Category: In The News

When heartbleed leads to heartache, what’s a person to do?


By now, there’s a good chance you’ve heard about the so-called “Heartbleed” vulnerability recently discovered in the software that is responsible for creating the secure connections between us web users and the sites we interact with.

No? Well, here’s a quick recap.

Turns out that every time you’ve seen that little yellow lock icon and the "https://" in your address bar over the last two years, your private and confidential info wasn’t as secure as you’d been led to believe. Around two years ago, the group responsible for updating OpenSSL (the free software that tons of sites use to enable encryption) made a small change to the way that software handles secure connections. A small change with huge consequences. That change not only made it possible for a third party (and I mean any third party) to listen in on your secure session, it also made it possible to decode what was being said, and from that info they could glean usernames, passwords and potentially credit card and other data too. Yup, it’s as bad as it sounds.

Worse still, OpenSSL isn’t just installed on a few small websites. By all accounts, it’s been implemented on a third of all secure websites, including some monsters like Yahoo and even a few of Google’s too. Revenue Canada was one of them.

Now I know what you’re thinking: Goddamn it. Yet another threat to my personal info. What’s with these companies that they can’t take security more seriously? And you’re right, this is yet another instance of our personal info being exposed thanks to insufficient measures being taken by the companies we trust.

But before we hop on a plane, pitchforks in hand, to show our displeasure to these groups who opened us up to such a deep invasion of our privacy, let’s take a second and consider a few things.

First, even though this flaw has been a part of OpenSSL for nearly two years, it was only in the last week that security researchers were able to identify it and exploit it (that last part being frighteningly easy to accomplish). But as easy as it was to exploit, it was not easy to find. That means that if you’re concerned about your personal info having been stolen during this period, you can probably relax a little. The nature of the exploit is such that only the information that was transmitted during a small window of time prior to someone “listening in” would be available to an attacker. So unless we’re talking about a very sophisticated group of thieves with the resources to set up 24-hour “surveillance” of vulnerable sites (something that has a few folks screaming “NSA!!”), statistically it’s not all that likely that your info was taken.

But I realize that’s cold comfort. Especially now that the flaw has been exposed and no doubt every hacker worth their salt will be trying it out. But there’s some good news.

Because the flaw is a fairly “real-time” vulnerability, meaning it can only be exploited within a few moments of a secure transaction taking place, if you stay away from vulnerable sites until they’ve had a chance to seal up the hole, you aren’t increasing the risk of your info being taken (assuming it hasn’t been taken already).

So hold tight, and check your favourite sites for news that they’ve taken the necessary steps. How? Here’s a simple tool that lets you input the URL and get the results.
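One more check worth doing before you change a password, as an added example that is not part of the original post: Heartbleed was publicly disclosed on 7 April 2014, and because the bug could expose a server’s private key, a site that only patched OpenSSL without reissuing its certificate is still relying on a key that may have leaked. The Python below reads the notBefore date from a certificate in the dict form Python’s ssl module returns and combines it with a patched yes/no flag (which this code does not determine; take it from the site’s own announcement or a tester like the one mentioned above) to say whether it’s time to change the password. The sample certificates and hostnames are constructed, and the “key may have leaked” reasoning is this example’s addition, not a claim the post makes.

```python
"""Post-Heartbleed sanity check for a site's TLS certificate.

Added example (not from the original post). Heartbleed was publicly disclosed
on 7 April 2014. A site that has patched OpenSSL but still presents a
certificate issued before that date may still be using a private key that was
exposed while the bug was live, so a properly remediated site should carry a
notBefore date after disclosure. Whether the server itself is still vulnerable
is NOT probed here; that answer comes from the site's own announcement or from
a tester like the one the post points to.
"""
import socket
import ssl
from datetime import datetime, timezone

HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); only the fields used below are filled in.
# The hostnames are placeholders, not real sites.
SAMPLE_CERTS = {
    "rekeyed": {
        "subject": ((("commonName", "example-rekeyed.invalid"),),),
        "notBefore": "Apr 12 08:15:00 2014 GMT",
        "notAfter": "Apr 12 08:15:00 2016 GMT",
    },
    "old_key": {
        "subject": ((("commonName", "example-oldkey.invalid"),),),
        "notBefore": "Jan 15 00:00:00 2014 GMT",
        "notAfter": "Jan 15 00:00:00 2016 GMT",
    },
}


def cert_not_before(cert):
    """Return the certificate's notBefore field as an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess(cert, patched):
    """Classify a site from its certificate and a patched yes/no flag.

    `patched` is supplied by the caller (site announcement or a tester);
    this function only adds the certificate-date check on top of it.
    """
    if not patched:
        return "still-vulnerable"
    if cert_not_before(cert) < HEARTBLEED_DISCLOSURE:
        return "patched-old-certificate"
    return "patched-reissued-certificate"


def safe_to_change_password(status):
    """The post's rule: change a password only once the hole is sealed.

    A patched site with an old certificate is not a reason to wait, but it is
    a reason to check back and change the password again once the site re-keys.
    """
    return status != "still-vulnerable"


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate (network required; the samples never call this)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        status = assess(cert, patched=True)
        print(f"{name}: issued {cert_not_before(cert):%Y-%m-%d} -> {status}; "
              f"change password now: {safe_to_change_password(status)}")
```

To run it against a real site, call `assess(fetch_cert("www.example.com"), patched=...)` with the patched flag taken from the site’s own status page; the certificate date alone says nothing about whether the server is still leaking memory.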

Once you’re fairly convinced that the site has got the fix in place, go and change your password as soon as possible. I know I said the risk wasn’t high, but why take chances? But here’s the part you’re going to hate: don’t just change all of your passwords to the same new password. Use a different one for each site. Yes, it’s a total drag, but I have two suggestions to ease the pain.

1) Sign up for and use a password service like LastPass. It costs money and it takes a bit of a change of habit to use, but these services create very strong, unique passwords for each site and you only have to remember one (hopefully very strong) password to access everything.

2) If LastPass isn’t your cup of tea (or you simply distrust all of your passwords being kept in one place, no matter how much like Fort Knox it may be protected), create your own password template and use it for each site. Here’s an example: come up with a base for the password, e.g. IronM@nIsCool3rThanTh0r (yes, that’s kind of long, but when it comes to passwords, longer is always better). Now, figure out a two- or three-character way of identifying the site you’re on. For instance, Amazon.ca could be “Ama” or “Amz”. You’ll have to figure out which three characters to use, but it’s not that hard. Then throw these characters into your base like so: IronM@nIsCool3rAmaThanTh0r

The idea here is that even if Amazon were to be compromised, the attacker would have to find your username and password and then go about the process of figuring out which of the characters you changed on all of the other sites. This is difficult stuff, best done by humans instead of machines, and most hackers just don’t care enough to try – they’ll be plenty busy trying out passwords that actually work because they’re the same on every site.

Lastly, wherever possible, turn on two-factor authentication. Yes, it’s another painful step in an already painful security environment but this one really does make it tough on the thieves. You can give your mobile phone number to sites and then when you go to log in, they’ll text you a code to your phone. If the thief doesn’t have your phone, they won’t be getting into that site.

Good luck!


Apple releases iOS 4.3.3, includes location tracking ‘bug fix’

iOS 4.3.3 isn’t going to give your iPhone any new features. It won’t give you any bragging rights the next time you’re comparing your smartphone to your friend’s Android or BlackBerry handset. But it might just give you some extra peace of mind, and keep Apple out of the courtrooms.

That’s because this update to Apple’s mobile operating system addresses a “bug” with how these devices (including the iPhone 3GS, 4, iPod Touch 3, 4 and iPad 1/2) collect and store information about their locations.

If you’ve been living under a rock, here’s what happened:

A few weeks ago, two researchers announced that Apple’s iOS devices were storing relatively large amounts of location information; that this information was being stored in an unencrypted fashion; and that this data was being copied to people’s computers every time they synced their device via iTunes. Most worrisome was that if you knew what you were doing, you could use this data to create a very accurate map of where the device’s owner had been over a period of time, which was up to 10 months in some cases.

Needless to say, Apple was put in the hot seat over this and subsequently apologized for a bug in their software and promised to make the necessary changes.

Today they make good on that promise.

But is it a good thing?

Apple says in their description of the update that it “reduces the size of the ‘crowd-sourced’ location cache, no longer backs up the cache to iTunes, and deletes the cache entirely when a user turns Location Services off.” What this means is that if you opt out of all location-based services on your device, it will no longer keep a record of where you’ve been.

Here, for the record is the portion of the full Terms of Use that relates to location tracking:

Location Data. Apple and its partners and licensees may provide certain services through your iPhone that rely upon location information. To provide and improve these services, where available, Apple and its partners and licensees may transmit, collect, maintain, process and use your location data, including the real-time geographic location of your iPhone, and location search queries. The location data and queries collected by Apple are collected in a form that does not personally identify you and may be used by Apple and its partners and licensees to provide and improve location-based products and services. By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ and licensees’ transmission, collection, maintenance, processing and use of your location data and queries to provide and improve such products and services. You may withdraw this consent at any time by going to the Location Services setting on your iPhone and either turning off the global Location Services setting or turning off the individual location settings of each location-aware application on your iPhone. Not using these location features will not impact the non location-based functionality of your iPhone. When using third party applications or services on the iPhone that use or provide location data, you are subject to and should review such third party’s terms and privacy policy on use of location data by such third party applications or services.

Take careful note of this statement: “By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ and licensees’ transmission, collection, maintenance, processing and use of your location data and queries to provide and improve such products and services.”

This means that you agree to the collection and transmission of your location data even if you only use one location-based app, for instance the Maps app that comes standard with every i-device. I don’t know about you, but even if I turned off location services for every one of the apps I’ve installed since getting my iPhone, I’d still want Maps to show me where I am :-)

I hope that this update doesn’t in any way reduce the speed or the accuracy of the location-based services on the iPhone or other i-devices. I wasn’t upset about the data being kept on my phone and would happily allow it in return for a great user experience.

To update your i-Device with the latest OS, simply launch iTunes, plug in your gadget and follow the prompts.

CRTC to make switching broadcast, telco services as easy as one call

image (c) Getty Images

While I’ve never experienced any hassles when switching providers for any of my services, I know that this has not been the case for many Canadians. And clearly that’s the message the CRTC has been receiving, because today they have announced a new process whereby consumers can place a single call to their new provider and from there the new provider will make all the arrangements for the switch, including service cancellation, with the old provider.

In a press release sent out today, Konrad von Finckenstein, Q.C., Chairman of the CRTC said, “In a competitive marketplace, consumers are always encouraged to explore different options for their broadcasting and telecommunications services. The new rules will make the transfer process a seamless and convenient experience, while enabling Canadians to benefit from receiving retention offers from their current providers.”

Along with the new, simpler switch procedure comes new requirements for how long any switches should take: “The CRTC requires that customer transfers be completed within two business days, except for wireless service where transfers must be completed within 2.5 hours.”

2.5 hours? That seems like a tall order… we’ll see if that ends up being the reality or not.

The new rules don’t prevent you from doing a regular cancellation, if that’s what you want. In fact, it may arguably be a better way to go about switching, especially if you’re planning to move for pricing reasons. By calling your existing provider to cancel in-person, you’ll likely be offered any number of incentives to stay, which will not happen if you use the “one-call” technique.

The CRTC is warning Canadians that these new procedures do *not* help get you out of any early-cancellation fees that your current provider might charge you depending on the nature of your contract, so don’t be surprised if you get a bill in the mail following the switch-over process.

Finally, near the end of the release, the CRTC mentions that it “has established safeguards to prevent service providers from sharing confidential customer information with their internal sales and marketing groups during the transfer process,” presumably as a way to prevent the old provider from placing calls to the customer in an attempt to lure them back before they leave. Interestingly, the Commission isn’t completely convinced that this decision is in the best interest of consumers and is seeking comments on the issue.

Do you think these changes are good for consumers, or will you still use the cancel-and-switch-yourself technique the next time you decide to move?

Google launches people-finder for Japan quake

Given the shocking events unfolding in Japan today, it’s understandable that many will be looking to check up on friends and family located in that country.

Telephone lines and cellphone service have been spotty, yet internet access remains relatively stable, which makes it one of the best ways to get information in and out of Japan as they deal with the crisis at hand.

Google has once again provided a set of tools that leverages this infrastructure.

The first is a crisis response centre page that acts as a clearing house of information related to the developing situation.

http://www.google.com/crisisresponse/japanquake2011.html

The second is a people-finder tool.

http://japan.person-finder.appspot.com/

Something to keep in mind: The tool is only as good as the data people submit – in other words, Google has no direct control over the quantity or quality of the information. They are merely providing the tool for people to use as they see fit. At the time of this post, the tool had registered 7,200 entries.

On a related note, if you own an Apple i-device, there is a free English-language app from NHK, Japan’s national broadcaster, that provides live coverage of the situation.

And if you are trying to check on Canadians located in Japan, the Canadian Department of Foreign Affairs has two phone numbers you can call: 613-943-1055, or toll-free within Canada at 1-800-387-3124

If you know of any other web based tools or sites that can help during this severe crisis, please post in the comments below.

[Sources: Canoe, GigaOm]

Freakishly real robot might make humans redundant

When you consider the potential of the technology we’re developing to cause serious harm to humanity in the future, it makes sense that there are those hard at work trying to make technology more approachable by making it more human.

The Japanese are leading the charge on this, seemingly spurred by the need to create advanced robotic helpers for their swiftly aging population. Since not everyone is going to like the idea of having R2D2 helping them out of bed in the middle of the night to go to the bathroom, there is clearly a need for more humanoid assistants, if only to try to calm fears that they will one day decide they don’t need us.

But I doubt I’m alone when I say I’m not so sure that the advances in this field are doing much to make me feel more comfortable. I’m kind of freaked out by it.

The robot in these videos is a “Geminoid” – a term coined by Japanese scientist Hiroshi Ishiguro. According to the creators’ website, “A geminoid appears and behaves just like its source person. Also, it is tightly-connected with its original by information paths.” In other words, it’s meant to be a fully automated clone of someone real, down to the facial expressions.

The Geminoid in these videos, however, is from Aalborg University in Denmark, where their goal is to try to understand the differences in cultural perceptions of these artificial humans. In the first one, the robot even appears to breathe. My first impression was that it had to be faked, that this was just a real guy pretending to be a robot, but judging from the “making of” videos, it’s real alright.

Readers, what’s your take? Freaked out? Excited? Ready to swear your allegiance to our new robotic overlords?

[CrunchGear via Sayomg]

Apple revolutionizes the subscription model (and ticks off publishers)

image courtesy of Apple

One of the many strokes of brilliance that Apple has brought to market in the past few years is the App Store. It’s the central shopping mall for the applications that power the most popular devices on the planet, namely: the iPhone, the iPod Touch and the iPad. The key to its genius is the same thing that makes almost all of Apple’s products immensely popular: its simplicity. Browse, tap, confirm, you’re done.

It’s so simple and easy to use that developers have fallen all over themselves creating new apps for the Store to the tune of over 350,000 apps last time I checked. 60,000 of these are specifically for the iPad – a device that hasn’t been on the market a full year yet.

Today, Apple took what many perceived as the next logical step and rolled out a new subscription platform that runs on the same account system as iTunes/App Store, enabling users for the first time to subscribe to content directly within an app. And just like the App Store itself, the process is simple. According to the press release that Apple issued, “customers can easily subscribe with one-click right in the app.”

For i-device users this means that subscription content which once required the download of an app, and then a sometimes long and frustrating sign-up process on a third-party website, can now be bought and paid for without ever leaving the app itself. Better yet, at least for customers, the decision to share your personal info with the publisher is entirely yours.

Clearly the vast majority of apps that have pursued an advertising-driven model so far will continue to do so, but many – especially big publications – will want to leverage this new revenue stream. That is if they can stomach Apple’s rules.

See, Apple hasn’t just created a new subscription service, they are obligating their publishers to use it. Here’s how it breaks down:

– If you are a publisher seeking to charge a subscription for any content that you deliver to an i-device via a downloaded app, you must use the Subscription service

– You can charge whatever you like for the content, on whatever basis you like e.g. daily, weekly, monthly etc.

– If your customer signs up inside your app (and let’s face it, why wouldn’t they?), Apple gets 30% of the revenue, whatever amount that happens to be.

– If your customer signs up outside of the app (something Apple allows) you can keep 100% of the revenue

– But, in case you were thinking that you could offer people a discount for signing up outside the app (say $10 in-app, $7 outside the app), Apple saw you coming a mile away. Under the rules, you must ensure that the in-app offer is at least as cheap as any out-of-app offer. You didn’t think Apple was going to give up their cut that easily, did you?

These rules push the glass half-empty/half-full analogy to the breaking point. On the one hand, having a subscription service as easy to use as this should prompt many more people to pay for content in the same way that iTunes facilitated the transition from CD sales to legitimate digital downloads of music. When something is easy, people tend to like it and use it. Content creators should be excited by the idea that Apple is not only taking the headache out of managing a subscription billing system, but giving them easy access to millions of potential customers. Customers should be thrilled that they can not only subscribe with a click, er, tap, but manage those subscriptions as easily as they manage any other aspect of their account with Apple.

On the other hand, a company like Netflix, which has built their entire business model around the $8/month subscription fee, will have to give some serious thought to the viability of an app-based delivery model now that $2.40 of that fee will be going to Apple. Come to think of it, Apple ships their popular Apple TV product with Netflix embedded… ah well that’s probably a whole other kettle of fish.

Add to that the fact that customers will effectively be “invisible” to publishers because of the optional submission of personal info in the subscription process and suddenly the decision to get on-board with Apple’s game plan is far from simple.

My guess is that smaller publishers will happily latch on to this system: it’s easy, it’s turn-key for them and it represents a way to get paid for their content in a way that ad-revenue might never be capable of doing. Big publishers however, might decide to abandon the app model altogether in favour of developing robust and mobile-friendly HTML5 sites where they can maintain complete control over the subscription process and keep all of the revenue. If they can make their sign-up process as easy as Apple’s, people might just ante up. The up-side of this strategy is that their content is automatically compatible with Android devices, an increasingly large share of the mobile market.

What is perhaps even more interesting about this announcement is the bigger picture for Apple. You may know that they are likely going to include NFC (near-field communications) in the next iPhone and that this represents the start of a brand new mobile payments system that could make credit and debit cards obsolete. Perhaps this subscription service is merely the opening volley in a long-term and massive payments strategy on Apple’s part. PayPal, Visa and big financial institutions: it’s time to get nervous.

Time for comments. If you’re an i-device user, do you think this new system will make you more likely to pay for content on your device? If you’re a publisher, what do you think of Apple’s my-way-or-the-highway policy?

Update, Feb 16, 12:12 p.m. Google is stepping up with a competing subscription system which may well prove to be the Android to Apple’s iOS in the pay-for-content space. Dubbed “One Pass”, their model is web-based, built on the Google Checkout architecture and promises to be easy for both customer and publisher. I smell a battle-royal brewing!

Update, Feb 16, 4:59 p.m.: Reactions to Apple’s plans are beginning to materialize. The TechCrunch team are so far the most vocal: MG Siegler seems comfortable with it. Jason Kincaid is decidedly uneasy, while Michael Arrington claims Apple is going to put all music streaming apps out of business.

Update, Feb 21, 2:48 p.m.: In what may turn out to be the first of many official reactions to Apple’s announcement from companies that now find themselves in an awkward position, Readability has written an Open Letter to Apple. In the blog post, the company accuses Apple of being greedy – a sentiment echoed by MG Siegler over at TechCrunch. For our part, we’ve been reaching out to Apple for several days now, trying to get some clarification on exactly how this new system will be applied to new and existing apps. So far, no response, but that could be because the company is shifting into high gear for an anticipated product announcement, or they are being guarded in what they say to the press now that U.S. and E.U. regulators have taken an interest in Apple’s plans. We’ll update this post once we hear more.

Dead Drops are subversive, cool and risky

Dead Drops are USB keys embedded in walls or other fixed objects. Courtesy of DeadDrops.com

Have you ever just been walking down the street, only to glance over at the wall beside you and notice the butt of a USB key sticking out of the bricks and mortar? Neither have I. And yet, this might become a familiar sight in the not-too-distant future if a new movement known as “Dead Drops” starts to catch on.

The brainchild of Aram Bartholl, a Berlin-based art student, Dead Drops was conceived as an “anonymous, offline, peer to peer file-sharing network in public space.” The name comes from the practice used by spies and other folks engaged in clandestine activities to pass information to one another without meeting face-to-face. In this most recent incarnation of the idea, a participant identifies the location of the dead drop, shows up with a laptop or other device equipped with a USB port, and uploads or downloads files to or from the embedded USB storage device.

What kind of data is on one of these digital protrusions? Anything at all. That’s both the promise and peril of Dead Drops.

Clever marketing companies will realize the potential of Dead Drops to reach a highly sophisticated group of consumers who are young, tech-savvy, urban-dwelling and likely influential in their social media circles. Uploading a previously unreleased track from a new album, or digital coupons for products could yield impressive viral results very quickly. Or the files could simply end up being deleted by the next person who jacks in. In the wild west of Dead Drops, there are no police, no back-ups and no guarantees.

One of Canada’s only two registered Dead Drops at the time of writing is installed in the wall of an enterprising book store in Carleton Place, just outside of Ottawa. Read’s Book Shop invites Dead Droppers to “plug in” to their store and “Check for future book reviews and coupons!” Take that, Chapters. Bartholl’s site contains a database of other Dead Drops too.

The dark side that this unfiltered sneaker-net enables is easily imagined: What better place than Dead Drops to try your hand at releasing the next killer Windows virus into the wild?

As with online file-sharing, all the same rules and guidelines apply to Dead Drops, only more so.

Apart from the digital safety issues involved in jacking a strange device into your computer, there are some physical concerns to consider as well.

Jacking into a Dead Drop. Courtesy of agoasi on Flickr.

Usually when you plug a USB key or similar device into your machine, the relationship between the two objects is consistent: your computer is the bigger of the two items and typically doesn’t move around much. USB keys are very light and place almost no stress on the USB ports. That means unless you’re being careless with the USB device, the odds of damaging either gadget are low. That model gets turned upside down (sometimes literally) when you’re dealing with a Dead Drop. In this case, the USB device has no give whatsoever. Depending on the height, angle and orientation of the Dead Drop, you might have to hold your PC to the wall or other host material at an awkward angle while you try to navigate menus and folders with your remaining hand. I hope you buy a netbook before going on a Dead Drop scavenger hunt!

A Dead Drop, seen mid-installation

Bartholl’s site contains tips on how to mount your Dead Drop so as to minimize these difficulties for users, but my advice is to go to your nearest dollar store and buy yourself a USB extension cable of at least 3 feet in length. This less-than-a-cup-of-coffee investment might save you from having to replace a damaged USB port, cracked motherboard or worse. Plus it will eliminate the stress on the Dead Drop too. Don’t forget, these things are just off-the-shelf USB keys for the most part and they won’t survive abuse. They may not even survive a winter.

Is Dead Drops just the latest flaky internet craze, right up there with Rick-rolling, or are the current handful of USB-encrusted walls just a drop in the bucket of what’s to come?

Maybe the next great idea will arise as a result of these anonymous, disconnected micro-vaults of information. Perhaps an exciting counter-culture will emerge that will thrive in the ad-hoc environment of Dead Drops that can’t be controlled by any one entity. I’d like to think we’re looking at a new wave of urban geo-caching, where the sight of someone huddled against the wall of a darkened alley, bathed only in the glow of their laptop screen, brings a knowing smirk to our lips. But I fear it will simply become another avenue for the distribution of material that we as a society could do without.

Readers, what do you think?