The Mac App Store might not be the best way to get software.

When the Mac App Store first hit, I was all for it. Things just seemed easier, since anything I bought there could be installed on up to 5 Macs, and would be easier to manage and update.

Things didn’t turn out quite that way…

While the Mac App Store is great for finding, buying, and downloading software, it has major issues when it comes time to keep that software updated. Since developers can’t just post their updates to the store, those critical patches can be seriously delayed, and that’s never a good thing.

For example, I use an app called HyperDock. It’s a great app and very handy for figuring out the various windows an app has open. The problem is that there has been an updated version of HyperDock out for a few weeks now, but delays in submission and clearance in the Mac App Store mean I have yet to get the new version. I can’t just download the update from the vendor, because the Mac App Store licensing is not compatible with the retail licensing that the vendor uses everywhere else. That’s not the vendor’s fault, they literally cannot use the same licensing method for the version sold through the Mac App Store.

This is incredibly common, from what I’ve seen myself and heard about over the last half-year. Some apps get updates immediately, others wait weeks or longer to get the approval and post the update in the store. If the update is just visual or fixes minor bugs, that’s understandable, but some of these updates are major and cannot wait.

Then there are upgrades. Most software developers have policies in place where all minor upgrades (i.e. 2.1 to 2.3, 2.4 and 2.5) are free. Major upgrades (i.e. 3.x to 4.x) are not free, but are offered to existing customers at a heavily discounted price. The Mac App Store doesn’t have any way to handle that, so you’d have to buy the whole software package over again if the vendor doesn’t want to supply free upgrades for the next major version.

Finally, there are free trials. With the Mac App Store, you either buy a piece of software, or it’s free. There is no middle ground, and no way for a developer to issue a time-limited key for a free demo. Some developers have created free versions of their apps with greatly limited feature sets, but that’s not the same as “try our product for 30 days with all functions available.” For apps that cost more than the $1.99 level, a free trial makes spending the cash on the full package a lot more justifiable.

There are a lot of alternatives to the Mac App Store, including MacUpdate, which I talk about in this blog quite a lot. These systems work directly with developers to let you download free software and buy purchasable software directly from their sites, while still having a central place to go to check on fixes, updates and upgrades. It’s where I will be getting most of my software from once again, after dealing with the nightmare that is the Mac App Store.

Photo Credit: Jordiet.

Do’s and Don’ts – Twitter

Twitter is one of the first places people think about when you say the term Social Media. While Twitter didn’t start the web 2.0 revolution, they did have a pretty big hand in shaping it.

So, what are some guidelines for using Twitter as an Information Worker?

Do’s:

– Do get an image. Using the default “newbie” icon for Twitter is always – ALWAYS – a bad idea. Find an image that is small enough to fit as a user icon, and that represents you, then use it. You can change this on the Profile or Bio page of your account. Remember to respect copyrights and trademarks and only use images you have the right to use.

– Do tweet about all kinds of things. Sticking to just corporate news is a sure way to lose followers fast. Try tweeting about things going on in your life that have some connection to your work. For example, if you make auto parts, talk about the work you’re doing on your own car outside of the parts you sell yourself.

– Do know what you can tweet about. Many companies have strict policies on what can, and cannot be said on Twitter by employees who are affiliated with the company. Make sure you only tweet information that is cleared and ok to send.

– Do remember it’s a conversation. Twitter is not a one-way communication tool, and so you should reply to people, start and participate in conversations, and generally remember that you don’t want to sound like a guy on a street-corner with a megaphone.

– Do keep your ratio. There’s a great temptation to follow a large number of people, but this is not a great strategy. If you’re following hundreds more people than follow you back, most experienced Twitter users will shy away from following you. The reason for this is simple: mass-following is a well-known technique employed by spammers, so you get hit with guilt by association. Start out by following no more than 25 more people than follow you back, and stay at that ratio until you’re over 500 followers; then you can open it up to 50.

– Do balance your tweet types. It’s always best to mix up what you’re tweeting. Send some text, some links and some ReTweets (RT’s), and not too many of any one type. Mixing your content types allows others to see that you have a lot to share, that you’re not just spamming press releases, and that you interact with the community.

– Do keep multiple accounts for work and play. If you think you might want to tweet about stuff that isn’t acceptable to your boss, create a different account to do that. This account should clearly state that it is yours, and not affiliated with any particular company at all.

Don’ts:

– Do not spam, ever. Though the temptation is to blast your message out to everyone all the time, keep in mind that Twitter is a conversation and make sure you’re not just spamming links to random people.

– Do not engage in “link building behaviors.” This one is critical. Many so-called Twitter “experts” will tell you to follow thousands of people, then unfollow anyone not following you back. That’s bad for a large number of reasons, not the least of which is that you’ll lose any legitimate followers you were going to get and be left with a huge list of followers who don’t listen to your message anyway. Avoid buying followers or using faulty methods like “TeamFollowBack” and the like. Be a real person, the followers will… well… follow.

– Do not DM on Follow. This is a massively annoying habit most so-called experts still engage in. Direct Messaging someone just to say “thanks for following” – or worse, pelting them with your links and ads, is a sure way to get people to immediately UN-follow you. DM’s are typically sent to mobile devices and generate alerts on the desktop, mobile, etc. This is quite annoying to anyone who gets them and finds out that they’re nothing but a “hello” message.

– Do not sweat it if people don’t follow back. You’ll find that some people don’t follow you back. Don’t worry about it. Keep doing all the things you should do, and many folks will follow you. Annoying one person who doesn’t follow you with @Replies is a sure way to ensure that many more people don’t follow you – so it’s counterproductive.

– Do not tweet on behalf of your company. That is, unless you have express permission to do so, of course. Remember that you’re someone who works *for* that company, you are not officially representing that company. Many folks have gotten in a lot of trouble for speaking on behalf of their employers.

– Do not EVER forget that Twitter is public. Even DM’s can become public in some circumstances, and if you’re tweeting for work, then your boss is looking. A lot of headaches due to this can be avoided if you follow the “Do” about keeping work and personal accounts separate.

If you’re looking for a much more comprehensive list of what not to do on Twitter, have a look at Snipe’s page on why you should not be a “Social Media Marketer” – NOTE: it’s not safe for work.

Photo Credit: Twitter

Yes you can sync your Windows Phone 7

A lot of folks are giving glowing reviews to the new line of Windows Phone 7 devices on the market. Having had a chance to play with one of the Samsung Focus devices, I can see why. The big question for me was, can I sync it with my Mac?

Surprisingly, the answer is yes.

Being used to syncing my iPhone, I was skeptical, but not only does an official and supported way to sync exist, it works quite well on both Snow Leopard and Lion.

First, head to the Mac App Store (Apple Menu, App Store) and search for the Windows Phone 7 Connector app. That will get you set up with all the software you need. Run that app, and connect your phone to your Mac via the provided cable that came with your phone.

After the software recognizes your device, it will offer to sync data and media for you. Microsoft went out of their way to make the process simple and reliable. You can sync local files from your Mac to the phone, as well as syncing iTunes music and playlists.

There are a couple of things to note:

1 – I never got the over-the-air sync to work properly, but that might have just been a problem in my configuration.

2 – Only non-DRM media will play on the Windows Phone device. You’d expect that, and since most iTunes music files are non-DRM these days, it isn’t a problem for music. It *is* a problem for movies and TV shows, however.

3 – The sync did not seem to update play counts and other meta-information for media. Again, not unexpected, and usually not critical, but it hurts things like Last.FM scrobbling.

Aside from those hiccups, the Connector app worked incredibly well, and allows you to play nice between Apple and Microsoft hardware.

Photo Credit: okalkavan

Do you know where your VM’s are?

Virtualization of resources brings some interesting issues to the table, not the least of which is where your compute resources are physically located at any given moment of the day.

The point of virtualization is that the systems you use are no longer tied to a specific piece of physical hardware; things can move quickly and without notice. For example, a resource located physically next door to you today could be moved via Storage vMotion (sVMotion) to a server across the country tomorrow. As long as the networking team makes all the appropriate routing changes, you’d never know.

There are lots of potential issues to consider, but three are:

1 – If your servers are not local to you, then the staff responsible for managing those resources at the current time may also not be local. This means that you’ll have to coordinate across time zones to perform maintenance and other tasks.

2 – Flipping resources to another datacenter may mean you suddenly lose physical access to your systems. The good news is that you can always flip the resources back if something goes physically wrong and you don’t have anyone at the other location at that time to plug the wire back in.

3 – Especially for international companies, technologies that cannot be exported could accidentally end up on virtual systems housed in a non-export country. If you deal with encrypted data-sets, this could become a very serious problem.

When you discuss cloud, the situation gets even more confusing, as you may literally not know what physical location your systems reside in at any given time. SLA’s with the cloud provider become absolutely vital, and must be reviewed regularly.

Separating the compute power from physical hardware is – overall – a good thing, but for as many problems as virtualization solves, we do have to remember that there are new problems to consider. Geography is one of those problems.

Dust off your maps…

Photo Credit: Norman B. Leventhal Map Center at the BPL

Why your company needs a clear Social Media Policy for employees

Every organization is made of people. That’s both good and bad. People make the company what it is, and that’s good. People also have opinions – which is usually good, but can become bad if they’re not representative of your brand and organization.

You can control access to the official corporate Twitter feeds, Facebook pages and LinkedIn accounts, but what happens when employees tag, retweet and link to those pages from their own accounts? That’s where a clear and comprehensive Social Media Policy (SMP) comes into play.

The SMP needs to clearly state what is acceptable and unacceptable for tweets and posts that are linked or tagged to the corporate identities. In other words, you should have language in the policy that clearly states that anything that goes against company policies (like disorderly conduct, HR violations, etc.) should never be linked or tagged to a corporate identity. Ever. For any reason at all.

The policy should also detail what rights and responsibilities an employee has if they choose to affiliate their personal accounts with the company via logos, images, re-tweet streams, etc. If you believe you have control over any account that has your company logo on it – for example – you need to state that very clearly and directly to avoid problems later on.

Of course, if your firm is particularly conservative in these matters, you may simply have a blanket policy that says that only the corporate identities can have anything to do with the company on Social Media. That’s usually a very bad thing to do, as it will severely limit your ability to take advantage of a lot of opportunities that leveraging employees can bring to the table. However, if that is indeed the way you want to operate, every employee needs to know it as soon as possible to avoid confusion, embarrassment and bad blood.

Finally, don’t make the mistake of believing your current employment agreements have you covered. If those agreements haven’t been updated in 3-5 years, you need to revisit them and ensure that the sections on intellectual property and corporate ownership of resources have been updated to operate in the digital age.

Photo Credit: Mr. Norris

Is your cloud data safe?

I’ve had it.

Today, I went to search for some cloud-enabled task management software. My needs were simple: It had to be able to run on OS X, and it had to be able to sync with iDevices that weren’t on the same network as the Mac. There are lots of tools out there that can do this.

Then I read the fine print.

Either they sync via Bonjour – and therefore only work if you’re in the room with your Mac – or they use a cloud provider to host the data being synced. Sounds reasonable, right?

Not really.

Only one tool I found allowed for non-Bonjour sync and protected my data from being stolen at the Cloud.

Here’s what happens. When you’re doing a non-Bonjour sync, you need to send the data from your desktop to a cloud provider (typically the vendor’s own servers somewhere out on the Internet). That’s all good, and all of the vendors I looked at used https (SSL) connections to get the data to and from the servers. The problem was that the server data was not encrypted.

That’s right, vendors are making a HUGE deal of encrypting the data in-flight, but then storing the data in plain-text on their servers. Granted, they have good physical and at least good-looking digital security, but that didn’t stop anyone in the past from stealing data like credit card info from similarly shielded servers. Data thieves find a way around physical and digital security easily, and a good, encrypted data format is often the only thing that stands between a vendor and a total PR nightmare.

Before I get flamed to death in the comments section, I also realize that encryption can be broken if the thieves are dedicated enough to getting the job done. But that’s no excuse to not even TRY to keep them from reading the data if they get in.

When I went to find a syncing note-taking application, I found the same thing. The leading vendors store the note data in plain-text on their servers, easily accessible to anyone who gets past their firewall. The claim is that they cannot encrypt or else searching wouldn’t be as in-depth as it is now – but again, not offering it at all isn’t acceptable. I – and many other users – don’t use the web interfaces for these things except in dire emergencies. The whole point is that these solutions sync with desktops and smartphones, which can index locally. So web-site-based searching isn’t the biggest thing we’re looking for anyway. We’d gladly exchange a limited amount of lost functionality that we barely use, for better security overall.

Platform as a Service vendors need to wise up and start storing data in an encrypted format. I realize this means that some things like universal server-side search might suffer, but that’s better than having a data thief get their hands on everything as soon as they make it past the security by guessing some server tech’s woefully easy password.

These vendors are sitting on a time-bomb. Sooner or later some high-profile target will use their service. Thieves and hackers will go after that unencrypted data and take everyone else’s they get their hands on in the process.

So, take a few minutes and check that your PaaS vendor is keeping your data safe in the cloud. You might just be surprised to learn that their idea of “data protection” is encryption of the transmission method, but they’ve left the lock off the data sitting on their servers. Telling me that you’ve mined the road doesn’t help me when the thieves find a way through or around it, and proceed to steal all the valuables inside because the front door is made of tissue paper.

By the way, the tools I found were:

Note taking with Notational Velocity on the Mac and Notesy on the iDevices (with thanks to @BMKatz on Twitter) fits my needs. These tools sync via DropBox. While not incredibly well known for data security, DropBox does at least attempt to keep data safe on their servers. If they manage not to have any more “oops, we forgot to turn on password validation for a few hours” moments, they’re going to be doing just fine.

For task management, I use ToDo with DropBox syncing. It is available on multiple platforms and does a great job of showing what tasks I need to do now, and later.

Both sets of tools store local copies of the data too, so if I’m not connected to the net for some reason, I can still work. I can also search quite quickly and easily because they index the data locally too.

Stay safe out there.

Photo Credit: dylancantwell

Full Disk Encryption, the good and bad

Since Snow Leopard, OS X machines have been able to encrypt sensitive data on your machine. It has evolved in Lion, and you might indeed want to turn it on, but deciding when and where to do so is something you’ll want to get some background information on.

In the System Preferences page of your Mac, you’ll find the Security & Privacy page, which has a tab for FileVault. In Snow Leopard, this would encrypt your User’s Home Directory (/Users/UserName) and nothing else. Good, but that still left a lot of potentially sensitive data unencrypted.

In Lion, FileVault was extended to be able to encrypt the entire system drive. This let you lock up your whole OS X system, including OS binaries and all data that was on the system drive itself. While this still didn’t cover any external drives, it was a huge step forward in data protection.

FileVault in Lion doesn’t seem to slow down processes on Core i-series systems, which means that if you bought your Mac after 2009, you probably won’t notice any difference with FileVault enabled. There are some slowdowns on extremely disk-intensive applications (like video editing), but otherwise it should be invisible to you.

The one exception is boot times. Booting up from a powered-down Mac can take a while longer on iMacs and other non-SSD machines when FileVault is on. Personally, it added about 2/3 of a minute to my boot-up times on a 2010 iMac. On an SSD Macbook Air, I noticed no difference in boot times with FileVault enabled, so it appears to be just read/write speed that makes that operation take longer on the iMac and MB Pro.

Now, since only boot times and very intensive applications seem to have any slow-downs, why wouldn’t you use FileVault? Well, there are a couple of reasons:

– You boot into Windows via BootCamp and work a lot with files on your Mac’s system drive. Since the drive is only available while OS X is running, you can’t get into it via BootCamp.

– You use an offline backup tool. This is pretty rare, since most common personal backup software works while you’re logged into your account, but if you back up your Mac while you’re not logged in, there will be issues since the disk is locked out when you’re not logged in.

Otherwise, FileVault is a good idea. Portable devices can be stolen, and using FileVault will help to ensure that at least your data doesn’t become public knowledge for thieves. Yes, they’ll still have your Mac – which sucks – but they won’t have access to your bank account information.

Even for non-portable devices, it’s not a bad idea to turn FileVault Full Disk Encryption on. Burglaries do happen, and computers are a hot commodity for thieves. An encrypted system is still lost, but at least your data will not be sitting there waiting to be stolen too.

For external devices, you can encrypt data, but not with FileVault. TrueCrypt is an open-source, free encryption tool that can create a protected directory or even encrypt any non-system drive entirely. Great for use on those removable USB hard drives that might contain private information. There are many tools that can do this, but TrueCrypt is great security at a great price, and actually worth much more than you pay for it (not often true of free software).

So unless you’re editing videos or doing Photoshop work for most of your day, Full Disk Encryption is a good idea. It’s part of the OS, and easy to configure. Not a bad way to take that extra measure of protection without completely changing the way you use your Mac.

Photo Credit: Zitona

Remember, it isn’t private, ever.

When using social media services, the biggest mistake folks make is to believe – even for a minute – that anything they say is private. That leads to embarrassment, possible employment termination, and lots of other consequences.

For example, many users believe that their Twitter direct messages are not shared with anyone but the recipient. That’s not necessarily the case.

When you DM someone on Twitter, the message can be seen by everyone who subscribes to their timeline if:

– There is an image attached to the DM – image services are not private, and will carry the text of the message as a caption to the image on the photo-sharing site.

– There’s a link or you use a tweet shortening service (like TwitLonger). This one burns people even more than the image services, as you may have a shortening service enabled for all tweets in a 3rd-Party Twitter product on your desktop or phone. Bit.ly links and other URL shorteners are also public, so links in tweets can become public very easily.

– They retweet it. Twitter will try to stop them from doing that, but there are lots of ways around that.

– You accidentally replied instead of sending a DM. It’s easy to do, and you’d be surprised how many times it happens.

On Facebook, all the default security settings make nearly everything in your profile and posts public information. Even if you think your data is shielded, a change to profile information policies can flip things to public without warning – it’s already happened several times.

The same goes for Pinterest and other sharing sites. Even though you can try to keep everything private, the sites are designed from the ground up to share, and with one wrong click the world can see whatever you posted.

Just before this went to post, Eileen Brown posted an article that proves the point. Twitter is allowing 3rd-Party companies to mine historical data from their archive, which means that your tweets could be used by another company. While they don’t seem to want to expose DM’s, one poorly-coded script could make that happen.

So, use social media wisely. Remember that it’s supposed to be SOCIAL, and that sites and networks are designed to facilitate public communication. Even if you think something is private, there’s a good chance it’s not – or it may become public later.

Photo Credit: floeschie

Growl Comes Roaring Back

With Apple’s release of beta code for the upcoming OS X Mountain Lion release, one thing had many folks talking.

The Notification Center, a very popular component of iOS 5, will be coming to Mac desktops and laptops when Mountain Lion is released. This led many (myself included) to think about how Growl would be able to continue when the OS began to incorporate that functionality natively.

Growl – for those who haven’t seen it – is a notification app that runs on nearly every Mac. If you use applications that pop up notification windows to alert you of events, you’ve probably seen Growl in action. A few months ago, Growl went from a free application to a paid app, and suddenly a great number of people who never even knew it was on their machines became very aware of it. Having to pay for the new version will do that to folks.

For the most part, the switch to a paid app was accepted well by the general public. While it’s worth every penny of the US$1.99 they charge for it, that is because there isn’t another app that works as well, as seamlessly, and as integrated to the OS itself. Now, with Mountain Lion getting Notification Center, the folks behind Growl have a real fight on their hands.

To kick off the battle, Growl has posted a blog article showing all the ways that we’ll still need – or at least really want – Growl on the OS X platform.

The argument is pretty straightforward. The Notification Center platform will only cover apps bought from the Mac App Store, and will not have all the functionality of Growl itself.

That’s great, but there’s an issue that may still cause problems for Growl. More and more new Mac Users only know about the App Store for getting new software for their Mac. They rarely use non-App-Store-purchased packages, and therefore don’t need a 3rd-Party alert tool.

I think that Growl will continue to be a great application. For Mac users who get software from multiple sources, it’s still a vital app to have; and even if you only use the Mac App Store to buy software, there will be many apps that continue to stand by Growl.

With luck, Growl will indeed integrate into Notification Center, but continue to supply alerting and tracking to all apps on Macs.

Photo Credit: Ernst Vikne

Yep, I got hacked!

Well, that happened faster than I thought.

Yesterday, I spent quite a few hours rebuilding my blogs, as nearly all of them managed to get hacked. It was a porn-site redirection attack, inserting javascript into each and every PHP page in the WordPress system.

It started with one blog, but by midday, it had spread to three of my four sites. The site that got hit first was the newest one, so it was surprising that a site with very little traffic was indeed a target to someone out there.

While this issue is never fun to deal with, I expected it would happen at some point, and took the appropriate precautions. They saved my bacon.

Luckily, I have a few friends in the security world, who had armed me properly for how to identify and overcome an attack like this. They also had me prepare to block such attacks, but in this case the hacker found a way around the defenses. That’s not unusual, as new attacks are created every day, and tools like WordPress firewalls and exploit scanners only update so fast.

So, how do you prepare for a potential attack?

1 – Prep your site. Install plug-ins to ward off the more common attacks before they hit. The WordPress Firewall and Exploit Scanner can help quite a lot with this. Both tools were able to deflect quite a few attempts to access my sites before whoever got there yesterday found a back door.

2 – Know what’s on your site – always. There’s a great plugin called WordPress File Monitor that scans your files regularly to see if anything has changed, and alerts you by email when it finds anything that has changed. Sometimes, it gets annoying, but this time it let me know that all my WordPress files had changed at once. This was something that allowed me to address and fix the problem so much faster than I would have been able to do otherwise.

3 – Back everything up. There are plugins that can back up entire WordPress sites – with their content databases – to Amazon S3, DropBox, or your hard drive. Use them! If you do get attacked, you will have to restore from a backup, so you had better have one handy. I had been backing up, but a configuration error meant that many posts were lost. I have copies, but that will take some time to restore manually.
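As an added example of the “know what’s on your site” step (my own Go code, not the WordPress File Monitor plugin or anything from the post), here is a small file-integrity check: it hashes every file under a site root, diffs a fresh scan against a saved baseline, and flags changed PHP files that carry the traits of the redirect injection described above. The marker patterns and the site layout in the test are assumptions of mine; the baseline is meant to be stored somewhere the web server account cannot write to.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"sort"
)

// Baseline walks a site root and records the SHA-256 of every regular file,
// keyed by its path relative to root. Take it on a known-good install and keep
// the result somewhere the web server's own account cannot write to.
func Baseline(root string) (map[string]string, error) {
	sums := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		h := sha256.Sum256(data)
		sums[filepath.ToSlash(rel)] = hex.EncodeToString(h[:])
		return nil
	})
	return sums, err
}

// Diff compares a saved baseline with a fresh one and reports what appeared,
// changed or vanished. A long "changed" list of PHP files you did not just
// update is the signal the post describes: every file touched at once.
func Diff(old, cur map[string]string) (added, changed, removed []string) {
	for p, sum := range cur {
		switch prev, ok := old[p]; {
		case !ok:
			added = append(added, p)
		case prev != sum:
			changed = append(changed, p)
		}
	}
	for p := range old {
		if _, ok := cur[p]; !ok {
			removed = append(removed, p)
		}
	}
	sort.Strings(added)
	sort.Strings(changed)
	sort.Strings(removed)
	return
}

// injectionMarkers are traits of the redirect injection the post describes:
// a script pulled from a foreign host, inline code that rewrites the browser
// location, or an obfuscated eval, none of which belong in a clean PHP file.
var injectionMarkers = []*regexp.Regexp{
	regexp.MustCompile(`(?i)<script[^>]+src=["']https?://`),
	regexp.MustCompile(`(?i)<script[^>]*>[^<]*(window|document)\.location`),
	regexp.MustCompile(`(?i)eval\s*\(\s*base64_decode\s*\(`),
}

// SuspiciousPHP returns the markers present in one file's content, so changed
// files can be triaged before you reach for the backup.
func SuspiciousPHP(content []byte) []string {
	var found []string
	for _, re := range injectionMarkers {
		if re.Match(content) {
			found = append(found, re.String())
		}
	}
	return found
}

func main() {
	root := "." // pass the site root (e.g. the WordPress install directory) as the first argument
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	sums, err := Baseline(root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("hashed %d files under %s\n", len(sums), root)
}
```

Run it once on a clean install, save the map, then re-run it on a schedule and feed Diff’s changed list through SuspiciousPHP to see which edits need a look.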

Luckily for me, I saw the attack happen, confirmed it, and started cleaning up everything all within hours of the actual attack. That kept my readers safe and my headaches limited to the fact that I mis-configured my backup and lost some posts.

And if you do get hacked?

@Snipeyhead – a noted WordPress Security expert – has posted a great guide on what to do next. You can find it via this link. [Note, she does not pull punches, verbally or visually, so her site is very mildly NSFW] The article is a bit old, but the strategy is sound, well researched, and spot-on still today. Follow the process she shows in that post, and recover what got hit before your visitors get infected by drive-by downloads or you lose face due to defacing of your sites.

Remember, change ALL passwords, including the FTP/sFTP logins and your web host login. That’s in addition to the site logins, database logins/users, and any other security info you have on your site. If you can’t identify how you got hacked, then play it safe and change everything.

Now that everything is back online, I can say I weathered the storm. It can be MUCH worse, and it’s never fun, but you can indeed overcome attacks against your site quickly and effectively if you prepare ahead of time.

Photo Credit: neoliminal