Believe it or not, the world wide web turned 30 on March 11th.
Sir Tim Berners-Lee first submitted his proposal for an information management system in 1989 that was designed to manage and disseminate the growing sprawl of digital data being amassed by universities and researchers around the world. Four years later, CERN released the software behind the “World Wide Web” (the source of the “www” prefix) into the public domain and the first sparks of the modern internet caught the world on fire.
To note the 30th anniversary of his invention, Sir Berners-Lee penned an open letter to the world, but instead of heaping typical birthday platitudes on his brainchild, he has reiterated a message of caution and guidance that was formalized last year at the Web Summit technology conference through a campaign called “Contract for the Web”. Because I know your time is precious, I’ll boil down his message for you into a TLDR:
- People are using the web with deliberate malicious intent. Governments, businesses and people must hold the perpetrators accountable.
- Profit and power motives are undermining and perverting the most beneficial power of the internet – the quick and democratic spread of information.
- This same beneficial power enables and empowers hatred and divisive discourse with equal force and we are still struggling with how to temper this unintended consequence.
What this means for you
Sir Berners-Lee’s Contract for the Web has the same lofty ambitions as the Universal Declaration of Human Rights or the Paris Agreement on Climate Change in that like the aforementioned accords, the Contract for the Web is not legally binding, but meant to act as a guideline for the betterment of the world, leaving cooperation, enactment and enforcement to individual countries and organizations. But as we can see in today’s political climate, things that are “good for everyone” aren’t always aligned with profit and power which means they don’t get equal time in companies (and governments) ruled by bottom lines and shareholder opinion. Anyone who has spent any time on the internet, or read even a handful of my blogs on the repeated abuses of our privacy and security knows that we are approaching a tipping point where the negatives of the internet start to outweigh the positives (something we can already see with email), and when this happens, we all lose. For those of us who choose to behave ethically and compassionately, we lose a powerful tool to further our works.
Where does an average person start? Every vote still counts (hopefully) in this country. It’s important to make sure your elected representatives actually represent your values and deserve your vote. Be informed: seek balanced and objective information supported by reputable sources, form opinions and base decisions on facts, not just feelings, and always, always keep an open mind.
Last year was not a good year for Facebook. Starting with Cambridge Analytica, the social media giant seemed to stumble through a series of gaffes that literally erased billions from Mark Zuckerberg’s net worth. Yet, here we are again with the social media giant continuing to act with cavalier indifference towards its users’ privacy, and at this point, are you really surprised? We’re all adults here – I’m in no position to tell you what you should be keeping private or not, but I feel it’s my duty to make sure you are aware with whom you are sharing data, and that they are NOT here to serve you, but vice versa. And let’s put one big, stinging fact on the table – despite all of this, Facebook’s stock bounced back easily from last year’s drubbing, and is now poised to surge ahead thanks to better-than-expected fourth quarter earnings.
The latest proof that Facebook doesn’t care about your privacy
A few years back, Facebook instituted two-factor authentication for its login process, asking users for a phone number as the second factor. At this point, 2FA is the new security hotness, and millions are already smarting from a variety of virus infections, identity theft and account hacks to agree that 2FA was the best way to secure their accounts. While they weren’t (and still aren’t) wrong, could they have guessed that Facebook would start using that phone number as a means for other people to search for you, even if the searcher wasn’t someone you actually knew? How about doing this without even asking if it’s OK? This setting can be changed, but by default it’s set to allow “Public” access to use the 2FA phone number to help others find you. I don’t know about you, but that feels like the opposite of what everyone thought sharing this number with Facebook would do.
Strike two this month comes in the form of Facebook openly admitting that it receives data from many apps, including ones that help users track menstrual cycles, heart rates and website viewing habits, even if the user didn’t have a Facebook account. If this looks eerily similar to a recent article I wrote about a certain cell provider who was not being a good steward of your data, it is because it is yet another iteration of the same questionable practice.
Full disclosure – I’ve long been a fan of many of Google’s services. I’ve used Gmail since the first beta, rely on Google search all day long, use a Pixel as my smartphone and listen to music all day long through their music service. It pains me when my favorite tech brands make poor choices, and unfortunately, Google’s leadership seem to have forgotten their founders’ original creed, “Don’t be evil,” in favor of behaving like any profit-driven, ethically-ambiguous megacorp. The latest scandal comes from one of Google’s recent tech acquisitions in the form of a failure to disclose the presence of microphones in the Nest Secure home devices. Now, the presence of microphones in security devices shouldn’t come as a surprise, but Google’s failure to mention it in any documentation is a glaring breach of trust on their part.
What this means for you
When I first heard this news, I thought to myself, “Well duh, of course these things have microphones. They are security monitoring devices,” and thought that, once again, naive consumers were purchasing and installing the devices without RTFM (“reading the fine manual” except substitute your own f-word). But no, Google (and Nest) didn’t actually document the presence of a microphone at all until it recently revealed that the Google Assistant technology could now be used on the Nest Secure device which, oh by the way, uses voice control…which, erm, requires a microphone…that is already on the device. According to Google, the microphone was disabled by default and can only be activated when the user specifically enables it. Which doesn’t make the whole failure to disclose any better, because how do we know it wasn’t enabled, and why should we trust them to be telling the truth now?
Unfortunately for you, even if you were being a careful consumer and reading the fine manual (or label, or reviews, etc.) the only way you would have known there was a microphone in the device would have been to dismantle it yourself, but why would you do that because the product documentation clearly lists the device’s specs, doesn’t it? Does this sound familiar? Like some other technology megacorp abusing its users’ trust? Is it going to take dragging these companies in front of Congress to get them to stop being so lackadaisical with our privacy? Well, before we do that, let’s make sure we elect Congress critters that know iPhones aren’t made by Google.
There is nothing like severe weather to make you appreciate the benefits of a highly mobile workforce, whether you are the worker, safely ensconced in a warm & dry location, or the business owner, suddenly managing a half-empty office but confident the wheels of commerce are still turning. Thanks to declining technology costs and pervasive internet, using a laptop is no longer a status symbol of the executive or the sales team, nor is being away from the main office isolating and limiting. However, there are some speed-bumps on the highway to the work-from-anywhere ideal.
What you should know before going mobile
- Understand what applications and data are required to do your job. If it’s just internet access and email, you’ve got everything you need on just about any laptop, tablet or even smartphone. If you use industry specific applications that require access to data stored on your office server, can that app be run when you aren’t connected to the office network? Probably not, in which case you are going to need a VPN connection or remote access to your work PC.
- Plan your access to the internet carefully. Using your home internet connection is typically fine for most business users, but be very wary of posting up in a local coffee shop expecting to sip lattes and use their free WiFi without a means to secure your data transmissions such as using a VPN. What will you do if wherever you end up doesn’t have working WiFi? Most modern smartphones can provide a hotspot that should work for light internet work, but make sure you know how to use it before relying on it.
- Wireless internet is unreliable and possibly not secure. If you have a moderately sized home and the consumer-grade router installed by your ISP, you know of what I speak. If you have business-critical work that needs to be done, just know that WiFi can and will make you crazy with an unreliable connection, and doubly so for a smartphone hotspot, so plan accordingly. And don’t get me started on free WiFi provided by your local retail/restaurant/laundromat/etc. That WiFi should be considered as being provided for entertainment purposes only, and never used for business unless you have a proper VPN connection protecting you.
- Do you need to print? There are printers that are built for travel, but they are finicky and prone to fail at the least opportune time. Before any extended jaunt out of the office, make sure the printer is properly provisioned (ink and paper) and charged or equipped with its power cord. You might want to print something out just to be safe.
- Mind your ergonomics. Just because the local coffee shop is comfortable for lounging does not make it ideal for working. A couple hours sitting on a hard wooden stool hunched over your laptop will wreck the healthiest person’s back and neck. And typing away on a smaller keyboard will definitely strain your wrists and shoulders, while the small screen wreaks havoc with your eyes. The most productive and healthy remote workers will know what positions and heights are ideal for working with a laptop, and will equip themselves with things like laptop stands, cordless mice (and keyboards!) and choose environments that allow them to sit properly and comfortably.
- Are you going to be making a lot of phone calls? Those of us that spend most of our work day on the phone usually use a headset. Make sure the one you are planning to use can hold a good charge if it’s wireless, and has a better-than-average mic, as oftentimes you will be in noisy environments. You may be able to hear your caller just fine, but they may have trouble hearing you. Also keep in mind that if you are planning to use your phone as a hot spot, you may not be able to make phone calls at the same time.
- Is your device secure? It may seem like overkill, but consider using a cable lock on your laptop, especially if you are working in a public space and there’s any chance you may have to take your eyes off the device for more than a minute. If you store any sort of confidential company data on your laptop, including email, the hard drive should be encrypted and your laptop protected by a strong login password. Never leave your laptop or laptop bag visible in a parked car, even if it’s only for a few minutes.
As more and more of you start to explore the possibilities of becoming part of the mobile workforce, I am frequently asked about one area in particular: How do I get access to the things I normally use at work when I’m on the road or working from home? This question is often followed up by: What’s the difference between remote access software and a VPN, and which one should I be using? Even if you think the answers might be more technical than you are ready to handle, I’ll try to provide some plain-English clarity to this complex topic, as understanding which one is appropriate for your work situation will be critical in determining how successful you will be as a true “road warrior”.
Are you ready to harness the power of the internet?
Most often, when the term “remote access software” is used, it is typically referring to commercial platforms like GotoMyPC, TeamViewer, LogMeIn, or VNC. In a nutshell, these programs are installed onto a computer that you wish to remotely access from another computer. For example: let’s say you have an office desktop and a laptop which you use at home. You would install this software on both computers, and it would allow you to “remote” into one from the other. Typically this would be set up to allow your laptop to remote into your office desktop, primarily to provide you with access to the applications and data that are only available in your office, but from the “comfort” of a remote location outside of the office.
As you may have realized by now, the reason you need remote access software to work outside of the office is because the office network is separate from your home network by design, and the remote access software provides a “bridge” between the two networks, allowing your separate machines to talk to each other using the internet to do this.
“Wait a minute,” I hear you ask. “If this program can connect my office and my home network together via the internet, why do I even need these programs at all? Can’t my networks just talk straight to each other through the internet?” Well, they could, but it would be akin to you having a confidential conversation with someone by shouting at them across a crowded room full of strangers. Aside from simplifying the process of connecting two private networks together over the internet, they also provide some measure of security and privacy to your data as it crosses the internet.
“Surely the technology exists for our two networks to be connected without having to involve a third party that costs $XXX a month?” As a matter of fact it does, and it’s called a “virtual private network” or VPN, and works by creating a “virtual”, dedicated connection between two networks, usually your office and you (wherever you are). This VPN connection is often referred to as a “tunnel” which is also an apt analog to describe what it actually does.
“OK Chris, but why would I use a VPN over remote access software?” The most common reason is actually something that people often overlook: what if you don’t have an office desktop to remote into? What if your primary office machine is a laptop that goes home with you every night? The data is in the office on your server, but your laptop is on the road with you. This is where the VPN shines – regardless of where you are, if you have an internet connection and a VPN tunnel, your laptop is connected to the office network and all the services that are normally only available when you are sitting in the office. Granted, with the rise in popularity and acceptance of cloud-based services, some businesses are moving away from traditional premise-based services in favor of putting all of their data into the cloud, but for many industries, this is just not acceptable. And for those instances (of which there are legion) the VPN is the solution of choice. Keep in mind, building a VPN is not trivial – it requires the correct hardware and software and a level of technical configuration that is often best left to IT professionals, which is why commercial remote access services exist and are quite popular despite the cost.
TLDR; Use remote access software when you want to access one PC from another. Use VPN when you need to access an entire office network (and all of its private services) from a PC on a different network. Keep in mind, certain functions, applications and services will be slower when being accessed over the internet, depending on the mode of access (remote or VPN or both) and the speed of your connection on both networks.
By the time you read this, Apple will be on day two of quarantining group calls in its video chat app, FaceTime. Why? Oh, how about a nasty eavesdropping bug that would allow callers to listen in on recipients before they pick up the call? Not necessarily ground-shaking in terms of espionage or cybercrime, but potentially embarrassing or even relationship-destroying, especially for an app that is heavily used for non-business calls. To add to the embarrassment of everyone, discovery of this bug is credited to a young teenager trying to set up a group chat with his Fortnite friends. Thanks, Fortnite?
What this means for you
Probably not much, except if you use FaceTime for group chats which is now unavailable until Apple fixes the issue. At the moment, there is no firm ETA on the fix which “…will be released in a software update later this week,” per Apple’s official statement. Unfortunately, this isn’t the first security bug for FaceTime’s group chat feature which is not even a full year old. Last fall a security researcher was able to exploit a flaw in group chats to bypass the lock screen and view a user’s entire address book. Thanks to the internet and the always connected nature of iOS devices, bugs like these are typically fixed quickly, and unlike Android phones which suffer from a fractured operating system environment and inconsistent update policies controlled by competing manufacturers, Apple is able to react quickly to these situations. Score one for the fruit company!
Due in large part to the wild imaginations of modern media (both Hollywood and traditional news purveyors) and the average layperson’s less-than-thorough understanding of technology, the mythos of the “internet hacker” has grown larger than life, and is all-at-once mysterious, unstoppable, merciless, mercenary and at the same time held with the same regard as the boogeyman, i.e. too scary to be real, right? Invariably depicted as leading an “alternative” lifestyle – whether it be mysterious lone-gun, angry anarcho-punk, sallow basement dweller, or “pencil-necked geek,” these stereotypical representations of “hackers” lead the average person to take them less seriously than a lawyer in a three-piece suit or surgeon in scrubs, which can lead to a mental devaluation of the actual threat. A recent presentation at a security conference in Washington, DC offered a different picture: that of an (as of yet) unnamed state-sponsored surveillance team managing a multi-million dollar budget and engaging in the seemingly mundane conversation of weighing the pros and cons of existing software versus building their own tools to covertly spy on and gather data from people’s smartphones.
What this means for you
The “buy or build” decision might sound familiar – it’s one that every modern organization faces numerous times – but that familiarity should alarm, not comfort you. Our biggest mistake is thinking cyber threat teams are like they are depicted in entertainment media instead of how they actually are: well funded, focused, professionally run and taking themselves very seriously. Gathering data, whether it be for political or financial gain, is a booming business for governments, traditional markets and a thriving criminal underworld, and oftentimes it’s impossible to draw clear lines between the three. Instead of a nuisance, the modern “hacker” is now a rival, competitor and threat rolled into one, and instead of some pimply-faced teen in a basement that goes by the handle “hAx4LuLz”, they are well-funded, organized teams operating under names like, “Arity Business Inc.” with well-defined product lines that are professionally marketed.
Don’t miss another important take-away from this: “hackers” are human as well, subject to making mistakes, like the one that unwittingly opened the kimono for this particular group, allowing the security researchers from Lookout to get an eye-opening glimpse into their daily operations. But don’t take false comfort from this fact. This same humanity also means that they are subject to making bad decisions about using their talents in pursuit of ethically questionable goals. They are just as easily swayed by fake news, greed, patriotism, fear or any of the numerous influences around us. In a world where Bill Gates is using his power and money to fight disease and poverty, surely his sociopathic doppelganger already walks among us, rising in the ranks of the cyber threat community and working for someone or thing that has much less noble pursuits in mind.
There is no doubt that due to advances in technology and manufacturing we are able to enjoy devices that just a few years ago would have cost a small fortune. Remember when a 40″ big-screen TV cost well over $10k? I have a 42″ flat screen that cost me literally a fraction of that eight years ago, and today I can buy a brand new 42″ TV for a quarter of what I paid for it in 2011. But there is something else offsetting costs on many of today’s shiniest devices, and guess who’s paying the difference? You are!
You should not be surprised.
If you’ve done any TV shopping lately, you’ve most certainly come across numerous “smart TVs” from all the big manufacturers, including Vizio, a very popular and reasonably priced brand that is also somewhat notorious for tracking viewing habits without consent. Since its very public settlement with the FTC, Vizio has been much more up front with its tracking, and supposedly prides itself on being the most transparent manufacturer about this practice. The company’s CTO openly admitted that tracking viewing habits (among many other things) and reselling that data to advertisers is part of its long-term profitability strategy, primarily because people do not buy new TVs every year, or even every other year, like they do smartphones.
In previous blogs, we’ve talked about computers made affordable through a similar practice of offsetting manufacturing costs by installing bloatware on your new computer in the hopes you’ll buy something after you just spent several hundred dollars. The fact that this practice is still common even today means that it does work. Thanks to devices that are always online, making money for a manufacturer doesn’t have to end at the device sale. As a matter of fact, it’s just the starting point.
You may already be aware that the cell carriers provide pin-point location data to various data brokers and advertisers, as well as law enforcement with a warrant. If you aren’t, you might want to stop and read this blog post and the article I refer to therein. What you might not have suspected was that this very confidential data is available to people who aren’t just interested in selling you stuff, but may be interested in your physical location for more nefarious reasons. Joseph Cox of Motherboard/Vice Magazine gave $300 to a bounty hunter to locate a target phone, which was done in a matter of minutes. Though explicit consent was given by the target for the purposes of this investigation, that permission wasn’t required for the deed to be performed. In other words, if someone wanted to find you (by means of tracking your smartphone), all they need is a few hundred dollars and the right contact.
What this means for you
How does this happen? Basically, the cell phone carriers are selling to companies called “data aggregators”, who then sell to vertical specialists that service specific industries, like bail bondsmen. The cell carrier usually has some form of data privacy and consent policy in place governing its first tier vendor relationship, but obviously has less control the further the data gets away from them. Not that I’m implying the bail industry is more shady than any other, but this was the avenue used by the Motherboard reporter. Unfortunately for us, we live in a country that doesn’t regulate data sales, despite it being one of the most profitable industries in modern history. There are many reasons for this, chief among them the fact that data doesn’t have a tangible form and is trivial to transport thanks to the Internet which also makes it hard to trace, on top of a government that still largely doesn’t understand how technology works, and large corporations who answer to investors and not regulators.
In case it wasn’t already clear, there’s not a lot you can do about your cell carrier’s data sales policy except to not use their services, which, unless you are a professional Luddite, isn’t very practical in this day and age. Aside from making sure you are voting for congress critters that are technologically savvy and pursuing your privacy interests, knowing that your location isn’t private (and probably won’t be in the foreseeable future) while carrying a smartphone is about as good as it gets. And remember, just because you turn off location tracking does NOT mean that the cell phone carriers don’t know your location. If your phone is on, they know where you are, regardless of your settings, and what they do with that information is, ironically, increasingly hard to track.
Thanks to internet shopping, there’s still some time to get someone a last minute tech gift. Here are some items that I use every day that would make a great stocking stuffer or gift exchange present:
- Travel USB Wall Charger with Foldable Plug: Every family trip, this charger is the first thing to go into the luggage. The folding plug makes it easy to pack, and it has 4 ports so everyone just has to remember their charging cable and not bother with separate, single-port chargers. Knowing that my family is very likely to forget charging cables too, I also grab…
- Magnetic USB Charging Cables: These cables make my mobile life so much easier. Basically, a small magnetic insert goes in your device’s USB or Thunderbolt port, and it will connect to a magnetic USB charging cable (no data, just AC) that just magically connects when they are next to each other, no fumbling around trying to get the charging cable into the device. The convenience really shines in the car and on your nightstand.
- Battery Pack with Flashlight: The only time my phone gets charged is when I’m in one place longer than 15 minutes at a time AND if I happen to remember to plug it in. When I’m on the go and expect to be nowhere near an AC outlet for any stretch of time, I bring a battery pack like this one, either in my backpack or in a jacket pocket just in case. This particular model has an extending light which can turn this battery into a mini lamp or book light, perfect for dark restaurants or camping trips.
- Flexible Arm Mobile Phone Holder: At first this seemed kinda silly, but I came to really like the bendable arm that clamps to my desk and holds my phone up at eye-level. Added bonus is that my magnetic charging cable sticks to it, making it easy to snap on to my phone when I eventually come to roost at my desk. They also make models for tablets and ones that will clamp to your dash or seat in your car. Quite literally very handy!
- Neoprene Laptop Sleeve: My laptop is probably the most expensive thing I carry with me on a daily basis, and it is shoved in and out of my backpack like a Japanese subway commuter. I keep it protected by storing it in a sleeve that maybe cost me $10, and it is probably the best $10 you can spend to protect something that might literally cost a hundred times that. Totally worth it!