Security


12
Apr 12

Java Update to Kill Malware [Link]

Go check your Mac updates. If you have ever used GoToMeeting or similar, then you have Java installed. Let’s be safe out there, kids.

By way of TUAW


31
Mar 12

Backup Box

I received an email from Eric Warnke at Backup Box a little while ago mentioning their new service. Backup Box is a general backup service for online resources. It can back up a Web site, an FTP server, GitHub, etc. to Dropbox, FTP, GitHub, etc. It’s not a real-time sync, but rather a scheduled backup. It’s kind of like Ifttt but designed specifically for backups between online services. It looks very cool and I’m just now starting to play with it.


Backup Box

The same list is available as a destination. The pricing model is interesting too. Manual or monthly backups are free. The prices increase with the frequency of transfers, with daily backups costing $10/month. It’s worth a look, even if I already have my own home-grown solution.


2
Mar 12

Private Google Search from DuckDuckGo (Correction)

CORRECTION: After testing on multiple machines, I’m not so sure this is true. If you can confirm or deny, please leave a comment.


Want to use Google search, but don’t want to leave a “cookie” trail for them to aggregate? DuckDuckGo can help.

Prefix a search with !g to forward the search to Google. DDG anonymizes the search for you. Even if you’re not paranoid, this is a good way to get less-biased results from Google. Since it is anonymous, Google does not weight results by your previous searches.


18
Feb 12

DNSChanger Infects Fortune 500 and Federal Agencies [Link]

Half of all Fortune 500 companies and federal agencies are infected with DNSChanger malware according to a Verge article.

I sure feel more secure that so much money is spent on busting straight-A students for a gram of pot rather than on protecting federal infrastructure.


13
Feb 12

Contacts in 1Password

After my wife lost her first-gen iPhone, I moved all of the sensitive data out of our Address Book entries[1] and into 1Password. 1Password has built-in support for identities, which can be used as an address book. I prefer to keep mine as secure notes. Address Book.app is not a secure application. 1Password is rock solid, syncs between devices and is as secure as any software you can buy.


  1. I moved social security numbers, maiden names, even many birthdays out of the address book application.


12
Feb 12

The Window Into Gmail [Link]

An interesting article from Waxy.org about linking accounts to Gmail. I’m pretty sure this is the way Google wants us to use their services. It benefits their business if they become the hub for all data. I’m not sure it’s as dire as this article puts it, but I’m happy to be out of Google services.


11
Feb 12

Clean-up Permissions [Link]

Thanks to @viticci on Twitter for re-tweeting the mypermissions.org site. The service is really just a bunch of links to the permissions pages of the common web services. It’s still a good reminder to go back and revoke permissions if they are not needed.

Here’s what my Dropbox permissions looked like, and I curate the list regularly:[1]


  1. Yeah, I test A LOT of iOS writing apps. 


8
Feb 12

Industry Standard

Another app that uploads address books to servers unencrypted. I just don’t get people thinking this is the price of using social apps.

That’s like thinking that FedEx might open my mail and make a photocopy and store it in an unlocked file cabinet in their waiting room because I chose to use their service. “That’s just the price of being social. It makes it easier for us to send you packages later.” Please stop suggesting this is the inevitable result of having data. It’s the inevitable conclusion of VC funding, that’s all.

By way of Big Week


29
Jan 12

Archiving GMail

As I’ve said before, my goal is to get as far off of Google services as possible or reasonable. This past weekend, I migrated my primary mail off of Google. Here’s how I did it.

Mail Forwarding

Many people and services still use my GMail addresses. I have many. So I set each account to forward my mail to my new mail server. Google makes this easy. Just set up forwarding in the account settings. My theory is that eventually any person or service I care about will catch up with the new address and in a year, I can abandon the GMail accounts altogether.

Mail Archiving

This was less straightforward. I want access to the old mail but I don’t want to maintain the archive in Mail.app. I want to be able to search the archive when necessary, but I don’t want the messages showing up in my normal search results.

My solution was twofold. Have Mail.app download the complete mailbox, attachments included, and then archive the messages and attachments with MailSteward.[1]

MailSteward will copy the messages and attachments into an archive file. More importantly, it will also index the messages for searching. That means when I want to find something in that old Google account, I can load up the MailSteward database and perform a separate search. The majority of my searches will normally be through Mail.app, but this Google archive is a nice backup.

Once MailSteward is done indexing, I delete the Google mailbox from Mail.app and move the MailSteward archive off to my networked Drobo.

Searching a large MailSteward archive over a network drive is slow. That doesn’t bother me. I do not expect to need this option very often.

Address Book

Not a concern. I’ve never added contacts to GMail for fear of providing a spam index for Google. I don’t know if they currently do such things, but I have no idea where their business model is headed.


  1. Trust me, if you’re buying MailSteward then you want the $50 pro version. NOT the app store version. There are significant and important differences.


28
Jan 12

Dropbox and Security, Again

Yes, the Dropbox security story is still lingering. Patrick Rhone posted an updated article about the FTC complaint recently filed against them for deceptive language in their privacy terms. Read it for yourself, but Patrick argues that all data is at risk so be cautious and accept it.

I don’t like the tone of the piece,[1] but his advice is sound. Whenever I store sensitive data on Dropbox, I encrypt it myself before it is uploaded. I create encrypted sparse images that hold the files. They can be easily opened on a Mac and used as any other volume. I tend to use Knox because it makes the whole process easy. Knox keeps a list of sparse images in a menu bar drop-down and provides direct access to the disk compression utility. However, the images can be created, used and resized using the built-in Apple Disk Utility application.

These files are not accessible through iOS though, which makes Dropbox less useful to me. Unfortunately SpiderOak, which does provide real encryption, is not ready for primetime. It’s awkward and not well supported by third-party developers. I’m watching it though, because I like their model better.


UPDATE: I guess Patrick decided to delete his post. Maybe because the referenced page is the original 2011 article from Wired. I’m not sure, but this post still tells the story I wanted it to. Encrypt your own data and do not rely on anyone else to do it for you, if you care about that sort of thing.


  1. I think the attitude that there is no expectation of privacy once someone agrees to use a service is a little patronizing. What Dropbox did was wrong and misleading. They admitted to it and now I don’t trust them. I still pay them money every month, but I also go out of my way to secure a lot more stuff on Dropbox and I use Dropbox less than I did before.

26
Dec 11

Hackers Like QR Codes [Link]

CBS Boston

Totally saw this coming. QR codes are awful.


21
Dec 11

Holiday Security Chores

I’ll be taking advantage of some vacation time over the holidays to do a clean sweep of my secure credentials. I’m a 1Password user, so it’s pretty easy. However, it’s still time consuming. The first step for me is to make a list of the accounts to update. I keep a text list of the services I frequent, but there are still a lot that gather dust. For example, I have an Amazon S3 account that I almost never need to log in to. There are also services that may contain sensitive information, like Simplenote, Dropbox and Pinboard, that need some attention too.

I try to rotate the passwords on my primary accounts, like bank and email logins, every 60 days, but I also want to clear out all of those old passwords for services I forgot about, like user forums or web app trials. It’s tedious, but tedium is better than panic.

Of course 1Password makes it all easy:

  • Search for a password to find all sites that share that password.[1]
  • Browse my list of encrypted disk images[2] to refresh my memory of all of the squirrel holes where I store encrypted data.
  • Use smart folders to find passwords that have not been updated in the past year, or that are just plain bad passwords.

Old Passwords

Bad Passwords


  1. Yes, it’s bad to share passwords between sites. But for most of my day, I don’t have the luxury of keeping a 1Password plugin installed.

  2. You are using encrypted disk images for all of your confidential data, right? Especially on Dropbox and S3.
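The three 1Password checks above (shared passwords, stale passwords, bad passwords) are easy to reproduce over any export of a password manager. The script below is an added example, not code from the original post or from 1Password: it runs the same three checks over a small constructed CSV export (the column names `title,password,modified` and every row are made up for the example), groups equal passwords by a SHA-256 fingerprint so the report never repeats a plaintext password, and uses a tiny constructed deny-list to stand in for the "just plain bad" check.

```python
"""Credential-hygiene audit over a password-manager export.

Added example, not code from the original post or from 1Password. It
reproduces the three checks the post lists (passwords shared between
sites, entries not updated in the past year, plain bad passwords) over a
constructed CSV export so it runs offline. The column names and the
sample rows are assumptions; 1Password's own export format is not modelled.
"""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export with made-up credentials (not real data).
SAMPLE_EXPORT = """title,password,modified
bank,Tr0ub4dor&3-long-unique,2011-11-02
email,Tr0ub4dor&3-long-unique,2011-10-15
forum,password1,2010-03-01
s3,kR9!vq2#Lm8$wz4%Xb,2010-11-20
pinboard,kR9!vq2#Lm8$wz4%Xb,2011-12-01
webapp-trial,letmein,2009-07-07
"""

# Audit date pinned to the post's date so the sample gives stable results.
AUDIT_DATE = date(2011, 12, 21)

# Tiny constructed deny-list standing in for the "just plain bad" check;
# real tools compare against far larger lists of breached passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def load_entries(export_text):
    """Parse the CSV export into dicts, converting the date column."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [
        {"title": r["title"], "password": r["password"],
         "modified": date.fromisoformat(r["modified"])}
        for r in rows
    ]


def fingerprint(password):
    """Short SHA-256 prefix used to group equal passwords without
    putting the plaintext into the report."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def shared_passwords(entries):
    """Map fingerprint -> sorted titles, only for passwords used more than once."""
    groups = defaultdict(list)
    for e in entries:
        groups[fingerprint(e["password"])].append(e["title"])
    return {fp: sorted(titles) for fp, titles in groups.items() if len(titles) > 1}


def stale_entries(entries, today, max_age_days=365):
    """Titles whose password has not been changed within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(e["title"] for e in entries if e["modified"] < cutoff)


def weak_entries(entries, min_length=12):
    """Titles whose password is too short or on the deny-list."""
    return sorted(
        e["title"] for e in entries
        if len(e["password"]) < min_length
        or e["password"].lower() in COMMON_PASSWORDS
    )


def audit(export_text, today):
    """Run all three checks and return a report keyed by check name."""
    entries = load_entries(export_text)
    return {
        "shared": shared_passwords(entries),
        "stale": stale_entries(entries, today),
        "weak": weak_entries(entries),
    }


def run_sample():
    """Audit the constructed export as of the post's date."""
    return audit(SAMPLE_EXPORT, AUDIT_DATE)


if __name__ == "__main__":
    report = run_sample()
    for fp, titles in report["shared"].items():
        print(f"shared password {fp}: {', '.join(titles)}")
    print("stale (>1 year):", ", ".join(report["stale"]))
    print("weak:", ", ".join(report["weak"]))
```

On the sample data the report flags `bank`/`email` and `pinboard`/`s3` as sharing a password, `forum`, `s3` and `webapp-trial` as older than a year, and `forum` and `webapp-trial` as weak. Reporting by fingerprint rather than plaintext matters when the output is pasted into a to-do list or ticket; the audit itself should still be run locally on a decrypted export and the export deleted afterwards.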


29
Nov 11

Facebook Mistakenly Hands Merck KGA Account Over To Merck & Co. [Link]

To be clear, these are two different companies that are competitors. Yeah, more reason for me to never use Facebook.

Reuters round-up


30
Oct 11

Browser Safety

Sometimes a gated community is good

Android Browser Calls Home


9
Sep 11

MAS Revolt

Looks like there is a small uprising over at the AgileBits forum. The issue centers on their decision to go all-in on the Mac AppStore (MAS). There are two camps:[1]

  1. People angry that they have to repurchase the application and will not get upgrade pricing
  2. People that are concerned the MAS will reduce the functionality and update cycles

For the people hanging out in camp 1: If you derive $20 additional value out of MAS and the upcoming version 4 of 1Password, then pay for it. If you are using version 3.8 right now and are happy with it, then don’t buy any future versions. You should always make your purchase based on what you are delivered and not what you are promised.

For people in camp 2: Welcome to camp 2. I’m right there with you. As my last post detailed, the MAS version has already broken my Dropbox syncing.

I wanted to use the MAS version of 1Password for a couple of reasons:

  1. It’s simple and I don’t need to track serial numbers
  2. I don’t need to hunt for the installer when I get a new machine
  3. It’s great advertising for a great product
  4. I want to support the MAS model

There’s just one problem with reason #4. It doesn’t work for everything. To be on the MAS an application must obey some specific guidelines. That means totally awesome applications like LaunchBar, Keyboard Maestro (EDIT: KM actually is in the MAS. So, I guess I’m wrong with that one) and PathFinder probably will not make it to the MAS in their current form. They NEED to violate Apple’s guidelines to do their job. They need to live free and loose.

I can’t hold it against AgileBits for wanting to go MAS only though. It simplifies their business a lot. They don’t have to manage application distribution and licensing. They don’t have to manage a store. They even get a bit of “free” advertising by making it to the front page. The Agile team deserves a break for experimenting and taking a chance. I can’t name many products that have such aggressive development and improvement cycles. They also really care about what they are making.

On the other hand, I’m concerned this is a bruise that might take a long time to heal. A password manager is an intimate application. I trust it with my security. When someone threatens the future of that security I get nervous. There’s a reason I refuse to even look at Apple’s Keychain application. I’m already taking a look at alternatives to 1Password just in case they cannot fix Dropbox syncing. I would have never considered an alternative before yesterday. I probably would have continued to buy every major release of 1Password and included the master password in my Estate Plan and Will.


  1. These camps are not mutually exclusive.