Crackers are getting help from sloppy updates to web sites… change your passwords

I was going to push an article about something completely different that has been on the back burner for a good amount of time, but this is more important. Sorry for the lack of detail and my terse tone, but I expect better of large sites than amateur moves. I’m not saying I have never messed up: I have, but I learned from it* (“never push prototypes”), and never at this scale. The basics I sent to the site admins are enough for them to act on. I sent this out tonight. (Note: this is also why I don’t use an email address as half of an account’s login credentials.)

Hi,
Upon trying to log in today to create a *******, I got a warning that the login page (now a pop-over) is not running through port 443 (SSL encrypted). I have decided to abort the login process because my email and password would be transmitted over the internet in the clear. My previous visits did have an encrypted login. So, thanks to someone who updated the site without running a regression test or searching for glaring security holes, you probably have some users whose passwords have already been mined and exposed (LPH * HSU to calc how many people have been exposed), allowing crackers to get more pieces of info on account holders in order to steal their identities.

Combined with enough info (such as the recent Chase crack, Yahoo crack, or Sony crack), the crackers can try collected emails and the passwords attached to them against known accounts with the same email to see which users use the same password on multiple sites. Then it is a simple matter to just run a script to try to log in to all the popular sites (FB, G+, Amazon, bank sites, etc.) to get into people’s accounts. Good job ;\
Very sloppy update.
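The regression test the e-mail says was skipped is easy to automate. The Python below is an added example, not the author’s code or anything from the site in question: it parses a page, finds every form that contains a password field, resolves that form’s action against the page URL, and reports any credential form that would submit over plain HTTP, including the mixed-content case of a pop-over login on an HTTPS page whose action is an http:// URL. The sample pages and the www.example.com host are constructed for the example.

```python
"""Regression check: does every form that collects a password submit over HTTPS?

Added example; the pages below are constructed and www.example.com is a placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> as (resolved action URL, has_password_field)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None  # [action_url, has_password] for the open <form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action submits back to the page's own URL.
            self._current = [urljoin(self.page_url, attrs.get("action") or ""), False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def check_login_forms(page_url, html):
    """Return findings for page_url/html; an empty list means credentials stay encrypted."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    if page_scheme != "https":
        findings.append(f"page itself served over {page_scheme}: {page_url}")
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    for action, has_password in scanner.forms:
        # Only forms that carry a password matter; a search box posting over http is noise here.
        if has_password and urlsplit(action).scheme != "https":
            findings.append(f"password form posts in the clear to {action}")
    return findings


# Constructed sample pages (not from any real site).
GOOD_PAGE = """
<form action="http://search.example.com/"><input name="q"></form>
<form action="/login" method="post">
  <input type="email" name="email"><input type="password" name="pw">
</form>
"""

# The pop-over login was "updated" to post to an absolute http:// URL (mixed content).
MIXED_PAGE = """
<div class="popover">
<form action="http://www.example.com/auth/login" method="post">
  <input type="email" name="email"><input type="password" name="pw">
</form>
</div>
"""

# Whole page served without TLS; the relative (missing) action inherits http.
PLAIN_PAGE = """
<form method="post"><input type="text" name="u"><input type="password" name="p"></form>
"""

if __name__ == "__main__":
    for url, html in [("https://www.example.com/", GOOD_PAGE),
                      ("https://www.example.com/", MIXED_PAGE),
                      ("http://www.example.com/login", PLAIN_PAGE)]:
        print(url, check_login_forms(url, html) or "OK")
```

Fetch the live login page with any HTTP client before and after each deployment, pass the HTML in, and fail the release when the list is non-empty. The check looks at the form’s action and not only the page address, because a pop-over login on an encrypted page can still post the credentials to an unencrypted endpoint.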

About all I can say is that no matter how good your password is, reusing it on multiple sites means that if any one of those sites is sloppy with it, as above, every account that uses the same password is exposed to takeover, along with any account linked to an email that uses this recycled password. And since it is difficult to come up with unique passwords without writing them down, using a password manager such as 1Password is recommended (just use a good, unique password for the password manager itself).
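The credential-stuffing pattern described in the e-mail (a leaked email/password list tried against another site) leaves a recognizable trace in that site’s authentication log: one source address cycling through many different accounts with mostly failed logins, where each success marks an account whose owner reused a password. The Python below is an added example, not code from the original post; it runs over a constructed log sample in an assumed `ip=... user=... result=OK|FAIL` format, and the thresholds (five or more distinct accounts, at most half of the attempts succeeding) are assumptions to tune for a real system.

```python
"""Spot credential stuffing in an auth log: one source trying many accounts.

Added example. The log format and thresholds are assumptions, and the
sample lines are constructed (addresses from documentation ranges).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2014-10-14T22:00:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2014-10-14T22:00:01Z ip=198.51.100.7 user=bob@example.com result=FAIL
2014-10-14T22:00:02Z ip=198.51.100.7 user=carol@example.com result=OK
2014-10-14T22:00:02Z ip=198.51.100.7 user=dave@example.com result=FAIL
2014-10-14T22:00:03Z ip=198.51.100.7 user=erin@example.com result=FAIL
2014-10-14T22:00:03Z ip=198.51.100.7 user=frank@example.com result=FAIL
2014-10-14T22:00:04Z ip=198.51.100.7 user=grace@example.com result=OK
2014-10-14T22:00:04Z ip=198.51.100.7 user=heidi@example.com result=FAIL
2014-10-14T22:05:00Z ip=203.0.113.9 user=alice@example.com result=FAIL
2014-10-14T22:05:10Z ip=203.0.113.9 user=alice@example.com result=FAIL
2014-10-14T22:05:20Z ip=203.0.113.9 user=alice@example.com result=OK
2014-10-14T22:06:00Z ip=192.0.2.44 user=ivan@example.com result=OK
"""

# Assumed line format: <ISO timestamp> ip=<source> user=<login> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Yield (ip, user, ok) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def find_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Return {ip: sorted accounts that logged in OK} for each source that looks
    like credential stuffing: many distinct accounts, mostly failing.

    A success inside such a burst is not a guess: it is a password the attacker
    already held from another site's breach, i.e. a reused password."""
    attempts = defaultdict(list)  # ip -> [(user, ok), ...]
    for ip, user, ok in events:
        attempts[ip].append((user, ok))

    suspects = {}
    for ip, tries in attempts.items():
        distinct_users = {user for user, _ in tries}
        successes = sum(1 for _, ok in tries if ok)
        if len(distinct_users) >= min_accounts and successes / len(tries) <= max_success_rate:
            suspects[ip] = sorted(user for user, ok in tries if ok)
    return suspects


def accounts_to_reset(suspects):
    """Flatten the per-source results into one list of accounts to force a reset on."""
    return sorted({user for users in suspects.values() for user in users})


if __name__ == "__main__":
    found = find_stuffing(parse_log(SAMPLE_LOG))
    for ip, users in found.items():
        print(f"{ip}: stuffing burst, successful logins on {users}")
    print("force password reset for:", accounts_to_reset(found))
```

The accounts returned are the ones whose owners reused a password and need a forced reset. A source that hammers a single account (203.0.113.9 in the sample) is a different pattern, plain brute force or a user mistyping, and is deliberately not reported by this check.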

Obscurity and encryption are not the only tools, just two of the many layers of defense in depth that I myself learn a bit more about every day. If you want to learn more about securing your site, check out SecurityPatterns.org.

(*The mistake I mentioned above didn’t cause a data breach, but still: now even my prototypes sanitize their input, because I formalized a utility class with a static input-filter method.)

UPDATE: this article published today, http://appleinsider.com/articles/14/10/14/hundreds-of-dropbox-credentials-leaked-online-company-denies-breach, and my prior article on Dropbox Email Scams could be related to each other as well as to the above. Again, this could very well be an example of what happens when you use the same password on multiple accounts. So, be safe and don’t do it. Other than making myself type that a thousand times on a blackboard page of my site (which would be cool if the Simpsons opening used this, BTW), I can’t emphasize strongly enough how dangerous using the same password (or dictionary words with a few numbers tacked on, like “protected123”) is.

Oh yeah: I forgot my usual sign off in my haste to post last night: Thanks for reading.

UI Missteps: Form over Function

Don’t get me wrong. The people at MacUpdate usually do a great job of managing and taking user feedback. But even with their careful curation of Mac & iOS apps that receive updates (sometimes numbering close to 100 OS X apps alone in one day), things slip through the cracks. I wasted about 5 minutes trying to figure out why an updated app was not available via one-click update using the built-in software updater or MacUpdate’s Desktop app. After going to MacUpdate, it was only by reading a comment and then hovering over the download link that the answer was clear: the app was a beta, and the built-in update tools, both within the native app and in the MacUpdate Desktop app, wouldn’t work. Even though I have “show beta/pre-release” unchecked, it still showed up in the MacUpdate Desktop list.

I realized the problem when looking at the comment and the confusion about the version numbers used, and how Adobe doesn’t distinguish betas with “b” or “(beta).” Then I took a few minutes to write this. The focus is not what MacUpdate did — it is an edge case which reflects more poorly on Adobe. Instead it is an example of what UI designers everywhere are doing to the detriment of both advanced and novice users.

Making Simplicity Difficult (Form Over Function)

If you accept that the purpose of computers is to make tasks easier to accomplish than doing them without computers, then what follows is logical. When the interface gets so polished that the labels are rubbed off, advanced features are hidden or removed, and labels are replaced by unlabeled, undocumented icons, it leads to problems using an application no matter what type of device the application runs on. Here is my brief comment on that.

I don’t mind a clean, nice-looking interface (I strive to balance aesthetics with easy-to-access, powerful features), but don’t let streamlined designs actually slow productivity, whether that productivity is getting work done or doing administrative tasks such as updating your software.

This confusion is a clear case of form over function, which is the wrong direction (unless you’re selling soda or commodities…) for computing interfaces to head, because it handicaps learning by obscuring helpful orienting and navigating details, and it slows advanced users.

If the trend in UIs were to spill over into the real world, we would see street signs replaced with pictures of maps, and street addresses removed from the front of buildings and placed only inside each one. Menu boards would have descriptions and prices hidden until a person opened a flap to read them.

In houses, rather than working aesthetics around function, some streamlined houses would have only one control panel that controlled all the lighting, heating, etc., but that panel would be fixed next to the circuit breaker box. If a house had individual light switches, they’d be placed at the whim of a designer who never lived in, or had even been in, a house. Some would be oriented at any angle the designer liked and on any surface: some nowhere near the door, some on one or both sides of it. Some switches would glow only when they were off, and not when they are on, and vice versa, which is actually happening with electronic switches. All building layouts would depend on the whim of a designer who had no concept of architectural design patterns and no care about the building’s function.

The current trend toward “flatness,” a backlash against the last generation’s “skeuomorphic” design, dances around the real point of GUIs: to make things easier by giving users feedback that lets them assess the current application state and orient themselves within the system. The trend is stripping away both of these, making things harder to use, not easier. Sadly, people think simplifying the interface will help users whose learning is being held back by confusing, inconsistent, low-feedback designs. This over-simplification is in fact hurting more than helping, because simple is not necessarily a synonym for easy. (Easy things are simple, but simple things are not always easy, oddly enough.) Product managers and designers think people want simple, when they really want easy. Making things easy should be the focus. The easier a complex task becomes, the more useful your software is.

Making Complexity Easy (Form Follows Function)

Designers should look for the frustrating points and the complex points and make complex tasks as easy as possible, which means removing steps where that can be done without demanding more new knowledge from the user than the removed steps themselves required.

This is my Menubar. This is easy:

[Screenshot: my menubar]

It is very dense with information. By looking at it you can see at a glance that Bluetooth is on, that I’m connected to the network with light traffic, my processor load, my sound volume, the day & date, my current battery level (full) & that I am plugged in, the time, the moon phase, the CPU temperature & CPU voltage draw. I could have the default OS X menubar, but then I wouldn’t be able to see all this without opening applications, which would slow me down. I often refer to network speeds and CPU load when something seems bogged down. I often check the date and time, and that calendar icon pulls down so I can see my schedule in Fantastical without opening the Calendar app. The sound menu I pull down is Audio Switcher.

[Screenshot: the Audio Switcher sound menu]

All of these save me time with each use. The march of menu items and GUI enhancements I use all take a complex array of data, navigation, and the bother of doing complex things and put some of them a click or less away. While this might be ugly to some, it is not distracting and works well. This is my current balance point, but with each stripping down towards “simplicity,” this ease becomes more difficult to keep. Thankfully the developers of iStat Menus, Fantastical, Bartender, Audio Switcher, Moom, TotalFinder, Default Folder X, Alfred and PopCar (among others) see the problem that streamlined interfaces bring. Rather than strip away information, they strive to arrange it in a way that is not overwhelming and give users configurable interfaces that really harness the power of a GUI. These companies (while not all perfect; some have fallen into this hole at least slightly) have UI designers, not artists calling themselves UX designers who make flat, colorful mystery icons and unpredictable UIs that confuse people.

(I think of myself more as a user/communication-efficiency type of person, so while the “UX Designer” title sounds fancy, I’d rather be a “User Interface Communication Efficiency Designer,” to put the emphasis not on the “experience” of using a product but on the efficient use of the communications media available. Plus, UICED sounds like a term that could be played with. But titles are kind of limiting in a way… so I’ll just be myself. When people ask me my title, I just sum it up as “IT Consultant,” since whenever I actually start to talk tech I notice most people’s eyes glaze over.)

I try to focus on what matters to get work done, so I can get work done with less effort and faster. Anything that hinders more than it helps my efforts falls out of use. BTW, if you are not familiar with these products, many are mentioned and linked on my Recommended Apps page. You can also check out MacUpdate.com and see the trove of software, most of it at least decent, that they list. They are good guys, so if you see errors, write them and be nice, please. They will get back to you if needed with a personally written reply, which is always worth a star in my book. “When I was a kid several days of Mac SW updates could fit on one page… now several pages might span one day.”

Thanks for reading.

Bistro turns the tables on Yelp, offers discounts to customers for 1-star reviews

M Noivad:

I have heard several small business owners complain about Yelp’s “sleazy” and “crooked” (their words) tactics. I think that, while ruled legal, Yelp advertising itself as a fair and honest ratings service is deceptive. It is clearly a conflict of interest that they control the order of listings, and take money for advertising and for placing advertisers higher in the results. When they tell businesses they can increase their star rating by buying ad space, or decrease it by not doing so, that is hardly fair, nor honest. People have been led to believe Yelp star ratings are accurate—they keep advertising them as such. But when Yelp is free to manipulate the listings, it is clear that “hard bargaining” is corporate speak for “manipulative coercion.” Despite its legal standing, Yelp’s practices are far from ethical—especially since it advertises the ratings it publishes for businesses as genuine.

Originally posted on Naked Security:

It’s official! Botto Bistro is the worst restaurant on Yelp!

[Screenshot: Botto Bistro’s Yelp page]

At least, that’s what it’s claiming: that it’s now “officially the worst restaurant on Yelp!”, and it even has a Yelp-ish badge – “People hate us on Yelp” – to prove it.

Yelp is not pleased and sent a letter last week saying it heard these one-star reviews were given in exchange for incentives – a 25% discount, to be precise – in direct violation of its Terms of Service.

The Botto User Support Team’s response, which is pretty much a point-for-point mimicry of the legalese in Yelp’s letter: Oh, yeah? Well, we’ve received complaints from the community that Yelp may be removing reviews in exchange for “vague explanations to loyal customers.”

That violates Botto Bistro’s Terms of Service. So too does removing reviews in an effort to strong-arm businesses into buying ads, according to the Botto Bistro User Support…


Is it *really* such a bad idea to use a password twice?

M Noivad:

Yup. Password reuse is essentially saying either “I’m too lazy to protect this data,” and/or “the information on this account is not important enough to take the time to use a good single-use password.” Laziness and convenience are what people who will exploit you and your data rely on to make their job easier and worthwhile.

Also, do not be so naïve as to think that your data will not be used against you in some way, either directly or indirectly, to access other parts of your life (be it digital or physical) if someone gets their hands on it. Anything that can be exploited, will be.

Originally posted on Naked Security:

We regularly warn you against using the same password for multiple accounts.

But if you choose one really long and complex password, and carefully commit it to memory, isn’t that enough?

Even if a chain is only as strong as its weakest link, surely you’ll be fine as long as that weakest link is strong enough?

How strong is strong enough?

The problem is that “strong enough” isn’t, sadly, determined only by the password that you choose.

At some point, at the very least when you create an online account, you need to share your password with the service you’re connecting to.

Even if the password goes straight from your keyboard into memory on your computer, and is then encrypted and only ever unscrambled in memory at the other end, there’s still a chance for cybercrooks to get hold of it.

If you have re-used that password, no matter how…


Another Apple Router Bites the Dust…kinda

Last year my AirPort Express (v1) was made obsolete by Apple dropping support for configuring it from OS X 10.9. This year an AirPort Extreme (802.11n dual-band) that had been in service for about 4–5 years finally started failing, thanks to either age or heat problems. Heat matters to many tech people because the equipment in use easily raises the temperature of our rooms, or of the closets we have to stick it in, by 5°–10°. Not everyone thinks a mess of wires (properly tied or not) is a thing of beauty, so often we have to put them in closets and in spaces with little ventilation. This leads to heat building up, and soon DSL modems, their UPSes and WiFi routers are dying. WiFi routers can last a long time if treated well, but if they are used constantly and under heavy loads with bad cooling, don’t expect them to last more than 5 years. As for the AirPort Extreme, I am taking it to a less demanding, less harsh environment. Hopefully, the lighter load will mean at least a few more years of service out of it.

As an aside: I once made the case for proper cooling in a new building when asked by the CFO if we needed air conditioning. I said we don’t need it, but some of our equipment would burn out or malfunction 1–2 years sooner, costing at least a few K per year in increased maintenance and secondary costs (downtime, multiple backups, etc.), maybe more.

I mentioned it to a friend, and he said he was concerned about the iPhone 6 series’ ambient temperature ceiling (95° F). Another friend pointed out that that’s because Li-Ion batteries have this restriction, which neither of us was aware of. Checking the 5s specs, the temperature limit is also 95°F, which is interesting because our 5s phones didn’t seem to have any problems in Nevada last month. So maybe the phones’ Li-Ion batteries will die faster. No problem: I have replaced a few iPhone batteries and parts.

Interestingly enough, I looked, and fewer and fewer manufacturers are putting this info in their spec sheets, leading me to believe some support costs could be avoided by placing this info in the specs and making sure customers are aware of it. I know plenty of people who leave electronics with Li-Ion batteries in their cars (hidden, of course). Luckily, non-operating ambient temperature ceilings are above 110°F.

Anyway, heat plays an important role in the lifespan of many electronics, and it occurred to me that few people even mention it. So I am mentioning it: if you are on a 3-year replacement cycle, paying attention to this isn’t too important. But if you are in the miserly camp of stretching your dollar by upgrading devices fewer than 3 times a decade, you might want to keep heat and operating temperature limits in mind.

Almost Everything I learned about Teamwork and Leadership, I Learned in Clan Lord

I’ve been threatening to write this post for about a year. I had this sitting on the back-burner for a month and asked for comments from another player also in the IT Admin field. So, without further ado…

Despite the Graphics, CL has real team-building potential


For the unwashed, Clan Lord is an archaic, sorely out-of-date multiplayer online role-playing game (MORPG) that has been running since the late 90s. The single world (server) and small population make it feel like a small town, so all of the current players have the same goal (job). Thus, like any small group with common goals, it is a bit like a company: you have the people who are on the ball because they work well in teams and independently, those who only work in teams because they need direction, those who lead groups of people in a direction, those who specialize in a subset of knowledge about the terrain (market or technology), all of whom trade their time and risk profit (experience) to advance, and finally those who just show up to have fun. These fly-by “fun” people are the equivalent of the people who just show up for a paycheck. In the game, one seemingly minor mistake can lead to the death of the entire group. This necessitates departing (a loss of experience and time), which is a bit like working on a project and having it fail miserably because Joe Paycheck didn’t know or care that you shouldn’t have done X.

Considering the parallels I noticed between the in-game group and the group of people you work with day-to-day, I have found several commonalities that I have taken from work to game and from game to work, and that have helped me navigate real-life teamwork, leadership and relationships.
