ve been typing away on.

However, I don’t want to leave my independent writing behind! So, I’m glad to introduce a whole new column here on MikeTalon.com: Newbie2Security. The first several articles are already written and ready to go, and I’ll be posting more as we move forward. Please feel free to tweet or DM me if you have questions you’d like answered, and I’ll keep finding interesting stories to explain out in everyday language for those just learning about security and technology.

Enjoy the new column, and thanks for sticking around! First post in the new column is coming in just a few hours.

12/14/2017

The Reality of the New Non-Neutral Net

0

by Rant, Tech

So the FCC has repealed the regulations that mandated that all traffic on the Internet must be treated equally. The telecom/Internet Service Provider industry has touted this as a good thing, as there will now be a “fast lane” for most traffic and a “faster lane” for so-called priority traffic.

The regulations in question are long, wordy, complex, and unfortunately boring as hell. So what does this new non-neutral net mean in the real world? Let’s take a look:

If you are a tech company:
First, unless you’re well established and have rock-solid relationships with bandwidth providers, you’re in trouble. You *will* be paying more to get your traffic prioritized in a world where everything else online is going to drive up latency and bottlenecks. This means more budget for bandwidth for the life of your product line, and that means you need to start lining up additional funding right now. The impact of the regulatory change may take a few months or a few years, but it is indeed coming – start planning.

If you don’t want to pay for prioritization, then be ready to accept the fact that everyone who did pay will get lower latency and faster throughput – especially during peak operational times for your type of application or platform. So for consumer apps, your performance is going to absolutely suck from about 6PM through about 12AM local time for your customers. For business applications, the 9AM to 5PM local time frame is going to be a nightmare for you and your clients.

While non-latency-dependent or bandwidth-light applications won’t have too much of a problem, if you are streaming anything at all, this will impact your bottom line. If you’re starting up a cloud platform (especially IaaS), just give up now.

If you are a consumer:
Get ready for your Internet Service Provider (ISP) and Mobile companies to charge you more. If you are a heavy user of streaming services (Netflix, Amazon Prime, Apple Music, Spotify, and several dozen more), then you’re going to need prioritized service. After all, if everyone else in your neighborhood pays for it and you don’t, all you’re going to see is the “buffering” message or “please wait” audio prompts as their traffic gets to their devices ahead of yours.

ISP’s are already charging for high-bandwidth users, and in a world of streaming video and audio services we’re pretty much all high-bandwidth users now. If you work from home and are constantly on company applications and VPN connections, your bandwidth profile goes even higher. Have a VoIP phone or a micro-cell for your mobile phone? Higher still. Want to use that VPN for personal or business use – you’ll probably have to pay more for that privilege. There is no end to the nickel and diming that’s now available to ISP’s that they could have only dreamed of before.

A history lesson:
In our history, we have seen that giving corporations – even non-monopolistic corporations – the ability to pick and choose winners and losers exclusively by their ability to control supply doesn’t lead to good things. The punch-card era of IBM is a wonderful example. You see, while anyone could physically produce punch-cards to program and manage IBM accounting machines, only certain vendors were permitted to do so by IBM. Anyone who wanted to get into the market would have to be certified by IBM (an expensive proposition) – even though a punch-card is just a stiff piece of paper of certain physical dimensions. Eventually, other technologies got a toe-hold in the accounting machine market and overcame that restriction – but that took a generation, and caused many businesses who would have competed with official IBM punch-card vendors to go under. Since any vendor selling IBM punch-cards would not have a financial reason to produce them for other brands of accounting machines, this also meant that IBM gained the ability to become a virtual monopoly – no other machines could get anyone to make their punch-cards. Customers also got shafted, as they had to pay a premium for the officially-certified cards or risk their service contracts being voided. To put that in perspective, if your service contract was cancelled, your accounting machine pretty much stopped working.

What’s the correlation? Well, now any new business that wants high-bandwidth, low-latency throughput will have to pay to receive the blessing of an ISP above and beyond what they’re paying for that same service right now. Based on recent history, any user who wants to get the service as intended will also have to pony up some cash each month, making the actual cost of the new platform or service higher still. This will lead to situations where newer technologies may not even be developed, since it will be fiscally difficult to bring them to market successfully. The inventors won’t have the budget to pay for premium connectivity, and the end-users will be reluctant to get better cable/fibre packages to use them.

Recent innovations will wither and die when these new bandwidth fees and/or restrictions exceed their budgets; making it impossible for them to compete with players in the market who can more easily afford the fees by passing them on to their already sizable user bases, or just absorbing them as a cost of business. Google will be able to hold power over online video sharing where a newer company like Twitch may not be able to absorb the extra bandwidth costs. Amazon and Azure will ensure they have little to no competition because any cloud startup will be bankrupted by these premium fees, which would be required for things like Infrastructure as a Service to even function.

Yes, in time, newer bandwidth technologies will be created, and ISP’s will find themselves on the same losing end as the old Bell System did when it got shattered. But, ask yourself, how many innovations and new frontiers took decades longer to develop or were entirely lost when “Ma Bell” controlled almost every telephone line in the country? By allowing a very limited number of bandwidth providers to dictate fees at will – with no regulation to keep them in check – we’re quickly approaching the same situation we had with the Bell Network back in the 1980’s. Will we need to wait several decades for ISP’s to become irrelevant before we’re out of this nightmare, and how much progress will be sacrificed in the meantime?

Our government – in the form of the FCC – has sold us out. We are all going to be poorer in both actual money and in lost innovation and discovery for it.

12/13/2017

My Take on the Amazon vs. Google Shenanigans

0

by Rant, Tech

TL;DR – they’re both being insane and need to stop this crap.

In case you haven’t heard the news, Google (who owns YouTube) is pulling the ability for Amazon Echo devices and Fire devices (tablets, set-top and stick streamers, etc.) as of January 1. Some of this has already happened, as most Fire tablets and the Echo Show already have no ability to show YouTube videos, but after the 1st of the year, the entire rest of the product lines will lose the ability to serve up YouTube content – even though they are Android based, and there are Android apps for YouTube available.

Some backstory:

Amazon is a world-wide powerhouse in online retail and Cloud Services. Google owns most of the information on the Internet and is a major player in Cloud Services. Both are massive – and massively powerful – companies who can set and change the market at will. Both have services which compete with each other directly. Google has their own mobile OS (Android) and a vested interest in online retail – though indirectly as they sell advertising that leads to retail sites instead of offering a retail shop. Amazon is an online retail superstore, and has a mobile OS (FireOS) – though indirectly since FireOS is a fork of Android. Over the last couple of years, a feud has developed between them over eyeballs and ownership, and now we’re all paying the price.

The first salvo was Amazon not permitting the Google Play Store (the Android app store) on Fire devices like tablets and set-top streaming boxes. Apps had to be purchased via Amazon’s own app store functionality. Google made it well known that FireOS wasn’t considered Android anymore, but rather a fork that had branched into its own OS entirely. Some time later, Google devices (like Google Home, ChromeCast streaming sticks for TV’s, etc.) began to systematically disappear from Amazon shopping venues – while at the same time Amazon was promoting their own devices which served the same purpose. So Echo devices were available for sale but Google Home was not. FireTV set-top and stick streaming devices were still available, but ChromeCast sticks disappeared. Fooling absolutely no one with this strategy, Amazon soon caught the ire of Google, who became less and less willing to put up with Amazon’s tricks.

At around this time, FireOS tablets and other devices were using an Amazon-built YouTube application. Google claimed that this app violated their terms of service by manipulating the way in which YouTube advertising displayed, and blocked the app from functioning with YouTube. Amazon retaliated by creating an app that was just a shell to load the YouTube website – seeming taking care of the problem. Google, in a move that is controversial at best, objected to the fact that the touch-screen controls used by the new app didn’t fit their standards, and blocked the new app as well. When the Echo Show (an Echo device with a touch screen) debuted, it was quickly blocked from getting access to YouTube videos by Google, continuing the trend.

So which came first? Did Amazon piss off Google by pulling items from their storefront and manipulating how their devices accessed YouTube? Did Google piss off Amazon by developing competing product lines and limiting 3rd-Party access to their services? It’s a hard call to make, as a lot of these things happened in a very short period of time; but the end result is clear to see. YouTube – as of January 1 – will not be accessible on any Amazon device. ChromeCast and other Google-made hardware devices won’t be sold on Amazon.com – even by 3rd-Party sellers. Together, they’re tearing off their collective noses to spite their collective faces, and that doesn’t help anyone.

Amazon – you’re losing money. People will be hesitant to buy FireTV, or tablets, or the Echo Show when they cannot display the most popular video streaming site in the world. This is especially true when other devices like the Roku, AppleTV, and the majority of smart TV’s can show both Amazon content and YouTube content. You are hurting your sales and tarnishing your reputation.

Google – you are losing money. There is a large population of people who already own FireTV or Echo Show devices, and aren’t going to buy another device just to watch YouTube. That means less eyeballs, and less advertising revenue. It also means fewer people signing up for YouTube Red (the subscription service). The feud is keeping your devices off the most popular online shopping portal in most of the world, and you too are tarnishing your reputation.

Both of you are hurting your own bottom lines, and neither of you can win this in the current market. 3rd-Party devices that neither of you make money from will gain ground, and Apple is going to eventually eat your lunches when they inevitably launch their own voice assistant home device that supports both streaming platforms and doesn’t require directly dealing with either of your independent petty streams of bullshit.

Start working together. Amazon, use the YouTube native interface for touch and web. Show the ads inside of YouTube the way Google wants. Google, face the fact that Amazon sells competing hardware and isn’t going to promote your hardware. Take solace in the fact that you can buy a ChromeCast from a lot of places, and just sit back and rake in the ad revenue from ALL platforms that run YouTube. You don’t have to get along with each other, and can continue sniping at each other until the end of time – just don’t force your end users to make the difficult but inevitable choice to abandon both your platforms for the next hot hardware that comes into the market. Worse yet, don’t put a bad taste in consumers’ mouths when alternatives (like iTunes Video and Xbox Video) exist and could gain market share at your expense if you force users into new behaviors.

10/19/2017

No, I will not disable my ad blocker.

0

by Rant, Security

Anyone who uses an ad blocker has no doubt seen the “placeholder” images or text that replace where the advertisement would be on popular websites. These placeholders implore us to turn off our ad blockers to give the site vital revenue, to not starve the website owners of cash. Lately, there have been even more aggressive methods to ask us to turn blocking off – pop-up or interstitial notifications to shut the blocker off, or even full-page-blocking notifications that keep you from seeing anything if an ad blocker is on.

I do not, in principle, have an issue with these notifications. I think companies and individuals who support their sites with advertising have the right to ask us to turn off the tech that keeps them from getting paid and paying their bills. However, I must regretfully inform these sites that I will not be turning off my ad blocking software, and here is why:

Ad networks (the 3rd-party companies that serve up the ads found on most websites these days) have become nothing more than the latest vector for delivering malware of many forms. In the past, an attacker had to compromise the site itself through security holes or brute force in order to turn that site into an attack vector for infecting visitors with various nasty software. Ad networks have allowed attackers to do many multiple times the damage with a fraction of the effort.

Here’s how it works: The attacker buys ad space with a network that allows Javascript or other active-code ad serving. The technology generally allows advertisers to show rich-media ads (which are annoying and should be removed from the internet anyway, but I digress). Rich-media ads have video, audio, and other eye-catching stuff built-in, but require that the website displaying them allow for the scripts to be run. They also require that the browser allow the scripts to run, which ad blockers disable. For a legitimate advertiser and the website owner, this means better conversion rates (the rate at which viewers click on the ad to see the product/service being sold) and rich-media ads have become insanely popular for advertisers themselves; and a requirement for most ad networks to support.

An attacker can create an “advertisement” that has scripting which delivers the payload of their choice. This could be malware or spyware that the user must accept and run, other malware and spyware that requires no user interaction (limiting what it can attack, but making it much more likely to execute), or more recently crypto-currency mining scripts that chew up CPU cycles and can theoretically damage a computer though overheating it. Since the ad network has no way to tell that the malicious ad is any different from any other rich-media ad (because networks don’t bother to police their customers), the ad network serves up the bad ad to hundreds of websites and infects thousands of end-users.

In short, network advertising on websites has become the new way for attackers to deliver their malware.

This “malvertising” has become so prevalent that even giant sites like Showtime have been attacked via malware in ads posted on their sites. The ad networks do nearly nothing to stop the problem, and the site owners cannot stop it short of removing the ad networks’ code from their sites.

So, until such time as ad networks begin to properly police the ads they put up on network sites, or until such time as you – the site owner – remove that code and post ads you know to be non-malicious only; I’m not turning off the ad blocker. I’m sorry that this impacts you, truly I am. However, the situation has reached a point where no site that runs network ads is safe unless that code is blocked from ever running.

PS: I do indeed subscribe to websites that offer quality content without ads, either through Patreon or directly with the site itself. I know that this limits how many sites I can possibly support, but for those that offer great content and don’t attempt to infect my system with their lax code policies, I’m more than willing to put my money where my mouth is.

10/12/2017

Out with LiqudSky, in with @Paperspace

1

by Cloud, games, Mac, Review

Those who follow me on Twitter know I have, in the past, been a big fan of LiquidSky for cloud gaming. What I’ve found over time, however, is that I can no longer support that platform. I’ve officially cancelled my subscription and been using a new platform – Paperspace and Parsec – for several months now. The reasons for the change are straight-forward, and could have been addressed by LiquidSky before I jumped ship, but were not.

First, a note on what cloud gaming is: Basically, cloud gaming is simply a desktop hosted with a cloud provider close enough to you physically to provide a very low latency streaming experience. Streaming allows you to see the video and hear the audio of the desktop in much the same way as you watch movies and TV online. Low latency allows your clicks and keyboard input to happen on the remote desktop in close enough to real-time that it feels real-time. Both are required for cloud gaming because you need to react to what’s happening on the screen as it happens (you see an enemy, you react and shoot, or hide, or dodge, etc.). This is insanely difficult to accomplish, as most streaming systems like Netflix are designed for one-way communication. They send the data to your browser or set-top box and that’s all they’re worried about. With gaming, input matters, and therefore latency is a both sending and receiving input is something that must be dealt with. Just having a remote desktop connection doesn’t work – latency might be low enough to stream the desktop to you, but not anywhere near low enough for quick reactions to be recognized by the desktop itself in enough time to be useful.

Another issue is that most cloud platforms are geared toward commodity compute – basic CPU and RAM functions – and not for graphics. This means that while some games will run, those that require dedicated graphics cards (GPU) will not – ruling out the use of nearly all major games you’d want to play. GPU-focused cloud instances exist, but at a huge premium in price, and latency is still a massive issue with those.

Cloud gaming works to solve both issues by accelerating networking to allow for reasonably low latency, and offering GPU-enabled cloud desktop instances with sufficient resources to play the games you want to play. It’s a balancing act, and tricky to get right, but a few companies have managed to do it. For a Mac person who likes to play big-name games (which are typically Windows only), cloud gaming is a dream that’s just now starting to come true.

So less address why I made the switch:

1 – Mac Support: LiquidSky originally had a great Mac client. It wasn’t perfect, but they were working on correcting the few issues that there were there and making it better. Then LiquidSky 2 launched without a Mac client at all. Over the remainder of 2017, we Mac users patiently waited for the next-generation Mac client, but to no avail. Update after update of the Windows client came, and an Android client finally launched, but the Mac client continued to be listed as “coming soon.” As one of the major uses of cloud gaming is allowing Linux and Mac users to play these games, this is inexcusable. The Windows client can be used on a Mac with virtualization or emulation (things like vmWare Fusion and Wine), but this requires a level of technical expertise that is beyond the majority of users – and doesn’t provide a pleasant user experience at all.

Paperspace has had a Mac client since day one of their GPU-enabled gaming desktop services. It works, and it works very well, and they’re continuing development of the platform as they move forward to make it even better. They partner with Parsec to minimize latency and maximize the gaming experience overall, and they provide complete and easy-to-follow instructions on how to install and use these tools that anyone can follow.

2 – Latency: LiquidSky has continued to get worse and worse on this front as it gets more popular. While I’m happy they’re getting more users, they’re not scaling properly to allow for the increased user base to get a good experience when they play. Overburdening of their systems is taxing their networks, causing lag that makes playing many games impossible, and most games just plain unpleasant. Even using Wine to jury-rig their client into working on a Mac, visuals are “muddy” and reaction is sluggish and painful most of the time.

Paperspace keeps their networks and platform robust as it grows. It’s not perfect – there are periods of peak activity that definitely cause hiccups, lag, and some muddiness; but they’re far fewer than I ever experienced on LiquidSky and seem to be kept short. You’ll get a few seconds of sluggishness and stutter, and then you’re back to the great desktop experience you want.

3 – Billing Experience and Support: LiquidSky just doesn’t seem to care about its customers. It pains me to say that, as this is completely different than the experience I had when I started using their service. Customer support used to be fast, efficient, and friendly. Now, it seems that they respond when they feel like it, if at all, and basically always answer with “we’re working on that.” While this answer is perfectly acceptable when a new platform launches or a major overhaul has been rolled out – that period of acceptability ended several months ago and the attitude has continued nonetheless. Billing is painful, as it is handled by a 3rd-party entirely now and not even visible on the LiquidSky site. The shift from the ability to use unlimited accounts to everyone using a points system to rent access by the hour is even more confusing; and poorly explained. Let me be clear, they needed to raise their rates – no one could hope to grow and expand with the numbers they were offering – but make it easy for people to figure out what they’re paying for. Use real-money for the per-hour fees, not a conversion first to points and then to different amounts of points for each of the sizes of machines that can be run.

Paperspace has two billing options: per-hour fees in real money and unlimited plans at a fixed amount of money per month. They do charge far more than LiquidSky for unlimited accounts, but they are available and a decent value indeed for those of us who spent a lot on our Mac or Linux desktops and do not wish to buy a Windows machine with that much horsepower just to play games. Billing is handled by Paperspace and all options are available from their own website so I can manage my account quickly and easily. Support is stellar! Paperspace requires the use of a 3rd-party service called Parsec to play games (it mitigates many of the latency issues and handles things like controller support). I have been able to get help on Parsec from Paperspace directly, even though it isn’t their code or product. Paperspace always replies quickly and in a friendly manner.

All-in-all, LiquidSky seems to have totally lost the plot when it comes to cloud gaming. They shifted their focus to gaining more users as fast as possible by offering free credits for watching ads, but didn’t plan well to handle the influx of users that brought. They lost focus on their customers and service and support suffered. They’ve outsourced their billing to a 3rd-party and detached themselves from that process, and made the new purchase plans confusing and complex. Finally, they’ve stabbed their Mac customers in the back by focusing so heavily on Windows. I do understand that the vast majority of the gaming market is Windows, so this isn’t an un-sound business decision on their part. That being said, they had a fanatically loyal user base of Mac folks, who are now abandoning the service due to neglect. They did so as several well-known names like nVidia jumped into this space to compete for those same Windows and mobile users. So they’ve given up one advantage (a dedicated and untapped market) to maximize their effort in a crowded space against major household names. That’s not the best business plan.

Paperspace, with the help of Parsec, offers the total package. High quality services, ease of use, native clients on Mac, and reasonable prices. Note that cloud gaming is currently a very expensive proposition, with monthly fees averaging about US$200/month for unlimited use and per-hour fees being higher than for commodity compute uses. It is, however, worth it – especially for occasional gamers who just want to play one or two games that are Windows-only and therefore don’t need a monthly unlimited plan. It’s not perfect. Setup can be challenging, and not all hardware is fully supported (especially USB devices like gamepads and microphones for chat) – though that’s also the case for LiquidSky and not a Paperspace-specific issue. There are instances of network congestion, and minor nitpick issues, etc. Compared to their competition, however, they’re showing themselves to be leaders in the space of cloud gaming – giving big name brands like nVidia a real challenge and proving that they know what they’re doing and will get it done. They’re also proving themselves savvy businesspeople by targeting users who want the service and have found other platforms don’t get the job done. Mac and Linux users who want to play Windows games exist, and they spend money with companies that remain loyal to them – and Paperspace is going after that loyalty while retaining Windows customers – a recipe for success.

So give Paperspace a look if you’re gaming and not on hardware that can support those games well. No matter if it’s Windows, Mac, or Linux on your desktop, they can make your experience a lot better. Start with an hourly GPU instance and see if it meets your needs. You can always graduate to a monthly plan later if that will save you money. The Paperspace team will indeed be there to help you choose, help you get set up, and help you get back in the game.

10/02/2017

Outlook for iOS just plain sucks

0

by Rant, Review, Security

Recently, I joined a new company that uses Office365 – Microsoft’s cloud-forward platform that they believe will eventually replace the traditional licensing models for the Microsoft Office Suite, Exchange Server, SharePoint and several other products. The idea is good, as it opened the door to Microsoft finally brining its signature office applications (Word, PowerPoint, Outlook, etc.) to more platforms, like iOS devices. Word, Excel, and several others made the jump to my iPhone rather nicely. I’m pleasantly surprised at how well they translated from the big screen on my desktop to the small screen on my mobile devices.

Outlook fell out of the WTF tree and smacked into every single dumb-ass branch on the way down.

First, let’s talk about the interface. On a computer, with a keyboard and mouse, the interface for Outlook for PC and Mac is manageable and useable. I’m not a huge fan of the “put all the menu buttons in one tiny corner” school of UX design, but with keyboard shortcuts it’s a very workable solution for maximizing screen real-estate. Even Outlook for Mac – long the whipping boy for how not to port an application from Windows – the interface is clean, effective, and works. On iOS, the interface is horrible. There are no keyboard shortcuts to jump from mail to calendar to contacts, and some features like the task list are just plain missing. To be fair, tasks sync to the Reminders app in iOS – but only if you also set up your Outlook/Exchange account as an internet account on the phone.

All right, I know what you’re all saying, “It’s a scaled down version for just the essential stuff like email!” Great, let’s look at email:

No font sizing. So basically you’re going to see a set amount of info on each screen, no exceptions. Got an iPhone SE and need a bigger scale to avoid going blind? Too bad. On an iPad Pro and want to shrink stuff down so you can get more on the screen? Sucks to be you. To clarify, I am not talking about the fonts IN the emails – Outlook has little to no control over that if the email has its own formatting. I’m talking about the interface itself and the message previews in your mailbox lists.

No red squiggles. In nearly every other iOS application, when you mis-spell a word that autocorrect doesn’t murder for you (AUTOCORRECT SICKS!); you get a helpful visual indicator that something just ain’t right – the infamous red squiggle underline. It happens in the native mail app, and Airmail for iOS, and honestly every other 3rd-Party email app I’ve tried since iOS 4 was a thing. Outlook can’t get it to happen – or on the few instances they do get it to work it almost immediately stops working again. I’ve changed my keyboard settings, fiddled with autocorrect settings, etc. Nothing gets it to work reliably. Now I do a quick proof-read of emails before I hit send whenever possible because… well… AUTOCORRECT SICKS! but sometimes it’s easy to miss a spelling errer, and the red squiggly lines (like the one that’s glaring at me from that purposeful mistake in the last sentence) are extremely vital to not letting them get sent out.

No S/MIME support. What were they thinking? Outlook on the desktop has supported S/MIME in one form or another since Office 98, and done it reasonably well. Even Outlook for Mac has supported the use of signing certificates since it changed over from Entourage years ago. The native mail app supports S/MIME just fine, so the phone itself is capable of it; and other 3rd-Party mail apps seem to offer at least basic support for it, so it’s not an “Apple locked this feature away for their own use only” issue. But, alas, Outlook for iOS cannot use certificates to sign or encrypt emails, or even recognize that one is in use in an incoming email.

Not all bad news

There are some good points to Outlook for iOS as well. It’s not all doom and gloom. While the sizing is an issue, the interface is at least intuitive enough that I didn’t have to go searching through a knowledge base to figure out where things were. Not having the keyboard shortcuts as on a Mac or PC is annoying, but not something that will completely hobble you. Having email and calendars in one app is a much simpler method than downloading the .ics attachment, opening it in the Calendar app, and finally accepting it (or more often then not, finding out there is a conflict and starting the process over with the updated invite). Direct interoperability with other Office for iOS apps right out of the box is also a strong feature in Outlook’s favor. And having the licensing included in my Office365 subscription – which is handled by the iTunes App Store natively – makes things a lot simpler to manage.

I hope that Microsoft hammers out the kinks in the system. I would personally love to use Outlook for iOS for all of my work-related email; as I always keep work email and personal mail in different apps to avoid confusion and mistakes between accounts. For now though, I have to stick with Airmail for iOS. It doesn’t support S/MIME either, but can talk to Exchange online and does everything else I need except Calendars. For those who are interested, I went with BusyCal for iOS on that front.

Outlook for iOS is a flawed, half-baked product. It shouldn’t be part of the Office for iOS suite, and only serves to drag down what is otherwise a great set of apps that we’ve all been waiting for since Microsoft started looking at mobile devices. Get it together, Microsoft, and give me what I’ve had on the desktop and in other 3rd-Party email apps for years now!

09/27/2017

Bailing S3 Buckets

0

by Cloud, Security, Tech

Headlines are breaking out all over the last few weeks about high-profile data breaches caused by company databases and other information being stored in public Amazon Web Services (AWS) Simple Storage Service (S3) buckets. See here and here for two examples. The question I get most often around these breach notices is, “Why does anyone leave these buckets as public, and isn’t that AWS’s fault?” The answer is straight-forward, but comes as a bit of a shock to many – even many who work with AWS every day.

A quick refresher on S3

For those not familiar with S3 or what it is and what it does, basically S3 is an online file system of a very defined type. S3 is a cloud-based Object Storage platform. Object Storage is designed to hold un-structured collections of data; which typically are written once and read often, are overwritten in their entirety when changed, and are not time-dependent. The last one simply means that having multiple copies in multiple locations doesn’t require that they be synchronized in real-time, but rather that they can be “eventually consistent” and it won’t break whatever you’re doing with that data.

S3 organizes these objects into “buckets” – which would be the loose equivalent of a file system folder on more common operating system file systems like NTFS or EXT. Buckets contain sub-buckets and objects alike, and each level of the bucket hierarchy has security permissions associated with it that determine who can see the bucket, who can see the contents of the bucket, who can write to the bucket, and who can write to the objects. These permissions are set by S3 administrators, and can be delegated to other S3 users from the admin’s organization or other organizations/people that have authorized AWS credentials and API keys.

It’s not AWS’s fault

Let’s begin with the second half of the question. These breaches are not a failure of AWS’s security systems or of the S3 platform itself. You see, S3 buckets are *not* set to public by default. An administrator must purposely set both the bucket’s permissions to public, and also set the permissions of those objects to public – or use scripting and/or policy to make that happen. “Out of the box,” so to speak, newly created buckets can only be accessed by the owner of that bucket and those who have been granted at least read permissions on it by the owner. Since attempting to access the bucket would require those permissions and/or API keys associated with those permissions, default buckets are buttoned up and not visible to the world as a whole by default. The process to make a bucket and its objects public is also not single-step thing. You must normally designate each object as public, which is a relatively simple operation, but time consuming as it has to be done over and over. Luckily, AWS has a robust API and many different programming languages have libraries geared toward leveraging that API. This means that an administrator of a bucket can run a script that turns on the public attribute of everything within a bucket – but it still must be done as a deliberate and purposeful act.

So why make them public at all?

The first part of the question, and the most difficult to understand in many of these cases we’ve seen recently. S3 is designed to allow for the sharing of object data; either in the form of static content for websites and streaming services (think Netflix), or sharing of information between components of a cloud-based application (Box and other file sharing systems). In these instances, making the content of a bucket public (or at least visible to all users of the service) is a requirement – otherwise no one would be able to see anything or share anything. So leveraging a script to make anything that goes into a specific bucket public is not, in itself, an incorrect use of S3 and related technologies.

No, the issue here is that buckets are made public as a matter of convenience or by mistake when the data they contain should *not* be visible to the outside world. Since a non-public bucket would require explicit permissions for each and every user (be it direct end-user access or API access); there are some administrators who set buckets to public to make it easier to utilize the objects in the bucket across teams or business units. This is a huge problem, as “public” means exactly that – anyone can see and access that data no matter if they work for your organization or not.

There’s also the potential for mistakes to be made. Instead of making only certain objects in a bucket public, the administrator accidentally makes ALL objects public. They might also accidentally put non-public data in a public bucket that has a policy making objects within it visible as well. In both these cases the making of the objects public is a mistake, but the end result is the same – everyone can see the data in its entirety.

It’s important to also point out that the data from these breaches was uploaded to these public buckets in an unencrypted form. There’s lots of reasons for this, too; but encryption of data not designed for public consumption is a good design to implement – especially if you’re putting that data in the cloud. This way, even if the data is accidentally put in a public bucket, the bad actors who steal it are less likely to be able to use/sell it. Encryption isn’t foolproof and should never be used as an alternative to making sure you’re not putting sensitive information into a public bucket, but it can be used as a good safety catch should accidents happen.

No matter if the buckets were made public due to operator error or for the sake of short-sighted convenience, the fact that the buckets and their objects were made public is the prime reason for the breaches that have happened. AWS S3 sets buckets as private by default, meaning that these companies had the opportunity to just do nothing and protect the data, but for whatever reason they took the active steps required to break down the walls of security. The lesson here is to be very careful with any sensitive data that you put in a public cloud. Double-check any changes you make to security settings, limit access only to necessary users and programs by credentials and API keys, and encrypt sensitive data before uploading. Object Stores are not traditional file systems, but they still contain data that bad actors will want to get their hands on.

09/25/2017

What is Ransomware, and how do I stop it?

0

by Cloud, Security, Software, Tech

I get asked this question a lot by folks from all over the tech industry and from non-tech people just as often. Ransomeware is not new, but several extremely high profile attacks (like the “NotPetya” attack in Europe earlier in 2017) have put the topic back on the front burner of most peoples’ minds. With that in mind, let’s take al look at how to answer the question “What is ransomeware, and how do I stop it?”

What is it?

Ransomware is a form of malware – software that is not wanted on your computer and does something detrimental to your machine or the data it holds. This particular form of malware is nastier than most, however. While many virus, trojan, and other types of malware will delete data; ransomware encrypts data on your disk, meaning the data is still there, but totally unusable by you until you decrypt it. The creator of the ransomware is effectively holding your data hostage for money.

Tech Note – Encryption:

Encryption is the process of manipulating the binary data of your files using a cypher of some form to make the data useless to anyone who cannot decrypt it with the appropriate key. Much like converting orders into code before sending them in a war zone, you can encrypt data to make it useless to anyone who doesn’t have the key. This technology lets us safely bank online, save data in the cloud, etc. and is not natively a bad thing to have.

Ransomware arrives as an email attachment, a “drive-by” download from a website (where you visit a website and are prompted to download an executable file), and sometimes it acts as a true worm which infects any computers near one which has fallen victim to the malicious code. Once the infection takes hold on a computer, the malware will look for certain types of files (most often documents, spreadsheets, database files, text files, and photos); and will then encrypt these files in such a way that they are unusable by anyone until the malware author provides you with the decryption key.

The malware creator will offer to send you the key if you pay them the amount of money they are demanding – typically via the crypto-currency Bitcoin. They’ll also provide handy information on how to obtain Bitcoin, and the current exchange rates between the Bitcoin currency and your local currency. These malware authors are of course not going to provide just the helpful information. Along with that info comes a warning that if you don’t pay them by a certain date, your data will become permanently un-decryptable and lost forever. You seem to have only two choices: Pay the ransom or lose your data.

What do you do?

First, don’t panic. The malware creators of the world rely on people getting freaked out and doing anything they say in order to make the problem go away. Take a deep breath, step away from the computer for a moment, and then let’s deal with things.

1 – DO NOT PAY THE RANSOM! I can’t stress this enough, and there are very good reasons why you should never pay the ransom no matter how tempting it might be. First, there is at least a very good chance that the malware creators won’t ever give you the decryption key. It’s depressingly common for malware authors to use ransomware as a tool to steal money; and once the malware is known about, internet service providers and security researchers take steps to remove the ability for them to actually get paid or send you the key anyway. Secondly, negotiating with bad actors only results in more bad actors. If an author of ransomware gets a ton of money from their victims, then other authors will see the money available and write more ransomware to get in on the act.

2 – Check online to see if the ransomware has already been broken. Especially for the older variants of ransomware, there is a chance a security research group has figured out what the decryption key is. Check with your anti-virus/anti-malware provider (Symantec, Sophos, etc.) and legitimate tech sites to see if the key has already been found and made available; and to get instructions on how to decrypt your files with it.

3 – If a decryption key isn’t available, then you will need to restore your data from backups AFTER you clean the malware off your system. Check with your anti-virus/anti-malware vendor or your company’s IT department to find out how to get your system cleaned up; and with your backup provider or IT team to get the last known good version of your files back.

How do we stop it?

Stopping ransomware is not easy, as a successful attack can gain the malware authors quite a bit of money. New variants are popping up often, and some of them can spread themselves from machine to machine once the first few machines are infected via email attachments, etc. So how can you help stop ransomware and make it less profitable for the authors?

1 – DO NOT PAY THE RANSOM! Seriously, this cannot be said often enough. Each time someone pays the ransom, another author sees that they can make money by creating their own ransomware and spreading it around the internet. The first step in stopping the spread of this malware is to make sure there is nothing for the criminals who create it to gain.

2 – Keep your Operating System (OS), anti-virus, and anti-malware software up to date. No matter what OS you use (Windows, Mac, Linux, etc.) you are susceptible to malware of various kinds – including ransomware. Make sure you are regularly updating any desktops, laptops, tablets, and smartphones with OS updates and app updates as they are available. Even if you don’t feel comfortable having the OS keep itself updated automatically, be sure you are manually updating on a weekly basis at least. If you don’t have an anti-malware tool (such as those from Sophos, Computer Associates, etc.), then go download one and get it installed. Keep it updated – either via the tool’s own auto-update feature or just manually checking for updates at least daily. While anti-malware tools cannot catch every single variant of every malware package, they can catch a large number of them and keep you safer than not having one at all.

3 – Back up regularly. Use a tool that stores multiple versions of your files when they change – like Carbonite (disclosure: I’m a Carbonite subscriber and used to work for one of their family of products) or other such tools. This way, if you do get hit with ransomware, you can clean your system and restore last-known-good versions of files that were lost.

4 – Practice common sense internet safety. Don’t open attachments in email messages unless you know exactly what they are, who sent them, AND that they are legitimate. If you’re not sure of all three things, don’t open it – get confirmation from the sender first. Don’t click links in email. Instead, go to the website in question manually in your web browser and then navigate to the information you need. NEVER accept or open any files that automatically download when you load a website. If you didn’t click on it, don’t accept it. Along with that, always go to the vendor page to get new software. For example, if a site says you need a new version of Flash Player, then go to http://get.adobe.com/flashplayer and check for yourself instead of clicking on the link or button.

Protect yourself from ransomware as best as you can by following common-sense internet safety rules, and keeping your system backed up. Never pay the criminals who are holding your data for ransom. Finally, spread the word that ransomware can be stopped if we all work together and take the right precautions!

04/24/2017

Cranky Old Gamer: The Technomancer

1

by COG • Tags: , ,

The Technomancer cover art

Spiders isn’t a AAA game company – and there’s nothing wrong with that at all.

I played Mars: War Log a while back on XB360. It was ok, but not the kind of game that really dragged me in and made me want to see it through to the end. Spiders has released another game between then an The Technomancer, but I never got a chance to play that one. Reviews for the second game weren’t great (when I was still relying on them to figure out what to play), and it seemed to be just another medieval fantasy RPG.

When I saw the review titles for The Technomancer, it rang a bell. I remembered that Mars: War Log also revolved around a character type called Technomancers, and sure enough it was another game by Spiders. However, this one seemed to be much more fleshed out, more fully envisioned, than the earlier effort on the last-generation console. The reviews bashed it for being akin to early Bioware titles like Knights of the Old Republic – one of my favorite sci-fi games of all time, so I took the dive and gave it a go – and I’m very glad I did.

This second outing into the world of human colonies on Mars is seen through the eyes of the protagonist, Zachariah, the titular Technomancer. Think of them as fighters with a bit of electrical magic added in – similar to biotics in the Mass Effect series. Through the storyline, you’re introduced to the Technomancers of Abundance – one of several water companies that dominate the political and social landscape of Mars. Earth hasn’t been reachable for generations, entire colonial sites have been lost to history, and mutations have created a sub-species of humanity that is, to say the least, not treated well. Each water corp has their own Technomancer brigade, but unlike Aurora (another massive water company/nation-state); Abundance treats them as battle commanders in the armed forces – essentially weapons to be used by the state. Your character is no different, with the game beginning as they transition from being a trainee into their first military commission as a Lieutenant.

I won’t spoil the story for you, but suffice it to say you find yourself embroiled in the political intrigue of multiple powerful groups; and can – in the end – change the very course of history for the red planet. No, not the red-green-blue change the galaxy ending of Mass Effect; but actually change the entire society of Mars with your decisions. Granted, most of it is just spelled out in an epilogue, but frankly Dragon Age Origins did the same thing and it’s one of the most revered RPG’s ever.

What’s interesting about this game is that Spiders isn’t a massive game studio with hundreds of programmers grinding away at coding the next big blockbuster hit like Bethesda or Bioware. They’re not an indie group, but they’re small enough that the scope of both the game itself and the storyline within it are a refreshing surprise. Spiders has evolved a rather sparse Mars landscape found in War Log into a fully-viable planet stuffed with different experiences and personality. Each region is unique – with Ophir – a major city-state of Abundance – being a utilitarian, corporate behemoth of a building (no one can live on the actual surface of Mars due to solar radiation, so people live in naturally sheltered communities or massive enclave buildings like Ophir), while Noctis has an arabian-like vibe to it. You also visit Shadow Paths – points along rail-like transport systems that exist in naturally or artificially covered areas of the planet to protect from the sun’s rays; and long-lost colonial outpost domes from the original settlers. Unlike many of the AAA games lately, the scenery is very rarely re-used – it’s extremely varied and each area has some form of distinctness that keeps it apart from all the others. In short, this doesn’t feel like a dozen re-skinned dungeons, but individual areas created from scratch each time.

The people you meet also vary wildly. From the not-quite-all-there doctor companion Scott, to the intelligent mutant Phobos; each is given a distinct personality. Each also has side-missions that you can choose to undertake to get closer to each companion, and various perks (even romance) if you progress far enough with them. Non-companion characters central to the storyline also get their own personalities. From shady businessmen to impotent politicians, everyone feels like they had their stories written just for them.

Added to this, the world itself is incredibly believable. There’s no fantastic technology saving the inhabitants of Mars; as aside from some basic atmospheric manipulation decades back (to make the surface breathable), the planet is still about the same as it is today. There was some cataclysmic event that made the solar radiation outright lethal instead of just extremely dangerous as we know it – but there’s no magic going on here. The event caused a shift in the planet’s angle toward the sun, thereby making solar rays much more dangerous to humans – a potential event that science says could happen under the right (or wrong?) circumstances to any planet. The world of The Technomancer’s Mars is only slightly different than the actual Mars – and the differences are believably explained. I have to give Spiders credit for the level of research that must have gone into making that a possibility – a level of detail notably absent from many games that take place on earth, much less another planet.

The storyline is somewhat readable – you won’t be shocked by most of the twists and turns – but very enjoyable to play through. There’s an emancipation plot in progress, Secret Police who want to clamp down on everyone, back-alley mobsters, even a trade-hub of caravans with their own ulterior motives. While somewhat formulaic, the story does through a few curves in that you probably won’t see coming – and that I won’t spoil here.

This isn’t to say the game is without fault. The voice acting can be static, with characters voices failing to deliver emotion in many cases. There are two issues at play that cause this: First is the fact that the game was written in French, and the translation loses some of the emotion impact. Second, the acting talent probably didn’t work together on pre-recording reads and such. The facial animations are also not great, leaving characters speaking surprise without their eyebrows moving at all, etc. The issues distract from the punch of the storyline, but not enough to make the game one you should avoid unless those issues are your primary concern in a game.

Combat can also be unforgiving and occasionally just unfair. Even on Easy difficulty, you will find yourself outnumbered by damage sponges on multiple occasions. The combat itself is easy to understand, with three styles to choose from (staff-weapon moves, mace and shield, and rogue-like dagger and gun) plus the titular technomancy mechanic available to all three. The game handles combat well, and tends to be usually be fair but punishing. You can generally win out over your opponents, but you might have to re-try a fight or two due to just plain bad luck. The game’s camera follow doesn’t help it any here, and you will definitely find yourself having to manually move the stick to see what’s going on in the middle of a battle. I will definitely give the game points on the combat animations, however. Combat moves are fluid, and flow very well with only a few exceptions. Plus, the momentary slow-motion on critical hits makes them feel oh so very satisfying to land.

The lack of a fast-travel system is also painful. While you can travel by rover to outposts and cities, you have to traverse within the volume of those places (many of which are absolutely huge) on foot. This will lead you to go on mind-numbing runs through the same set of guards every time you have to visit a hostile location – over and over again. It doesn’t feel like lazy programming or filler or anything like that, it honestly just feels like an oversight where fast-travel simply wasn’t built into the game.

Overall, however, I’d recommend this one to anyone who likes deep Western RPG’s. The storyline is fun, and while usually pretty easy to divine what’s coming next, it will surprise you now and then. The combat is passible, though not exceptional; and the non-combat animations are fairly static. But if you like a good yarn and enjoy believable sci-fi universes, this is a game you should check out.

1 2 3 4 5 >»

Mike Talon's Home on the Web is Stephen Fry proof thanks to caching by WP Super Cache