Web/Tech

Why I Don’t Trust Social Login and Why WiFi Remote Access Should Be More Secure

Do you use social login? How about for remote access to your home WiFi router when you’re not at home? Unless you have good password practices and multi-factor authentication, I recommend you do NOT enable remote access of any kind, and maybe consider never using social login ever again.

I am very pleased with our Amplifi Mesh Wi-Fi System installation but have one security-related issue: for remotely logging in to the router from my smartphone, the only remote-access login offered is social login from two providers, Google and Facebook.

While implementing social login is far easier for developers than building a custom login solution, and social login is often assumed by them to be the path of least resistance since these big companies can protect user credentials better than a smaller company, that “big company is more secure” assumption has been proven false and highly risky.

Use of social login also assumes that the user has excellent password practices and/or uses multi-factor authentication, which is usually not the case. So if the user doesn’t follow those best practices when it comes to protecting their Google or Facebook logins, does Amplifi’s parent company, Ubiquiti, get to feel it is off the hook in the event of a breach?

I would argue that a blackhat hacker obtaining a social login email and password is trivial (e.g., I can name twenty-five friends and family members who have had social accounts hacked into).

Unless the user has implemented multi-factor authentication, those social login credentials could be used to gain access to a home WiFi router that uses social logins for remote access.

I’ve added this suggestion on the Amplifi community forum asking the company for a Ubiquiti-operated login with multi-factor authentication, and in it asked these questions:

  • What is your position on security and privacy when it comes to enabling Google and Facebook to potentially monitor outbound traffic from an IP address?
  • As such, do you have a security/privacy white paper that outlines how you use the Google and Facebook social APIs, and specifically what you allow Google and Facebook to monitor? (like router IP address).

While I appreciate that our Amplifi Mesh Wi-Fi System is focused on simplicity first and granular level detail on security and privacy second, I’d like to see a public/private key, encrypted, Ubiquiti-delivered remote access login (where I hold both keys) along with multi-factor authentication … at a minimum.

Firefox Releases ‘Firefox Send’ a Free, Simple & Private File Sharing Service

After I switched from Google Chrome back to Firefox, I’ve never second-guessed my decision, partly because I use Firefox Quantum: Developer Edition every day as well, but mostly at moments when something as cool and useful as Firefox Send debuts.

Mozilla, the non-profit behind the Firefox browser, just released Firefox Send and, even though I’d used the beta version some weeks ago, I tried the final released version just now. (Please note that the servers are slammed this morning, so be patient as the Send app loads.)

With Firefox Send you can share files up to 2.5 GB in size through your web browser, and they are end-to-end encrypted: the file is encrypted in your browser before upload and decrypted only in the recipient’s browser, so Mozilla’s servers only ever hold ciphertext. The flip side is that anyone who gets hold of the link can decrypt the file, which is why the password option below matters.

To get started:

1. Go to https://send.firefox.com

2. In the upper right click “Sign in/up”

3. Create a Firefox account and activate it via the email sent to you

4. Go back to https://send.firefox.com and try uploading one or more files (up to 2.5 GB, of course). You can choose to have the download expire after 1 to 100 downloads and/or after a time limit of 5 minutes, 1 hour, 1 day or 7 days. Most importantly, you can also protect the download with a password.

5. Once your files are uploaded, you can copy the link to share with one or more people.
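To make the “end-to-end” part of step 4 concrete, here is an added toy model of how a share link can carry the decryption key without the server ever seeing it. This is illustration code written for this page, not Mozilla’s Send code: it assumes the link shape `https://send.firefox.com/download/<id>/#<key>`, stands in HMAC-SHA256 counter mode and an encrypt-then-MAC tag for the AES-GCM a browser would use, and models the password option as a download token the server checks before it hands over the ciphertext. The key point it demonstrates is that the fragment after `#` is never part of the HTTP request, so whoever runs the server holds only ciphertext, while whoever holds the link (or the link plus the password) can decrypt.

```python
"""Toy model of a Firefox-Send-style share link (added example, not Mozilla's code).

Assumptions: link shape below; HMAC-SHA256 counter mode + encrypt-then-MAC
instead of AES-GCM; a PBKDF2 download token as a stand-in for Send's password
feature. Sample data in the tests is constructed for this illustration.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

SEND_BASE = "https://send.firefox.com/download/"   # assumed link shape


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from the one link key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode over a PRF: block i of keystream = HMAC(enc_key, nonce || i).
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(enc_key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_for_upload(plaintext: bytes):
    """Client side. Returns (share_url, blob); only the blob goes to the server."""
    key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    ciphertext = _keystream_xor(_subkey(key, b"encryption"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"authentication"), nonce + ciphertext, hashlib.sha256).digest()
    file_id = _b64url(secrets.token_bytes(8))
    share_url = f"{SEND_BASE}{file_id}/#{_b64url(key)}"
    return share_url, nonce + ciphertext + tag


def request_line_seen_by_server(share_url: str) -> str:
    """What actually crosses the wire: scheme, host, path and query, never the fragment."""
    parts = urlsplit(share_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def decrypt_from_link(share_url: str, blob: bytes) -> bytes:
    """Recipient side: key comes from the fragment; tag is checked before decrypting."""
    key = _unb64url(urlsplit(share_url).fragment)
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"authentication"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was tampered with, or the link key is wrong")
    return _keystream_xor(_subkey(key, b"encryption"), nonce, ciphertext)


def password_token(password: str, share_url: str) -> bytes:
    """Password option (simplified stand-in): the uploader stores this token with the
    blob; the server releases the blob only to a downloader who reproduces it.
    The fragment-free URL is the salt, so the token is bound to this one link."""
    salt = request_line_seen_by_server(share_url).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def server_allows_download(stored_token: bytes, presented_token: bytes) -> bool:
    return hmac.compare_digest(stored_token, presented_token)


if __name__ == "__main__":
    url, blob = encrypt_for_upload(b"constructed sample file contents")
    print("link the sender shares :", url)
    print("what the server logs    :", request_line_seen_by_server(url))
    print("recipient recovers      :", decrypt_from_link(url, blob))
```

The password does not change the file key; it only gates the server’s willingness to serve the blob, which matches the user-visible behavior in step 4 (a link plus a password) without claiming to reproduce Send’s exact scheme.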

Yet another reason I’m glad I made the switch to Firefox and away from Chrome.

Get Secure *Before* You Get Hacked

I’ve been dubbed “Mr. Security” by my friends, family and clients (I pay significant attention to, and use, cybersecurity, privacy and software measures), but my pleadings with them to be secure are often ignored…until they get hacked. Then they plead with me to help them out and get their digital life back on track. Usually it’s too little, too late, and the work to recover is enormous.

You should care deeply about your digital life and its security, especially since the risk of getting hacked is exploding! The World Economic Forum in its 2018 report (PDF) said blackhat hackers are gaining the upper hand in cyber warfare…and they are coming after you…and even the experts can’t keep up:

“Offensive cyber capabilities are developing more rapidly than our ability to deal with hostile incidents.”

Here’s the good news: if you haven’t yet been hacked it’s likely you will be at some point, so let’s get you cyber secure NOW!

SECURITY CHECKLIST

I was delighted this morning to discover this Security Checklist, “An open source checklist of resources designed to improve your online privacy and security. Check things off to keep track as you go.”

The Security Checklist is very comprehensive, easy to follow, and one you should look at and implement as quickly as possible. It gives you the “why” and specific resources to use for each category, making this pretty brain-dead-simple to follow and implement:

  • Password Manager
  • Create a strong device passcode
  • Use two-factor authentication
  • Set up a mobile carrier PIN
  • Encrypt your devices
  • Freeze Your Credit
  • Use 1.1.1.1 for DNS resolution
  • Use a VPN
  • Cover your webcam
  • Use a privacy-first web browser
  • Use a privacy-first search engine
  • Review app permissions on your devices
  • Review your social media privacy settings
  • Educate yourself about phishing attacks

Go to Security Checklist

Apple Didn’t Include a USB-A to USB-C with the iPad Pro?

UPDATE today at 1:15pm Pacific
One thing that I should have put in this post…somewhere…was that I love this iPad Pro. The display is beautiful, the machine is FAST, and the Apple Pencil always being charged-up is a big win.

Glad I bought it.

On the day you could order the new iPad Pro 11 inch for 2018, I enthusiastically ordered mine as soon as I had a moment to do so and it arrived yesterday about 3pm. With the Smart Keyboard Folio, the 2nd generation Apple Pencil, and the iPad Pro 11″ 1TB model, my total with tax was $2,167.54.

Unbeknownst to me when I began to open the iPad’s packaging, that enthusiasm would soon turn to disappointment and then outright anger! Especially since I’d intended to set this new iPad Pro up and then restore my older 9.7″ iPad Pro with my wife’s iPad’s backup so she could take it on her trip which she left on this morning. Instead I ended up wasting TWO HOURS of driving and in-store time to chase down a cable that Apple should have included in the box.

WHAT…NO DONGLE OR CABLE?
As you may know, Apple decided to move to USB-C for these new iPad Pros, a move I see as a good one. In fact, I had already made somewhat of a switch to USB-C with my MacBook 12″ and its USB-C connections. As such, I already owned several USB-C cables and dongles.

What I did NOT expect was that the included USB-C cable and charger were like the MacBook’s: USB-C on both ends! No USB-A to USB-C dongle (or cable) was included. Setting up this new iPad Pro was therefore impossible for me, since the 27″ iMac Retina I bought in 2015 for $4,800 has Thunderbolt 2 and USB-A connections. Without USB-A to USB-C in some fashion, I had no way to perform the required connect-to-iTunes step to begin the setup of this new iPad Pro!

I thought, “Wait a second…Apple couldn’t be this stupid…or could they?” so I got on ‘the Google’ and confirmed that yes, Apple had been that shortsighted and I had to go and buy a USB-A to USB-C charge/sync cable. Shit.


Google’s Motto ‘Do The Right Thing’ is for Them and Not Us — Especially with Chrome 69

UPDATE on September 25, 2018
Looks like Google blinked since so many of us were SO upset about what they were doing. While this is good news, I’ll be sticking with Firefox for the foreseeable future:

“Chrome 70 Will Allow Users to Opt-Out of Controversial Automatic Sign-in Feature”

For years I’ve been a staunch supporter of Google and trusted them, loved their services like Google Suite, Gmail, Google Voice, and others, all while admiring their machine learning and artificial intelligence research. One thing I specifically trusted was Google’s Don’t Be Evil motto, which was baked in to their Code of Conduct for the company.

Then, back in May, I became troubled when they removed Don’t Be Evil and replaced it with Do The Right Thing. At the time I joked with a friend of mine, asking him, “Is ‘do the right thing’ for us, or for Google?”

It appears the motto change was focused on Google.

The biggest shift away from that “Don’t Be Evil” motto that Google has ever done just happened. Though this thread started on Hacker News a few weeks ago, a cryptographer and professor at Johns Hopkins University whose blog I follow, Matthew Green, wrote a post entitled, Why I’m Done with Chrome. In it he said:

A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you.

Green also sees this move as having serious implications for privacy and trust. Do you think!?! My trust-level in Google has plummeted. So much so that I have now shifted 100% back to Mozilla’s Firefox browser and away from Chrome. I will no longer use Chrome until they change the way they infiltrate my privacy.

SO WHAT EXACTLY DID GOOGLE DO?

Google’s recent update to Chrome (browser version 69) has done something unprecedented in their history:

a) Once the browser itself is signed in, what you do in Chrome can be tied to your Google account, and with Sync turned on your history, bookmarks and passwords are uploaded to Google. The change? Logging in to any Google service (Gmail, say) now signs the browser in for you, without asking, and leaves Sync one click away from being on. The old separation between “using Gmail in Chrome” and “signed-in Chrome” is gone.

b) As a user you can no longer delete ALL the cookies in your browser: while Chrome is signed in, “Clear all cookies” removes every cookie except Google’s own, which survive until you sign the browser out. (Hat tip to Christoph Tavan for discovering this behavior.)

c) Google is increasingly using “dark pattern” user interfaces in their services to hide or obfuscate what something does when you check, uncheck or choose an option. In ExtremeTech’s article Chrome 69 Is a Full-Fledged Assault on User Privacy, they describe how Google’s dark pattern user interfaces obscure their intent to get you to enable them to do the right thing for Google:

These changes are all part of what’s known as a dark pattern. If a pattern is defined as a regularity in the world (designed or naturally occurring) that repeats in a predictable manner, a dark pattern is an attempt to trick users by designing interface options that look like the options users expect to see.

I, for one, don’t want to research, study or figure out how a company I trust might be trying to trick me into doing something that is in THEIR best interest…and not mine. I’d rather pay for offerings and am growing tired of “being the product”.


The World Wide Web’s Father is Disappointed in His Child

The promise of the World Wide Web and the Internet was the democratization of information and the ability for the people to participate. In many ways it has devolved into a tool for mass surveillance, hacking and monetization that is unrecognizable from what the Web’s inventor, Sir Tim Berners-Lee, envisioned…and he’s not happy about it.

Vanity Fair has a great piece that is definitely worth a read:

“I WAS DEVASTATED”: TIM BERNERS-LEE, THE MAN WHO CREATED THE WORLD WIDE WEB, HAS SOME REGRETS. Berners-Lee has seen his creation debased by everything from fake news to mass surveillance. But he’s got a plan to fix it.

I’ve always wanted to meet him and still hope to do so one day. I’d let him know all the ways his creation has changed my life and the positives FAR OUTWEIGH the negatives.

Because this is a fun-fact-to-know-and-tell, below is the original NeXT machine Berners-Lee created the World Wide Web on around 1990 and used as the world’s first “web server”:

This NeXT workstation (a NeXTcube) was used by Tim Berners-Lee as the first Web server on the World Wide Web. It is shown here as displayed in 2005 at Microcosm, the public science museum at CERN (where Berners-Lee was working in 1991 when he invented the Web).

The document resting on the keyboard is a copy of “Information Management: A Proposal,” which was Berners-Lee’s original proposal for the World Wide Web. The partly peeled off label on the cube itself has the following text: “This machine is a server. DO NOT POWER IT DOWN!!

Just below the keyboard (not shown) is a label which reads: “At the end of the 80s, Tim Berners-Lee invented the World Wide Web using this Next computer as the first Web server.” The book is “Enquire Within upon Everything“, which TBL describes on page one of his book Weaving the Web as “a musty old book of Victorian advice I noticed as a child in my parents’ house outside London“.

Photo by Coolcaesar via Wikimedia Commons, re-published on Connecting the Dots under a CC BY-SA 3.0 license.

A Bug in the Apple Store App on iOS “Removed” a Gift Card from My Apple Wallet

It is likely that I discovered a bug in Apple’s Apple Store app for iOS that could make one of your Apple Store cards in your Apple Wallet vanish.

Two days ago I had three Apple Store cards in my Apple Wallet with varying amounts on them which were pretty close to the total amount of a new HomePod with tax — only $6.21 wasn’t covered by the Apple Store cards in my wallet so would, of course, be paid for using my archived credit card on file with Apple — so I decided to try to order the HomePod using the Apple Store app on my iPhone and go and pick up the unit at a nearby Apple Store in Southdale Mall (Edina, MN).

To my surprise the charge to my archived-at-Apple credit card for $6.21 kept failing! The credit card is used all the time so I tried the transaction three more times. It kept failing so I called my credit card provider Chase who told me that the card was just fine.

I then reached out to Apple Support and they basically had no idea what had happened. They did offer to order it for me or suggested I go in to an Apple Store. Of course, that completely misses the point that there is some sort of bug that prevented me from using my credit card, so I decided to give up and deal with it this coming weekend.

But here is where it gets REALLY WEIRD…

Wavebox – Finally…All Of My Web Apps In One Place!

Whenever I come across an app or method that can radically streamline my workflow, I not only embrace it but have to share it with friends, family and write about it as it might help you too.

To say I was excited to find Wavebox is an understatement. Wait until you see what it can do for you and, most importantly to me, it’s open source so there are no shenanigans going on with backdoors and such.

First some background. My workday consists of wearing several “hats” and I need to have multiple web applications instantly available all day, every day:

  1. My own, personal stuff with my Gmail account as the ‘hub’ with calendar, Google Voice, and a ToDo list in Google Keep
  2. My secure Protonmail email account
  3. A postmaster email account for my server
  4. Two Google Suite email accounts for one of our businesses and a third Google Suite email account for yet another of our businesses
  5. My SteveBorsch.com Google Suite account and website
  6. My primary Slack account
  7. …and several other web applications I need to have available to me at the click of a mouse.

Using multiple Google Suite accounts within a single browser meant that ALL of them were active all the time AND, for anyone who uses multiple accounts in a single browser, you know how unworkable that is on a daily basis.

Each email account and calendar had to be open and ready. If you use Google Chrome to manage multiple Google accounts within the same Chrome instance, you know how problematic it can be to know which Google Account’s calendar you’re in at the moment!

After discovering apps that would let me generate site-specific browsers (SSBs) — which are essentially “clones” of Google Chrome and Safari but completely self-contained — I ended up with about 20 SSBs and each had multiple tabs open. (e.g., Fluid App; Coherence 5; Unite).

Fortunately my iMac has 32 GB of memory, but I was always maxing out on memory since each tab in each browser has a “worker” process running in the background, consuming LOTS of memory on a machine. It was getting pretty crazy, so I began the hunt for a better solution.

Enter Wavebox…

Stay Secure With The Always Improving Signal App

Staying secure with our communications is finally easy and, only recently, Signal added a desktop client for Mac, Windows and Linux which ties to your smartphone’s Signal app and works flawlessly.

Using encryption for your critical communications has always been a challenge, even for those of us who are hard-core technoweenies. But all that changed when an American computer security researcher and cypherpunk named Moxie Marlinspike co-created the Signal protocol (with Trevor Perrin) and later an app called Signal (which is available here for iPhone, Android or desktop/laptop computers).

Signal is widely regarded as the most secure and easiest to use encrypted texting and calling application. It’s a vital tool for journalists, whistleblowers, and ordinary citizens. But it is also so good that the U.S. Senate approved the use of Signal by its staffers due to its end-to-end encryption and bulletproof security.

Even WhatsApp, the communication app that boasts well over 1 billion users, leverages the Signal protocol as the underpinnings of their wildly successful messaging platform.

Why should you use it? With Signal you can send high-quality group, text, voice, video, document, and picture messages anywhere in the world without SMS or MMS fees (obviously you need an internet connection on your phone or computer). But rather than re-hash all the reasons why you should use it, take a peek at a post I wrote in October of 2016 that will detail Why You Should Use the Signal App.

Don’t just take my word for it, though.

Note to Online Publishers: STOP THE AUTOPLAY VIDEOS AND BLARING AUDIO!!

Ever been in a public place, go to a web article in your browser, and suddenly AUDIO STARTS BLARING FROM AN AUTOPLAY VIDEO!?!

Me too. All it does is PISS ME OFF so I will immediately tweet to leadership of whatever publication is the offending one. They never reply. As it turns out, the tech industry is doing something about it as is a new Coalition for Better Ads.

Hopefully publishers will wake up and realize that if they make the experience all about them and their advertisers WE, the readers, won’t come back….ever.

I don’t use ad blockers in my main browser as they interfere with web work I do. Sometimes I forget to mute my audio which, of course, I don’t want to do anyway since I might miss notifications on my work machine.

How to stop this autoplay and unable-to-exit popups crap? There are a few ways suggested in this article:

The interesting thing is that advertising groups are furious at Apple for blocking ad-trackers and Google has warned the industry that they’re going to be adding an ad-blocker next year in their Chrome browser.

Again, publishers are their own worst enemy and unless they wake up and change their approach, the tech industry will do it for them.