Archive

Archive for the ‘Security’ Category

iCloud: Possession Is Nine Tenths Of The Law

August 7th, 2012 No comments

An Apple Support Article of note: iCloud: What to do with your iCloud data before selling or giving up possession of your Mac: http://support.apple.com/kb/HT5189

Take the time to read it and consider all the implications. It’s not an issue of ‘bugs’ but rather that sync can have unintended and unpleasant consequences when it performs exactly as it’s designed to.

 

 

Post to Twitter Post to Facebook

Flashback-More Info

April 13th, 2012 No comments

Steve Ragan of Security week tells us Everything You’ve Always Wanted to Know About Flashback (but were afraid to ask)

The above just about covers it all. I’ll add that my earlier post: Apple shoddiness so easily fixed remains relevant but Apple has improved the documentation for the two latest updates:

About Java for Mac OS X 10.6 Update 8 and  About Java for OS X Lion 2012-003 continue to have different names for the Snow Leopard and Lion updates and continue to link to files with uselessly unclear file names. (JavaForMacOSX10.6.dmg and JavaForOSX.dmg respectively). The good new is that now Apple includes this in both documents: “Java for Mac OS X 10.6 Update 8 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for [OS version].” so, some forward motion there.

The key take away from this very real malware event on Mac OS X is this: It may be true that Mac OS X, when configured and managed properly, is less of malware risk than Windows. It’s clearly true that the Mac is not now, never was and never will be immune. Even iOS has not been immune if you acknowledge that some less than ideal behavior has been allowed in Apple-approved apps. Just because something is better doesn’t mean it’s perfect and informed users and well managed I.T. are a necessity no matter what. Apple would have been wise not to oversell the Mac’s historical advantage in this regard as a future guarantee of safety. I said that to Apple loudly and repeatedly for years. I said this to clients. Now the truth has been thrust upon us: No, the Mac is not the insta-p0wn Windows was. Yes, I’d still much rather use a Mac but the Mac’s not perfect and Windows is getting better. We all need to be smarter. We all need to realize we have a responsibility to protect ourselves and learn caution.

One final thought. I’ve picked on Intego a lot before.  The most aggressive of my posts about them being “When your protection tools can’t be trusted: Intego“and another later post where I made some significant technical errors Intego pointed out and I corrected.

In truth a side effect of the Flashback story for me is that my frustrations with Intego have crystalized nicely. I understand more completely why I express such frustration with them. I also fully acknowledge that they have made useful and meaningful contributors to the research and documentation of issues with Flashback for the Mac community.

What I said in the past was that they don’t seem to understand that as a vendor of security tools they need to be above moral reproach in the way they communicate.  This is a blog of a person. A person who happens to run a business but a person none-the-less. You don’t see these posts at my company site. Here, I’m a Mac IT and media production consultant blogging on a personal blog some might say has an attitude. That’s, in part, what a personal blog is for. A touch of the ‘tude. A bit more of the personality than corporate communications.

My clients will tell you when it’s business,  I may be gruff but I am always one hundred percent transparent about the issues involved in a problem or project and I never, ever, take a markup on services or products I specify for a job. I sell my opinion and my skill and my willingness to say “I’ll do what you ask but I think it’s bad for your business for these reasons.” and let my clients decide. This is a business value system I am proud of. It’s what I believe a good consultant strives to do. Help the client, be honest even if it costs you revenue. This attitude has, I hope, been a major reason I’ve stayed in business.

The concern I have with Intego I now understand better and  it’s well encapsulated in a quote from the article linked at the top of this post:

“Intego promoted the trial of their Anti-Virus product, while Sophos promoted their free Mac-based Anti-Virus. F-Secure, Symantec, and Kaspersky Lab also released tools. However, on April 12th Kaspersky had to temporarily pull its tool out of circulation, after a handful of the people downloading it reported that its usage could result in erroneous removal of certain user settings. Kaspersky fixed the tool and released an update a day later.”

Look what other companies did. Note even that Kaspersky made a mistake that they had to publicly acknowledge and then promptly fixed. Contrast the others with Intego. Intego promoted their commercial product as a fix and offered a 30 day free trial. A free trial you could only get if you gave them your email address. There’s a sort of sticky ooze all over that approach.

True, no company has to provide product or tools for free but a smart company, a company you want to do business with, might have recognized that there are more customers to be won if you provide a simple and basic free tool for one issue as a promotional loss-leader for the product they can, and should BUY to provide protection in the future.

What Intego did was say “Here’s a fix. If Apple doesn’t really solve this for 30 days, you’ll have to pay us.” and “Here’s a fix but we want your email so we can try and sell you stuff later.” and to me, that’s a tone-deaf approach.

A tone-deaf approach defined by a naked marketing agenda. Tone deaf marketing makes me feel like I can expect tone-deaf support. If I think I’m going to get tone-deaf support, I won’t trust a security tool provider. It’s just that simple. The past issues I’ve had with Intego all boil down to the same thing.  Dumb down UX at the expense of good practice.  Post alerts that convey more urgency than there is.  Do these things and your company doesn’t feel trustworthy.

Flashback is a real threat now. Now Intego can (and should!) enjoy revenue that comes with more global awareness of the truth that Mac users do need to be a lot more security aware than, in general, they had been. But don’t over-play that hand. Don’t miss a chance to be the best and most transparent.

If you sell security tools, you have to recognize that value of your product is defined by ‘trust’ and trust is, in large part, engendered with tone. So, is Intego useless? No. Are they buggy? No more or less than anyone else necessarily. What they are is tone-deaf and it’s just sad. They are a Mac company selling to Mac users and we need them to be better.

 

Post to Twitter Post to Facebook

Facebook just bought Instagram and now 0wns you

April 9th, 2012 No comments

**** UPDATES: See Bottom of Post *******

Facebook just bought Instagram for one billion dollars. What did they buy? An iOS/Android app that lets you apply ‘very quickly get tacky’ photo filters to your cell phone snaps?

Nah…ugly, hopelessly hipster photo-effects does not a billion dollar business make.

Did they buy a tool that lets users upload images to a free service and share those pics on Facebook and Twitter from their cell phones?

Nah… it’s not that hard to do.  Facebook and Twitter phone apps already support this functionality and that’s not worth one beeeeelyon dollars.

Well if they didn’t buy these two defining features of Instragram what did they pay a billion dollars for? Facebook paid a billion dollars to own more of you. Well, dear readers, I hope not literally you because I hope you, like me, were smart enough not to sign up for Instagram in the first place but a lot of other people did. A lot of people I sincerely respect as technologists did. Even a lot of real photographers I know did and, from day one, it baffled me.

Well, now the bill for the ‘free’ they enjoyed comes due.

Now, Facebook, who many ‘digerati‘  have managed to completely avoid (or, who, like me, regret joining and now try to manage more closely) owns all the information you uploaded to and shared on Instagram. No, they don’t own the copyright to your photos. They don’t even really own the metadata but they own you in the  l337 sense of the word ‘own’ or should I say p0wn you.

They’ve now dominated, defeated, fragged you and made you their… Well you get the idea.

Cameras, your phone cameras included, store  time, technical and often (usually on a phone) location metadata. Metadata is data about data. In this case, data about your pictures. Not just data that could be extrapolated with facial recognition or some other high tech fun, it’s simple and highly revealing data attached to the digital photo. It’s metadata uploaded right alongside the retro-sepia-lomo-shot of  your latest achievement in home canning. The metadata can often be extracted, aggregated and analyzed and, if it included GPS data (and again, on a cell phone camera, it usually does), you’re ‘checking in’ every time time you upload a picture.

All the metadata from GPS data you may have allowed to have stored and uploaded with your photos to whatever contexts you’ve shared them in, to the kinds of content you’re keen to photograph, to when you tend to take pictures to share. All of it. Owned.

The metadata Instagram have uploaded from your phone with your photos. The choices you’ve made about content. The pictures you took of every craft-brewed beer you’ve drunk. All of that is now in Facebook’s hands.

If you use Facebook, if you’ve shared your Instragram pics on Twitter, that’s all correlatable into one more-disturbing-than-you-can-likely-imagine profile of who you are, who you interact with, where you go, when you go there and, given the proclivities people have for the content of cell phone photos, what you eat, drink, smoke or otherwise ingest.

Now all that information is right there in the same mine-able cache of data along with everything you told Facebook about yourself, your friends and your family. And, worse yet, right in the mix along with everything your less than cautious friends might have decided they thought was ok to share about you.

“Big deal Jon you paranoid recluse, get a life!”

Oh yeah? Read this: This Creepy App Isn’t Just Stalking Women Without Their Knowledge, It’s A Wake-Up Call About Facebook Privacy and when you’re done and you say “But Jon, I don’t check in with Foursquare and besides, they took down that nasty stalker app.”. Bzzt… wrong answer. No Winnebago for you.  No autographed picture of Randy Mantooth either. They know more, not less than you think.

A decision or an accident by Facebook that shows this data to anyone able to access your page and a web scrape will make a “Girls Around Me” level of resolution and tracking  easy work for for any serious but average developer. By serious but average I mean the guys who work in your employer’s IT department. The PI your soon to be ex-husband’s lawyer hires. The PI his lawyer uses to build his case in effort to use custody of the kids as a cudgel. The kid who gets mad at you, teacher, for failing his plagiarized term paper. The stalker with resources. Your political opponent. Anyone with, frankly not especially hard to come by, resources who wants to do you harm or who wants to look in a general geographical area for somebody to do harm.

Never forget dear readers, we’d all be much better off if we started thinking of our personal information as currency and our opinions as monetizable content. Even if you’re not worried about any of the above, and the truth is, really most of shouldn’t. All of this makes you more the target for advertisers including charities and political campaigns. It’s more information about you that search engines can use to skew what results you get to help support your preferemces, or preconceptions.

The real lesson here is, a free service to help you share your content isn’t free. It’s costing you every time you use it. Start choosing more carefully. Start taking more control of your data.

 

***UPDATES 4.11.12***

Check out Andy Ihnatko’s piece in the Chicago Sun Times

I’m told by a reliable source that Instagram defaults location data to “off”. I didn’t remember. While I do actually think that’s good behavior, I’d guess many users turn it on because they like the ability to define place as part of what they post. I know there’s a lot of EXIF and other photo metadata to be mined all over the web.  It’s also not an Instagram-only issue. The point above is that you should know what you reveal where.  See this post on Aperture’s lookups though that post isn’t about what you post but rather how Apple looks up location info from GPS coordinates.

Post to Twitter Post to Facebook