Newbie2Security: Is the Cloud Safe, Part III

A reader asked a particularly complex question recently: “Is the cloud safe to use?”

In my continuing answer to that complicated question, let’s look at the cloud desktop experiences.

Cloud desktops are becoming more and more common as we move toward doing more within the cloud, as opposed to on our own networks and hardware. A cloud desktop is exactly what it sounds like; namely, a virtual desktop computer that runs within a cloud vendor and not on your own desktop, laptop, or tablet itself. They’re currently very popular for PC gaming when you want to play a very resource-heavy game and don’t own a powerful gaming desktop – or a PC at all. I myself use one to play PC games on my Mac (there’s a post on Paperspace and Parsec from a while back still posted here on the blog). While cloud desktops are incredibly useful, they’re still quite expensive to run and therefore not something everyone would use. That’s changing though, as prices come down just like all technology. This means you might be interested in using one in the near future if you’re not using one already.

If you do use or end up using a cloud desktop, its security is a lot different than using the cloud to sync data, or manage your Internet of Things (IoT) devices. Since a cloud desktop is an entire Operating System (Windows, Linux, etc.), it has to be secured in very much the same way as a desktop or laptop – but without the physical security you can put around a physical device you own and control.

So, how do you secure cloud desktops? Let’s take a look:

1 – Remember it’s a desktop. You should always keep your cloud desktop up to date with patches and fixes, and install and maintain an anti-malware tool on it as well. In much the same way as you would do these things on your own desktops and laptops, you must do them on cloud desktops too. Some service providers take care of some or all of these things for you; so check to see what they do in terms of updates and anti-malware and what you are responsible for yourself.

2 – The trust factor exists here too. Much like with IoT devices in the previous article, you have to know your cloud desktop vendor and put your trust in them. Most cloud desktop platforms are very new, so you won’t find a well-established company to go with; but you can research the company and find out if you should be trusting them. Where are they located? Is it in your country or off-shore? What back-end do they use to host their services – is it an established platform like AWS or RackSpace, or some cloud company no one has ever heard of? Who handles their billing – is it a reputable vendor like PayPal or directly with credit card companies (including all the Visa/MasterCard/Amex security methods) or with some payment provider no one has heard of? All of these questions can help you create a good profile of the company and their practices to base your trust decision on.

3 – Be careful what you put there. A cloud desktop can hold a lot of information on you. For example, if you use it for gaming, then the cloud desktop has your Steam and EA account info on there in all likelihood. It also might have billing information stored in memory when you buy things while you’re on the cloud desktop (like new games and software). That’s a bit of a problem, since you don’t have physical possession of the desktop itself, and won’t know if – for example – it’s stolen.

You can limit this liability by only logging into sites and applications you absolutely have to. Your Steam account is pretty much required, but you can turn on SteamGuard (two-factor login) to make sure no one can log in just by stealing the cloud desktop. You can also only update Steam and other payment information on your own desktop, rather than doing it via the interface on the cloud desktop. You can purchase games and other software on your own computer, get the access/registration keys via your own desktop email, then download the software and put in the key without having to put your credit card info into forms on the cloud desktop. For game apps like Steam and EA Origin, you can even make your purchases at their websites on your own desktop, then let the apps in the cloud desktop download the games next time you open the app there.

It’s also not necessary to even install or set up email apps/accounts on the cloud desktop at all – you can do that on your desktop or laptop and just cut and paste as required. Browsers don’t need to be synced to your Google/Apple/Firefox account, and therefore you don’t need to log into those services on the cloud desktop. Small steps like these don’t have a large impact on your cloud desktop experience and limiting what data is actually typed into or uploaded to the cloud desktop also limits what an attacker can get if they break in.

Cloud desktops can make life easier and open up the ability to do things you can’t do on your own desktop. As prices come down, they’ll become an option for more and more people – and a target for more and more attackers. Using them safely is very much possible, with a little strategy and forethought you can compute in the cloud with no problems at all.

Newbie2Security: Is the Cloud Safe, Part II

A reader asked a particularly complex question recently: “Is the cloud safe to use?”

In my continuing answer to that complicated question, let’s look at the Internet of Things and what you can do to keep your own things safe.

The Internet of Things (IoT) is a collective term to describe all the connected boxes, devices, and widgets that don’t fall into the category of desktops, laptops, and phones/tablets. In some cases, even those devices are considered IoT technology; but generally this refers to home automation, home assistants, set-top boxes, and other such gear that is steadily but surely sneaking its way into our homes and hearts.

The security of IoT devices depends a lot on both you and the cloud vendor that manages the online components of those devices. Let’s take a look at things to watch out for.

1 – The trust factor. While the very latest gizmo to automate your home might sound cool, remember that these devices are only as secure as the companies that make them. Millions of IoT devices became infected with malware that turned them into distributed denial-of-service (DDoS) attackers due to a back-door that vendors put into the devices to make them easier to manage remotely.

DDoS (Distributed Denial-of-Service) is a type of attack where thousands or even millions of devices all over the internet start flooding a website with bogus data traffic. Since a website can only handle a fixed amount of traffic at any one time, all these devices suddenly blasting it with data requests causes legitimate users of the site to be unable to reach it. Effectively, the site is offline to real users even though there’s nothing wrong with the site itself – it’s simply overwhelmed with all the requests and cannot talk to anyone else.

Working with vendors that you trust is critical to avoiding this situation. While any vendor can make a mistake or have bugs in their code, those who are well-known and well-reviewed are less likely to let a major flaw end up taking their whole network offline or allowing their devices to be compromised. They also react much faster if they should get attacked, pushing out updates and changes quickly to fix the problem. A fly-by-night vendor, on the other hand, may just stop supporting a product and leave all their users out in the cold when the next security problem comes up.

2 – Limiting what devices can do. Does your home lighting system need to speak directly to the internet? Probably not, and therefore it should not. While some systems like home thermostats do have a good reason to be accessible to the outside world (so you can remotely change the temperature), it shouldn’t be allowed when it isn’t necessary. Reputable vendors use home hubs and other technology to limit how much of their system needs to talk to the internet at all – and most vendors allow for you to limit that connectivity further. In short, if it doesn’t have to talk to the internet, it shouldn’t – full stop. If a vendor demands that the device be able to connect to their servers when there’s no reason to, choose another vendor. One great example is software updates for smart LED lights. Why should the light-bulb have to talk to the internet when updates can be done via a smartphone app or some other method that doesn’t require every bulb to have an internet connection individually?

3 – Segregate your networks. Most home internet routers have an easy-to-use method for creating a guest network. Guest networks are great for IoT devices that have no need to speak to your computers and tablets, but still do need internet access. Basically a guest network is a WiFi network on your home router that can talk to the internet, but cannot talk to anything else that’s using the same router. This means that if someone does manage to compromise your IoT devices, they cannot use that as a way to access your home computer or other systems. The one exception here is for devices that do have to talk to the rest of the things on your home network – like home assistants and other tools. They’ll have to go on your main WiFi network; so keep the trust factor high in your mind.

4 – Use basic security precautions at all times. Alexa, Google Home, and Apple HomePod are always listening, and apart from a few voice-matching tricks they cannot reliably tell your voice from anyone else’s. They can’t stop someone else from voice-ordering products or changing settings, since their voice identification systems aren’t sharp enough to figure out it’s not you talking. This means you should set up purchase passcodes, and limit their ability to access sensitive stuff via their configuration apps. You should also think twice about letting them communicate with outside devices (such as Alexa’s ability to call other people who own an Alexa). It might be convenient, but the phone still works for that purpose (or email, or text messaging, etc.). One recent case of Alexa accidentally sending a voice message with mildly embarrassing info to a contact in its address book is a great example of why you have to be very careful. Amazon did note that it was because of an incredibly rare set of circumstances, but it’s still possible and should be taken into account before you set up “drop in” or similar features.

Finally, as these services are attached to online accounts with various vendors, you should keep your account secured with two-factor logins and password hygiene at all times. Just like any other website you access, your username and password can be easily stolen or compromised if you’re not careful, and you have to take that into consideration.

IoT devices can be incredibly useful, or just downright fun, or both. But always remember that these are devices that can open dangerous doors into your home and office. Take precautions to make sure they don’t and you can use them safely to make your life better and more enjoyable.

Newbie2Security: Is the Cloud Safe, Part I

A reader asked a particularly complex question recently: “Is the cloud safe to use?”

That’s one incredibly complex question. I’m going to do my best to answer it, but keep in mind that “the cloud” isn’t a single thing – it’s an interwoven set of services, platforms, and applications from multiple vendors and companies. The short answer to the question would be “Yes, so long as you’re secure when you use it,” but that’s hardly a good answer to give to someone looking for information. So, let’s break this down over the next few articles to give some advice on cloud security for the average user on the most common consumer cloud services: Cloud Backup, Syncing, and Storage, Cloud Software, The Internet of Things, and Cloud Desktops.

Part I: Cloud Storage, Syncing and Backup

Anyone with an Android or iOS phone, tablet, or other device knows about cloud storage, syncing, and backup. Your photos, application data, and other info are synced between your devices by means of cloud services provided by Google and Apple. Your data is backed up with automated backup tools from those companies, and you may even store data up in their cloud systems for sharing or use elsewhere. These same services can be used by other types of computers and devices with tools provided by DropBox, Carbonite, SpiderOak and more for your PC, Mac, and Linux desktops and laptops.

Security for these types of systems revolves around three concepts: Device security, platform security, and account security.

Device security is how you protect the devices that you control. That can be desktops, laptops, phones, tablets, set-top TV boxes (or Smart TVs), etc. You do need to do your part to make sure the system as a whole remains secure – it’s not all the responsibility of the cloud provider in this case. The good news is that providing for device security isn’t overly complicated, and most devices walk you through the process automatically when you set them up.

Core concepts in device security are:
1 – Keep the device in your possession, and immediately notify the cloud provider if it’s lost or stolen. We all keep track of our – rather expensive – laptops, tablets, and phones, but this also extends to any device that holds personal or confidential information that can be stolen from you. If you lose any mobile device, or have a mobile or non-mobile device stolen, you must immediately notify the cloud provider to let them know it happened. This allows the cloud provider (Microsoft, Apple, Roku, Google, etc.) time to lock down your account to make sure whoever comes into possession of that device cannot get any of your information off of it.

2 – Lock devices down. Make sure you use passwords that aren’t simple 4 or 5 digit numbers (the usual default for these devices). iPhone, Android, and other types of devices will allow you to use fingerprints, facial recognition, and/or a complex password to gain access to their services; and you really should take advantage of these features. An attacker can quickly and easily figure out a 4-digit passcode, but will take much longer to figure out a complex password or passphrase. This means more time for you to realize the device isn’t in your possession anymore and alert the cloud provider that it is lost or stolen. It also means that visitors, kids, and others won’t gain access to things they shouldn’t – even when their intent isn’t malicious. This also counts for home assistants like Google Home, Apple HomePod, and Alexa. Set up purchasing passcodes so that people cannot accidentally or purposely place orders via these devices’ voice control systems.

3 – Don’t connect devices when you don’t have to – and limit what they can talk to. Not every device needs to talk to the internet 24/7. Make sure that, if you have the option, these devices are only allowed to go online when they need to. If a device must be online all the time, limit what it can do and who it can talk to. For example, most home routers have the ability to allow you to connect to your home network from anywhere. That means they continuously update the router vendor’s cloud services with your home IP address and other information. If you don’t have a need to access your home network from the outside world (and unless you have a specific reason to do that, you probably have no need), shut that feature off. Finally, be aware that convenience is often the enemy of security. I once had a CPAP machine (for sleep apnea) that offered to upload my sleep data to their cloud service so my doctor could get it. My doctor said I could just use the built-in memory card to get him that data – there was no need for the machine to be broadcasting that info – and so I shut it off. It would be more convenient to have the cloud handle that data, but much less secure with my medical details.

Platform security is all about the cloud vendor themselves, and what steps they take to make sure their own systems are secured. Most of this is far outside of your control, so you need to ask the vendors about their security practices and make a judgement call on if you trust them to hold your data or not.

For example, until relatively recently I had avoided using EverNote for note syncing. While they did encrypt data while it was being transmitted from my machine to their storage (known as encryption-in-flight), they did not store the data in an encrypted format when they were holding it (known as encryption-at-rest). That meant that if their systems got breached, all that data would be immediately visible to the attacker with no need to break an encryption algorithm to read it. Basically they had mined the front yard, but left the front door unlocked.

For the most part, cloud vendors will encrypt both in-flight and at-rest these days. As a matter of fact, EverNote has indeed started encrypting at-rest over the past year or so in response to users demanding it. Apple, Microsoft, and Google all encrypt at rest for their sync and backup tools in iCloud, Office 365, and Google Apps as well.

You should be aware, however, that not all encryption-at-rest is created equal. Most vendors use shared-knowledge encryption, meaning that no other user of the service can see your data, but the service provider (Apple, Google, etc.) can see it whenever they need to. A famous case in recent history was when the US Government demanded Apple turn over all data from a suspect’s iPhone. While Apple could not read the data on the iPhone itself (as the phone’s encryption didn’t allow Apple to unlock it); Apple was able to – and did – hand over all data stored in iCloud, which uses shared-knowledge and allows Apple to unlock and read it.

While zero-knowledge vendors of cloud sync, backup, and storage exist (such as SpiderOak and CrashPlan Pro), their services are generally much more complex and expensive than shared-knowledge vendors like DropBox and iCloud. The reason is that zero-knowledge systems require dedicated storage and other technologies for each user, making those services cost the vendor more per customer, which is passed on to the customers themselves. For most data, shared-knowledge is perfectly fine if the company in question – like DropBox or Apple – has a proven track record of securing their own access to your data. Apple has proven they will only turn over data with a valid warrant or other legal instrument; and DropBox did have some hiccups, but has worked very hard to close those security holes and ensure new ones do not crop up.
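To make the shared-knowledge versus zero-knowledge distinction concrete, here is a small Go model written for this post (not code from any of the vendors named above). Both paths encrypt at rest with AES-256-GCM from Go’s standard library; the only difference is who holds the key, which is exactly what decides what the vendor can hand over under a legal order. The `Provider`, `Disclose`, `ZKUpload` and `ZKDownload` names are made up for the example, the transport (in-flight) encryption is assumed rather than modelled, and the zero-knowledge device key is a random key rather than one derived from a user passphrase as real products do.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or a tampered blob.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Provider models the vendor's storage: blobs at rest per user, plus keys the vendor holds (shared-knowledge accounts only).
type Provider struct {
	blobs map[string][]byte
	keys  map[string][]byte
}

func NewProvider() *Provider {
	return &Provider{blobs: map[string][]byte{}, keys: map[string][]byte{}}
}

// UploadSharedKnowledge: the device sends plaintext (transport encryption is
// assumed, not modelled) and the vendor encrypts at rest with a key it keeps.
func (p *Provider) UploadSharedKnowledge(user string, plaintext []byte) error {
	if _, ok := p.keys[user]; !ok {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		p.keys[user] = key
	}
	blob, err := seal(p.keys[user], plaintext)
	if err != nil {
		return err
	}
	p.blobs[user] = blob
	return nil
}

// Disclose is what the vendor can hand over under a legal order: the plaintext
// when it holds the key (true), otherwise only the opaque ciphertext (false).
func (p *Provider) Disclose(user string) ([]byte, bool) {
	blob, key := p.blobs[user], p.keys[user]
	if key == nil {
		return blob, false
	}
	pt, err := open(key, blob)
	if err != nil {
		return blob, false
	}
	return pt, true
}

// ZKUpload is the zero-knowledge path: the device seals with its own key and
// sends only the blob, so the vendor stores it without ever holding a key.
func ZKUpload(p *Provider, user string, deviceKey, plaintext []byte) error {
	blob, err := seal(deviceKey, plaintext)
	if err != nil {
		return err
	}
	p.blobs[user] = blob
	return nil
}

// ZKDownload fetches the blob back and decrypts it on the device.
func ZKDownload(p *Provider, user string, deviceKey []byte) ([]byte, error) {
	return open(deviceKey, p.blobs[user])
}
```

Run `Disclose` against a user on each path and the difference is the whole story: the shared-knowledge user’s note comes back readable, the zero-knowledge user’s comes back as ciphertext that only the device key can open.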

Account security is the third pillar of safe sync, backup, and storage online. This one is shared between you and the cloud vendor equally. You must use a secure password and only access the service from devices that you trust. They must ensure all employees follow security best-practices and no one gets unauthorized access to their systems. Working together, both of you ensure that your account information (passwords, application authorizations, etc.) stay assigned to you and you alone – keeping prying eyes from getting the chance to access your stuff on their servers.

Taken together, device security, platform security, and account security work to make sure that neither you nor the cloud vendor do anything that could compromise either your data or their services. Controlling your devices allows you to make sure they don’t leak information or allow others to access it. By sticking with well-regarded and well-secured vendors who have a commitment to platform security you can make sure the platform itself will keep attackers out. Account security makes sure that it is as difficult as possible for an attacker to impersonate you or an employee of the cloud vendor and gain unauthorized access.

So, as you can see; using sync, backup, and storage in the cloud can be secure if both you and the cloud vendor take security seriously. Stay tuned for parts II and III for more information!

Newbie2Security: Are Macs Safer Than PC?

A reader recently asked: “I’ve heard that Macs are safer than PC’s. Is that true, and why or why not?”

Well, unfortunately the answer to “Is that true?” is a complete “No.” Macs are not safer than PCs at all; read on to find out more.

Macs *do* have fewer pieces of malware written specifically to attack them, that is indeed true.

Malware is a security industry catch-all term for any software specifically written to attack and/or damage a digital system or steal information from such a digital system. That can be a virus, trojan, or worm – but it can also be software that encrypts your data and holds the unlock key hostage (ransomware) or software designed to steal your usernames, passwords, etc.

That being said, there are several things to keep in mind that make Macs as exposed as PCs (Windows-based machines) these days:

1 – Malware is less about how many different kinds of it exist and much more about how often the ones that do exist succeed in attacking your computer, phone, etc. Mac malware absolutely exists, and though there is less of it, it tends to become very widespread in a very short amount of time. That means while there are fewer kinds of Mac malware, they’re more likely to find their way onto your devices. It only takes one piece of malware to wreak havoc, so the numbers don’t matter and Macs are not inherently safer because there are fewer pieces of it out there.

2 – Modern attackers are moving away from machine-specific or Operating System-specific attacks. While before the methods used to infect a machine were loaded email attachments and network-based attacks; these days they’re more likely to take advantage of tools and platforms that work on both Windows and Mac. Google Apps, Microsoft Office Online, Adobe Flash Player, Java, and many others work nearly identically on both Windows and Mac since these software packages run in the browser or are just modified versions of each other for each platform. Chrome on Windows and Chrome on Mac are not identical, but they are close enough to each other that an attack that works on one will work equally well on the other. Recent ransomware attacks that were spawned through an infected Flash app are a great example of that. The attacker wrote slightly different payloads for Windows and Mac, but the actual attack worked the same on both platforms; making it much easier for the whole attack to happen – and just as likely to happen on Mac as it was to happen on PC.

3 – Attacks may not need to talk to your computer to impact you at all. Attackers are working hard to compromise websites and online applications directly. That means they can steal personal information and data without ever having to actually compromise your machine at all – PC or Mac. Since these attacks happen at the Service Provider side (such as your bank website or online shopping vendor); you don’t have to fall victim to anything on your own computer to fall victim to the attacker.

So, as you can see, no matter if you’re on a PC or a Mac, you’re no safer on one vs. the other. You need to take reasonable precautions to make sure you’re not getting attacked just as much on your MacOS-based devices as you do on your Windows devices. Oh, and for those who say Linux is the answer; just remember that anything that doesn’t attack your machine directly (see point 3 above) will still hit you – even on Ubuntu or RedHat.

Stay safe, no matter what Operating System you use.

Where the hell have you been?

Well, it’s been some time since I posted, and I think an explanation is in order.

As many of those who follow me on Twitter already know, I moved about a year ago into a whole new career path. I’m still working as a technology pro helping out sales teams; but now I’m doing it in the Identity Security world. That’s meant a lot of ramp up and learning time for me, limiting how much time I can spend on this blog.

I’ve also been helping out by contributing blog postings to their company blog. Search the SecureAuth+Core Security blog for “Security in Plain English” and you’ll find a bunch of stuff I’ve been typing away on.

However, I don’t want to leave my independent writing behind! So, I’m glad to introduce a whole new column here on MikeTalon.com: Newbie2Security. The first several articles are already written and ready to go, and I’ll be posting more as we move forward. Please feel free to tweet or DM me if you have questions you’d like answered, and I’ll keep finding interesting stories to explain out in everyday language for those just learning about security and technology.

Enjoy the new column, and thanks for sticking around! First post in the new column is coming in just a few hours.

The Reality of the New Non-Neutral Net

So the FCC has repealed the regulations that mandated that all traffic on the Internet must be treated equally. The telecom/Internet Service Provider industry has touted this as a good thing, as there will now be a “fast lane” for most traffic and a “faster lane” for so-called priority traffic.

The regulations in question are long, wordy, complex, and unfortunately boring as hell. So what does this new non-neutral net mean in the real world? Let’s take a look:

If you are a tech company:
First, unless you’re well established and have rock-solid relationships with bandwidth providers, you’re in trouble. You *will* be paying more to get your traffic prioritized in a world where everything else online is going to drive up latency and bottlenecks. This means more budget for bandwidth for the life of your product line, and that means you need to start lining up additional funding right now. The impact of the regulatory change may take a few months or a few years, but it is indeed coming – start planning.

If you don’t want to pay for prioritization, then be ready to accept the fact that everyone who did pay will get lower latency and faster throughput – especially during peak operational times for your type of application or platform. So for consumer apps, your performance is going to absolutely suck from about 6PM through about 12AM local time for your customers. For business applications, the 9AM to 5PM local time frame is going to be a nightmare for you and your clients.

While non-latency-dependent or bandwidth-light applications won’t have too much of a problem, if you are streaming anything at all, this will impact your bottom line. If you’re starting up a cloud platform (especially IaaS), just give up now.

If you are a consumer:
Get ready for your Internet Service Provider (ISP) and Mobile companies to charge you more. If you are a heavy user of streaming services (Netflix, Amazon Prime, Apple Music, Spotify, and several dozen more), then you’re going to need prioritized service. After all, if everyone else in your neighborhood pays for it and you don’t, all you’re going to see is the “buffering” message or “please wait” audio prompts as their traffic gets to their devices ahead of yours.

ISPs are already charging for high-bandwidth users, and in a world of streaming video and audio services we’re pretty much all high-bandwidth users now. If you work from home and are constantly on company applications and VPN connections, your bandwidth profile goes even higher. Have a VoIP phone or a micro-cell for your mobile phone? Higher still. Want to use that VPN for personal or business use? You’ll probably have to pay more for that privilege. There is no end to the nickel and diming that’s now available to ISPs that they could have only dreamed of before.

A history lesson:
In our history, we have seen that giving corporations – even non-monopolistic corporations – the ability to pick and choose winners and losers exclusively by their ability to control supply doesn’t lead to good things. The punch-card era of IBM is a wonderful example. You see, while anyone could physically produce punch-cards to program and manage IBM accounting machines, only certain vendors were permitted to do so by IBM. Anyone who wanted to get into the market would have to be certified by IBM (an expensive proposition) – even though a punch-card is just a stiff piece of paper of certain physical dimensions. Eventually, other technologies got a toe-hold in the accounting machine market and overcame that restriction – but that took a generation, and caused many businesses who would have competed with official IBM punch-card vendors to go under. Since any vendor selling IBM punch-cards would not have a financial reason to produce them for other brands of accounting machines, this also meant that IBM gained the ability to become a virtual monopoly – no other machines could get anyone to make their punch-cards. Customers also got shafted, as they had to pay a premium for the officially-certified cards or risk their service contracts being voided. To put that in perspective, if your service contract was cancelled, your accounting machine pretty much stopped working.

What’s the correlation? Well, now any new business that wants high-bandwidth, low-latency throughput will have to pay to receive the blessing of an ISP above and beyond what they’re paying for that same service right now. Based on recent history, any user who wants to get the service as intended will also have to pony up some cash each month, making the actual cost of the new platform or service higher still. This will lead to situations where newer technologies may not even be developed, since it will be fiscally difficult to bring them to market successfully. The inventors won’t have the budget to pay for premium connectivity, and the end-users will be reluctant to get better cable/fibre packages to use them.

Recent innovations will wither and die when these new bandwidth fees and/or restrictions exceed their budgets; making it impossible for them to compete with players in the market who can more easily afford the fees by passing them on to their already sizable user bases, or just absorbing them as a cost of business. Google will be able to hold power over online video sharing where a newer company like Twitch may not be able to absorb the extra bandwidth costs. Amazon and Azure will ensure they have little to no competition because any cloud startup will be bankrupted by these premium fees, which would be required for things like Infrastructure as a Service to even function.

Yes, in time, newer bandwidth technologies will be created, and ISPs will find themselves on the same losing end as the old Bell System did when it got shattered. But, ask yourself, how many innovations and new frontiers took decades longer to develop or were entirely lost when “Ma Bell” controlled almost every telephone line in the country? By allowing a very limited number of bandwidth providers to dictate fees at will – with no regulation to keep them in check – we’re quickly approaching the same situation we had with the Bell Network back in the 1980s. Will we need to wait several decades for ISPs to become irrelevant before we’re out of this nightmare, and how much progress will be sacrificed in the meantime?

Our government – in the form of the FCC – has sold us out. We are all going to be poorer in both actual money and in lost innovation and discovery for it.

My Take on the Amazon vs. Google Shenanigans

TL;DR – they’re both being insane and need to stop this crap.

In case you haven’t heard the news, Google (who owns YouTube) is pulling YouTube access from Amazon Echo devices and Fire devices (tablets, set-top and stick streamers, etc.) as of January 1. Some of this has already happened, as most Fire tablets and the Echo Show already have no ability to show YouTube videos, but after the 1st of the year, the entire rest of the product lines will lose the ability to serve up YouTube content – even though they are Android based, and there are Android apps for YouTube available.

Some backstory:

Amazon is a worldwide powerhouse in online retail and Cloud Services. Google owns most of the information on the Internet and is a major player in Cloud Services. Both are massive – and massively powerful – companies who can set and change the market at will. Both have services which compete with each other directly. Google has their own mobile OS (Android) and a vested interest in online retail – though indirectly, as they sell advertising that leads to retail sites instead of offering a retail shop. Amazon is an online retail superstore, and has a mobile OS (FireOS) – though indirectly, since FireOS is a fork of Android. Over the last couple of years, a feud has developed between them over eyeballs and ownership, and now we’re all paying the price.

The first salvo was Amazon not permitting the Google Play Store (the Android app store) on Fire devices like tablets and set-top streaming boxes. Apps had to be purchased via Amazon’s own app store functionality. Google made it well known that FireOS wasn’t considered Android anymore, but rather a fork that had branched into its own OS entirely. Some time later, Google devices (like Google Home, ChromeCast streaming sticks for TV’s, etc.) began to systematically disappear from Amazon shopping venues – while at the same time Amazon was promoting their own devices which served the same purpose. So Echo devices were available for sale but Google Home was not. FireTV set-top and stick streaming devices were still available, but ChromeCast sticks disappeared. Fooling absolutely no one with this strategy, Amazon soon caught the ire of Google, who became less and less willing to put up with Amazon’s tricks.

At around this time, FireOS tablets and other devices were using an Amazon-built YouTube application. Google claimed that this app violated their terms of service by manipulating the way in which YouTube advertising displayed, and blocked the app from functioning with YouTube. Amazon retaliated by creating an app that was just a shell to load the YouTube website – seemingly taking care of the problem. Google, in a move that is controversial at best, objected to the fact that the touch-screen controls used by the new app didn’t fit their standards, and blocked the new app as well. When the Echo Show (an Echo device with a touch screen) debuted, it was quickly blocked from getting access to YouTube videos by Google, continuing the trend.

So which came first? Did Amazon piss off Google by pulling items from their storefront and manipulating how their devices accessed YouTube? Did Google piss off Amazon by developing competing product lines and limiting 3rd-Party access to their services? It’s a hard call to make, as a lot of these things happened in a very short period of time; but the end result is clear to see. YouTube – as of January 1 – will not be accessible on any Amazon device. ChromeCast and other Google-made hardware devices won’t be sold on Amazon.com – even by 3rd-Party sellers. Together, they’re tearing off their collective noses to spite their collective faces, and that doesn’t help anyone.

Amazon – you’re losing money. People will be hesitant to buy FireTV, or tablets, or the Echo Show when they cannot display the most popular video streaming site in the world. This is especially true when other devices like the Roku, AppleTV, and the majority of smart TV’s can show both Amazon content and YouTube content. You are hurting your sales and tarnishing your reputation.

Google – you are losing money. There is a large population of people who already own FireTV or Echo Show devices, and aren’t going to buy another device just to watch YouTube. That means fewer eyeballs, and less advertising revenue. It also means fewer people signing up for YouTube Red (the subscription service). The feud is keeping your devices off the most popular online shopping portal in most of the world, and you too are tarnishing your reputation.

Both of you are hurting your own bottom lines, and neither of you can win this in the current market. 3rd-Party devices that neither of you make money from will gain ground, and Apple is going to eventually eat your lunches when they inevitably launch their own voice assistant home device that supports both streaming platforms and doesn’t require directly dealing with either of your independent petty streams of bullshit.

Start working together. Amazon, use the YouTube native interface for touch and web. Show the ads inside of YouTube the way Google wants. Google, face the fact that Amazon sells competing hardware and isn’t going to promote your hardware. Take solace in the fact that you can buy a ChromeCast from a lot of places, and just sit back and rake in the ad revenue from ALL platforms that run YouTube. You don’t have to get along with each other, and can continue sniping at each other until the end of time – just don’t force your end users to make the difficult but inevitable choice to abandon both your platforms for the next hot hardware that comes into the market. Worse yet, don’t put a bad taste in consumers’ mouths when alternatives (like iTunes Video and Xbox Video) exist and could gain market share at your expense if you force users into new behaviors.

No, I will not disable my ad blocker.

Anyone who uses an ad blocker has no doubt seen the “placeholder” images or text that replace where the advertisement would be on popular websites. These placeholders implore us to turn off our ad blockers to give the site vital revenue, to not starve the website owners of cash. Lately, there have been even more aggressive methods to ask us to turn blocking off – pop-up or interstitial notifications to shut the blocker off, or even full-page-blocking notifications that keep you from seeing anything if an ad blocker is on.

I do not, in principle, have an issue with these notifications. I think companies and individuals who support their sites with advertising have the right to ask us to turn off the tech that keeps them from getting paid and paying their bills. However, I must regretfully inform these sites that I will not be turning off my ad blocking software, and here is why:

Ad networks (the 3rd-party companies that serve up the ads found on most websites these days) have become nothing more than the latest vector for delivering malware of many forms. In the past, an attacker had to compromise the site itself through security holes or brute force in order to turn that site into an attack vector for infecting visitors with various nasty software. Ad networks have allowed attackers to do many times the damage with a fraction of the effort.

Here’s how it works: The attacker buys ad space with a network that allows JavaScript or other active-code ad serving. The technology generally allows advertisers to show rich-media ads (which are annoying and should be removed from the internet anyway, but I digress). Rich-media ads have video, audio, and other eye-catching stuff built-in, but require that the website displaying them allow the scripts to be run. They also require that the browser allow the scripts to run, which ad blockers disable. For a legitimate advertiser and the website owner, this means better conversion rates (the rate at which viewers click on the ad to see the product/service being sold). As a result, rich-media ads have become insanely popular with advertisers, and supporting them has become a requirement for most ad networks.

An attacker can create an “advertisement” that has scripting which delivers the payload of their choice. This could be malware or spyware that the user must accept and run, other malware and spyware that requires no user interaction (limiting what it can attack, but making it much more likely to execute), or more recently crypto-currency mining scripts that chew up CPU cycles and can theoretically damage a computer through overheating it. Since the ad network has no way to tell that the malicious ad is any different from any other rich-media ad (because networks don’t bother to police their customers), the ad network serves up the bad ad to hundreds of websites and infects thousands of end-users.

In short, network advertising on websites has become the new way for attackers to deliver their malware.
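As an added illustration (not code from the original post), here is the decision an ad blocker of the kind described above makes before a network's script is ever allowed to run: a tiny subset of Adblock Plus filter syntax (`||host^`, optionally `$third-party`) applied to a constructed page and its script requests. The `.test` hostnames and filter rules are made up for the example, and the first-party check approximates registrable domains by the last two labels rather than using the Public Suffix List as real blockers do.

```javascript
// Added example (not code from the original post): a minimal model of how an ad
// blocker decides whether a script request may run. It supports a small subset
// of Adblock Plus filter syntax: "||host^" (host and any subdomain) with an
// optional "$third-party" option. Rules and hostnames are constructed for the
// example; the ".test" domains are reserved and not real ad networks.

const RULES = [
  "||ads.example-network.test^$third-party", // block only when embedded cross-site
  "||tracker.example-cdn.test^",             // block everywhere
];

function parseRule(rule) {
  const [pattern, opts = ""] = rule.split("$");
  if (!pattern.startsWith("||") || !pattern.endsWith("^")) {
    throw new Error(`unsupported rule: ${rule}`);
  }
  return {
    host: pattern.slice(2, -1).toLowerCase(),
    thirdPartyOnly: opts.split(",").includes("third-party"),
  };
}

// "||host^" matches the host itself and any of its subdomains.
function hostMatches(requestHost, ruleHost) {
  return requestHost === ruleHost || requestHost.endsWith("." + ruleHost);
}

// First- vs third-party is decided by registrable domain. Using the last two
// labels is an approximation; real blockers consult the Public Suffix List.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function isThirdParty(requestHost, pageHost) {
  return registrableDomain(requestHost) !== registrableDomain(pageHost);
}

// Returns true when any rule matches the request in the context of pageUrl.
function shouldBlock(requestUrl, pageUrl, rules = RULES) {
  const requestHost = new URL(requestUrl).hostname.toLowerCase();
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  return rules.map((r) => parseRule(r)).some(
    (r) =>
      hostMatches(requestHost, r.host) &&
      (!r.thirdPartyOnly || isThirdParty(requestHost, pageHost))
  );
}

// Partition the scripts a page is about to load into blocked and allowed sets;
// this is the decision a blocker makes before a rich-media script ever runs.
function filterScripts(pageUrl, scriptUrls, rules = RULES) {
  const blocked = [];
  const allowed = [];
  for (const url of scriptUrls) {
    (shouldBlock(url, pageUrl, rules) ? blocked : allowed).push(url);
  }
  return { blocked, allowed };
}

// Demonstration on a constructed page that embeds its own script plus two
// third-party ad/tracking scripts.
const demo = filterScripts("https://news.example-site.test/article", [
  "https://news.example-site.test/static/app.js",
  "https://cdn.ads.example-network.test/rich-media.js",
  "https://tracker.example-cdn.test/t.js",
]);
console.log(demo);
```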

This “malvertising” has become so prevalent that even giant sites like Showtime have been attacked via malware in ads posted on their sites. The ad networks do nearly nothing to stop the problem, and the site owners cannot stop it short of removing the ad networks’ code from their sites.

So, until such time as ad networks begin to properly police the ads they put up on network sites, or until such time as you – the site owner – remove that code and post ads you know to be non-malicious only; I’m not turning off the ad blocker. I’m sorry that this impacts you, truly I am. However, the situation has reached a point where no site that runs network ads is safe unless that code is blocked from ever running.

PS: I do indeed subscribe to websites that offer quality content without ads, either through Patreon or directly with the site itself. I know that this limits how many sites I can possibly support, but for those that offer great content and don’t attempt to infect my system with their lax code policies, I’m more than willing to put my money where my mouth is.

Out with LiquidSky, in with @Paperspace

Those who follow me on Twitter know I have, in the past, been a big fan of LiquidSky for cloud gaming. What I’ve found over time, however, is that I can no longer support that platform. I’ve officially cancelled my subscription and been using a new platform – Paperspace and Parsec – for several months now. The reasons for the change are straightforward, and could have been addressed by LiquidSky before I jumped ship, but were not.

First, a note on what cloud gaming is: Basically, cloud gaming is simply a desktop hosted with a cloud provider close enough to you physically to provide a very low latency streaming experience. Streaming allows you to see the video and hear the audio of the desktop in much the same way as you watch movies and TV online. Low latency allows your clicks and keyboard input to happen on the remote desktop in close enough to real-time that it feels real-time. Both are required for cloud gaming because you need to react to what’s happening on the screen as it happens (you see an enemy, you react and shoot, or hide, or dodge, etc.). This is insanely difficult to accomplish, as most streaming systems like Netflix are designed for one-way communication. They send the data to your browser or set-top box and that’s all they’re worried about. With gaming, input matters, and therefore latency in both sending and receiving input is something that must be dealt with. Just having a remote desktop connection doesn’t work – latency might be low enough to stream the desktop to you, but not anywhere near low enough for quick reactions to be recognized by the desktop itself in enough time to be useful.

Another issue is that most cloud platforms are geared toward commodity compute – basic CPU and RAM functions – and not for graphics. This means that while some games will run, those that require dedicated graphics cards (GPU) will not – ruling out the use of nearly all major games you’d want to play. GPU-focused cloud instances exist, but at a huge premium in price, and latency is still a massive issue with those.

Cloud gaming works to solve both issues by accelerating networking to allow for reasonably low latency, and offering GPU-enabled cloud desktop instances with sufficient resources to play the games you want to play. It’s a balancing act, and tricky to get right, but a few companies have managed to do it. For a Mac person who likes to play big-name games (which are typically Windows only), cloud gaming is a dream that’s just now starting to come true.

So let’s address why I made the switch:

1 – Mac Support: LiquidSky originally had a great Mac client. It wasn’t perfect, but they were working on correcting the few issues there were and making it better. Then LiquidSky 2 launched without a Mac client at all. Over the remainder of 2017, we Mac users patiently waited for the next-generation Mac client, but to no avail. Update after update of the Windows client came, and an Android client finally launched, but the Mac client continued to be listed as “coming soon.” As one of the major uses of cloud gaming is allowing Linux and Mac users to play these games, this is inexcusable. The Windows client can be used on a Mac with virtualization or emulation (things like VMware Fusion and Wine), but this requires a level of technical expertise that is beyond the majority of users – and doesn’t provide a pleasant user experience at all.

Paperspace has had a Mac client since day one of their GPU-enabled gaming desktop services. It works, and it works very well, and they’re continuing development of the platform as they move forward to make it even better. They partner with Parsec to minimize latency and maximize the gaming experience overall, and they provide complete and easy-to-follow instructions on how to install and use these tools that anyone can follow.

2 – Latency: LiquidSky has continued to get worse and worse on this front as it gets more popular. While I’m happy they’re getting more users, they’re not scaling properly to allow for the increased user base to get a good experience when they play. Overburdening of their systems is taxing their networks, causing lag that makes playing many games impossible, and most games just plain unpleasant. Even using Wine to jury-rig their client into working on a Mac, visuals are “muddy” and reaction is sluggish and painful most of the time.

Paperspace keeps their networks and platform robust as it grows. It’s not perfect – there are periods of peak activity that definitely cause hiccups, lag, and some muddiness; but they’re far fewer than I ever experienced on LiquidSky and seem to be kept short. You’ll get a few seconds of sluggishness and stutter, and then you’re back to the great desktop experience you want.

3 – Billing Experience and Support: LiquidSky just doesn’t seem to care about its customers. It pains me to say that, as this is completely different than the experience I had when I started using their service. Customer support used to be fast, efficient, and friendly. Now, it seems that they respond when they feel like it, if at all, and basically always answer with “we’re working on that.” While this answer is perfectly acceptable when a new platform launches or a major overhaul has been rolled out – that period of acceptability ended several months ago and the attitude has continued nonetheless. Billing is painful, as it is handled by a 3rd-party entirely now and not even visible on the LiquidSky site. The shift from the ability to use unlimited accounts to everyone using a points system to rent access by the hour is even more confusing, and poorly explained. Let me be clear, they needed to raise their rates – no one could hope to grow and expand with the numbers they were offering – but make it easy for people to figure out what they’re paying for. Use real money for the per-hour fees, not a conversion first to points and then to different amounts of points for each of the sizes of machines that can be run.

Paperspace has two billing options: per-hour fees in real money and unlimited plans at a fixed amount of money per month. They do charge far more than LiquidSky for unlimited accounts, but they are available and a decent value indeed for those of us who spent a lot on our Mac or Linux desktops and do not wish to buy a Windows machine with that much horsepower just to play games. Billing is handled by Paperspace and all options are available from their own website so I can manage my account quickly and easily. Support is stellar! Paperspace requires the use of a 3rd-party service called Parsec to play games (it mitigates many of the latency issues and handles things like controller support). I have been able to get help on Parsec from Paperspace directly, even though it isn’t their code or product. Paperspace always replies quickly and in a friendly manner.

All-in-all, LiquidSky seems to have totally lost the plot when it comes to cloud gaming. They shifted their focus to gaining more users as fast as possible by offering free credits for watching ads, but didn’t plan well to handle the influx of users that brought. They lost focus on their customers, and service and support suffered. They’ve outsourced their billing to a 3rd-party and detached themselves from that process, and made the new purchase plans confusing and complex. Finally, they’ve stabbed their Mac customers in the back by focusing so heavily on Windows. I do understand that the vast majority of the gaming market is Windows, so this isn’t an unsound business decision on their part. That being said, they had a fanatically loyal user base of Mac folks, who are now abandoning the service due to neglect. They did so as several well-known names like nVidia jumped into this space to compete for those same Windows and mobile users. So they’ve given up one advantage (a dedicated and untapped market) to maximize their effort in a crowded space against major household names. That’s not the best business plan.

Paperspace, with the help of Parsec, offers the total package. High quality services, ease of use, native clients on Mac, and reasonable prices. Note that cloud gaming is currently a very expensive proposition, with monthly fees averaging about US$200/month for unlimited use and per-hour fees being higher than for commodity compute uses. It is, however, worth it – especially for occasional gamers who just want to play one or two games that are Windows-only and therefore don’t need a monthly unlimited plan. It’s not perfect. Setup can be challenging, and not all hardware is fully supported (especially USB devices like gamepads and microphones for chat) – though that’s also the case for LiquidSky and not a Paperspace-specific issue. There are instances of network congestion, and minor nitpick issues, etc. Compared to their competition, however, they’re showing themselves to be leaders in the space of cloud gaming – giving big name brands like nVidia a real challenge and proving that they know what they’re doing and will get it done. They’re also proving themselves savvy businesspeople by targeting users who want the service and have found other platforms don’t get the job done. Mac and Linux users who want to play Windows games exist, and they spend money with companies that remain loyal to them – and Paperspace is going after that loyalty while retaining Windows customers – a recipe for success.

So give Paperspace a look if you’re gaming and not on hardware that can support those games well. No matter if it’s Windows, Mac, or Linux on your desktop, they can make your experience a lot better. Start with an hourly GPU instance and see if it meets your needs. You can always graduate to a monthly plan later if that will save you money. The Paperspace team will indeed be there to help you choose, help you get set up, and help you get back in the game.

Outlook for iOS just plain sucks

Recently, I joined a new company that uses Office365 – Microsoft’s cloud-forward platform that they believe will eventually replace the traditional licensing models for the Microsoft Office Suite, Exchange Server, SharePoint and several other products. The idea is good, as it opened the door to Microsoft finally bringing its signature office applications (Word, PowerPoint, Outlook, etc.) to more platforms, like iOS devices. Word, Excel, and several others made the jump to my iPhone rather nicely. I’m pleasantly surprised at how well they translated from the big screen on my desktop to the small screen on my mobile devices.

Outlook fell out of the WTF tree and smacked into every single dumb-ass branch on the way down.

First, let’s talk about the interface. On a computer, with a keyboard and mouse, the interface for Outlook for PC and Mac is manageable and usable. I’m not a huge fan of the “put all the menu buttons in one tiny corner” school of UX design, but with keyboard shortcuts it’s a very workable solution for maximizing screen real-estate. Even in Outlook for Mac – long the whipping boy for how not to port an application from Windows – the interface is clean, effective, and works. On iOS, the interface is horrible. There are no keyboard shortcuts to jump from mail to calendar to contacts, and some features like the task list are just plain missing. To be fair, tasks sync to the Reminders app in iOS – but only if you also set up your Outlook/Exchange account as an internet account on the phone.

All right, I know what you’re all saying, “It’s a scaled down version for just the essential stuff like email!” Great, let’s look at email:

No font sizing. So basically you’re going to see a set amount of info on each screen, no exceptions. Got an iPhone SE and need a bigger scale to avoid going blind? Too bad. On an iPad Pro and want to shrink stuff down so you can get more on the screen? Sucks to be you. To clarify, I am not talking about the fonts IN the emails – Outlook has little to no control over that if the email has its own formatting. I’m talking about the interface itself and the message previews in your mailbox lists.

No red squiggles. In nearly every other iOS application, when you misspell a word that autocorrect doesn’t murder for you (AUTOCORRECT SICKS!), you get a helpful visual indicator that something just ain’t right – the infamous red squiggle underline. It happens in the native mail app, and Airmail for iOS, and honestly every other 3rd-Party email app I’ve tried since iOS 4 was a thing. Outlook can’t get it to happen – or on the few instances they do get it to work it almost immediately stops working again. I’ve changed my keyboard settings, fiddled with autocorrect settings, etc. Nothing gets it to work reliably. Now I do a quick proof-read of emails before I hit send whenever possible because… well… AUTOCORRECT SICKS! but sometimes it’s easy to miss a spelling errer, and the red squiggly lines (like the one that’s glaring at me from that purposeful mistake in the last sentence) are extremely vital to not letting them get sent out.

No S/MIME support. What were they thinking? Outlook on the desktop has supported S/MIME in one form or another since Office 98, and done it reasonably well. Even Outlook for Mac has supported the use of signing certificates since it changed over from Entourage years ago. The native mail app supports S/MIME just fine, so the phone itself is capable of it; and other 3rd-Party mail apps seem to offer at least basic support for it, so it’s not an “Apple locked this feature away for their own use only” issue. But, alas, Outlook for iOS cannot use certificates to sign or encrypt emails, or even recognize that one is in use in an incoming email.

Not all bad news

There are some good points to Outlook for iOS as well. It’s not all doom and gloom. While the sizing is an issue, the interface is at least intuitive enough that I didn’t have to go searching through a knowledge base to figure out where things were. Not having the keyboard shortcuts as on a Mac or PC is annoying, but not something that will completely hobble you. Having email and calendars in one app is a much simpler method than downloading the .ics attachment, opening it in the Calendar app, and finally accepting it (or more often than not, finding out there is a conflict and starting the process over with the updated invite). Direct interoperability with other Office for iOS apps right out of the box is also a strong feature in Outlook’s favor. And having the licensing included in my Office365 subscription – which is handled by the iTunes App Store natively – makes things a lot simpler to manage.

I hope that Microsoft hammers out the kinks in the system. I would personally love to use Outlook for iOS for all of my work-related email; as I always keep work email and personal mail in different apps to avoid confusion and mistakes between accounts. For now though, I have to stick with Airmail for iOS. It doesn’t support S/MIME either, but can talk to Exchange online and does everything else I need except Calendars. For those who are interested, I went with BusyCal for iOS on that front.

Outlook for iOS is a flawed, half-baked product. It shouldn’t be part of the Office for iOS suite, and only serves to drag down what is otherwise a great set of apps that we’ve all been waiting for since Microsoft started looking at mobile devices. Get it together, Microsoft, and give me what I’ve had on the desktop and in other 3rd-Party email apps for years now!