
Archive for the ‘I.T. Management’ Category

Flashback-More Info

April 13th, 2012

Steve Ragan of Security week tells us Everything You’ve Always Wanted to Know About Flashback (but were afraid to ask)

The above just about covers it all. I’ll add that my earlier post: Apple shoddiness so easily fixed remains relevant but Apple has improved the documentation for the two latest updates:

About Java for Mac OS X 10.6 Update 8 and About Java for OS X Lion 2012-003 continue to have different names for the Snow Leopard and Lion updates and continue to link to files with uselessly unclear file names (JavaForMacOSX10.6.dmg and JavaForOSX.dmg respectively). The good news is that Apple now includes this in both documents: “Java for Mac OS X 10.6 Update 8 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for [OS version].” So, some forward motion there.

The key takeaway from this very real malware event on Mac OS X is this: It may be true that Mac OS X, when configured and managed properly, is less of a malware risk than Windows. It’s clearly true that the Mac is not now, never was and never will be immune. Even iOS has not been immune if you acknowledge that some less than ideal behavior has been allowed in Apple-approved apps. Just because something is better doesn’t mean it’s perfect, and informed users and well managed I.T. are a necessity no matter what. Apple would have been wise not to oversell the Mac’s historical advantage in this regard as a future guarantee of safety. I said that to Apple loudly and repeatedly for years. I said this to clients. Now the truth has been thrust upon us: No, the Mac is not the insta-p0wn Windows was. Yes, I’d still much rather use a Mac but the Mac’s not perfect and Windows is getting better. We all need to be smarter. We all need to realize we have a responsibility to protect ourselves and learn caution.

One final thought. I’ve picked on Intego a lot before. The most aggressive of my posts about them was “When your protection tools can’t be trusted: Intego” and there was another later post where I made some significant technical errors that Intego pointed out and I corrected.

In truth a side effect of the Flashback story for me is that my frustrations with Intego have crystallized nicely. I understand more completely why I express such frustration with them. I also fully acknowledge that they have made useful and meaningful contributions to the research and documentation of issues with Flashback for the Mac community.

What I said in the past was that they don’t seem to understand that as a vendor of security tools they need to be above moral reproach in the way they communicate. This is a blog of a person. A person who happens to run a business but a person nonetheless. You don’t see these posts at my company site. Here, I’m a Mac IT and media production consultant blogging on a personal blog some might say has an attitude. That’s, in part, what a personal blog is for. A touch of the ‘tude. A bit more of the personality than corporate communications.

My clients will tell you when it’s business, I may be gruff but I am always one hundred percent transparent about the issues involved in a problem or project and I never, ever, take a markup on services or products I specify for a job. I sell my opinion and my skill and my willingness to say “I’ll do what you ask but I think it’s bad for your business for these reasons.” and let my clients decide. This is a business value system I am proud of. It’s what I believe a good consultant strives to do. Help the client, be honest even if it costs you revenue. This attitude has, I hope, been a major reason I’ve stayed in business.

The concern I have with Intego I now understand better and it’s well encapsulated in a quote from the article linked at the top of this post:

“Intego promoted the trial of their Anti-Virus product, while Sophos promoted their free Mac-based Anti-Virus. F-Secure, Symantec, and Kaspersky Lab also released tools. However, on April 12th Kaspersky had to temporarily pull its tool out of circulation, after a handful of the people downloading it reported that its usage could result in erroneous removal of certain user settings. Kaspersky fixed the tool and released an update a day later.”

Look what other companies did. Note even that Kaspersky made a mistake that they had to publicly acknowledge and then promptly fixed. Contrast the others with Intego. Intego promoted their commercial product as a fix and offered a 30 day free trial. A free trial you could only get if you gave them your email address. There’s a sort of sticky ooze all over that approach.

True, no company has to provide product or tools for free but a smart company, a company you want to do business with, might have recognized that there are more customers to be won if you provide a simple and basic free tool for one issue as a promotional loss-leader for the product they can, and should BUY to provide protection in the future.

What Intego did was say “Here’s a fix. If Apple doesn’t really solve this for 30 days, you’ll have to pay us.” and “Here’s a fix but we want your email so we can try and sell you stuff later.” and to me, that’s a tone-deaf approach.

A tone-deaf approach defined by a naked marketing agenda. Tone deaf marketing makes me feel like I can expect tone-deaf support. If I think I’m going to get tone-deaf support, I won’t trust a security tool provider. It’s just that simple. The past issues I’ve had with Intego all boil down to the same thing. Dumb down UX at the expense of good practice. Post alerts that convey more urgency than there is. Do these things and your company doesn’t feel trustworthy.

Flashback is a real threat now. Now Intego can (and should!) enjoy revenue that comes with more global awareness of the truth that Mac users do need to be a lot more security aware than, in general, they had been. But don’t over-play that hand. Don’t miss a chance to be the best and most transparent.

If you sell security tools, you have to recognize that the value of your product is defined by ‘trust’ and trust is, in large part, engendered with tone. So, is Intego useless? No. Are they buggy? No more or less than anyone else necessarily. What they are is tone-deaf and it’s just sad. They are a Mac company selling to Mac users and we need them to be better.


Apple shoddiness so easily fixed

April 4th, 2012

******UPDATE 4.8.12*******

I make some assumptions I probably shouldn’t in this blog. In this case my flawed assumption was that readers would already have done the research, or would use the embedded links below to research the fixes and specifics of this malware. Feedback from readers indicates they’d rather have had more from me on the specifics of Flashback malware and more context. All I intended to point out below was that Apple wasn’t applying good practice in how they posted and documented updates. For those wanting more info on the issue, this is a great piece from Rich Mogull at Macworld.

**********

There’s a lot of noise about Apple whenever they slip up. A bug in a piece of software, an adapter cable that can take only so much abuse. There’s often room for some debate about what’s a reasonable expectation of quality or even what’s really a problem.

There is an update to Java for MacOS that addresses a pretty serious Java security problem being exploited in the wild. (Info here, and here and here.) I’m not getting into how long it took to patch, pointing out that it’s good practice to leave Java off unless you need it on (ditto Flash), or that this is another good argument for running Little Snitch and ClamXav or similar tools. This is a much simpler issue.

This is a simpler, more easily fixed concern: Apple needs to clean up its documentation and naming and it needs to be consistent.

This is the Apple Support Document for the Snow Leopard compatible version of the Java update: http://support.apple.com/kb/DL1516

This is the Apple Support Document for the Lion compatible version of the Java update: http://support.apple.com/kb/DL1515

The names of the updates in the two articles differ. “Update 7” for the Snow Leopard update vs “2012-001” for the Lion update.

The files the updates link for download are not only different but opaquely named. “JavaForOSX.dmg” for the Lion update and “JavaForMacOSX10.6.dmg” for the Snow Leopard update.

This is broken.

How can support people, be they professional or ‘just helping dad’, hope to be able to recognize these updates, be confident they address the same issues, and don’t make possibly different (app-breaking) changes to the way Java behaves when the naming and descriptions are so vague and inconsistent?

Argue if you like that it has marketing value to name every MacBook Pro model released since the death of PowerPC a “MacBook Pro” or that “The New iPad” isn’t too-clever-by-half a name for the 3rd generation iPad but there’s no reason for creating this confusion.

It’s so easily fixed with a set of conventions published and enforced internally at Apple for consistent naming and documentation. Enforcing such consistency and publishing that set of conventions would be enormously useful for the legions of people who save Apple millions doing support for Apple’s products.


AT&T and the word “Unlimited”

March 2nd, 2012

Weasel words may change the meaning of ‘unlimited’ in terms of a court’s interpretation of a contract but they categorically do not change the underlying truth that ATT chose a word they weren’t willing to have mean what it means.

—————————–

This word you keep using, ‘unlimited’. I don’t think it means what you think it means.

I have an unlimited data plan option on my iPhone. I have had this contract since shortly after the release of the iPhone in June of 2007. I stayed with AT&T to keep that grandfathered plan not because I needed it. Not because Verizon isn’t a MUCH more reliable cell carrier but because if you allow yourself to get on a metered plan, you fall to the mercy of your provider. To see how this is exploited, give this a read: http://blog.jonalper.com/2010/price-of-sms/.

The thing is, with telcos both wired and wireless, we have more rights than if, for example, they were a restaurant deciding after we’d ordered the meal that they were charging for ketchup. With a restaurant, we don’t like the food or the prices? Tough noogies on us for that check. We pay. We leave. We don’t come back. We don’t have any right to tell a restaurant how much they can charge; all we can do is choose another and hope market pressures keep prices in check.

With telcos and cable companies we really don’t have that option. We can’t just pay and walk away to a better, cheaper alternative. They have near and sometimes literal monopolies depending on where you live and whether your devices are locked to their service.

What we do have is this:

If you’re old enough, recall long distance charges before the government broke up the original AT&T. Now, think about the way spectrum is allocated (wireless spectrum is owned by the people and allocated to companies to sell us back services using that spectrum) and the way cable companies and telcos get access to tear up the roads and put up poles.

They get this access in exchange for the right to make money selling us connectivity. When we grant them this access to public (public means we own them: all citizens own them, and we ‘hire’ government to manage them for us) facilities as a way to let them turn a profit we must also demand they find a way to profit in a manner that serves the public good.

This isn’t some hippy-lefty-tree-hugger-99% thing. This is simple logic. They get the right to exploit public resources to make money and with those rights come responsibilities. It’s our job to make sure we get both what we pay for as customers and what we, as a country, pay for when we allow them that access.

Today, ATT announced:

http://www.att.com/esupport/datausage.jsp

“Info for Smartphone customers with Unlimited Data Plans

Do you have an unlimited data plan? If so, we have information to help you manage your account if you use more than 3GB, which means you are in the top 5% of data users in our network. If you have a 4G LTE Smartphone with monthly data usage over 5GB, you’ll also be interested in this information. You can check your usage for this month by dialing *data# on your mobile phone.
If you have one of our tiered data plans, this information will not affect you.
Background: In response to soaring mobile broadband usage and the limited availability of wireless spectrum, we implemented a network management program back in 2011 to help ensure the best possible mobile broadband experience for all of our customers.

If you have a smartphone that works on our 3G or 4G network and still have an unlimited data plan,
• You’ll receive a text message when your usage approaches 3GB in one billing cycle.
• Each time you use 3GB or more in a billing cycle, your data speeds will be reduced for the rest of that billing cycle and then go back to normal.
• The next time you exceed that usage level, your speeds will be reduced without another text message reminder.
If you have a 4G LTE smartphone and still have an unlimited data plan, the same process applies at 5GB of data usage, instead of 3GB.
You’ll still be able to use as much data as you want. That won’t change. Only your data throughput speed will change if you use 3GB or more in one billing cycle on a 3G or 4G smartphone or 5GB or more on a 4G LTE smartphone.”

This is actually a loosening of what they’d allegedly been silently doing before, capping at 2GB, but now they’re on record.

In my “informed but not a lawyer” opinion:
A lawyer would say this is not within the legal definition of a “reasonable” interpretation of the word “unlimited”.

This is what a lawyer would call ‘breach of contract’.

As a citizen and co-owner with you all, My Fellow Americans, this is not what I want my government to allow them to do with our spectrum, our rights of way under and over our land.

So, what I’ll be doing, and what I recommend y’all do too is the following:

– Look into what it takes to file a small claims action in your state. Might win, might lose but either way, it will cost AT&T money to defend themselves or pay because they refused to.

– Go here and file a complaint: http://esupport.fcc.gov/complaints.htm

– Contact your representative and complain to them: http://www.house.gov/

Why do you care?

Very simple. If there is no such thing as an ‘unlimited’ plan for data services, wired and wireless, then there will be no “cloud”. There will be no ‘backup to a server’. There will be no “access my data from anywhere”. There will be those who can pay the metered fees and those who can’t. The digital divide will be a chasm. The telcos will be able to skim a piece of the action off everything you do. Netflix will be Netflix’s fees plus however much your ISP charges for having been home with the flu and watched more movies than last month. It will mean if you use iTunes Match and want to listen to your music you may pay a bit more for the last few plays of that great new London Calling reissue.

This isn’t some small little narrow issue. This is about the future of the connected world. There is plenty of money to be made selling unlimited connectivity. Our job as customers is to simply make it too expensive not to.
