Getting rid of Facebook

One of my readers asked me how to go about removing Facebook completely from their online lives. After I pulled together the various links that you’ll see below, I thought I would share with you all. Now, I am not saying that I am contemplating doing this: sadly, my online professional life requires that I continue to be a part of Facebook, whether I like it or not. But that doesn’t mean I have to agree with its corporate policies, as I have made clear in several posts earlier this summer. But read on or save this column somewhere, just in case you are thinking about de-Facing your life.  And be prepared to spend a few hours going through the numerous steps.

Your first to-do is to download all of your data that Facebook has on you. I wrote about this process earlier (and covered the other social networks too) in this post. But if you just want the Facebook archive download, go to this page.  You might have to wait a few days until your archive is ready: don’t worry, you will be notified.

Next, decide whether you want a trial separation or a total divorce. Facebook refers to the former as deactivating your account. This keeps your data in their grubby digital hands, but at least you will disappear from your friends’ social networks. You can change your mind in the future and re-activate your account just by logging back into your account, so if you are somewhat serious about this but don’t want to inadvertently log in, make sure you delete the login details from your password manager or any saved websites on your various browsers and computers.

If you still want to stick with Facebook, you might just want to cleanse your privacy settings. This post goes into detail about how to do this. You can see how complex setting up your privacy has gotten, when you need a full page of instructions to navigate the various options.

Before you opt for the total divorce, take a look at the connected apps that you once allowed access to your Facebook account. You might not have remembered doing this, and in another column I spoke about what you should do for a social media “spring cleaning” for the other networks and for your various privacy settings. You should spend some time doing this app audit for the other networks as well.

Why do you want to deal with your connected apps before total account deletion? Because you might want to still access one or more of these apps, and if you delete your Facebook presence, your access goes away if that particular app depends on that. For example, a web portal that my doctors use to communicate with me could depend on my Facebook login. (It doesn’t, but that is because I decided to use another login mechanism other than Facebook.) By going to the connected apps page, you can see the complete list of whom you have authorized.

Still with me? I realize that it seems as if the scope of this project continues to widen, but that is to be expected. Let’s continue.

Mashable has this nice article that will walk you through the steps of both deactivation and a complete deletion process. I won’t repeat the numerous steps here, but you should take the time to review their post.

If you opt for deletion, remember you have to cleanse your entire computing portfolio of everything Facebook: this means all your browsers, your mobile devices, and your mobile messenger apps too. I don’t particularly like the mobile messenger app, as one friend described it accurately as a “rabid dog” that just grabs your contacts and other data. Indeed, if you have examined your downloaded archive you can see that for yourself.

Now for the final step, the actual deletion. The Mashable piece has a long list of what you have to do, aside from hitting the delete button in the Facebook interface. If you want a more visual aid, check out this screencast that shows you these first steps.

I realize this is a lot of effort, and Facebook has very nicely put in a number of “Are you sure” checks along the path, just in case you aren’t completely ready for the divorce. I would be interested in hearing from you if you do go through the entire process and what your reasons are for doing it.

Watch that browser add-on

This is a story about how hard it is for normal folks to keep their computers secure. It is a depressing but instructive one. Most of us take for granted that when we bring up our web browser and go to a particular site, we are safe and we know what we see is malware-free. However, that isn’t always the case, and is getting harder.

Many of you make use of browser add-ons for various things: Right now I am running a bunch of them from Google, to view online documents and launch apps. One extension that I rely on is my password manager. I used to have a lot of other ones but found that after the initial excitement (or whatever you want to call it, I know I live a sheltered life) wears off, I don’t really take advantage of them.

So my story today is about an add-on called Web Security. It is oddly named, because it does anything but what it says. And this is the challenge for all of us: many add-ons or smartphone apps have misleading names, because their authors want you to think they are benign. Initially, Mozilla wrote a recommendation for this add-on earlier this month. Then they started getting complaints from users and security researchers. Turns out that they made a big mistake. Web Security tries to track what you are doing in your browsing around the Internet, and could compromise your computer. When Mozilla add-on analyst (that is his real job) Rob Wu looked into this further, he found some very nasty behavior that made it finally clear to him that the add-on was hiding malicious code. Mozilla basically turned off the extension for the hundreds of thousands of users that had installed it and would have been vulnerable. This story on Bleeping Computer provides more details.

In the process of researching this one add-on’s behavior, Wu found 22 other add-ons that did something similar, and they were also disabled and removed from the add-on store. More than half a million Firefox users had at least one of these add-ons installed.

So what can we learn from this tale of woe? One thing is the sobering thought that even security experts have trouble identifying badly behaving programs. Granted, this one was found and fixed quickly. But it does give me (and probably you too) pause.

Here are some suggestions. First off, take a look at your extensions. Each browser does this slightly differently. Cisco has a great post here to help you track them down in Chrome and IEv11. Make sure you don’t have anything more than you really need to get your work done. Second, keep your browser version updated. Most of the modern browsers will warn you when it is time for an update, and don’t tarry when you see that warning. Finally, be aware of anything odd when you bring up a web page: look closely at the URL and any popups that are displayed. Granted, this can get tedious, but you are ultimately safer.
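For Firefox, the "take a look at your extensions" step can be done from the profile data instead of by name alone, which matters when the name is misleading. This is an added example, not code from Mozilla or from the posts linked above; it assumes the profile's `extensions.json` holds an `addons` list whose entries carry `userPermissions.permissions` and `userPermissions.origins` (check the field names against your own profile), and the sample data is constructed.

```python
import json

# Constructed sample in the shape of a Firefox profile's extensions.json.
# Every name and ID here is made up for the example.
SAMPLE_EXTENSIONS_JSON = """
{"addons": [
  {"id": "vault@example.invalid", "type": "extension", "active": true,
   "location": "app-profile",
   "defaultLocale": {"name": "Example Password Manager"},
   "userPermissions": {"permissions": ["storage", "tabs"],
                       "origins": ["https://vault.example.invalid/*"]}},
  {"id": "helper@example.invalid", "type": "extension", "active": true,
   "location": "app-profile",
   "defaultLocale": {"name": "Safe Browsing Helper"},
   "userPermissions": {"permissions": ["webRequest", "webRequestBlocking",
                                       "tabs", "cookies"],
                       "origins": ["<all_urls>"]}},
  {"id": "coupons@example.invalid", "type": "extension", "active": false,
   "location": "app-profile",
   "defaultLocale": {"name": "Old Coupon Finder"},
   "userPermissions": {"permissions": ["history"], "origins": ["*://*/*"]}},
  {"id": "dark@example.invalid", "type": "theme", "active": true,
   "location": "app-profile",
   "defaultLocale": {"name": "Dark Theme"}, "userPermissions": null},
  {"id": "builtin@example.invalid", "type": "extension", "active": true,
   "location": "app-builtin",
   "defaultLocale": {"name": "Built-in Component"},
   "userPermissions": {"permissions": ["tabs"], "origins": ["<all_urls>"]}}
]}
"""

# Host patterns that give an add-on access to every site you visit.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# WebExtension API permissions worth a second look during an audit.
SENSITIVE_PERMISSIONS = {
    "webRequest": "sees every request the browser makes",
    "webRequestBlocking": "can modify or block requests",
    "tabs": "sees the URL and title of every tab",
    "history": "reads browsing history",
    "cookies": "reads and writes site cookies",
    "nativeMessaging": "talks to programs outside the browser",
    "management": "can inspect or disable other add-ons",
    "proxy": "can reroute browser traffic",
}


def audit_addons(extensions_json_text):
    """Return user-installed extensions, highest risk score first."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        # Themes, dictionaries and built-in components are not what we audit.
        if addon.get("type") != "extension":
            continue
        if addon.get("location") != "app-profile":
            continue
        granted = addon.get("userPermissions") or {}
        api = set(granted.get("permissions") or [])
        origins = set(granted.get("origins") or [])
        sensitive = sorted(api & SENSITIVE_PERMISSIONS.keys())
        broad = sorted(origins & BROAD_ORIGINS)
        # One point per sensitive API, three more for all-sites access.
        score = len(sensitive) + (3 if broad else 0)
        active = bool(addon.get("active"))
        if not active:
            advice = "disabled but still installed: remove it if unused"
        elif broad and sensitive:
            advice = "review: sensitive APIs on every site you visit"
        else:
            advice = "scope is limited to specific sites"
        findings.append({
            "name": (addon.get("defaultLocale") or {}).get("name", "?"),
            "id": addon.get("id"),
            "active": active,
            "score": score,
            "sensitive": sensitive,
            "broad_origins": broad,
            "advice": advice,
        })
    return sorted(findings, key=lambda f: (-f["score"], f["name"]))


if __name__ == "__main__":
    for f in audit_addons(SAMPLE_EXTENSIONS_JSON):
        print(f"{f['score']:>2}  {f['name']} ({f['id']})")
        for perm in f["sensitive"]:
            print(f"      {perm}: {SENSITIVE_PERMISSIONS[perm]}")
        print(f"      {f['advice']}")
```

To run it on a real profile, pass the text of that profile's `extensions.json` to `audit_addons` in place of the sample.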

Not yet ready to cut the cable cord

If you want to completely cut the cable cord, it isn’t easy. I have been waiting for technology to become spousal-ready, and we are still about a year or two away. Today you have a lot of choices in the $40/month range that rival what the cable companies offer you for TV programming. The trouble is you have to make a choice between user interface and great TV resolution: you can’t yet have something that delivers both, other than your cable company.

I pay AT&T Uverse $125/mo. for my TV programming. That includes two receivers, one of which is a DVR and a boatload of various taxes and fees. Is it worth it to move to one of the online TV providers and save $85 a month? Eventually, I decided no, after trying two services, You Tube TV and Hulu Live TV. You can follow along with this column if you are brave enough: both offer a free trial of their services for a week, after which the monthly subscription starts. There are other services; my patience wore thin after experimenting with these two however.

Let’s first look at the user interface and mindset of the two online providers. You can obtain your TV programming in one of two ways: either by selecting your shows using a channel via your web browser or via an app that runs on your TV equipment. The web browser has the better UI because the developers working at the providers have more to work with and are more used to building web apps these days. And, you have a real keyboard for input, unlike your TV where you have to navigate around an on-screen one that can be infuriating.

So how do you get the audio and video signals from your computer to your living room TV? Two ways: either by connecting your computer directly to your TV with an HDMI cable or using one of several devices like Google’s Chromecast that does this for you wirelessly. If you use the direct cable connection from your computer, you will have to figure out a wireless keyboard and mouse to control it. If you use Chromecast, you will have to figure out the sequence of controls using the three apps that Google has (Google’s Chrome browser, Google Home and the Chromecast app itself) to get it set up. The workflow isn’t immediately obvious, and I suggest you learn the process before bringing your spouse into the room for the demo.

The nice thing about Chromecast is that any content that is displayed in a browser tab can be quickly transmitted to your TV by clicking a few buttons. I say a few: my wife got immediately weary of the process when I showed her what was involved. Your own experience may be similar. The bad thing about Chromecast is that the resolution is poor: nowhere near HD quality and even below SD video quality. Even if you have an old living room TV (and mine is more than five years old), you will be disappointed with the Chromecast video quality. And by the way, Google sells two different versions of Chromecast: one is for audio only; the other is for video and comes with the HDMI connector.  Make sure you buy the right one.

Another difference is how you access TV shows that have previously aired. Hulu’s web UI is very akin to the Amazon and Netflix web UI. In order to get the entire season’s worth of episodes, you have to click on the name of the show in the “My Stuff” guide. You can’t reorder the shows listed. If you click on the video itself, you are taken to the current episode. You Tube TV lists each episode as separate videos, much like the way ordinary You Tube does for its videos. (You can see the web version of the live TV guide above.)

So far I have only talked about using the web clients of You Tube and Hulu. There is a second method, which uses the native apps that run on your TV equipment. If you have a new TV, chances are it comes with apps for a variety of video providers, including Amazon, Netflix, You Tube and Hulu. I tried the apps that ran on my Samsung Blu-ray player: it didn’t have a You Tube app, again because it was more than five years old.

Sadly, there are UI differences between what you see with your web browser and the TV-based app clients, with the TV apps being far less capable than their web cousins. One big difference is how the onscreen channel or movie guide is shown. Netflix has the longest experience with developing its apps, and there are major interface and stability differences between its Android, iOS, web and embedded TV apps. On my Samsung device, the Netflix app frequently can’t find the Internet, or just quits working entirely. On the web client, that rarely happens.

Like Netflix, You Tube TV and Hulu both allow you to segregate your family’s preferences, so you can keep track of your individual tastes and what you have already watched. You Tube allows up to six different family members. Hulu is more restrictive and confusing, and there is also an unlimited extra-cost option.

Speaking of extra cost options, this is where the two providers are showing their relative youth. If you don’t want to watch live TV programming, Hulu has plans that start at $8/mo., or $12/mo. if you want to skip most commercials. If you want everyone to watch different streams concurrently, that will cost another $15/mo. There are also premium channel fees for HBO, Showtime and Cinemax.  You Tube TV has Fox Sports, Starz, AMC, Sundance and Showtime premium add-on channels.

Finally, Hulu with Live TV doesn’t support viewing live TV streams on all of its devices, according to this very confusing webpage. I read over the caveat several times and didn’t really understand what they were saying.

Alright, let’s move on to discussing the real benefit with using the TV apps from the online providers (or Blu-ray player, in my case). Your video quality will be as good as anything else you run on the TV, full HD. But you have to put up with a sub-par UI to get it.

So, what should you do? First, if you are in the market for a new TV, sign up for at least one of the online TV providers before you go shopping, and set up a simple temporary login password too. Go to your store and login to your provider, using the embedded app on the TV, and see for yourself if the UI is going to give you fits in selecting your programming with a couple of sets that you are interested in. If you really want a true A/B test, buy a Chromecast and bring that along with your laptop and see what the resolution will be if you don’t believe me.

If you just bought a TV within the last couple of years, try my experiment at home and see if you get better results than I did with my tests. The apps could be better than I experienced. If you have a large family and many different TV sets scattered throughout your home, you will probably end up sticking with your cable provider.

Watch that keyboard!

We are using our mobile phones for more and more work-related tasks, and the bad guys know this and are getting sneakier about ways to compromise them. One way is to use a third-party keyboard that can be used to capture your keystrokes and send your login info to a criminal that then steals your accounts, your money, and your identity.

What are these third-party keyboards? You can get them for nearly everything – sending cute GIFs and emojis, AI-based text predictors, personalized suggestions, drawing and swiping instead of tapping and even to type in a variety of colored fonts. One of the most popular iOS apps from last year was Bitmoji, which allows you to create an avatar and adds an emoji-laden keyboard. Another popular Android app is Swiftkey. These apps have been downloaded by millions of users, and there are probably hundreds more that are available on the Play and iTunes stores.

Here is the thing. In order to install one of these keyboard apps, you have to grant it access to your phone. This seems like common sense, but sadly, this also grants the app access to pretty much everything you type, every piece of data on your phone, and every contact of yours too. Apple calls this full access, and they require these keyboards to ask explicitly for this permission after they are installed and before you use them for the first time. Many of us don’t read the fine print and just click yes and go about our merry way.

On Android phones, the permissions are a bit more granular, as you can see in this screenshot. This is actually just half of the overall permissions that are required.

An analysis of Bitmoji in particular can be found here, and it is illuminating.

Security analysts have known about this problem for quite some time. Back in July 2016, there was an accidental leak of data from millions of users of the ai.type third-party keyboard app. Analyst Lenny Zeltser looked at this leak and examined the privacy disclosures and configurations of several keyboard apps.

So what can you do? First, you probably shouldn’t use these apps, but try telling that to your average millennial or teen. You can try banning the keyboards across your enterprise, which is what this 2015 post from Synopsys recommends. But many enterprises today no longer control what phones their users purchase or how they are configured.

You could try to educate your users and have them pay more attention to what permissions these apps require. We could try to get keyboard app developers to be more forthcoming about their requirements, and have some sort of trust or seal of approval for those that actually play by the rules and aren’t developing malware, which is what Zeltser suggests. But good luck with either strategy.

We could place our trust in Apple and Google to develop more protective mobile OSs. This is somewhat happening: Apple’s iOS will automatically switch back to the regular keyboard when it senses that you are typing in your user name or password or credit card data.

In the end though, users need to understand the implications of their actions, and particularly the security consequences of installing these keyboard replacement apps. The more paranoid and careful ones among you might want to forgo these apps entirely.

Practical ways towards more secure logins

Lately, numerous websites have adopted better security practices, supporting a wider variety of multiple factor authentication or MFA. I have been trying these out and for the most part they install relatively easily, although your mileage will vary. The idea is that you want something more than your username (often just your email address) and a password. No matter how complex your password, it can be circumvented by a determined hacker. And many of us (you know who you are) don’t use very complex passwords, or reuse them across various sites.

Let’s start first with the MFA tools that I want to use. First up is Google Authenticator. This is a smartphone app that generates a one-time PIN. You get to the dialog box on your website and enter the PIN and you can complete your login. Google Authenticator is dirt simple to set up: you scan a QR code that is displayed on your screen and it then shows you an entry for your website. The PIN changes every minute, so it is a lot harder to spoof than a code that is sent to your phone via text messaging.
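What the QR code carries is an `otpauth://` enrollment URI with a shared secret, and both the app and the website derive each PIN locally from that secret and the clock, so nothing is sent to the phone at login. The sketch below is an added example, not Google's code or anything from the sites mentioned here; it assumes standard RFC 6238 TOTP, reads the time step from the URI's `period` parameter, and uses a constructed URI built on the RFC's published test key.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

ALLOWED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}

# Constructed enrollment URI; the secret is the RFC 6238 test key
# ("12345678901234567890" in Base32), never a real account secret.
SAMPLE_URI = ("otpauth://totp/Example%20Site:reader@example.invalid"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example%20Site&period=30&digits=6")


def parse_otpauth(uri):
    """Decode the enrollment URI that the QR code encodes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ enrollment URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("enrollment URI carries no secret")
    b32 = query["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore stripped Base32 padding
    algorithm = query.get("algorithm", ["SHA1"])[0].upper()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": algorithm,
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC the counter, then dynamically truncate to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(params, now):
    """RFC 6238: the HOTP counter is the number of elapsed time steps."""
    counter = int(now) // params["period"]
    return hotp(params["secret"], counter, params["digits"], params["algorithm"])


def verify(params, submitted, now, last_counter=None, window=1):
    """Server-side check. Returns the matched time step, or None.

    Accepts +/- `window` steps to tolerate clock drift, compares in
    constant time, and rejects a code from a step already used.
    """
    current = int(now) // params["period"]
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(params["secret"], counter,
                        params["digits"], params["algorithm"])
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            if last_counter is not None and counter <= last_counter:
                return None               # replay of an already-used code
            return counter
    return None


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], totp(p, 59), verify(p, totp(p, 59), now=59))
```

A site that stores the returned time step per user and passes it back as `last_counter` makes each PIN single-use, so a code phished or shoulder-surfed after a successful login is refused.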

The other tool is the Yubikey, a USB device that supports the FIDO standards from Yubico. There is a small button on the device that you press, and that sends the appropriate code to your website at the appropriate time to complete your login. They are inexpensive and now support a wide variety of website logins. Again, setup is fairly straightforward, and I just leave my key in my desktop’s USB port so I don’t have to worry about losing it.

If you use both methods (and you should, why not), this will prevent someone else from trying to login to your account, even if they know your password. Once you have completed a successful login on one device, you aren’t prompted again for the extra security.

Twitter announced this past week that they support the Yubikey, which adds to their existing support of Google Authenticator and other authenticator apps. Here are the instructions for setting it up. The interface for doing this can be found starting with this menu, under the Security heading. It isn’t all that verbose an interface, but you can choose which of the three methods (text, Yubico key, and mobile app) or all of them to use for the additional security.

Next up is my WordPress blog. If you host your blog on, they have long supported various MFA methods, including Google Authenticator, Authy, Duo and others. If you use WordFence Premium, you can also get the MFA protection. Speaking of WordFence, you really should use it (at least the basic version): it will tell you who is trying to break into your blog and last week I got several thousand attempts, which I think was a new record for me.

So I was more motivated to start having better protection for my login there. Since I use the basic WordFence, I looked around and found miniOrange, another plug-in that supports WordPress as well as Magento, Drupal and Joomla CMS. It works with Google Authenticator as well as its own QR code reader and soft token apps. I used the free version, but if you pay extra for a miniOrange account, you can support more than a single user as well as get additional MFA methods, including Yubikey. There are several other MFA plug-ins for WordPress, but I didn’t try them.

While I was doing these installations, my bitcoin wallet app notified me that they were requiring everyone to add MFA to their logins soon, otherwise I wouldn’t be able to transfer any funds in or out of my account. That is a smart decision, especially given the number of recent exploits in this market space. So I got Google Authenticator working on that as well.

Finally, a few weeks ago I was getting all sorts of notifications that someone was trying to login to my Facebook account, so I wanted to add both Google Authenticator and Yubikey to that login. I ran into problems: when I wanted to add the Authenticator app, Facebook turns on “Allow logins without a code for one week.” You can’t then turn this off without disabling my Authenticator app.  I am not sure this is a good idea, but when I went back to check on it for this post I couldn’t find the setting. Your dialog box when done will look like this.

As you can see, this is still not completely ready for your mom’s logins. (At least, it isn’t ready unless you want to support her when she has problems.) But you should take the time and add these tools to protect your own logins.

Fixing Facebook’s flaws

Facebook has been under fire for the past several months as Zuck does his World Apology Tour, both in DC and in Belgium giving testimony to the EU Parliament. That link takes you to a YouTube video from The Verge which shows him not answering very pointed questions from the body’s members. The EU format was very different from his US Congressional testimony in April: In Europe, the session was just an hour and a half, with much of that time taken up by Members’ speeches. In the States, he was there for a total of ten hours.  Business Insider called the EU appearance “a wash out.” That difference between the two geographies was noted by lawmakers quoted in Vox. “We are here in terms of regulation,” said Claude Moraes of the British Labour Party, gesturing upward with one hand, “And the United States is here,” gesturing downward with the other.

Sadly, the social media giant has paid lip service to protecting users’ privacy. There is this story in the NY Times about how it cooperated with the major cellphone vendors to give them access to vast amounts of private user data.

And the company hasn’t done very well towards policing its content for terrorist and hate speech. This recent post in the UK’s Independent talks about the effort that the vendor is going to try to block hate speech in Germany. The reporter takes us inside a 1200-person cubicle farm where analysts try to screen content in real time.

But to get a more complete picture, you should read this report last month from the Counter Extremism Project called Spiders of the Caliphate. It lays out a chilling analysis of how poorly Facebook has done in policing pro-ISIS propaganda. It documents how their supporters operate on that network and even leverage its features. ISIS’ online networks are growing and are used to plan and direct various terror attacks as well as to mobilize foreign supporters to fight in various places around the world. ISIS’ Facebook presence is pervasive and well organized. According to the authors, ISIS “has developed a structured and deliberate strategy of using Facebook to radicalize, recruit, support, and terrorize individuals around the world.” They found from careful path analysis that ISIS’ “Facebook networks are strong, extensive, and growing.”

The authors selected a thousand Facebook accounts that they claim are ISIS supporters, using positive language and geolocation to specific areas, usernames with pro-ISIS meaning, accounts from people that claimed they worked at ISIS or are from place names that are under ISIS control. You would expect many of these accounts to originate from the Middle East, but there also were accounts from Nepal, South Korea and South America too: ISIS has truly gone global. There were even American accounts.

They examined each account’s timeline and pattern of liking and sharing posts and then recorded the number of their friends or followers and other data. They then visualized this data using the open source network path analysis tool Gephi. While I am not an expert here, it seems their methodology is sound.

They found many disturbing things. There were 28 accounts that were used exclusively to post pro-ISIS propaganda, with some posts that have remained online for more than a year and racked up thousands of views. Also, “a group of American ISIS supporters holds weekly meetings on Facebook Live to discuss topics ranging from ISIS ideology to how to avoid detection from the FBI.” ISIS supporters live in more than 80 different countries. Most supporters had publicly visible posts, too.

Facebook’s misleading efforts to counteract terrorism

Facebook says they have worked hard to try to stem this pro-ISIS tide, but the CEP report documents how they have misled the public and been largely ineffective. The report says that Facebook has been unable to do anything “in a manner that is comprehensive, consistent, and transparent.” Rather, it has enabled ISIS supporters to flourish and grow their social networks. Of the 1,000 accounts analyzed, less than half of them had been removed by Facebook by March 2018, and many accounts were reinstated multiple times after removal. “Perhaps most concerning is that Facebook’s suggested friends algorithm reveals how the company’s tools have aided in connecting extremist profiles and help expand ISIS networks.” The report goes further and says that Facebook executives have purposely misled policymakers and the public in terms of their cleansing of their network from pro-ISIS activities.

The post in New Europe was quite disparaging and called Zuck’s non-answers before the EU evasive and a disaster. It mentions his claim that Facebook “can flag 99 percent of the ISIS and al-Qaeda related content that we end up taking down before any person in our community flags that for us.” Clearly, that number (apart from being meaningless) is at odds with the CEP report.

One final personal note about Facebook’s inadequacies.  Two months ago, I tried to download information from Facebook and other Internet sites that they have collected about my usage, and documented the experience in my blog here. It wasn’t an easy exercise, but it was sobering to see how many advertisers had my name in their sights, and in their sites as well. None of the Internet properties make this easy for you to do, but the effort is worthwhile and another eye-opener.

The New Europe post says, “It’s not like Facebook doesn’t have the resources to do better. Facebook’s market capitalization is more than the GDP of Belgium. Until Facebook finally tells the truth, it will be difficult for lawmakers and the public to hold it, and other tech companies, accountable for the level of disturbing and harmful content that proliferates online today.” Finally, I speak to this issue of corporate and leadership integrity on Shel Holtz’ For Immediate Release podcast this week. (Skip to 12:15 if you don’t want to listen to the entire hour.)

Having better risk-based analysis for your banks and credit cards

When someone tries to steal money from your bank or credit card accounts, these days it is a lot harder, thanks to a number of technologies. I recently personally had this situation. Someone tried to use my credit card on the other side of Missouri on a Sunday afternoon. Within moments, I got alerts from my bank, along with a toll-free number to call to verify the transactions. In the heat of the moment, I dialed the number and started talking to my bank’s customer service representatives. Then it hit me: what if I were being phished? I told the person that I was going to call them back, using the number on the back of my card. Once I did, I found out I was talking to the right people after all, but still you can’t be too careful.

This heat-of-the-moment reaction is what the criminals count on, and how they prey on your heightened emotional state. In my case, I was well into my first call before I started thinking more carefully about the situation, so I could understand how phishing attacks can often work, even for experienced people.

To help cut down on these sorts of exploits, banks use a variety of risk-based or adaptive authentication technologies that monitor your transactions constantly, to try to figure out if it really is you doing them or someone else. In my case, the pattern of life didn’t fit, even though it was a transaction taking place only a few hundred miles away from where I lived. Those of you who travel internationally probably have come across this situation: if you forget to tell your bank you are traveling, your first purchase in a foreign country may be declined until you call them and authorize it. But now the granularity of what can be caught is much finer, which was good news for me.

These technologies can take several forms: some of them are part of identity management tools or multi-factor authentication tools, others come as part of regular features of cloud access security brokers. They aren’t inexpensive, and they take time to implement properly. In a story I wrote last month for CSOonline, I discuss what IT managers need to know to make the right purchasing decision.

In that article, I also talk about these tools and how they have matured over the past few years. As we move more of our online activity to mobiles and social networks, hackers are finding new and sneaky ways to leverage our identity. One-time passwords that are being sent to our phones can be more readily intercepted, using the knowledge that we broadcast on our social media. And to make matters worse, attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications.

Of course, all the tech in the world doesn’t help if your bank can’t respond quickly when you uncover some fraudulent activity. Criminals specifically targeted a UK bank that was having issues with switching over its computer systems last month, knowing that customers would have a hard time getting through to its customer support call centers. The linked article documents how one customer waited on hold for more than four hours, watching while criminals took thousands of pounds out of his account. Other victims were robbed of five and six-figure sums after falling for phishing messages that asked them to input their login credentials.

Steve Ragan in a screencast below shows you the phishing techniques that were used in this particular situation.

The moral of the story: don’t panic when you get a potentially dire fraud alert message. Take a breath, take time to think it through. And call your bank when in doubt.


Finding the right escape room for your group

I am a bit slow to the whole escape room phenomenon, but it seems like a great idea to me. While I am not a computer gamer, I have run sites with that editorial content and know many professional gamers as a result. I am also a big Sudoku and crossword fan, having done those puzzles for more than a decade.

The idea, if you are still not tuned in, is to bring a few friends to a facility and try to escape from a locked room within an hour. You have to solve various puzzles. Actually, you have to find the clues and then figure out the puzzle, without a lot of guidance. If you haven’t ever done a room, you first have to be very observant, looking at what objects have been placed in the room, what information is written on the walls or displayed on various monitor screens, and what objects might lead you to other things. For those of you that don’t like solving puzzles, this is probably not something you are going to like. If you do like puzzles, or if you go to haunted houses every fall (or even build your own), this is probably something you have already checked out.

While I am not a computer gamer, I recognize that many years ago I spent weeks of my life trying to solve the puzzles of Myst. Back then, I said that “Myst starts out a total puzzle, and as you gain skills and understand the sequence of play involved, you get drawn into the universe of the game and lose track of real life and elapsed time.” You can say that about many modern computer games too. The problem with this is that you only have an hour to escape your particular room, and you don’t know how many puzzles you will have along your journey.

Given that there are thousands of rooms in cities all over the world, if you want to try one out the next hurdle is going to be to find one that suits your particular skills, experience, and group. Wouldn’t it be nice if someone reviewed rooms with some sort of consistency? Fortunately, there is a site that does, called EscRoomAddict. I spoke to one of their editors, named Jeremie Wood. (You can see a sample of one review here.)

The site has teams of reviewers in LA, Chicago, New York, Kansas City, Denver and Toronto, which is where they began four years ago. They have reviewed more than 400 rooms in North America. There are other sites that have reviews, but not as well organized or as consistent in their evaluations as ERA, as they call themselves. The site doesn’t pay their reviewers, but usually the room operator comps the reviewers to do the room. Many of his reviewers have played 50 or more rooms during their tenure, and Wood himself has lost count but thinks he has been party to at least 180 room reviews.

He told me based on his experience that he doesn’t think the escape room craze has peaked yet, and there are still new rooms being built. One opportunity is to try to attract more corporate customers, who use the room as a team-building exercise. And part of that effort is what motivated the founders to start ERA, so that corporate customers could find the best rooms in a particular location.

The escape room landscape is also changing. “Many of the early operators have closed, mainly because the standards for the best experience keep going up.” You might think that the best rooms are the ones that take the most money to build, but that hasn’t been his observation. “I have seen great rooms that didn’t cost much, and lousy rooms that were very expensive,” he said. “You don’t have to spend huge amounts of cash, but you do have to know what you are doing and design something that has really great puzzles and a great story.”

One of the reasons I like the ERA site is that it attempts to have consistent review metrics for all of its room reviews. The teams from the various cities met earlier this year here in St. Louis to try to iron out consistent style and to set up minimum requirements for their reviews. The reviewers also try to take into account a wide range of puzzle solving ability in their write-ups. Each room is done by at least three different people, who then collaborate on the review, and they usually agree on their evaluation.

Having been to so many rooms, Wood told me that the average Canadian rooms are smaller and more suitable for 4 to 6 people, whereas in the States, they can hold more participants. Also, in Canada, you usually book a room exclusively for your own group, even if it is smaller than the room capacity. In the US, your team is sharing the room with others if the demand is there.

If you have particular room experiences and want to share them with my readers, please post a comment here.

Hedy Lamarr, The First Geek Movie Star

The story sounds almost like a Hollywood plot, except it is true: A young starlet doing nude scenes as a teenager, goes on to invent a critical wartime technology that is ignored by the US Navy but ultimately forms the basis of WiFi and cell phones that we use today. Of course, I am talking about the life and times of Hedy Lamarr, the subject of a 2017 documentary film called Bombshell that is available from the streaming services.

She was also the subject of a 2011 biography from Richard Rhodes. I heard Rhodes back when he was promoting his book. Rhodes is the author of many intriguing history of science works, including the story of the Manhattan Project, and his book is worth reading. So is the film, which is also based on a 1990 taped interview that was recently found.

She is a fascinating study in how someone with both beauty and brains cannot necessarily make the best of both these worlds, yet she was constantly reinventing herself.

The movie traces her acting career and has various clips, including scenes from the provocative film Ecstasy, the one cited earlier that began her career and was banned by Hitler eventually. Lamarr was even the basis of one character in Mel Brooks’ Blazing Saddles.

Both the film and the book show how one of Lamarr’s many inventions, which she developed with her music composer neighbor George Antheil, came about through an odd inquiry. Lamarr was interested in a boob job and Antheil had written about early efforts in that area, again presaging another important intersection of Hollywood and technology. The duo went on to get a patent for a new technique for frequency-hopping radio communications. While not taken seriously at the time, it ultimately was deployed by the military in the 1960s during the Cold War. While the technique involved piano rolls, the basis of frequency hopping continues to be used as part of spread-spectrum radio communications that are in common use today. Along the way, Lamarr made many movies and married and divorced six husbands, the first of whom was a Nazi arms merchant who got her interested in developing new technology for the war effort once she fled to America. She lived to be honored by the Electronic Frontier Foundation a few years before she died in 2000.

It is hard for many of us to grok a movie star with her trips to the patent office and test tube rack in her trailer on the movie set, but she was the real deal.

Lamarr once said that “Any girl can be glamorous. All you have to do is stand still and look stupid.” She was anything but.

Keeping your home safe from the Internet of Bad Things

Back before we had nearly universal broadband Internet in our homes, the only electrically powered safety device that we had to worry about was the smoke detector, whose batteries we had to replace every six months. With the Internet of Things, we now have a lot more capabilities, but a lot more worries.

Some friends of mine have 23 devices connected to their home network: a Nest thermostat, security cameras, Alexa, smart TVs, network printers, gaming systems, smart watches and their computers. I am sure I have forgotten a few others. All of them can be exploited and used for evil purposes. Think of them as that back door to your home that is wide open.

This exploit for smart TVs was a news item last year. It uses a special digital broadcast signal to gain access to your TV’s firmware. I have been trying to update my firmware for weeks with no success, but I guess hackers are more adept. Still, this is a major concern for IoT devices both in the home and in the workplace. Many device makers don’t have any firmware update mechanism, and those that do don’t make it easy or automatic for users to do it. And devices are usually not monitored by corporate endpoint protection tools, which are usually designed for Windows, Mac and Linux machines.

Part of the problem is that the number of IoT devices continues to climb, with estimates in the tens of billions in the coming years. These devices are seemingly everywhere. And they are an attractive target for hackers. Hajime, Mirai, Reaper, Satori and Amnesia are all IoT-based malware that has been seen in the past couple of years. The hackers understand that once you can discover the IP address of a device, you can probably gain entry to it and use it for evil purposes, such as launching attacks on a corporate target or leveraging access to a corporate network to steal information and funds.

So what can you do? One friend of mine is so concerned about his home network that he runs his own firewall and has two different network-attached storage devices that make copies of his data. This enables him to get rid of having any data on his computers and removes all at-risk programs on them to further secure them. That is probably more than most of us want to do, but still it shows the level of effort that you need to keep things safe.

If you aren’t willing to put this much effort into your home network, here are a few easier steps to take. First, make sure you change all of your devices’ default passwords when you first install them – if you can. Some products have a hard-coded password: if security is a concern, toss them now. Second, if you don’t have a firewall/router on your home network (or if you are using the one supplied by your broadband provider), go out and get one. They now cost less than $100 and are worth it if you can take the time to set them up properly to limit access to your networked devices. Next, make sure your Wi-Fi network is locked down appropriately with the latest protocols and a complex enough password. If you have teenagers, set up a guest network that limits their friends’ access.
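To see what "limit access to your networked devices" buys you, here is an added example (not from the original column) that models which devices a compromised gadget could connect to on a flat network versus one split into trusted, IoT and guest segments. The subnets, device names and rule sets are constructed assumptions, and the router is assumed to be stateful with a default-deny policy.

```python
from ipaddress import ip_address, ip_network

def segment_of(addr, segments):
    """Name of the segment containing addr, or 'wan' for anything outside."""
    ip = ip_address(addr)
    for name, net in segments.items():
        if ip in ip_network(net):
            return name
    return "wan"

def can_initiate(src, dst, segments, policy):
    """True if src may open a connection to dst (stateful router, default deny)."""
    s, d = segment_of(src, segments), segment_of(dst, segments)
    if s == d:
        # Same-segment traffic is switched locally and never crosses the
        # router, so firewall rules cannot block it.
        return True
    return (s, d) in policy

def reachable_from(name, devices, segments, policy):
    """Devices that a compromised `name` could connect to directly."""
    src = devices[name]
    return sorted(n for n, ip in devices.items()
                  if n != name and can_initiate(src, ip, segments, policy))

# Constructed flat network: everything shares one subnet.
FLAT_SEGMENTS = {"lan": "192.168.1.0/24"}
FLAT_POLICY = {("lan", "wan")}
FLAT_DEVICES = {"laptop": "192.168.1.5", "nas": "192.168.1.9",
                "camera": "192.168.1.11", "tv": "192.168.1.12",
                "thermostat": "192.168.1.13", "guest-phone": "192.168.1.50"}

# Constructed segmented network: trusted LAN, IoT and guest Wi-Fi.
SEG_SEGMENTS = {"lan": "192.168.10.0/24", "iot": "192.168.20.0/24",
                "guest": "192.168.30.0/24"}
SEG_POLICY = {("lan", "wan"), ("lan", "iot"),   # manage gadgets from the LAN
              ("iot", "wan"), ("guest", "wan")}  # internet only
SEG_DEVICES = {"laptop": "192.168.10.5", "nas": "192.168.10.9",
               "camera": "192.168.20.11", "tv": "192.168.20.12",
               "thermostat": "192.168.20.13", "guest-phone": "192.168.30.50"}

if __name__ == "__main__":
    for label, net in (("flat", (FLAT_DEVICES, FLAT_SEGMENTS, FLAT_POLICY)),
                       ("segmented", (SEG_DEVICES, SEG_SEGMENTS, SEG_POLICY))):
        for victim in ("camera", "guest-phone"):
            print(label, victim, "->", reachable_from(victim, *net))
```

Segmentation keeps a compromised camera away from the laptop and NAS, but the other gadgets in its own segment remain reachable unless the access point also isolates clients from one another.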

Granted, this is still a lot more work than most of us have time or the patience for. And many of us still don’t even replace our smoke detector batteries until they start beeping at us. But many of you will hopefully be motivated to take at least some of these steps.