post

Got an iPhone or iPad? You Need a Better Password NOW

There is a new tool for hacking in to an iOS device (i.e., iPhone or iPad) you should be aware of and why you should change your password NOW…but also make it a strong one.

A Motherboard investigation has found that law enforcement agencies across the country have purchased GrayKey, a relatively cheap tool for bypassing the encryption on iPhones, while the FBI pushes again for encryption backdoors.

According to Matthew Green, assistant professor and cryptographer at John Hopkins Information Security Institute, said on Twitter that GrayKey has an exploit that disables Apple’s passcode-guessing protections (i.e., SEP throttling) AND that a 4-digit passcode can be cracked in as little as 6.5 minutes on average, while a 6-digit passcode can be calculated in roughly 11 hours:

Another Motherboard article emphasized that you should immediately Stop Using 6-Digit iPhone Passcodes and yes, you should.

Why a Long, Secure Password Now?

Security and convenience are always a trade-off. But I’ve set up a password for my devices that, according to this password checker, will take 44 thousand years to crack BUT it is easy for me to remember, and to use, as my iOS “custom alphanumeric code.” This password has numbers, upper/lower case letters, along with a few special characters (e.g., !@#$%^&*()).

Do I have something to hide? Nope. But the reason I lock my front door, have security cameras and alarm system, and don’t invite random people in to dig through my drawers or important-papers in filing cabinets, IS THAT MY STUFF IS *MY* STUFF AND PRIVATE! I intend to keep it that way so I protect the shit out of things I want to keep private AND SECURE.

If you travel outside the U.S. like my wife or I do and come back in with your device, TURN IT OFF. That is because U.S. Customs is increasingly grabbing traveler’s devices and disappearing with them to a back-room, apparently to hook them up to a device to suck off all the data. While this hasn’t yet directly affected U.S. citizens, there is nothing stopping other countries from doing the same thing.

Plus, once all of your data is captured, there are enough cracking resources available to government agencies to be able to take their time to crack your device data they have previously stored. It might take them a year or, after quantum computing becomes a reality (if it isn’t already real) in the next several years, those times to crack may be reduced to minutes instead of days or years.

Police agencies within the United States may also be less adherent to the U.S. Constitution and Bill of Rights when it comes to the gray area surrounding digital search and seizures, even though in 2014, the U.S. Supreme Court addressed two cases, Riley v. California and United States v. Wurie, dealing with cell phones searches and the search incident to arrest exception to the warrant requirement. During searches incident to arrest, the high court has not required warrants under certain circumstances where protecting officer safety and preventing evidence destruction are at issue. For more, read this at FindLaw.

The U.S. Border Patrol also could be in a position to do whatever they damn well please — within 100 miles of the U.S. border — as you can see from this article at the American Civil Liberties Union (ACLU):

Why Can You Do?

post

A Bug in the Apple Store App on iOS “Removed” a Gift Card from My Apple Wallet

It is likely that I discovered a bug in Apple’s Apple Store app for iOS that could make one of your Apple Store cards in your Apple Wallet vanish.

Two days ago I had three Apple Store cards in my Apple Wallet with varying amounts on them which were pretty close to the total amount of a new HomePod with tax — only $6.21 wasn’t covered by the Apple Store cards in my wallet so would, of course, be paid for using my archived credit card on file with Apple — so I decided to try to order the HomePod using the Apple Store app on my iPhone and go and pick up the unit at a nearby Apple Store in Southdale Mall (Edina, MN).

To my surprise the charge to my archived-at-Apple credit card for $6.21 kept failing! The credit card is used all the time so I tried the transaction three more times. It kept failing so I called my credit card provider Chase who told me that the card was just fine.

I then reached out to Apple Support and they basically had no idea what had happened. They did offer to order it for me or suggested I go in to an Apple Store. Of course, that completely misses the point that there is some sort of bug that disallowed me from using my credit card do I decided to give up and deal with it this coming weekend.

But here is where it gets REALLY WEIRD… [Read more…]

post

Dept of Homeland Security Setting Up Database to Track Journalists, Bloggers & ‘Media Influencers’


The Department of Homeland Security (DHS) is doing something unprecedented for a tactical government bureau: they just released a draft request for companies to bid on their “Media Monitoring Services.” This request from DHS seeks a firm that could build them a searchable database that has the ability to monitor up to 290,000 global news sources:

Services shall enable [the DHS’s National Protection and Program’s Directorate] to monitor traditional news sources as well as social media, identify any and all media coverage related to the Department of Homeland Security or a particular event. Services shall provide media comparison tools, design and rebranding tools, communication tools, and the ability to identify top media influencers.

They’re claiming “standard practice” but DHS is NOT an intelligence service and global monitoring is what the National Security Agency performs as does the Central Intelligence Agency. WTF is DHS going to do with this sort of database? Why do they need “media influencers” and “bloggers”? The request specifically requests:

24/7 Access to a password protected, media influencer database, including journalists, editors, correspondents, social media influencers, bloggers etc.

Most troubling was their intent to have this database indicate what the coverage “sentiment” is:

[The database shall have the] ability to analyze the media coverage in terms of content, volume, sentiment, geographical spread, top publications, media channels, reach, AVE, top posters, influencers, languages, momentum, circulation.

Why am I concerned and bringing forth a story like this one? Because our Department of Homeland Security potentially has an enormous tactical advantage set forth in the Constitution that could allow them to subvert our protections under that very Constitution and our Bill of Rights. Don’t believe me or think I’m paranoid? Then read this about our Constitution and the 100-mile border zone that DHS could essentially do whatever they damn well please within, like searching our “sentiments” when within a border zone and restricting our movements if we’re deemed a threat to homeland security.

To say the shit-hit-the-fan after this release is an understatement. Here is a Google search that has articles from Forbes, Bloomberg, CBS News, CNN, Chicago Sun-Times, and a host of others. Here is a Twitter search to allow you to read thousands of tweets questioning why in the world DHS needs such a database.

Many of we “bloggers” also leapt on this story as it is clearly easier for DHS to level suspicions at us. It’s also significantly easier to intimidate an individual than it is an institution filled with journalists like CBS News or CNN.

That said, other government agencies, like the FBI, have adopted secret rules to spy on journalists who publish classified information and hunt down their anonymous sources.

While all the articles I read were questioning the ‘why’ behind having this database, DHS’ spokesperson, Tyler Q. Houlton, had this to say in response to their sh*t hitting media’s fan:

My gut tells me that the “why” behind this database is that DHS wants to have a searchable one so they can perform quick lookups for those crossing our borders, being stopped at checkpoints, and potentially for those of us who happen to be within 100 miles of any border.

I’d argue that questioning is healthy and an imperative in a democracy, and having the DHS spokesmodel suggest otherwise is disingenuous.

Read the bid yourself below or download it here:

RNBO-18-00041_SOW_-_Draft (1)
post

Journalism Is Now More Important Than Ever

We are living in a time when the President of the United States calls any news organization whose reporting he doesn’t like “fake news.” When news organizations struggle to remain relevant when the internet enables that news to travel around the planet in milliseconds. With all the options for news, few are willing to spend any money to support them.

This morning I donated $50 to The Guardian, a paper headquartered in London with a major U.S. presence in New York and is one I read almost every day. Their journalism is top-notch and they’ve revealed numerous important stories like the National Security Agency’s PRISM program and the Panama Papers.

My support has also been continual for my local paper, the Minneapolis StarTribune, but also to the phenomenal New York Times and The Washington Post, organizations that have continued to demand truth from the powerful, report on them when they go astray, and help keep us on track as a nation.

I absolutely believe that a free press is vital to our democracy and freedom. The founders of the United States of America knew how important freedom of the press was to democracy, so they made the very first amendment to the Constitution one that would protect it.

Without the press — and I’m including television and internet-based news too — who would hold accountable those who would seize power? The ones in power who seemingly delight in telling us untruths, make up their own facts, and lie to our faces like our current administration does?

It made me realize that I have to vote with my pocketbook. Think about the news organizations you read often and make a donation or subscribe. You don’t want to rely on some blog or, God forbid, what some government mouthpiece wants you to believe. You want the truth. We all need the truth.

Democracy will die without truth. Take a moment right now to choose one or two news organization and donate something to them.

post

Wavebox – Finally…All Of My Web Apps In One Place!

Whenever I come across an app or method that can radically streamline my workflow, I not only embrace it but have to share it with friends, family and write about it as it might help you.

To say I was excited to find Wavebox is an understatement. Wait until you see what it can do for you and, most importantly to me, it’s open source so there are no shenanigans going on with backdoors and such.

First some background. My workday consists of wearing several “hats” and I need to have multiple web applications instantly available all day, every day:

  1. My own, personal stuff with my Gmail account as the ‘hub’ with calendar, Google Voice, and a ToDo list in Google Keep
  2. My secure Protonmail email account
  3. A postmaster email account for my server
  4. Two Google Suite email accounts for one of our businesses and a third Google Suite email account for yet another of our businesses
  5. My SteveBorsch.com Google Suite account and website
  6. My primary Slack account
  7. …and several other web applications I need to have available to me at the click of a mouse.

Using multiple Google Suite accounts within a single browser meant that ALL of them were active all the time AND, for anyone who uses multiple accounts in a single browser, you know how unworkable that is on a daily basis.

Each email account and calendar had to be open and ready. If you use Google Chrome to manage multiple After discovering apps that would let me generate site-specific browsers (SSBs) — which are essentially “clones” of Google Chrome and Safari but completely self-contained — I ended up with about 20 SSBs and each had multiple tabs open. (e.g., Fluid App; Coherence 5; Unite).

Fortunately my iMac has 32GBs of memory, but I was always maxing-out on memory since each tab in each browser has a “worker” process running in the background, consuming LOTS of memory on a machine. It was getting pretty crazy so I began the hunt for a solution that would be better.

Enter Wavebox…  [Read more…]

post

Is Geek Squad ‘Inadvertently’ Stumbling Across Images? They Say ‘Yep’. I call ‘Bullshit’.

Photo courtesy Electronic Frontier Foundation

Though I’ve been following this story at the Electronic Frontier Foundation’s website (see Geek Squad’s Relationship with FBI Is Cozier Than We Thought) it was today’s Ars Technica article that really got my blood boiling (see Best Buy defends practice of informing FBI about child porn it finds).

“In a statement sent to Ars on Tuesday, Best Buy wrote that it continues to “discover what appears to be child pornography on customers’ computers nearly 100 times a year. Our employees do not search for this material; they inadvertently discover it when attempting to confirm we have recovered lost customer data.”

Inadvertently? Bullshit.

While I’m the last guy to defend anyone who has child porn they’ve gathered and stored on their computer or device the big issue is this: Best Buy **must be** using forensic tools to actively search the entire hard drive — including cached images — and then Geek Squad humans ARE ACTIVELY VIEWING every .jpg, .png, or raw image on the computer or device and getting paid to do it!

Otherwise, how else could they possibly determine something is “child porn” without looking at it?

On my main computer (and external hard drives) I have nearly 50,000 images I’ve taken, scanned, or my family has taken and I’m storing them in a central location (and, before you ask, there is NO porn…child or otherwise). If you were a Geek Squad worker, there is no way you could be recovering one of my hard drives and have a clue what those images are, unless you looked at them OR had a forensic tool that enabled you to find every image on a computer or device so you could skim through them.

That EFF article had this to say about Geek Squad using forensic tools (my emphasis):

But some evidence in the case appears to show Geek Squad employees did make an affirmative effort to identify illegal material. For example, the image found on Rettenmaier’s hard drive was in an unallocated space, which typically requires forensic software to find. Other evidence showed that Geek Squad employees were financially rewarded for finding child pornography. Such a bounty would likely encourage Geek Squad employees to actively sweep for suspicious content.

Even if a computer owner inadvertently ends up on a website that has such images — by following some link and then takes their computer in for Geek Squad service — those images are in the browser cache so that person could be instantly branded a child porn lover or pedophile and turned over to the FBI. Unless you are smart enough to use FileVault on the Mac or TrueCrypt for Linux or PC and encrypt your drives (like I do), they can see anything-and-everything once recovered.

What if a rogue Geek Squad person looked at your important documents? Maybe copying down account or social security numbers, poking through email text files, or otherwise digging through all your digital files when your computer or device was in there for repair? 

Remember: Defending against illegal searches and seizures means forcing law enforcement to abide by the Constitution and get a warrant. Not pay-off or otherwise coerce a company’s employees to do the FBI’s illegal forensic for them.

Especially when everyone knows that if an illegal search and seizure is labeled an investigation in to “child porn” or “terrorism” then the stupid usually rollover and let law enforcement do whatever they want unless you, like I do, find this practice and Best Buy collusion an illegal search and seizure (especially since the FBI paid them to do it) and get mad about it and take some action.

For more see these:
post

Shooting Smartphone Video: A Great Solution is Available Now

I’ve been shooting iPhone X video with a $15 app called Filmic Pro using my Steadicam Volt (though with Filmic Pro’s stabilization feature, I can capture almost the same quality doing it handheld without the Steadicam). Sure wish I had this set up five years ago!

The video I can shoot with my iPhone X is absolutely stunning but, unfortunately, capturing good audio from any smartphone’s internal microphone alone sounds horrible. I have a cheap lavalier microphone but doing an interview — or setting it up so my wife can easily and quickly do one on her own with her iPhone X at trade shows — is simply too hard. One would need two lavalier mics and the gear needed to have two audio feeds going in to a single iPhone input. This is not something she can do nor I want to do.

There is good news though: Today I found an audio solution — JK Audio’s BlueDrive-F3 — and read a couple of reviews about it. Though it’s a butt-ugly adaptor, the buzz from a videographer buddy of mine is that “it just works”, has great battery life (6 hours) and has no Bluetooth-like latency so lips stay in sync with voice-audio.

I already own the best-selling mic in the world (Shure SM-58) which will work flawlessly with this device. Check out the video below, especially to hear the “with BlueDrive-F3” and “with just the iPhone internal microphone” so you’ll know the impact that good audio will make in your next iPhone video.

The BlueDrive-F3 is essentially the same price everywhere I looked ($236.55). If interested in this kind of a solution, watch the short video on the page to learn more.

post

Save on Cyber Insurance with Apple & Cisco

This just in from TechCrunch:

Apple and Cisco announced this morning a new deal with insurer Allianz that will allow businesses with their technology products to receive better terms on their cyber insurance coverage, including lower deductibles – or even no deductibles, in some cases. Allianz said it made the decision to offer these better terms after evaluating the technical foundation of Apple and Cisco’s products, like Cisco’s Ransomware Defense and Apple’s iPhone, iPad and Mac.

There is no question in my mind that Apple is inherently more secure than Android, Windows and other technologies. The operative word here, however, is “more” since there really isn’t any truly secure device. Or security is only as good as what we each are savvy enough NOT to do…like clicking on links in emails, inadvertently trusting a website that’s actually a phishing scam, and so on.

That announcement in Apple’s newsroom includes Aon as well: Cisco, Apple, Aon and Allianz today announced a new cyber risk management solution for businesses, comprised of cyber resilience evaluation services from Aon, the most secure technology from Cisco and Apple, and options for enhanced cyber insurance coverage from Allianz.

This is good in many ways but sure won’t hurt Apple and Cisco’s businesses, that’s for certain.

post

What the Film ‘Jeremiah Johnson’ Meant to Me

When I was in high school in the early 1970s, Robert Redford’s film Jeremiah Johnson came out. Even as a teen I would oftentimes prefer living (or just being) in the wilderness than surrounded by human-made stuff, and the movie seemed to connect directly to my soul.

The movie’s meaning to me became clearer as I would watch it over-and-over-and-over again as the years have gone by. After the DVD came out in 1997 (and the BluRay in 2012 which I also own) my watching increased, especially as I traveled more, my jobs grew increasingly stressful, and I would constantly find ways to physically, mentally and spiritually escape to wilderness.

The plot is about this man, played by Robert Redford, who is a Mexican War veteran named Jeremiah Johnson. It starts out with him taking up the life of a mountain man, supporting himself in the Rocky Mountains as a trapper, and all the things that happen to him on this adventure.

But that plot description doesn’t do justice to the impact it made on me since it transported me to the mountain wilderness. It also doesn’t really zero-in on the essence of the film itself, though later on the director, Sydney Pollack, said this in a video interview:

“It’s a picture that was made as much in the editing room as it was in the shooting,” said Pollack. “It was a film where you used to watch dailies and everybody would fall asleep, except Bob and I, because all you had were these big shots of a guy walking his horse through the snow. You didn’t see strong narrative line. It’s a picture made out of rhythms and moods and wonderful performances.

THAT is the essence of the film: “a picture made out of rhythms and moods and wonderful performances” and why it connected with me. I could smell and sense the places depicted in this film and the movie filled me with a sense of peace (though native people’s struggles against the encroaching Europeans have always filled me with sadness about the injustice, and this movie depicted that well too).

The connection was so strong that in 2013, on one of my many road trips to experience places and take photos, I sidetracked to go up to Robert Redford’s Sundance resort in Utah. I’d hoped to find some of the filming locations in the nearby park, but the ranger told me that they were never publicized in order to keep people from disturbing the areas. Still, it was a place I wanted to be since the quiet, peace and serenity of this resort was evident from the moment I began walking the grounds.

So thank you Robert Redford for making this film. You, and Minnesota’s own Sigurd Olson (see Listening Point and Listening Point Part 2) are what allowed me to maintain my inner sanity during a 10-15 year span of time when I was internally struggling to “be” in wilderness while living in the hustle-and-bustle of a human-made world.

Check out the movie’s trailer:


Download a large version of the movie poster here.

post

Is This a Scam by Symantec?

Can’t help but think that “Norton by Symantec” is trying to scare the beejeesus out of website owners with something that sure smells like a scam to me…or at least a really spammy marketing effort to bolster their contact lists.

One of my businesses, Innov8Press, recently began rebuilding a long-time client’s new website. Before the rebuild started we moved the client to a new webhost as their existing one wasn’t up to handling what the new site will require for technical resources.

This is a site we had built (but were not managing at the time) and is one we cleaned up after a hack two years ago and it has been clean ever since. FOR THE LAST TWO YEARS Google says it is clean. Sucuri says it is clean. The premium Wordfence security suite says it is clean.

So imagine my surprise that, after we’d moved the site, we saw this at the new webhost’s dashboard:

Then I go back to Sucuri — which again, had shown the site to be clean for TWO YEARS until we just moved it last week — and now this appears:

We’ve now invested a couple of hours:

  • Creating an account at Norton Safe Web
  • Interacting on the community forum (basically to ask, “WTF?”)
  • Downloading the verification file
  • Uploading it to the site’s server
  • Requesting a verification as the “site owner”.
SCAM OR JUST SPAMMY MARKETING?

Every fiber in my being tells me this is a spammy attempt to get website “owners”, whether the actual owner or developers like us, to signup for their services. At the very least it’s an attempt to identify website owners so they can email the shit out of us.

If Norton starts spamming us I’ll create a filter in Gmail to instantly set all their emails to “spam.” They’d better not think they can market to us in this fashion like some no-scruples startup, and basically waste the time of website owners like this.

 

Why Do I (and why you should) Use SiteGround?

READ THIS PAGE to learn how I finally found "the one" web hosting company which
I can now absolutely endorse and use. Or learn more at SiteGround directly and sign up: