If you use iCloud, make sure it is properly secured — now

A friend told me this tale of woe that someone he knows had all their Mac Things compromised to the point where they were no longer working. Before I describe the situation, if you use iCloud, do these three things now:

  1. Change your iCloud password now. Pick something unique, complex enough to satisfy all of Apple’s requirements (lower case, upper case, a number and a symbol). For easy typing on phones, I use a series of words with the other adornments. I know changing passwords is a pain. But please do this now. Really. I will wait.
  2. Go to the iCloud security settings page and make sure you are using a two-factor method that isn’t SMS-based (and if you dare, uses passkeys).
  3. Go to your photo collection, and delete pictures of your ID documents, like driver’s license or passport. If you travel (remember travel?), one of the things they tell you is to make copies of your ID in your photo stream. I don’t think that is safe advice now, and will explain later. If you want to keep copies of these documents, make a printed photocopy and keep it in a different place from your actual documents.
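The "series of words with the other adornments" approach from step 1, as an added example that is not part of the original post and not Apple's code: it generates such a passphrase, checks a candidate against the lower/upper/digit/symbol policy, and reports how much entropy the word choices contribute. The word list here is a constructed stand-in; a real list (the EFF long list, for instance) has thousands of entries, which is where the strength comes from.

```python
"""Word-based passphrase that still satisfies a 'lower, upper, digit, symbol'
policy, plus a checker for that policy.

Added example, not the page's or Apple's code. WORDS is a constructed
stand-in for a real word list; a real list should have thousands of entries.
"""
import math
import secrets
import string

# Constructed stand-in list. A real diceware-style list such as the EFF long
# list has 7,776 words, i.e. log2(7776) ~ 12.9 bits of entropy per word.
WORDS = (
    "anchor", "basil", "cobalt", "drift", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nimbus", "orchid", "pepper",
)
SYMBOLS = "!@#$%^&*-_=+?"


def meets_policy(password, min_length=12):
    """True if the password has lower, upper, digit and symbol and is long enough."""
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_passphrase(num_words=4, words=WORDS):
    """Join randomly chosen words with '-', capitalise one of them at a random
    position, and append one digit and one symbol so the policy is met."""
    chosen = [secrets.choice(words) for _ in range(num_words)]
    idx = secrets.randbelow(num_words)
    chosen[idx] = chosen[idx].capitalize()
    return "-".join(chosen) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)


def passphrase_entropy_bits(num_words=4, wordlist_size=len(WORDS)):
    """Entropy of generate_passphrase's choices: the words dominate; the
    capitalised position, digit and symbol add only a few bits."""
    return (
        num_words * math.log2(wordlist_size)
        + math.log2(num_words)
        + math.log2(len(string.digits))
        + math.log2(len(SYMBOLS))
    )


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, meets_policy(pw), round(passphrase_entropy_bits(), 1))
```

With the 16-word stand-in list four words give only about 25 bits; with a 7,776-word list the same four words give about 61 bits, which is why the list size matters far more than the digit and symbol the policy insists on.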

Now, why go through all this? If you don’t know about SIM swapping, take a moment to click on that piece that I wrote a few years ago and learn more about it. Basically, once a criminal knows your cell phone number, they can impersonate you to your carrier and get your number reassigned to a SIM they control. From then on every SMS verification code sent to that number goes to them, and the fun begins.

What if you don’t use iCloud but use Google’s Account? You should follow a similar path, particularly if you have an Android phone.

Now, why the business of deleting your identity docs? Once someone has control over your iCloud account, they look through your photo stream, find those images, and present them as proof of identity when recovering your other accounts. And if you employ the “fake birthday” dodge (as I do and described here), you will have additional pain and suffering if you have to show your ID and the person you are talking to can’t match it to the fake birthday you set up when you first created your FaceTwitTok account.

Happy holidays folks. Don’t respond to texts from out of the blue. Don’t click on anything in email, even from someone you correspond with. And don’t reuse your passwords and eat your veggies while you are at it too.

My 30-year love affair with TCP/IP

Is it possible to fall in love with a protocol? I mean, really? I know I am a nerd, and I guess this is yet further evidence of my nerdom. But to properly tell this story, we have to go in the Wayback Machine with Mr. Peabody to 50 years ago, when Vint Cerf and Bob Kahn were working at Stanford and inventing these protocols. I was too young to appreciate the events at the time, but later my life would change drastically as I learned more about TCP/IP and how to get it working in my professional life.

You can read the original 1974 paper here as well as watch an interview with both men that was recorded earlier this year.

In the mid 1990s, I would meet Vint and so began our correspondence that has lasted to this day. I posted an interview with him in 2005 here that is still one of my favorite profiles. This was when he was about to start at Google and when I was running Tom’s Hardware. I asked him to recall the most significant moments of TCP/IP’s development:

  • 1/1/1983 – The cutover on Arpanet to TCP/IP
  • 6/1986 — The beginning of NSFNET
  • 1994 — Netscape supports HTTP over TCP/IP, and the Berkeley BSD 4.2 Unix release with support for TCP/IP
  • 2007 – The introduction of the iPhone

That is a pretty broad piece of computing history.

TCP/IP spent its first couple of decades growing up. Few people used it, and those that did were more akin to members of a secret society, the keepers of the flame called Unix. (Unix would give rise to Linux and macOS, and later to containers.) But then something called the Internet caught hold in the early 1990s. I wrote a blog post not too many years ago about the early tools we had to suffer with during that era to get TCP/IP working on other computers, such as DOS, Windows and Netware. It was far from easy, and many businesses had all sorts of pain points getting TCP/IP working properly. BTW, that link also has a hilarious clip about “the internet” that has held up well.

Netware is actually where my love for the protocols blossomed. Many of you might recall how powerful this early network operating system was, and how it could run multiple protocols with relative ease. Novell saw the importance of TCP/IP and invested heavily in bringing it to ordinary desktops, and by ordinary I mean the versions of Windows that we had to suffer with back then. Setting up a computer to connect to something else was made a lot easier by Netware’s TCP/IP support.

It wasn’t just Netware, though; it was the web that really turbo-charged TCP/IP. The web also took off during the 1990s, going from curiosity to standard practice seemingly overnight. The web really changed how we interacted with information. In my own case, I saw the publications that were making millions of dollars selling printed magazines go to a much reduced online form, and editorial staffs drop dozens of people from their mastheads. Now it is rare that a publication has more than a single full-time editor, which is great if you are a freelancer (which I am) but then budgets continue to shrink too, which is not great.

But in spite of these cataclysmic moments, I still say that I love TCP/IP. I don’t blame the protocol for the transformation of my industry. Au contraire, it made my computing life so much easier. Its beauty was its extensibility, its universal connectedness that was useful in so many different situations. And it also enabled so many apps, both then and now. And every app tells another story, which is after all my bread and butter.

This week, I bought a lighting controller that supports TCP/IP, for example. And that brings up another point. Today, we don’t give TCP/IP much attention, because it has been woven into the fabric of our computing systems so well. It is pervasive: you would be hard pressed to name a computer that doesn’t support TCP/IP. And by computer, I mean our smart TVs and other home appliances, our cable modems, our networks, our cars.

Vint wrote me after he read this essay: “TCP/IP has been improved over the years by people like Van Jacobson and David Taht among others. Google introduced QUIC which provides TCP-like functionality with some additional features. But it has certainly been a workhorse for the world wide web and its applications.” Note what he is doing here: giving credit to the other innovators, and to the extensions they built, on top of what he and Kahn came up with 50 years ago. A class act.

So much love to spread around. I count myself lucky to have been present for the last 30 years of the tenure of TCP/IP, and chronicle its growth and popularity.

The decline of Skype

About 20 years ago, Skype was the backbone of my telecoms. I used it to stay in touch with a worldwide collection of editors when I was running Tom’s Hardware and to make all of my international calls for pennies per minute. Some of you are old enough to remember when these calls cost dearly, if they could be made at all.

When you think about this broad stretch of time, and that you can now reach people on the other side of the world, with usually solid audio (and in some cases video) quality, it is pretty amazing. And it is nice to have lots of choices for your comms too.

If you want some perspective on how much this tech has changed since 2006, check out this piece that I wrote for the NY Times about the business instant messaging use. Remember Lotus Sametime? Jabber? AOL? Yahoo?

I wrote about this most recently in 2020 here, where I staked out the entire messaging interoperability problem, and when Teams was just muscling into this market.

This week I gave up my subscription and last remaining Skype credits of some $3. I haven’t used the thing in months, and it was time to say goodbye. Since being absorbed by the Redmond Borg, it has gotten less usable and useful. I almost always get stuck trying to figure out how to authenticate myself into live.com among my numerous accounts.

My choices for international communications are now plentiful. If I have to actually talk to someone, the most used is WhatsApp, which works reasonably well and is almost universal among people that I connect with. In second place is texting, either using SMS/iMessage or sometimes with Facebook Messenger. If I were younger I would probably put texting in first place. I use Microsoft Teams or Slack to communicate with my business colleagues, depending on which platform they are using. Sometimes I use Google Talk to make a few calls from my computer. My mother-in-law has an Alexa show, which makes for yet another channel to use.

Juggling all this tech can be tiresome to be sure. But it meant that Skype was gradually marginalized as time went on.

The decline of online shopping

I have been writing about online shopping for more than 25 years, starting in the mid-1990s when I became so enmeshed in it that I taught classes for IT folks to implement it in practice in their companies. I reviewed that history in an earlier post here.

Back in those early days,​ I had fun assignments like trying to figure out how long it took staff from an online storefront to respond to me-as-a-customer email queries, or documenting how hard it was to actually buy stuff online. Yes, someone actually was paying me to write an article about online stuff, which then would be published in a printed magazine weeks later. It seems so quaint now.

I also had a two-day seminar at various international trade shows about understanding internet commerce, payment systems, and installing and operating your own web storefront. One group of the attendees were from the US Postal Service, who were trying to put up a storefront selling stamps. Seems simple, right? What happens when your inventory can’t reflect the actual real-time situation — then you have a lot of angry stamp collectors. As I said, fun times.

Today I want to vent about a more basic issue: why has the online storefront become such a shopping hellscape? Let me explain.

Last week I wasted about an hour of my life trying to purchase two toiletries: shaving cream and deodorant. For many things, I am not brand-sensitive, but for these two items I am. Being a Prime Family, I went first to Amazon, where I was presented with dozens of online merchants that would try to sell me the exact item that I wanted. Except they weren’t actually Amazon itself, but third parties, many of which had “only 2 items left” warning labels, the latest come-on employed by online scammers everywhere. Create that sense of urgency, fueled by Covid supply chain issues, and get the customer to commit NOW! I moved on.

Next was Target.com, where I was greeted by first making sure that I had captured my account password before I attempted to buy anything. Then I had to decide which of three methods to get my stuff: by mail, pickup in the nearest store (what was my zip code, since I neglected — deliberately — to have that in my account profile), or same-day delivery. Each had a raft of options depending on how quickly I needed my items. And I hadn’t yet gotten to where I actually could search for my two precious toiletries. Forget Target.

Walgreens and CVS websites weren’t much better. I almost bought something here — I can’t recall which drug store — that would have one item mailed, one that I could pickup. Only it wasn’t at the nearest store, but one a few miles away. What was I doing? That was when I came to my senses.

I closed my computer in disgust and got on with my day.

Yesterday, I resumed my quest. There is a local drugstore that is a few blocks from my house, and I happened to walk by and thought, let’s just go in and see what they have in stock. Now, this is a small family operation not affiliated with the big chains. But that is a good thing because of three reasons. First, if you call them, you can actually talk to a live pharmacist within a moment, without having to wait on hold for 20 minutes or more. Second, they don’t lock away their stuff, like the big chains do, because of theft problems. But they get around that with an interesting twist: their shelves look very bare, because only one item of a given product is put there. That is their solution to shoplifters and the effect initially is quite eerie. But they didn’t have my brands, so I went away empty handed. (The third reason is that I have gone there to get my shots, because again they are easy to deal with.)

I came home frustrated. Then I thought I would try the small grocery store literally across the street from my home. Finally — and ironically — success. After running around in circles, the solution was simple, and the prices just a little more for the convenience of not having to navigate a series of lengthy menus and other effluvia.

Mission accomplished.

So what has happened to online storefronts in the past 25 or so years? In the quest to make everyone able to buy just about anything, they have become unusable. Menus are inscrutable, choices confound, and delivery mechanisms are so plentiful that they can paralyze consumers. So as I am looking through my slide deck for those c.1997 seminars that I taught around the world, I happened upon this summary of the implications of ecommerce:

  • Consumer control of privacy is essential  — most folks simply want the choice of opting out
  • The granularity of control must be fine, e.g.,
    • over number and frequency;
    • over categories of interests; and/or
    • over (indirect) dissemination to third-parties

In some respects, we have come a long way since those early days. In others, we are still learning these basic concepts. And next time I need something, I will head across the street to my local shop first.

How to protect yourself from Predator and other spyware

I wrote about the insidious operations of the spyware known as Predator for SiliconANGLE today. This nasty piece of work infects your phone and can capture everything going on around you, and what you type, and where you go, among other things. If this sounds familiar, it is. Remember the Pegasus spyware that was sold by the Israeli NSO Group?

A consortium of international researchers and reporters has published a coordinated exposé about the spyware, just like what happened a few years ago with Pegasus. What I want to talk about in conjunction with this effort are things that you can do to protect yourself. While you may not be a target, if you are sufficiently paranoid, you might want to implement at least one of the suggestions from the main Amnesty International report to protect your privacy.

I have annotated their recommendations with my own experience.

  • Update your web browser and mobile operating system software as soon as any security updates are made available for your devices. Many of the latest updates have been triggered by these spyware revelations.
  • Enable Lockdown Mode (Settings/Privacy and Security) if you use an Apple device. This can make a successful compromise of your device more challenging for an attacker. I have implemented this and so far it doesn’t seem to mess things up with normal phone operations. It does produce a regular series of warning messages saying that it is still on.
  • Be wary of clicking links from anyone, but especially strangers or people you haven’t heard from recently. Do not rely only on the preview of the URL displayed on messaging apps or social media platforms as that might be deceptive.
  • Pay attention to any changes in your devices’ functioning (e.g., shortened battery life or an overheated phone). However, this by itself is not a strong indicator of suspicious activity.
  • Disable the ‘Direct Messages from Anyone’ option on Twitter. Better yet, don’t reply to anyone there.
  • On your personal Facebook accounts, manage privacy settings to limit your profile’s visibility to existing friends.
  • Speaking of Facebook, I would also carefully evaluate any new friend or Messenger requests before accepting. Also, review your post comments for any entreaties from unknown contacts and delete them quickly. I almost always get several of these each time I post. And I have deleted the Messenger app from my phone, and just wait until I am back at my desktop and use the web version. The app collects all sorts of information about your contacts.

Going to a protest? Here is your digital privacy survival kit

If you are thinking of attending a protest, take a few moments to review the EFF’s recommended strategies for protecting your digital assets and privacy in this blog post. It is both an interesting document and a sad testimonial to the state of our present day that the document had to be written at all.

Here is the issue: police are increasingly counting on protesters’ cell phones to be used as evidence, so information on them — your contacts, your photos, your text messages — can be used against you. And not just during protests, either: border crossings can be problematic too. So as the scouts say, be prepared.

The suggestions span the gamut from things to do before you attend a protest, what to do during the protest, and what to do if you are arrested and if your phone and other digital devices are seized. EFF recommends leaving your regular phone at home and buying a burner that just has the Signal messaging app on it; Signal provides end-to-end message encryption, something that I spent some time thinking about. I put together a series of recommendations for business IT managers about how to enable and use this feature across other messaging services for SiliconANGLE earlier this summer.

One of the aspects of Signal is that it strips the metadata (the EXIF fields that record camera model, timestamp and, if enabled, GPS coordinates) from photos you send through it. This is important if you intend to post any of the pictures online. You can also take screenshots of your photos if you don’t care about image quality, since a screenshot carries none of the original’s EXIF data.
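What that scrubbing amounts to at the byte level, as an added example that is not Signal’s code and not part of the original post: a JPEG is a sequence of marker-tagged segments, and the identifying metadata lives in a few of them (APP1 for Exif and XMP, APP13 for the Photoshop/IPTC block, COM for free-text comments). The script below walks the segment table, drops those segments and copies everything else, including the compressed image data after the start-of-scan marker, unchanged. It needs no third-party library, and the sample image at the bottom is constructed to have a valid segment layout rather than a decodable picture.

```python
"""Strip identifying metadata (Exif, XMP, IPTC, comments) from a JPEG by
walking its segment table. Added example, not Signal's code; it needs no
third-party library, and the sample image at the bottom is constructed.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM, RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))
SCAN_DATA = -1  # pseudo-marker for everything after SOS, copied verbatim


def _is_metadata(marker, payload):
    """Segments that carry camera, location, editing or free-text metadata."""
    if marker == 0xE1:  # APP1: Exif or XMP
        return payload.startswith((b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00"))
    if marker == 0xED:  # APP13: Photoshop IRB, which holds IPTC records
        return payload.startswith(b"Photoshop 3.0\x00")
    return marker == 0xFE  # COM: free-text comment


def _segments(data):
    """Yield (marker, raw_bytes, payload) up to and including the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, b"\xff\xd8", b""
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, b"\xff" + bytes([marker]), b""
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        raw = b"\xff" + bytes([marker]) + data[pos:pos + length]
        yield marker, raw, data[pos + 2:pos + length]
        pos += length
        if marker == SOS:
            # Entropy-coded data runs to EOI and contains stuffed 0xFF00 and
            # RST markers; it is not segment-structured, so copy it as-is.
            yield SCAN_DATA, data[pos:], b""
            return


def strip_jpeg_metadata(data):
    """Return a copy of the JPEG with metadata segments removed."""
    out = bytearray()
    for marker, raw, payload in _segments(data):
        if marker != SCAN_DATA and _is_metadata(marker, payload):
            continue
        out += raw
    return bytes(out)


def segment_markers(data):
    """Marker bytes present before the scan data, for inspection."""
    return [m for m, _, _ in _segments(data) if m != SCAN_DATA]


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: not a decodable picture, but a valid segment layout.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")      # keep: JFIF header
    + _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08GPS 40.7N 73.9W")  # drop: Exif/GPS
    + _segment(0xFE, b"taken at the rally")                                 # drop: comment
    + _segment(0xDB, b"\x00" + bytes(range(64)))                            # keep: quant table
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                           # start of scan
    + b"\x12\x34\xff\x00\x56"                                               # scan data (stuffed FF)
    + b"\xff\xd9"                                                           # EOI
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print([hex(m) for m in segment_markers(SAMPLE_JPEG)], "->",
          [hex(m) for m in segment_markers(cleaned)])
```

Run it on a real photo by reading the file in binary mode and passing the bytes to strip_jpeg_metadata; the output is still a valid JPEG because the pixel data and the tables needed to decode it are untouched. Note that this removes embedded metadata only: it does nothing about what is visible in the picture itself.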

There are other helpful suggestions too, such as taking pictures without unlocking your phone, and disabling the facial or fingerprint ID feature, in case a law enforcement officer forces you to unlock it. They explain: “Under current U.S. law using a memorized passcode generally provides a stronger legal footing to push back against a court order of compelled device unlocking/decryption.” They also point out that encrypting the data on the phone and encrypting an external SD memory card may require two different steps. And there are numerous suggestions on how to turn off location tracking, Bluetooth, and other radios. That may only be a temporary solution, however: once you turn these radios back on, your phone may transmit whatever it queued while it was offline. The best solution is to turn your phone off entirely.

Finally, they sum everything up with this piece of advice: “It’s important to carry the bare minimum of data with you, and use the strongest level of encryption, when going into a risky situation like a protest.”

SiliconANGLE: California stays ahead on state privacy protection

California has become the latest state to enact a special law regulating how consumers can remove themselves from data brokers. The Delete Act was passed this week and it’s now up to Governor Gavin Newsom to sign it into law. But it has already led to similar laws and bills being proposed in other states in next year’s legislative sessions.

My summary of the past summer’s privacy laws enacted across the country, what makes California stand out, and the problem with data brokers all can be found in my latest piece for SiliconANGLE here.

SiliconANGLE: Beware of insecure networked printers

Despite promises of a paperless office that have origins in the 1970s, the printer is still very much a security problem in the modern office.

And even if Microsoft Corp. succeeds in its efforts to eradicate the universe of third-party printer drivers from its various Windows products, the printer will still be the bane of security professionals for years to come. The problem is that the attack surface for printer-related activities is a rich one, with numerous soft targets.

Taking care of insecure printers isn’t easy; here is a trip down memory lane in my latest post for SiliconANGLE.

Me and my Ecobee

For the past month, I have been messing around with an Ecobee “smart” thermostat for my condo’s heat pump. The reason for the quotes will become clear as you follow along in my journey.

I live in a high-rise condo and it was time for the regular servicing of our heat pump, if by regular you mean a spousal request that I should finally get the AC tech out to tend to it. The tech came, said everything was looking good but that you might want to get a new thermostat, for reasons that I don’t recall now. That provided enough motivation for me to start down my Ecobee journey, which is the brand that the tech recommended.

My electric utility was offering half off if I bought it through them. They also had free Nest thermostats, which my tech said I should steer clear of. Given that they were free I figured that something was wrong with them. So I got the mid-priced model and it arrived a few days later. It did take three phone calls to find the webpage to order the thing, let’s just put that there in terms of pain points.

Now, I have to say right up front that I am not a handy guy. Generally, I know my limitations. I was going to give the Ecobee a try, until I saw that I had to deal with putting a bunch of tiny wires in the right places. (You can see what I mean in the photo above. The putty around the edges is to block out airflows from behind the wall, which was suggested by the hot line folks.) I put in a call to my AC repair folks, who happily charged me more than I paid for the device to come install it with tech #2 (a different guy from the first one). Some drilling was involved. I made the right choice not to fly solo on this install.

I was impressed with the level of support from Ecobee: their smartphone app will take you step by step through the initial installation and also help troubleshoot any problems. There is also a phone hotline that is answered promptly and by native English speakers who have tremendous patience to deal with your issues, and I had plenty. One concerned the fact that the temperature reported by the thermostat was off by four degrees with a thermometer that we were using to verify that it was working. After several calls to the hot line, they told me that I could adjust the temperature with a “fudge factor” (that wasn’t the term they used but that is what it was) so they could match.

But we also had another problem, for which the kind folks at Ecobee put the blame squarely on my heat pump. It turns out the water drain from the unit would clog up, but only after the unit had operated for an hour. Another visit from the AC tech followed; at least this one was free, and tech #2 (the same guy who installed the thermostat) found the problem.

So I think we finally have all systems go. One issue that still remains is that the Ecobee has three different ways to control its operation: a touch screen on its front panel, a web page or via its smartphone app. All three have slightly to majorly different user interfaces. Some things are quickly accessed with one or the other interface, which doesn’t make it spousal friendly. But one nice thing is that you can control it when you aren’t home, which is helpful in debugging problems and also when you are on vacation and want the home cooled or heated to your requirements before you walk in the door.

Do I regret buying the Ecobee? No. I regret that it takes an IT guy 10 phone calls and an outlay of cash to get professional help to get it operational. Hence why I put the “smart” in quotes: maybe if it was used by a “smarter” home owner I would feel differently. Now if only I could get my “smart” TV to work the way I want it to.

NYC subway adventures in zero-factor authentication

Most of you know by now the meaning and importance of MFA, using more than one factor to authenticate yourself for your various logins. But here is a story that is somewhat chilling: thanks to the NYC subway authority, the MTA, someone who knows your credit card number could track your movements about the system, thanks to their implementation of zero-factor authentication.

Before Joe Cox, the business journalist who now writes for 404media (I know, miserable branding IMHO), wrote a story about this, you could bring up a page on the MTA’s website, enter the card number and see a week’s history of the station entry and exit times for each station where you tapped your contactless fare card (or Apple Pay or Google Pay on your phone). Well, you used to be able to do this, until Cox’s story ran exposing this vulnerability. Then the MTA wisely took it down a day after the story ran, saying they were evaluating the “feature.” Well, it is a feature for an estranged spouse (or someone else looking to do you harm) who wants to track your movements and establish a pattern of life. For the rest of us, it is a major-league privacy disaster. Credit card numbers are remarkably easy to obtain.

Now, I call this, somewhat ironically, zero-factor authentication, although sadly many security vendors are now using the term to refer to ways of authenticating your account without a password, which technically it is. But There Is No Authentication Involved Here, Folks.

Contactless cards — and the phone-based payment apps — are a big convenience. You don’t have to touch any public turnstiles or fumble with putting your card inside those pesky slot readers upside down and backwards. But the MTA went overboard and for some reason was completely brain-dead when they turned this “feature” on.
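The failure above in code, as an added example that is not the MTA’s code (their implementation is not public) and not part of the original post: a trip-history lookup keyed on nothing but the card number, beside one that first requires a logged-in account that has proven it holds that card. The trip data, the HMAC key used to index cards, and the enrolment step (confirming a one-time verification charge) are all assumptions made for the example.

```python
"""A fare-card trip-history lookup in the exposed form the story describes,
beside one that checks the caller actually holds the card.

Added example, not the MTA's code. The trip data, the HMAC key and the
enrolment step (how an account proves it holds a card) are assumptions.
"""
import hashlib
import hmac

# Assumption: a server-side secret from a secrets store, never in source.
INDEX_KEY = b"replace-with-a-secret-from-the-vault"


def card_token(pan):
    """Index trips by an HMAC of the card number (PAN) so the raw number is
    never stored and a leaked table cannot be reversed to card numbers."""
    return hmac.new(INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()


# Constructed sample trips keyed by card token (test PANs, not real cards).
ALICE_PAN, BOB_PAN = "4111111111111111", "5555555555554444"
TRIPS = {
    card_token(ALICE_PAN): [("2023-09-01 08:02", "Times Sq-42 St"),
                            ("2023-09-01 18:41", "Atlantic Av")],
    card_token(BOB_PAN): [("2023-09-01 09:15", "Union Sq")],
}

# Cards each logged-in account has proven it holds. Assumption: enrolment
# requires confirming a one-time verification charge on the card.
ENROLLED = {"alice": {card_token(ALICE_PAN)}, "bob": {card_token(BOB_PAN)}}


def trip_history_exposed(pan):
    """The zero-factor version: anyone who knows the number gets the history."""
    return TRIPS.get(card_token(pan), [])


def is_authorized(session_user, pan):
    """True only for an authenticated account that has enrolled this card."""
    if session_user is None:
        return False
    return card_token(pan) in ENROLLED.get(session_user, set())


def trip_history_checked(session_user, pan):
    """Ownership-checked version. One error for both 'not your card' and
    'unknown card', so the endpoint cannot confirm which numbers are in use."""
    if not is_authorized(session_user, pan):
        raise PermissionError("card not enrolled on this account")
    return TRIPS.get(card_token(pan), [])


if __name__ == "__main__":
    print("no login:", trip_history_exposed(ALICE_PAN))  # leaks Alice's pattern of life
    print("alice:", trip_history_checked("alice", ALICE_PAN))
    try:
        trip_history_checked("bob", ALICE_PAN)
    except PermissionError as e:
        print("bob:", e)
```

The point of the checked version is that the card number is an identifier, not a secret: the authorization decision rests on the session and the enrolment record, never on the caller knowing the number. Returning the same error for an unenrolled card and an unknown one also keeps the endpoint from doubling as an oracle for which card numbers are in use.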