Wed, 28 Sep 2016 00:00:00 +0700
Since water damage is one of the most common problems experienced by so many, getting a phone that can protect itself makes sense.
The technical definition of water resistant is that it’s able to resist the penetration of water to a certain degree but not entirely.
Waterproof technically means that it’s impermeable to water, no matter how much time it spends in water.
Unfortunately, many people use these terms as if they were interchangeable.
With Apple throwing its ‘water-resistant’ hat in the ring with the iPhone 7, joining others like Samsung, Sony, Motorola and Kyocera, understanding the technical differences is helpful.
What the ‘IP’ Rating Means
Today’s smartphones generally have certifications published when it comes to resisting the elements signified by ratings such as IP67 or IP68.
The IP marking for International Protection or Ingress Protection (depending upon who you ask) is followed by two numbers.
The first number designates its ingress protection against solids, such as dust with numbers ranging from 0 to 6 (the higher the number, the better the protection).
When you see a 6 for the first number, then the smartphone is ‘Dust Tight’ which means it’s completely protected against contact with dust.
Having this rating can be important for hikers, mountain bikers or anyone who wants to use their smartphone in dusty environments.
The second number refers to the ingress protection against liquids, with numbers that can range from 0-9 (again, higher is better).
Can I Swim With My Smartphone?
Apple’s recent iPhone 7 announcement included news that it was water-resistant with a certification of IP67.
This means that it’s completely dust-proof and it can technically be submersed in water of up to 1 meter (about 3 feet) for a duration of up to 30 minutes.
Many Samsung and Sony smartphones have an IP68 rating, which technically means that they are completely dust-proof and water-resistant in depths ranging from 1 to 3 meters for a duration as determined by the manufacturer (usually 30 minutes).
These descriptions may make it sound like you can use your smartphone in the pool to take underwater pictures, but none of the manufacturers will recommend it.
The actual laboratory tests are done with smartphones in standby mode, meaning they aren’t being used in any way during the tests.
What it does tell you is that with either an IP67 or IP68 rating, if you get pushed into the pool with your smartphone, the chances of its survival are very high.
I’ve actually owned a Sony Xperia Z3 for years, which was one of the first consumer handsets designed to be water-resistant and the few times that it has been in water, it’s done just fine.
If water gets on the screen while it’s active, it’s not going to respond like it normally would, because water conducts electricity just like your finger, which is why using it underwater isn’t recommended.
Another thing to keep in mind is if the screen on a water-resistant phone gets cracked, replacing it will likely break the factory seal that protected it, so it will no longer be water-resistant.
Wed, 21 Sep 2016 00:00:00 +0700
This question illustrates the ongoing challenge we all have to face when it comes to balancing convenience with security.
Having your passwords stored in your browser is certainly a big convenience, but no matter how you look at it, the price you’ll pay is some level of security.
If you never save a password in your browser, technically speaking it’s certainly safer, but what you really need to do is weigh the actual risks against the convenience.
How and where you use your computer should also be a consideration, as a laptop, smartphone or tablet is much more likely to be lost or stolen than a desktop computer in your home or office.
Saving passwords on your home computer that only you use is far safer than saving passwords on a mobile laptop that your whole family shares.
Saving passwords on benign sites that contain very little personal information is also less of an issue than saving passwords for any of your financial institutions.
Every major browser offers some form of encryption that securely stores the saved passwords on your computer, but we don’t really know exactly how ‘hackable’ their security may be.
The reality for most of us is that we're a lot less likely to be the victim of a hacker who’s specifically targeting saved browser passwords than we are to be the victim of theft or a lost device.
A stolen device loaded with a plethora of saved passwords is a cyber-thief’s dream, so it’s imperative that you set up some form of access code and auto-locking feature to reduce the potential damage should it go missing.
Installing some form of remote tracking and deletion software, such as https://preyproject.com, on all your mobile devices is also a good idea, whether you’re saving passwords on them or not.
To Sync or Not to Sync
Another ‘convenience’ feature you’ll have to decide whether to use or not is the browser ‘syncing’ option.
Syncing allows you to share your browsing history and passwords across all your different devices, but in order for it to work, your information has to be stored by the browser company on their servers.
Once again, they offer various levels of encryption and with the exception of one company, Opera, we’ve yet to hear of any breaches of this particular secured data, but you’ve technically added another way to be exploited.
For its part, Google has created a central place at https://passwords.google.com that allows you to manage which passwords the Chrome browser saves, and you can also protect it separately with a sync passphrase.
A Better Way
Security experts all tend to agree that if you’re going to use software to store your passwords, using a dedicated password storage tool such as LastPass, KeePass or RoboForm is more secure than using your browser to store your passwords.
Products that focus solely on protecting passwords instead of relying on browser developers that have to focus on many other things besides security should provide you with a better layer of security.
Wed, 14 Sep 2016 00:00:00 +0700
If you only had one or two to remember, creating long, complex passwords that you could easily remember wouldn’t be too difficult, but estimates are that most people average between 25 and 30 distinct online accounts.
This has led to the common, but unsafe practice of using the same password on multiple online accounts, which the security community has warned against ad nauseam.
All Security Eggs In One Basket?
Companies like LastPass, RoboForm, 1Password and Dashlane offer a solution that may seem a bit counter-intuitive: put all your security eggs in one basket.
On its face and from a purely technical standpoint, storing everything in one place seems a bit risky, but you need to compare it to what you’re currently doing.
No process is 100% secure, but if you’re using the same password everywhere, you’re in about the highest risk category that exists.
Password managers allow you to use strong unique passwords for every account, but only require you to remember a single master password.
Encryption Is The Key
Every password manager uses some form of encryption to secure your basket of passwords. This doesn’t make them impossible to compromise, it just makes it more difficult and a less desirable target.
Even when a breach occurs at an online password management service, the stolen data is encrypted, which means the thieves still have to spend the time to crack the security. By the time they can actually crack the encryption, you’ll have been notified to change your passwords by the breached service, rendering the stolen info useless.
Online vs Offline Managers
There are generally two ways that password managers store your encrypted passwords: in the cloud or on your computer.
Online password managers tend to trade a bit of security for convenience, because there is nothing to download or install and you aren’t limited to using the service on specific devices. Any device that has an Internet connection can potentially be used to access your accounts, but that also means that it’s potentially accessible by others.
Offline password managers are technically more secure because the only place that your information exists is on your computer or mobile devices, but that also means you’ll only be able to access your accounts from those specific devices.
This can become problematic if your computer goes down or you’re using a computer that you don’t own to try to access your accounts.
If you decide to use a password management system, the single most important password you’ll create is the master password.
Making sure it’s long (at least 12 characters) and complex as well as activating 2-factor authentication (https://twofactorauth.org) is critical to keeping everything secured.
Keep in mind, if you lose your master password, most of the services can’t help you recover it because they generally don’t store it anywhere as a security precaution.
Making Your Decision
If you’re not tech savvy, using an online password manager is likely more secure than what you’re currently doing and it’s a lot less complicated.
If not, you can always use my low-tech password management suggestion: https://goo.gl/v8Rvjo
Wed, 7 Sep 2016 00:00:00 +0700
With the unveiling of the iPhone 7, the usual chatter about the latest features seems to be dominated by this seemingly odd design decision.
It would appear that Apple will eliminate the traditional 3.5mm analog headphone jack on all of its new devices in favor of the Lightning connector or their new proprietary wireless technology.
They actually aren’t the first smartphone maker to make this decision as Chinese manufacturer LeEco and the Moto Z line from Lenovo (formerly Motorola) have already eliminated the headphone jack.
The iPhone 7 will ship with Lightning earbuds and a special ‘dongle’ that converts the Lightning connector at the bottom to a standard headphone jack so you can still use older headphones.
Apple wants to get away from analog technology that was created in the 1960’s and use a more advanced digital audio output.
The Lightning connector at the bottom of the phone is capable of providing more than just a way to charge the iPhone and digital audio is just one option.
While the new Lightning headphones are certainly capable of delivering higher fidelity audio, I’m not sure the average listener will hear the difference, especially if the quality of the audio file isn’t all that great.
Many companies, including Apple, are trying to roll out higher fidelity music services, so having higher fidelity headphones is a natural part of their strategy.
More Room Inside
Another benefit of getting rid of the headphone jack is that it frees up space inside the phone itself. Space is extremely tight in all smartphones, so every millimeter counts, especially when it comes to something as large as a 3.5 mm headphone jack.
That extra space can be devoted to larger screens, bigger batteries, better antennas or a slimmer form factor.
The Wireless Future
We must remember that Apple was the first computer company to get rid of floppy disk drives and CD/DVD drives in their computers and in the name of innovation, the headphone jack had to go.
Unveiled along with the iPhone 7 were the new AirPod wireless earbuds, which use proprietary wireless technology and will sell for $159.
Apple knew that relying on the current Bluetooth standard for wireless audio would be too problematic, so they chose to create their own wireless connectivity technology to make things easier and more reliable.
3 Billion More Reasons
Many analysts scratched their heads when Apple agreed to pay $3 billion to acquire headphone maker Beats, but it’s now a little clearer how they plan to leverage that acquisition.
Whether you end up using Lightning headphones or the wireless earbuds, they’re both going to be more expensive than traditional headphones which plays right into Apple’s ‘premium products’ strategy.
Some of the initial concerns being voiced over this radical change include the inability to listen to music while charging the phone, owning headphones that only work on Apple devices, losing the special dongle or if you opt for the expensive wireless earbuds, losing them (they aren’t much bigger than traditional hearing aids) and having yet another thing to remember to recharge.
Wed, 31 Aug 2016 00:00:00 +0700
Since its humble beginnings in the 1950’s, voice recognition technology has made great strides over the years, but there are still many challenges to making it work the way most people envision it should work.
Managing your expectations about what it can and can’t do will have as much impact on your success as the technology itself.
If you’re looking for the kind of perfection portrayed in sci-fi movies, don’t bother looking at anything that’s commercially available just yet. Frankly, I’m not sure we’ll ever see an error-free speech-to-text recognition system any time soon.
Understanding Accuracy Claims
You’ll likely see various claims being made about the accuracy rate of today’s technology, but keep in mind, a 90% accuracy rate means that every 10th word could be wrong. Even at 95% accuracy every 20th word could be wrong.
This means you’ll always have to spend time reviewing and correcting anything you generate, especially when it comes to things like homonyms and punctuation.
If you’re okay with that, then you’re ready for the next step.
Hardware Is Crucial
Everything starts with the microphone that generates the sound patterns that the software will attempt to recognize, so trying to use the built-in mic on a laptop or webcam isn’t going to cut it.
Ambient noise can make recognition even tougher than it already is, so you’ll need to invest in a decent headset mic so you’re providing the program with the cleanest audio possible.
Cadence Is Key
To get started with any voice recognition program, you always have to go through a training process so the software can get to know your voice and, more importantly, you train yourself on how to talk to the program.
Your cadence is the first thing you’ll need to change, because speaking to the program like you would to another human being is going to generate more errors.
This one area is where I’ve seen most people give up, because they aren’t willing to go through the learning/training curve in order to make the system provide a reasonable level of productivity.
Let’s face it, if you’re spending as much time cleaning up errors as it would have taken to type it out in the first place, it’s pointless.
Start With What You Already Have
You most likely already have voice recognition capabilities in your computer if the OS is reasonably recent.
Mac users can follow these instructions http://goo.gl/vQu4x2 to try using the Dictation tool that’s built in, while Windows 7, 8 and 10 users can go to the Control Panel and click on Ease of Access then Speech Recognition to turn it on.
None of these built-in technologies will compare with what most consider the industry-leading software from Nuance called Dragon NaturallySpeaking (http://goo.gl/yU6IbJ), which can range from $75 to $500.
Nuance also offers a smartphone app called Dragon Anywhere that you can try out for free to see if using your mobile devices works better for you.
Wed, 24 Aug 2016 00:00:00 +0700
A recent decision issued by the Ninth Circuit Court of Appeals is just the latest story to take on a life of its own because of the incessant need to create ‘clickbait’ across the Internet these days.
Headlines claiming that “sharing your Netflix password is now a federal crime” seem to be lingering thanks to social media.
What the court ruled on was that sharing your passwords can be grounds for prosecution under the Computer Fraud and Abuse Act, but the case was specifically ruling on unauthorized access by a former employee after the company had revoked his access to a protected system.
The former employee left the company to start a competing business and got a current employee to share her password so he could continue to access company records himself.
The majority opinion stated that the case was about stealing intellectual property and not about password sharing, but a dissenting judge disagreed.
This is apparently where the rumor mill started that evolved into the salacious headlines that you may have seen shared on Facebook or Twitter.
No part of this ruling directly addresses password sharing of your streaming services, although one of the judges did try to address the unintended consequences of the ruling because it was so broad.
What it does signal is that it’s now easier for businesses to go after current and former employees for sharing access credentials to protected systems with this ruling.
Most companies like Netflix, Hulu Plus and HBO have viewed password sharing as a viral marketing tool and wouldn’t be likely to ‘go after users’ even if this ruling does get interpreted in that way.
What can get you in trouble is if you sell your credentials to others, but simply sharing your credentials with a friend or family member isn’t suddenly a federal crime.
Netflix provided Snopes.com with this response to their inquiry into password sharing: “Netflix members can create up to five profiles on each account and the only limit is on how many devices that can be used to access Netflix at the same time, which is by plans. The $11.99 plan allows four devices to stream at the same time; the $9.99 plan allows two. As long as they aren't selling them, members can use their passwords however they please.”
Other services like Amazon have guidelines for sharing Prime Benefits by creating an Amazon Household posted here: http://goo.gl/jahmbg.
Cord-cutting millennials who are no longer at home use their parents’ password so they can watch popular shows like Game of Thrones, and HBO is well aware of that.
HBO’s CEO Richard Plepler told Buzzfeed last year, “It’s not that we’re unmindful of it, it just has no impact on the business.” In many ways it’s a “terrific marketing vehicle for the next generation of viewers,” he said, noting that it could potentially lead to more subscribers in the future.
You can expect things to change as streaming services grow in popularity, but for now, you don’t have to worry about the Feds knocking down your door because you shared your Netflix password.
Wed, 17 Aug 2016 00:00:00 +0700
Passwords tend to be the only thing separating criminals and thieves from our online accounts, which is why they spend so much time creating sophisticated means by which to compromise them.
Just about all the advice you’ll ever hear about creating ‘strong passwords’ is generally designed to thwart sophisticated guessing schemes commonly referred to as ‘brute-force attacks’.
Brute-force attacks, which are generally performed off-line by high-speed computer networks, are a systematic process of trying every possible combination of letters, numbers and special characters until the correct combination is figured out.
Long, complex passwords are the best way to combat this type of attack.
Understanding Brute-Force Attacks
If you were to only use 2 characters for your password, you can see how a high-speed computer could guess every possible combination in the blink of an eye.
In fact, the Gibson Research Password Haystack Tool (https://grc.com/haystack) suggests that any 2-character password can be broken in 0.0000000000354 seconds or less.
Each additional character that you add exponentially increases the number of possible combinations, so the longer your password is, the longer it will take for a brute-force attack to be successful.
Most of you have been trained to use complex 8-character passwords, which are hard for you to remember and easy for attackers to crack. With today’s sophisticated password cracking technology, GRC’s tool suggests it’ll take just over 1 minute to break any 8-character password, no matter what combination of characters you use.
By stretching the password to 10 characters, that 1-minute goes to 1-week, as long as you have included uppercase characters, numbers and special characters.
Use Passphrases, Not Passwords
If you don’t follow the guidance on using all the required characters, the number of possible combinations drops exponentially.
For instance, the time that it takes to crack a complex 10-character password that does not include an upper case letter goes from 1-week down to just over 6 hours.
The key to creating strong complex passwords that you can remember is to stop using passwords and start using passphrases.
My go-to example of ‘I H8te Passwords!’ is a 17-character passphrase (including spaces) that GRC’s tool suggests would take 13.44 billion centuries to crack.
By creating a passphrase that is personal to you, you have a much better chance of creating a long complex password that you can easily remember.
For example, ‘I’m Going To Aruba in 2017!’ is 27 characters long and uses all the required characters. Some sites don’t allow you to use spaces, but it would still be 22 characters long.
I personally shoot for at least 12-character passphrases these days, knowing that brute-force cracking technology is going to get faster as time goes on.
If time wasn’t a factor, any password of any length can eventually be broken, but time is a factor with cyber-thieves, so make yours long and complex enough so that your accounts aren’t worth their time.
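The arithmetic behind those estimates, as an added Python example (not from the column and not GRC's code): it counts every candidate up to the password's length over the character classes used, then divides by an assumed rate of 100 trillion guesses per second, chosen because it reproduces the 2-character figure quoted above. The function names and sample passwords are constructed for illustration.

```python
import string

# Sizes of the four character classes. Space is counted as a symbol,
# which gives 33 symbols and a full alphabet of 95 characters.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation) + 1,  # 32 + space = 33
}

# Assumption: an offline attacker testing 100 trillion guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1e14

UNITS = (
    ("centuries", 100 * 365.25 * 86400),
    ("years", 365.25 * 86400),
    ("weeks", 7 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
)


def alphabet_size(password):
    """Add up the sizes of every character class the password draws from."""
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")  # anything else is treated as a symbol
    return sum(CLASS_SIZES[name] for name in classes)


def search_space(password):
    """Count all candidates of length 1..len(password) over that alphabet."""
    size = alphabet_size(password)
    return sum(size ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time for an exhaustive search at the given guess rate."""
    return search_space(password) / rate


def humanize(seconds):
    """Express a duration in the largest unit that fits."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Constructed samples, plus the passphrase quoted in the column.
    for pw in ("a!", "aB3$efgh", "aB3$efghij", "ab3$efghij",
               "I H8te Passwords!"):
        print(f"{pw!r:22} alphabet={alphabet_size(pw):3} "
              f"time={humanize(seconds_to_exhaust(pw))}")
```

These numbers cover exhaustive guessing only; a password built from a dictionary word or a common pattern can fall much sooner than its length suggests.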
Wed, 10 Aug 2016 00:00:00 +0700
Passwords are often referred to as the weakest link in security by many cyber-security professionals primarily because of the human element.
Most systems require users to include upper and lower case letters, at least one number and in some cases, at least one special character.
Human behavior is very predictable by sophisticated hackers and when left to their own abilities, the average user will create weak passwords that are easy to break because it’s just not an intuitive process.
With this in mind, many researchers are suggesting that forcing users to regularly change their passwords, which is common in corporate settings, can actually encourage the creation of weaker passwords.
Creating strong passwords for each of your accounts is hard enough, so forcing users to regularly come up with new ones tends to create an environment where human nature takes over.
It Makes Technical Sense
From a purely technical viewpoint, regularly changing passwords makes sense as it renders compromised passwords useless, but it ignores the reality that humans are involved.
Several researchers have published studies over the years warning of the unintended consequences of regularly forced password changes and one of the more prominent figures to speak out on this common practice is the Chief Technologist for the FTC, Lorrie Cranor.
Her FTC blog titled “Time to rethink mandatory password changes” (https://goo.gl/MerJfN) points to a UNC research paper that showed users tend to use predictable patterns they call ‘transformations’ (like just adding the next number) when regularly required to change passwords.
Cyber-thieves know that this behavior is common and have been using password cracking tools that can guess the highest probability for new passwords based on old passwords that have been compromised.
This common human behavior can render the technical benefits of forced password changes useless because cracking the ‘new password’ can actually be made easier over time through pattern recognition.
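A defender's view of those ‘transformations’, as an added Python example (not from the column or the UNC paper): a password-change check that rejects a new password when it is a predictable variation of the old one. The function names and the specific rules are assumptions chosen for illustration, and the check assumes the change form supplies the current password, so nothing has to be stored unhashed.

```python
import re

# Common character substitutions, mapped back to the letter they stand in for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def skeleton(password):
    """Reduce a password to the base word a user tends to carry over."""
    base = re.sub(r"[\W\d_]+$", "", password)  # drop trailing digits/symbols
    return base.lower().translate(LEET)


def split_last_number(password):
    """Split into (prefix, last run of digits, non-digit tail), or None."""
    m = re.fullmatch(r"(.*?)(\d+)(\D*)", password, flags=re.DOTALL)
    return m.groups() if m else None


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        row = [i]
        for j, cb in enumerate(b, 1):
            row.append(min(prev[j] + 1,                # deletion
                           row[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = row
    return prev[-1]


def transformation(old, new):
    """Name the predictable change linking old to new, or return None."""
    if new == old:
        return "identical"
    if new.lower() == old.lower():
        return "case change only"
    o, n = split_last_number(old), split_last_number(new)
    if (o and n and o[0] == n[0] and o[2] == n[2]
            and int(n[1]) == int(o[1]) + 1):
        return "next number"
    if skeleton(old) and skeleton(old) == skeleton(new):
        return "same base word"
    if edit_distance(old, new) <= 2:
        return "small edit"
    return None


if __name__ == "__main__":
    # Constructed (old, new) pairs; none are real credentials.
    pairs = [
        ("Summer2016!", "Summer2017!"),
        ("P@ssw0rd1", "Password2!"),
        ("hunter2", "Hunter2"),
        ("bluemoon", "bluemoom"),
        ("Tr0ub4dor&3", "correct horse battery staple"),
    ]
    for old, new in pairs:
        verdict = transformation(old, new)
        print(f"{old!r} -> {new!r}: {verdict or 'accepted'}")
```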
When You Should Change Passwords
Large scale data compromises seem to be in the news just about every week and whenever a company that you do business with has been compromised, you should immediately change your password.
Likewise, if your company knows that an outsider may have gained access to their network, forcing everyone to change their passwords is a no-brainer.
If you discover that your computer has been infected with malware, you should change your online passwords from another computer, or after your computer has been disinfected, as a precaution, especially since one infection can often lead to many others.
A Better Security Measure
Since data breaches and malware are a fact of life these days, assuming that your password is going to be compromised at some point is a good strategy.
Activating 2-factor authentication or login approvals (How to Setup Password Fraud Alerts: http://goo.gl/SCa64p) on all of your online accounts provides you with an extra layer of protection when the inevitable occurs.
Virtually every major online service offers this protection and it’s far more effective than regularly changing your passwords because it prevents thieves from gaining access even if they do steal your passwords.
Fri, 5 Aug 2016 00:00:00 +0700
The Windows 10 Anniversary Update is a combination of bug fixes and feature updates that would likely have been called a ‘service pack’ in the past.
Whether you love or hate Windows 10, it’s the future of the platform and with it comes many changes to the way we’re all used to working with Microsoft.
To better understand this update, it’s important to understand the changes in the way Microsoft is going to support and update Windows from now on.
For starters, Microsoft has referred to Windows 10 as ‘the last version of Windows’ not because they plan to abandon Windows altogether, but because they plan to abandon the numeric upgrade cycles that they have followed since the very first version was released.
Instead of creating completely new versions with new numbers on disks that you buy, Microsoft is following Apple’s approach of delivering all future Windows upgrades as downloads.
Microsoft’s ambition is to get you thinking of the Windows interface like you do Gmail or Facebook, where upgrades to the platform ‘just happen’.
The business case for this shift in approach is very clear: they don’t want to have to support multiple old versions of Windows decades after they are released like they’re having to do today.
They want to get everyone on one platform so they don’t have to employ different programmers to support old versions that users have chosen not to upgrade.
If you look at the current global OS market share numbers, you’ll better understand their problem:
Windows 7 – 47%
Windows 10 – 21%
Windows XP – 10%
Windows 8.1 – 8%
Windows 8 – 2%
Of the 5 versions listed above, only one is no longer supported (Windows XP), yet there are as many users still using XP as there are using 8 and 8.1 combined.
Microsoft knows today’s users are much less inclined to make a change to their operating system than in the past, so they want to control all of that in the future.
This brings us to the current state of Windows updates for anyone who’s using Windows 10: they’re just going to happen.
If you’re tech savvy and don't mind dealing with new issues, you can manually download the Windows 10 Anniversary Update (https://goo.gl/hWNxAd) which was released on August 2nd, but for most, I’d recommend waiting for the auto-update process to deliver it.
We have seen a few issues in our tests of the Anniversary Update, especially with third-party software like security programs and there are the usual early complaints posted in various tech forums outlining various other issues.
Many of these issues will be resolved as third-party software vendors work through the compatibility issues and provide updates of their software to work with this new Windows update.
There are many interesting new features and tweaks included in the Anniversary Update, but I wouldn’t be in a hurry to download it just yet.
Wed, 27 Jul 2016 00:00:00 +0700
We’ve all been taught to look for HTTPS: (HyperText Transfer Protocol Secure) at the beginning of a website whenever we’re going to make a purchase online.
This ensures that the information you’re typing on the page is encrypted between you and the trusted website so that your information stays secure.
The warning message you’re asking about typically appears on sites that require this level of security, such as any site that requires you to log in or make purchases online.
A security certificate is a means to ensure that the site owner is who they say they are, resulting in the famous ‘lock’ image that helps you know that you’re on a secure site.
Think of them as a way to authenticate the owner of a website much like your username and password are used to authenticate you as a user.
The complexity involved in Internet security can get a bit technical, but for the most part, whenever you see this error on a site where you are being asked to provide sensitive information, you should be very cautious.
When you see this message pop up, your browser is essentially telling you that it can’t verify the authenticity of the website you are visiting because there is a problem with the security certificate.
The causes for this warning message can vary greatly, and it often does not mean that something nefarious is in play, but you should still always be cautious.
Something as simple as your computer’s date and time being off can cause this, but so can a slightly mistyped URL that lands you on a scam site.
A common cause is that the website owner hasn’t renewed their security certificate (as in it was once valid, but has since expired) or they’re using a free Certificate Authority service such as CAcert.org (http://cacert.org) that isn’t necessarily trusted by some browsers.
If you know for sure that the website is legitimate, you should alert the website owner of the warning so they can fix the problem on their end.
Keep in mind, this can also be a clear alert that the site you’re visiting isn’t a legitimate site and can’t be trusted.
Creating very convincing duplicate websites is not very hard to do these days, so you’ve got to always pay close attention to security indicators like the picture of the lock and these security warnings that can come from Google, your browser or from your security software.
If you’re not sure about a site, you can use a third-party site checker such as Sucuri’s SiteCheck scanner (https://sitecheck.sucuri.net) to get a full report on the site that will check for known malware, blacklisting status, website errors and out-of-date software.
If you regularly visit a site that you know is legitimate but gives you this error, there are ways to bypass the message for just that site (which you can find by doing a Google search), but I’d only suggest this for tech-savvy users.