Full disclosure – I’ve long been a fan of many of Google’s services. I’ve used Gmail since the first beta, rely on Google search all day long, use a Pixel as my smartphone and listen to music all day long through their music service. It pains me when my favorite tech brands make poor choices, and unfortunately, Googles leadership seem to have forgotten their founders original scree, “Don’t be evil,” in favor of behaving like any profit-driven, ethically-ambiguous megacorp. The latest scandal comes from one of Google’s recent tech acquisitions in the form of a failure to disclose the presence of microphones in the Nest Secure home devices. Now, the presence of microphones in security devices shouldn’t come as a surprise, but Google’s failure to mention it in any documentation is a glaring breach of trust on their part.
What this means for you
When I first heard this news, I though to myself, “Well duh, of course these things have microphones. They are security monitoring devices,” and thought that, once again, naive consumers were purchasing and installing the devices without RTFM (“reading the fine manual” except substitute your own f-word). But no, Google (and Nest) didn’t actually document the presence of a microphone at all until it recently revealed that the Google Assistant technology could now be used on the Nest Secure device which, oh by the way, uses voice control…which, erm, requires a microphone…that is already on the device. According to Google, the microphone was disabled by default and can only be activated when the user specifically enables it. Which doesn’t make the whole failure to disclose any better, because how do we know it wasn’t enabled, and why should we trust them to be telling the truth now?
Unfortunately for you, even if you were being a careful consumer and reading the fine manual (or label, or reviews, etc.) the only way you would have known there was a microphone in the device would have been to dismantle it yourself, but why would you do that because the product documentation clearly lists the device’s specs, doesn’t it? Does this sound familiar? Like some other technology megacorp abusing its users’ trust? Is it going to take dragging these companies in front of Congress to get them stop being so lackadaisical with our privacy? Well, before we do that, let’s make sure we elect Congress critters that know iPhones aren’t made by Google.
There is nothing like severe weather to make you appreciate the benefits of a highly mobile workforce, whether you are the worker, safely ensconced in a warm & dry location, or the business owner, suddenly managing a half-empty office but confident the wheels of commerce are still turning. Thanks to declining technology costs and pervasive internet, using a laptop is no longer a status symbol of the executive or the sale team, nor is being away from the main office isolating and limiting. However, there are some speed-bumps on the highway to the work-from-anywhere ideal.
What you should know before going mobile
- Understand what applications and data are required to do your job. If it’s just internet access and email, you’ve got everything you need on just about any laptop, tablet or even smartphone. If you use industry specific applications that require access to data stored on your office server, can that app be run when you aren’t connected to the office network? Probably not, in which case you are going to need a VPN connection or remote access to your work PC.
- Plan your access to the internet carefully. Using your home internet connection is typically fine for most business users, but be very wary of posting up in a local coffee shop expecting to sip lattes and use their free WiFi without a means to secure your data transmissions such as using a VPN. What will you do if wherever you end up doesn’t have working WiFi? Most modern smartphones can provide a hotspot that should work for light internet work, but make sure you know how to use it before relying on it.
- Wireless internet is unreliable and possibly not secure. If you have a moderately sized home and the consumer-grade router installed by your ISP, you know of what I speak. If you have business-critical work that needs to be done, just know that WiFi can and will make you crazy with an unreliable connection, and doubly so for a smartphone hotspot, so plan accordingly. And don’t get me started on free WiFi provided by your local retail/restaurant/laundromat/etc. That WiFi should be consider as being provided for entertainment purposes only, and never used for business unless you have a proper VPN connection protecting you.
- Do you need to print? There are printers that are built for travel, but they are finicky and prone to fail at the least opportune time. Before any extended jaunt out of the office, make sure the printer is properly provisioned (ink and paper) and charged or equipped with its power cord. You might want to print something out just to be safe.
- Mind your ergonomics. Just because the local coffee shop is comfortable for lounging does not make it ideal for working. A couple hours sitting on a hard wooden stool hunched over your laptop will wreck the healthiest person’s back and neck. And typing away on a smaller keyboard will definitely strain your wrists and shoulders, while the small screen wreaks havoc with your eyes. The most productive and healthy remote workers will know what positions and heights are ideal for working with a laptop, and will equip themselves with things like laptop stands, cordless mice (and keyboards!) and choose environments that allow them to sit properly and comfortably.
- Are you going to be making a lot of phone calls? Those of us that spend most of our work day on the phone usually use a headset. Make sure the one you are planning to use can hold a good charge if it’s wireless, and has a better-than-average mic, as oftentimes you will be in noisy environments. You may be able to hear your caller just fine, but they may have trouble hearing you. Also keep in mind that if you are planning to use your phone as a hot spot, you may not be able to make phone calls at the same time.
- Is your device secure? It may seem like overkill, but consider using a cable lock on your laptop, especially if you are working in a public space and there’s any chance you may have to take your eyes off the device for more than a minute. If you store any sort of confidential company data on your laptop, including email, the hard drive should be encrypted and your laptop protected by a strong login password. Never leave your laptop or laptop bag visible in a parked car, even if it’s only for a few minutes.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
As more and more of you start to explore the possibilities of becoming part of the mobile workforce, I am frequently asked about one area in particular: How do I get access to the things I normally use at work when I’m on the road or working from home? This question is often followed up by: What’s the difference between remote access software and a VPN, and which one should I be using? Even if you think the answers might be more technical than you are ready to handle, I’ll try to provide some plain-English clarity to this complex topic, as understanding which one is appropriate for your work situation will be critical in determining how successful you will be as a true “road warrior”.
Are you ready to harness the power of the internet?
Most often, when the term “remote access software” is used, it is typically referring to commercial platforms like GotoMyPC, TeamViewer, LogMeIn, or VNC. In a nutshell, these programs are installed onto a computer that you wish to remotely access from another computer. For example: let’s say you have an office desktop and a laptop which you use at home. You would install this software on both computers, and it would allow you to “remote” into one from other. Typically this would be set up to allow your laptop to remote into your office desktop, primarily to provide you with access to the applications and data that are only available in your office, but from the “comfort” of a remote location outside of the office.
As you may have realized by now, the reason you need remote access software to work outside of the office is because the office network is separate from your home network by design, and the remote access software provides a “bridge” between the two networks, allowing your separate machines to talk to each other using the internet to do this.
“Wait a minute,” I hear you ask. “If this program can connect my office and my home network together via the internet, why do I even need these programs at all? Can’t my networks just talk straight to each other through the internet?” Well, they could, but it would be akin to you having a confidential conversation with someone by shouting at them across a crowded room full of strangers. Aside from simplifying the process of connecting two private networks together over the internet, they also provide some measure of security and privacy to your data as it crosses the internet.
“Surely the technology exists for our two networks to be connected without having to involve a third party that costs $XXX a month?” As a matter of fact it does, and it’s called a “virtual private network” or VPN, and works by creating a “virtual”, dedicated connection between two networks, usually your office and you (wherever you are). This VPN connection is often referred to as a “tunnel” which is also an apt analog to describe what it actually does.
“OK Chris, but why would I use a VPN over remote access software?” The most common reason is actually something that people often overlook: what if you don’t have an office desktop to remote into? What if your primary office machine is a laptop that goes home with you every night? The data is in the office on your server, but your laptop is on the road with you. This is where the VPN shines – regardless of where you are, if you have an internet connection and a VPN tunnel, your laptop is connected to the office network and all the services that are normally only available when you are sitting in the office. Granted, with the rise in popularity and acceptance of cloud-based services, some businesses are moving away from traditional premise-based services in favor of putting all of their data into the cloud, but for many industries, this is just not acceptable. And for those instances (of which there are legion) the VPN is the solution of choice. Keep in mind, building a VPN is not trivial – it requires the correct hardware and software and a level of technical configuration that is often best left to IT professionals, which is why commercial remote access services exist and are quite popular despite the cost.
TLDR; Use remote access software when you want to access one PC from another. Use VPN when you need to access an entire office network (and all of its private services) from a PC on different network. Keep in mind, certain functions, applications and services will be slower when being accessed over the internet, depending on the mode of access (remote or VPN or both) and the speed of your connection on both networks.
By the time you read this, Apple will be on day two of quarantining group calls in its video chat app, FaceTime. Why? Oh, how about a nasty eavesdropping bug that would allow callers to listen in on recipients before they pick up the call? Not necessarily ground-shaking in terms of espionage or cybercrime, but potentially embarrassing or even relationship-destroying, especially for an app that is heavily used for non-business calls. To add to the embarrassment of everyone, discovery of this bug is credited to young teenager trying to set up a group chat with his Fortnite friends. Thanks, Fortnite?
What this means for you
Probably not much, except if you use FaceTime for group chats which is now unavailable until Apple fixes the issue. At the moment, there is no firm ETA on the fix which “…will be released in a software update later this week,” per Apple’s official statement. Unfortunately, this isn’t the first security bug for FaceTime’s group chat feature which is not even a full year old. Last fall a security researcher was able to exploit a flaw in group chats to bypass the lock screen and view a user’s entire address book. Thanks to the internet and the always connected nature of iOS devices, bugs like these are typically fixed quickly, and unlike Android phones which suffer from a fractured operating system environment and inconsistent update policies controlled by competing manufacturers, Apple is able to react quickly to these situations. Score one for the fruit company!
Due in large part to the wild imaginations of modern media (both Hollywood and traditional news purveyors) and the average layperson’s less-than-thorough understanding of technology, the mythos of the “internet hacker” has grown larger than life, and is all-at-once mysterious, unstoppable, merciless, mercenary and at the same time held with the same regard as the boogeyman, ie. too scary to be real, right? Invariably depicted as leading an “alternative” lifestyle – whether it be mysterious lone-gun, angry anarcho-punk, sallow basement dweller, or “pencil-necked geek,” these stereotypical representations of “hackers” lead the average person to take them less seriously than a lawyer in a three-piece suit or surgeon in scrubs, which can lead to a mental devaluation of the actual threat. A recent presentation at a security conference in Washington, DC offered a different picture: that of an (as of yet) unnamed state-sponsored surveillance team managing a multi-million dollar budget and engaging in the seemingly mundane conversation of weighing the pros and cons of existing software versus building their own tools to covertly spy on and gather data from people’s smartphones.
What this means for you
The “buy or build” decision might sound familiar – it’s one that every modern organization faces numerous times – but that familiarity should alarm, not comfort you. Our biggest mistake is thinking cyber threat teams are like they are depicted in entertainment media instead of how they actually are: well funded, focused, professionally run and taking themselves very seriously. Gathering data, whether it be for political or financial gain, is a booming business for governments, traditional markets and a thriving criminal underworld, and oftentimes it’s impossible to draw clear lines between the three. Instead of a nuisance, the modern “hacker” is now a rival, competitor and threat rolled into one, and instead of some pimply-faced teen in a basement that goes by the handle “hAx4LuLz”, they are well-funded, organized teams operating under names like, “Arity Business Inc.” with well-defined product lines that are professionally marketed.
Don’t miss another important take-away from this: “hackers” are human as well, subject to making mistakes, like the one that unwittingly opened the kimono for this particular group, allowing the security researchers from Lookout to get an eye-opening glimpse into their daily operations. But don’t take false comfort from this fact. This same humanity also means that they are subject to making bad decisions about using their talents in pursuit of ethically questionable goals. They are just as easily swayed by fake news, greed, patriotism, fear or any of the numerous influences around us. In a world where Bill Gates is using his power and money to fight disease and poverty, surely his sociopathic doppelganger already walks among us, rising in the ranks of the cyber threat community and working for someone or thing that has much less noble pursuits in mind.
Image courtesy of Miles Stuart at FreeDigitalPhotos.net
There is no doubt that due to advances in technology and manufacturing we are able to enjoy devices that just a few years ago would have cost a small fortune. Remember when a 40″ big-screen TV cost well over $10k? I have a 42″ flat screen that cost me literally a fraction of that eight years ago, and today I can buy a brand new 42″ TV for a quarter of what I paid for it in 2011. But there is something else offsetting costs on many of today’s shiniest devices, and guess who’s paying the difference? You are!
You should not be surprised.
If you’ve done any TV shopping lately, you’ve most certainly come across numerous “smart TV’s” from all the big manufacturers, including Vizio, a very popular and reasonably priced brand that is also somewhat notorious for tracking viewing habits without consent. Since its very public settlement with the FTC, Vizio has been much more up front with its tracking, and supposedly prides itself on being the most transparent manufacturer about this practice. The company’s CTO openly admitted that tracking viewing habits (among many other things) and reselling that data to advertisers is part of its long-term profitability strategy, primarily because people do not buy new TV’s every year, or even every other year, like they do smartphones.
In previous blogs, we’ve talked about computers made affordable through a similar practice of offsetting manufacturing costs by installing bloatware on your new computer in the hopes you’ll buy something after you just spent several hundred dollars. The fact that this practice is still common even today means that it does work. Thanks to devices that are always online, making money for a manufacturer doesn’t have to end at the device sale. As a matter of fact, it’s just the starting point.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
You may already be aware that the cell carriers provide pin-point location data to various data brokers and advertisers, as well as law enforcement with a warrant. If you aren’t, you might want to stop and read this blog post and the article I refer to therein. What you might not have suspected was that this very confidential data is available to people who aren’t just interested in selling you stuff, but may be interested in your physical location for more nefarious reasons. Joseph Cox of Motherboard/Vice Magazine gave $300 to a bounty hunter to locate a target phone, which was done in a matter of minutes. Though explicit consent was given by the target for the purposes of this investigation, that permission wasn’t required for the deed to be performed. In other words, if someone wanted to find you (by means of tracking your smartphone), all they need is a few hundred dollars and the right contact.
What this means for you
How does this happen? Basically, the cell phone carriers are selling to companies called “data aggregators”, who then sell to vertical specialists that service specific industries, like bail bondsmen. The cell carrier usually has some form of data privacy and consent policy in place governing its first tier vendor relationship, but obviously have less control the further the data gets away from them. Not that I’m implying the bail industry is more shady than any other, but this was the avenue used by the Motherboard reporter. Unfortunately for us, we live in an country that doesn’t regulate data sales, despite it being one of the most profitable industries in modern history. There are many reasons for this, chief among them the fact that data doesn’t have a tangible form and is trivial to transport thanks to the Internet which also makes it hard to trace, on top of a government that still largely doesn’t understand how technology works, and large corporations who answer to investors and not regulators.
In case it wasn’t already clear, there’s not a lot you can do about your cell carriers data sales policy except to not use their services, which, unless you are a professional Luddite, isn’t very practical in this day and age. Aside from making sure you are voting for congress critters that are technologically savvy and pursuing your privacy interests, knowing that your location isn’t private (and probably won’t be in the foreseeable future) while carrying a smartphone is about as good as it gets. And remember, just because you turn off location tracking does NOT mean that the cell phone carriers don’t know your location. If your phone is on, they know where you are, regardless of your settings, and what they do with that information is, ironically, increasingly hard to track.
Image courtesy of Stuart Miles from FreeDigitalPhotos.net
Thanks to internet shopping, there’s still some time to get someone a last minute tech gift. Here are some items that I use every day that would make a great stocking stuffer or gift exchange present:
- Travel USB Wall Charger with Foldable Plug: Every family trip, this charger is the first thing to go into the luggage. The folding plug makes it easy to pack, and it has 4 ports so everyone just has to remember their charging cable and not bother with separate, single-port chargers. Knowing that my family is very likely to forget charging cables too, I also grab…
- Magnetic USB Charging Cables: These cables make my mobile life so much easier. Basically, a small magnetic insert goes in your device’s USB or Thunderbolt port, and it will connect to a magnetic USB charging cable (no data, just AC) that just magically connects when they are next to each other, no fumbling around trying to get the charging cable into the device. The convenience really shines in the car and on your nightstand.
- Battery Pack with Flashlight: The only time my phone gets charged is when I’m in one place longer than 15 minutes at a time AND if I happen to remember to plug it in. When I’m on the go and expect to be nowhere near an AC outlet for any stretch of time, I bring a battery pack like this one, either in my backpack or in a jacket pocket just in case. This particular model has an extending light which can turn this battery into a mini lamp or book light, perfect for dark restaurants or camping trips.
- Flexible Arm Mobile Phone Holder: at first this seemed kinda silly, but I came to really like the bendable arm that clamps to my desk and holds my phone up at eye-level. Added bonus is that my magnetic charging cable sticks to it, making it easy to snap on to my phone when I eventually come to roost at my desk. They also make models for tablets and ones that will clamp to you dash or seat in your car. Quite literally very handy!
- Neoprene Laptop Sleeve: My laptop is probably the most expensive thing I carry with me on a daily basis, and it is shoved in and out of my backpack like a Japanese subway commuter. I keep it protected by storing it in a sleeve that maybe cost me $10, and it is probably the best $10 you can spend to protect something that might literally costs a hundred times that. Totally worth it!
Surprisingly, most people don’t realize that the popular idiom, “The Devil is in the detail” is actually derived from the more encouraging phrase, “God is in the detail,” i.e. pay attention to the small things as they are important. Both adages are more relevant now than ever, particularly because the average human is now daily agreeing to privacy policies with which, if they were to actually read the fine print, would probably not agree to at all. Such is the case with the numerous policies you are “accepting” when you install apps on your smartphone. What policy acceptance? The one hidden behind a small pop-up that says your data will be shared with other parties to improve your experience, or some other vaguely worded reminder that you are sharing data with a company in exchange for the free (or sometimes paid) use of an app.
What this means for you
“Yeah, yeah, I know, they are watching my every move,” my clients have said to me, “I’ve got nothing to hide.” Or, “It’s a small price to pay for this wonderful app/service/game.” Except most aren’t aware of how much data is being tracked, or what it can used for, aside from advertising. If you’d like a small taste of how this data is being assembled and the level of detail it can offer into everyone’s daily routines, read this article from the NY Times, “Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret” – it’s a very easy read and has some nice interactive visual aids to bring the point home. Despite its approachable tone, the content of the article should be unsettling for everyone. For example, when asked to explain why their prompt to grant access to very precise coordinate data and permission to share with 16 companies was instead presented as a way to “recommend local teams and players that are relevant to you,” a spokesperson for the app responded (emphasis ours):
…the language in the prompt was intended only as a “quick introduction to certain key product features” and that the full uses of the data were described in the app’s privacy policy.
Let’s be honest here: I’m in this business up to my neck, and even I don’t read those privacy policies, but only because I know exactly what I’m trading for the use of a “free” app. You have a much more relatable excuse: “Ain’t nobody got time for ‘dat.” You are not wrong, but in the pursuit of better deals, faster commutes, cheaper gas or just weather updates, we have traded a precious commodity: privacy. And lest you forget, privacy is not about hiding secrets, but about not wanting to share everything about your life with complete strangers who only view you as a profit center. This is yet another glimpse of the elephant on the internet around which everyone is still carefully tip-toeing. Make sure you are paying attention!
Image courtesy of TAW4 at FreeDigitalPhotos.net
Hold onto your hats, ladies and gents, because this latest breach is a doozy! Up to 500 million individuals who have transacted with Starwood Hotels & Resorts (now owned by Marriott) have had their information exposed in a massive breach. According to the statement released by Marriott, the Starwood guest reservation database was compromised as early as 2014 and information up to September of this year is considered exposed. Compounding the severity of this issue, already ranked as one of the largest so far, is the amount and type of data exposed “… includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
What this means for you
If you happened to be one of the 500M who has stayed at a Starwood, even if it was before 2014, it’s still likely that some of your personal information was exposed in this breach. Though Marriott has said they started contacting individuals affected, for some of us who stayed at a Starwood hotel before email address collection became common place (myself included), and have since changed mailing addresses, Marriott may have some difficulty contacting you to let you know you were impacted. To be on the safe side, you should definitely consider a credit freeze (if you haven’t already put one in place from the previous Equifax breach) and you should take advantage of Marriott’s offer of a free year of WebWatcher monitoring service. As the name suggests, this service will monitor the web for your personal information (which you can enter yourself) and alert you if any of those data points appears somewhere on the web. Granted, that might actually be you entering that info, but if not, you have a head start on countering a possible identity theft in progress. And while you are at it, why not sign up for an alert from HaveIBeenPwned.com which keeps track of all the major breaches and will also alert you if your email address is on the growing list of breaches occurring almost weekly now.