Use Your Phone’s Gmail App for Two-Factor Authentication

Email is your most important application, whether you access it in a web browser or with an app on your smartphone or tablet. If your email gets hacked, it is trivial for a black-hat hacker to go to your online accounts with a bank, stock brokerage or ecommerce site and reset your passwords

…and then gain control of all your accounts!

But you can easily and quickly protect your email. In the case of Gmail, you can set up another layer of protection: two-factor authentication (2FA, also called 2-step verification). 2FA makes your smartphone an additional, secure method of proving it is really you trying to log in to your Gmail. Once you set it up and turn it on, a hacker would need both your email password and your smartphone to gain control over your email account!

The good news? Google has made 2FA quite easy to set up and use, and they have recently made it even easier. Read on to learn how it works.

Is Congress Really Gearing Up for an Encryption Battle?

After the attacks in New York on September 11, 2001, Congress passed the poorly thought-out Patriot Act. Friday’s Paris attacks seem to be (once again) providing Congress with an excuse to try to legislate weak encryption in the United States, putting another obstacle in the way of U.S. technology companies selling overseas.

That’s right…weak. Virtually every cryptography expert on the planet knows that a government-mandated “backdoor” in software or devices will not do what its proponents want and will leave those systems open to attack by black-hat hackers or state-run military cyberattacks.

Today’s Wall Street Journal had this front-page article, “Paris Attacks Fuel Debate Over Spying – Growing belief that terrorists behind assaults used encrypted communications prompts re-examination of U.S. policy on surveillance.” A few things from the article leapt out at me:

“A growing belief among intelligence officials that the terrorists behind Friday’s Paris attacks used encrypted communications is prompting a far-ranging re-examination of U.S. policy on data collection and surveillance.”  

No kidding. Anyone on this planet with intermediate technical skills can encrypt their communications.

Senator Richard Burr

“Sen. Richard Burr (R., N.C.), chairman of the Senate Intelligence Committee, said Tuesday his panel will launch a review of encryption use. ‘It is likely that end-to-end encryption was used to communicate in Belgium and France and Syria,’ Mr. Burr said. He said encryption was likely because no direct communication among the terrorists was detected.”

Really Senator? Maybe they met in person?

But this is the part of the article that made me choke on my breakfast muffin:

Backing Up Your Digital Life


You are probably like me when it comes to backing up computers and digital devices: It is SUCH a pain-in-the-butt that only the terrified-of-disaster actually take any action. Make sure you look at the Newegg deal at the bottom of this post (and no, I’m not an ‘affiliate’ and get nothing from Newegg for linking to the deal).

Fortunately I’ve never had a house fire but have experienced multiple hard drive failures over the years. Only once, 10 years ago, did I have a hard drive crash to the point where it was unrecoverable. Ever since I’ve been of the mindset that hard drive failures and disasters are not a matter of “if” but rather “when”.

During those 10 years, however, I’ve heard so many personal stories of drive failures (or stolen drives), house or business building fires, a laptop accidentally being dropped overboard from a cruise ship (and it contained vital, one-of-a-kind business planning documents), that I get after friends, family, and colleagues to back up, back up, and back up!

After hearing one of those stories this past April, I wrote Your Mom DEMANDS That You Backup Your Computer! to see if it would kickstart conversations. It did, but the two friends I was specifically hoping would back up their mission-critical files, tens of thousands of one-of-a-kind digital photos, and other irreplaceable digital stuff…did nothing.

What happens if you have a fire in the house? Or the firefighters spray water all over your office, even though the fire hasn’t reached it yet, and effectively ‘drown’ your computer and drives?

Basically you’re screwed. Unless…

Chrome & Firefox Users Are Leaking Their IP Address…Even While Using a VPN

The only way you can guarantee your privacy while using a computer or mobile device is to disconnect it from the network. Or become a security expert. But if you must be online and want (or need) to be as secure as possible, you won’t want to use Google’s Chrome or Mozilla’s Firefox browsers until you make some changes, since your IP address can be easily discovered, even behind a VPN.

You may know about (and already use, as I do) AdBlockPlus or Ghostery. These browser add-ons are used to block advertisements and also let you control who can track you by blocking services and advertisers from doing so.

So imagine how stunned I was to learn that the very cool and new WebRTC technology (for using video, audio and screen sharing right inside your web browser) can leak your Internet Protocol (IP) address.

Advertisers and tracking services love to set tracking cookies that map to your IP address. Then they can follow you around as you use that browser to surf the internet. Intelligence agencies love to discover someone’s IP address, since it points them right at the spot from which that person is connecting.

This flaw in WebRTC is especially troublesome since it would compromise a whistleblower in a country with an oppressive regime in power, businesses communicating online with WebRTC, or anyone legitimately wanting their online activities to be private…especially when they believe they are safe because they are using a VPN.

Using Chrome or Firefox? Test your browser on the linked page to see whether you are vulnerable. If it reports “Is WebRTC Enabled” as true, you are vulnerable. If so, click the link on that page that says “How to Disable WebRTC” and follow the instructions.

That IP address leakage is bad enough, but what is worse is that the leak cannot be detected by any current plugin (e.g., Ghostery) or even by the developer tools in Google’s Chrome or Mozilla’s Firefox (the primary browsers that currently support WebRTC), because the STUN requests are not ordinary page requests and never show up in the network panel.

ThreatPost has this excellent article on this leak problem:

A recently publicized hole in WebRTC, a protocol for web communication, is revealing the local IP addresses of users, even those who go to extra lengths to hide theirs by using a virtual private network.

Daniel Roesler, a San Francisco-based researcher who’s dabbled in encryption, posted a demonstration on GitHub last week to illustrate how the vulnerability works.

Roesler’s proof-of-concept shows how websites make requests to STUN servers. STUN (Session Traversal Utilities for NAT) servers send a ping back that contains the IP address and port of the client, from the server’s perspective. The local and public IP addresses of the user can be gleaned from these requests via JavaScript.

So basically an advertiser, tracking service or intelligence agency can easily set up a STUN server (or simply point at a public one), and any visit to a page carrying that special JavaScript, loaded in a Chrome or Firefox browser, would reveal the visitor’s local and public IP addresses and allow that page to set a tracking cookie tied to them.

Of course, you shouldn’t be doing anything online—even if using a VPN—that’s illegal like pirating movies or music, or buying stuff from a drug ecommerce site like Silk Road. But be especially careful if you are in a country, or situation, that means your life might be in danger if you are caught communicating using something like WebRTC.

How to Disable WebRTC

In Firefox:

  • To disable WebRTC, go to about:config and toggle media.peerconnection.enabled to false.
  • Or install this Firefox add-on

In Chrome:

  • Bad news? You CAN’T turn off WebRTC in the desktop version of Google Chrome.
  • Good news? Install this Chrome Extension: WebRTC Leak Prevent
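To make the mechanism in the ThreatPost excerpt concrete, here is an added example (my code, not Roesler’s proof-of-concept and not from the original post) of how a page turns WebRTC ICE candidates into the visitor’s address list. The candidate parser and address classifier are pure functions you can run in Node against the constructed sample lines at the bottom; `harvestViaWebRTC` is the browser half and only runs where `RTCPeerConnection` exists. The Google STUN URL is a real public server, but any STUN server works; the sample candidate lines and their addresses are made up for the example.

```javascript
// Any STUN server will do; this public Google one is real and widely used.
const STUN_URL = "stun:stun.l.google.com:19302";

// RFC 1918, loopback and link-local v4 ranges plus loopback, link-local and
// unique-local v6 count as "local" (the LAN address a VPN does not hide).
function isLocalAddress(addr) {
  if (addr.includes(":")) {
    const a = addr.toLowerCase();
    return a === "::1" || a.startsWith("fe80:") || a.startsWith("fc") || a.startsWith("fd");
  }
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return (
    o[0] === 10 ||
    o[0] === 127 ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 169 && o[1] === 254)
  );
}

// Parse one ICE candidate line (RFC 5245 section 15.1):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
// An optional leading "a=" (SDP attribute form) is tolerated. Returns null for
// anything that is not a candidate line.
function parseCandidate(line) {
  const p = line.trim().replace(/^a=/, "").split(/\s+/);
  if (p.length < 8 || !p[0].startsWith("candidate:") || p[6] !== "typ") return null;
  return {
    address: p[4],
    port: Number(p[5]),
    transport: p[2].toLowerCase(),
    type: p[7],                       // host | srflx | prflx | relay
    local: isLocalAddress(p[4]),
  };
}

// Reduce a gathering run to the de-duplicated local/public lists a tracker
// would keep. The host candidate carries the LAN address; the srflx candidate
// carries the public address as the STUN server saw it.
function collectAddresses(lines) {
  const local = new Set();
  const pub = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    // Newer browsers replace host IPs with an mDNS name (xxxx.local); nothing to learn there.
    if (c.address.endsWith(".local")) continue;
    (c.local ? local : pub).add(c.address);
  }
  return { local: [...local], public: [...pub] };
}

// Browser side: a data-channel-only peer connection triggers ICE gathering with
// no camera/microphone permission prompt, and every candidate the browser
// finds is handed to onicecandidate. Resolves with { local, public }.
function harvestViaWebRTC(timeoutMs = 3000) {
  return new Promise(resolve => {
    if (typeof RTCPeerConnection === "undefined") return resolve({ local: [], public: [] });
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: STUN_URL }] });
    pc.createDataChannel("x");
    pc.onicecandidate = e => { if (e.candidate) lines.push(e.candidate.candidate); };
    const done = () => { pc.close(); resolve(collectAddresses(lines)); };
    pc.onicegatheringstatechange = () => { if (pc.iceGatheringState === "complete") done(); };
    setTimeout(done, timeoutMs);
    pc.createOffer().then(o => pc.setLocalDescription(o)).catch(done);
  });
}

// Constructed sample (values made up): one gathering run from a machine on a
// NAT, which is what a 2015-era Chrome or Firefox handed to the page.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 61234 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.45 61234 typ srflx raddr 192.168.1.23 rport 61234 generation 0",
  "a=candidate:1 2 tcp 1518280447 192.168.1.23 9 typ host tcptype active generation 0",
  "candidate:3 1 udp 2122260223 a1b2c3d4-1234-5678-9abc-def012345678.local 50000 typ host",
];

console.log(collectAddresses(SAMPLE_CANDIDATES));
// In a browser: harvestViaWebRTC().then(console.log)
```

Two things worth noticing. The srflx candidate is the one a VPN is supposed to hide; if the browser routes STUN outside the tunnel you get the real public address, and the host candidate gives up the LAN address either way. And with Firefox’s media.peerconnection.enabled set to false, `RTCPeerConnection` is simply absent, which is why `harvestViaWebRTC` checks for it and returns empty lists.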

Backup Factoids to (Hopefully) Get You Off Your A$$

If you already back up all of your digital data on all devices, or have a company strategy that takes care of it all for you along with your mission-critical data, go ahead and watch this instead of reading this post.

If you don’t, or are looking for some data on the costs of loss or downtime, you need to peek at what the gang over at Singlehop sent me after reading my post, Your Mom DEMANDS That You Backup Your Computer!. In it they asked if they could send over an infographic they’d created which I could share with you.

Normally I decline when I get these sorts of requests, especially since they number 2-3 per week, but I am passionate and adamant about backing up and hopefully these factoids will motivate you to take steps NOW to do the same for yourself or your organization. Besides, it has some really interesting factoids within it.

Here is that infographic:


What Caused Bluehost’s MASSIVE FAIL

Email from Bluehost's CEO on Friday, April 18. Too bad he couldn't be bothered to say anything earlier.
Update from Bluehost Support which, ironically, arrived 24 hours after yesterday's 1pm outage:
I would like to offer my sincerest apologies for this lack of communication and to provide you with some details as to what happened. We experienced a degradation of network service in one of our data centers due to a firmware bug in one of our vendor’s hardware solutions. This was an undocumented bug and we worked with our partner to diagnose the issue and deployed a firmware update to the systems to remediate the problem. Only websites that were being served by this hardware were affected. This is unrelated to any previous outages and we have reviewed our entire network to make sure this problem will not occur elsewhere. Please let us know if there is anything else we can provide; whether information and other, but I would like to assure you I personally understand your frustrations and can appreciate your stance on the situation. Best regards – Ryan, Supervisor

An unknown number of Bluehost servers went down yesterday, April 16th, at 1pm Central time. This may have been limited to their Dedicated servers (I own one) and virtual private servers (VPS), but that’s unknown too. It’s also unknown what caused it, even approximately when it will be fixed, or the other pretty basic items a paying customer wants to know when a service is failing.

In this post I will tell you about two fails Bluehost made: how they communicated with customers about the outage, and what caused the outage in the first place.


Outages do occur at web hosts…they just do. But why so many unknowns and a clear reluctance to be transparent? Because Bluehost has failed dramatically at THE MOST BASIC customer relations item: communicating with customers about why something isn’t working as promised. Rather than have a status page that either carries status updates or embeds their Twitter and Facebook feeds, they ask people to follow them “and check our Twitter feed and Facebook page for updates.” How incredibly bush-league.

A few cut-n-paste tweets from Bluehost Support

For hours and hours and hours they have been telling people, essentially, “I dunno,” which is unacceptable. Not only is this impacting an untold number of people (the tweets are numerous), it is a PR disaster and customers will undoubtedly flee. Especially those who put clients on Bluehost on their recommendation, a recommendation that now makes those recommenders look like a bunch of clueless imbeciles.

I’ve also been evangelizing Bluehost’s new Dedicated server offering since it has been very fast and their Level III tech support access is the best I’ve ever had with any host I’ve ever used. Several of my clients have purchased Dedicated servers (and yes, ALL of them pinged me about where they should go next because they are absolutely getting off Bluehost!).

From 1pm Wednesday April 16th through today, Bluehost Support can only tell customers “I dunno”

Will I continue to evangelize? Nope. I might have cut Bluehost some slack IF they had been communicative. I may continue to evangelize IF Bluehost provides recompense for my server downtime and IF they provide a plan on how NOT to repeat a fiasco like this in the future. If they say or do nothing I’ll take my business and that of my clients elsewhere.

But here is what caused the outage.


Adobe’s Bizarre Digital Publishing Approach

Adobe Systems is clearly the leader in print publishing with InDesign and all of the supporting tools it ships. But their digital publishing approach is like saying to you, “Oh…if you want to send your print job to a printing company that uses a digital press, then you have to spend A LOT more money.”

One of our businesses publishes a six-times-per-year print newsletter and multiple ebooks (i.e., PDF-based) as trend publications for the home furnishings industry. After weeks of research I’ve determined that the best solution is Adobe’s Digital Publishing Suite, and it’s what drives many major publications that have made the switch to digital tablet publishing.

The good news? Adobe’s Digital Publishing “Single Edition” is $395 (or you can join the “Creative Cloud” and get ALL of Adobe’s apps as well) and you can create and ship “unlimited iPad apps” publications.

The really bizarre bad news? To publish multiple issues within one of those iPad publications — or to publish to Android or Kindle — one needs to step up to the “Professional Edition” which costs $495 per month!

While I appreciate that Adobe thinks its position in publishing will let it escape disruption from others who will deliver cross-platform publishing tools, this is ridiculous. If I were going to publish only to the iPad I wouldn’t pay Adobe a nickel. I’d much rather use the far more robust and easier-to-use iBooks Author from Apple.

I suspect Adobe’s strategy is to make the on-ramp to digital publishing simpler for their print publishing designer base. I hate to be the bearer of bad news, Adobe, but most of them have gone on to other gigs like house painting or selling insurance. It’s a stupid strategy to make the Single Edition affordable and then make the price delta to go “Pro” like moving up from a Honda Civic to a Ferrari.

Comcast Web App Fail

Shouldn’t someone in charge of web applications for a major company like Comcast review error messages and customer processes? I sure thought so until today when I attempted to set up my wife as a user on our Comcast account and it wouldn’t accept my password attempts.

Here’s what happened and why Comcast failed me as a customer (though their social media support caught me). The reason why it failed will surprise you. Why should you care about something as mundane as an online password issue that happened to some guy who blogs?

Because the issue I just experienced goes beyond a simple online password process that didn’t work very well. You should care if you, like many of us, are responsible for overseeing web and mobile app creation and care about customers and their experience with your company or brand. You should care if you are a user of web or mobile applications and give a damn at all about password security. You should care if you don’t want to invest your personal time, energy and effort in dealing with password security when the web or mobile application is broken and has been that way for years.

Here is what unfolded in the space of 15 minutes:

  • Logged on to (their consumer site) and went to add my wife as a new user on our account
  • Completed the username info, password and security question
  • Received an error message that the password was incorrect and was informed that, “Your password must be 8 – 16 characters. It must contain at least one letter, and at least one number or special characters (!”#$%&’()*+,-./:;<=>?@[\]^_`{|}~), may not contain your first name, last name, User ID, username, and cannot contain spaces.”

No-shit-Sherlock…I do this all day, every day and know how to create and use secure passwords and usually can grasp the underlying algorithms and how they work (if they’re done correctly, that is).

  • Tried again. And again and again. 
  • Used a different browser with zero cache (cookies, etc.). Didn’t work.
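For anyone who does oversee web app creation, here is the policy quoted in that error message implemented the way it should be: as a validator that reports exactly which rule the password breaks instead of a bare “incorrect.” This is an added example of mine, not Comcast’s code; the special-character set is copied from the message, and the field names in `user` (firstName, lastName, userId, username) are my assumption.

```javascript
// The allowed special characters, verbatim from Comcast's error text.
const SPECIALS = new Set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~");

// `user` holds the account fields the policy forbids inside the password.
// Field names (firstName, lastName, userId, username) are assumed here.
// Returns { ok, reasons } so the UI can show the actual failed rule(s).
function validatePassword(password, user = {}) {
  const reasons = [];
  const pw = String(password);

  if (pw.length < 8 || pw.length > 16) reasons.push("must be 8 to 16 characters");
  if (/\s/.test(pw)) reasons.push("cannot contain spaces");
  if (!/[A-Za-z]/.test(pw)) reasons.push("must contain at least one letter");

  const hasDigit = /[0-9]/.test(pw);
  const hasSpecial = [...pw].some(ch => SPECIALS.has(ch));
  if (!hasDigit && !hasSpecial) {
    reasons.push("must contain at least one number or special character");
  }

  // Case-insensitive substring check, so "BobSmith99!" fails for first name "bob".
  const lower = pw.toLowerCase();
  for (const [field, value] of Object.entries(user)) {
    const v = String(value ?? "").trim().toLowerCase();
    if (v.length > 0 && lower.includes(v)) reasons.push(`may not contain your ${field}`);
  }

  return { ok: reasons.length === 0, reasons };
}

// Stand-alone demo with constructed inputs.
console.log(validatePassword("Tr0ub4dor&3", { firstName: "Bob", lastName: "Smith" }));
console.log(validatePassword("bobsmith", { firstName: "Bob", lastName: "Smith" }));
```

The useful property is the `reasons` list: run the same function on both the client and the server, and if a password passes every stated rule yet the form still refuses it, you know the form is enforcing something its own message does not say, which is exactly the kind of thing someone at the company should be reviewing.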

Chrome ‘Gorges’ on RAM

My main production machine’s upgrade to OS X Mountain Lion started last night and finished very early this morning. Everything went smoothly. I did a ‘clean install’, so I cloned my startup drive, installed, and then migrated everything over, which took HOURS but fortunately was pretty much working without my involvement.

Coming back after my lunch meeting, I was somewhat surprised to hear my hard disk whirring and crunching. Not in a bad way, but there was a lot of disk activity going on. I’m someone who typically has fourteen tabs open in one window (all my ‘workspace’ stuff like Gmail, Docs, my hosting provider CPanel, etc.), and I’ll typically have a second window open with a client’s work in it.

In addition, like you probably do, I have numerous other apps open and running: Photoshop, Skype, maybe Firefox or Safari (or both), Keynote and others.

OS X’s Activity Monitor showing all the Google Chrome processes loading and running in system memory. Yikes. (click for larger view)

But Chrome was acting like a guy at a Coney Island hot dog eating contest: with all the tabs open, Google Talk running and so on, Chrome was using OVER 4 GB OF RAM! Wow.

Fortunately my Mac Pro has 10 GB in it and I know enough about how my machine runs that I know when something is awry and I manage it (e.g., closing that second window full of tabs!). While I love having sessions open in other tabs, and while Google Chrome was architected from the beginning so that each tab is independent and a crash in one won’t crash the entire browser and all its tabs, it still sucks up so much memory that I have to shut Chrome down when I’m doing any other intensive task like video editing, screen recording and the like.

So if you are experiencing machine slowdowns, or if you have 2 GB, 4 GB or so of RAM in your machine, either run just a few tabs or quit Chrome altogether when things get slow. Hopefully Google will find new ways to optimize Chrome so this quiets down and it stops shoving RAM in its mouth like that contestant above!

Google Locks Me Out of Gmail. Seriously?

UPDATE: Two hours after locking me out I’m reinstated. What happened? Who the buzz knows but of course, that’s the point.

While at lunch today I checked my email on my iPhone but it wasn’t working. Tried the Gmail client on my iPad and it wasn’t working. I thought, “Gmail is probably temporarily down.”

It wasn’t. For some unknown reason Google locked me out of Gmail, apparently for “Unusual Usage – Account Temporarily Locked Down.”

The ONLY thing that could be possible is “3. Being logged into or synchronizing Gmail on many computers, clients, or mobile devices.” But isn’t that the point of a cloud-based solution Google? Especially in a day when an accelerating number of people like me have a desktop, laptop, iPad and iPhone? Is it because I logged in at the office on another computer as well?

I use Google’s 2-step verification too. The main problem for me is that Gmail is my communications hub. I have 8 email accounts all managed within that hub and purchased the 25GB upgrade to my account as well. As such, I’m locked out of three email accounts I use daily for business. With dozens of emails per day I need to manage, the likelihood of me missing something important is incredibly high.

I’m not the only one. This guy had the same issue, but so have hundreds of others, and there is NOTHING WE CAN DO!

Gotta tell ya, if THIS is how Google treats a long-time user like me, someone who uses several of their services (even lame ones like G+), then organizations considering Google Apps should seriously reconsider. My suspicion? This is a veiled attempt at scaring the beejeesus out of people in order to get them to buy in to a Google Apps account. Having one (and paying for it) is the ONLY way to have an actual human throat-to-choke when bullshit like this happens.