Top tip: Don’t bother with Facebook’s two-factor SMS auth – unless you love phone spam
Pick another 2FA method: Social network is having a What The Zuck moment
By Shaun Nichols in San Francisco.
Forget fake news, Russian trolls and the gradual cruel destruction of journalism – now Facebook is taking heat for spamming a netizen’s phone with text messages after he signed up for SMS-based two-factor authentication.
Software engineer Gabriel Lewis said this week that after he activated the security measure with his cellphone number, he began to receive not just one-time login tokens as expected, but texts from Facebook with links to stuff happening on the social network.
A modern business of ANY size is largely the sum of its data and documents. Keeping them safe and private is crucial for the survival of your business. Are you safe if you use Google services?
Security in the Post Sony Hack World
The Sony Pictures hack has shone the spotlight on the security issues posed by Internet-connected systems, particularly those using Windows desktops. Sony, it will probably be revealed, got hacked via a spear phishing attack. Spear phishing is aiming a carefully crafted attack at an individual, using personal information to make the attack look like an email or document they expect, know, or want. Once they have allowed it into the network, lax security procedures and poor passwords gave the attackers access to everything. However they got in, poor security procedures will ultimately be revealed to be the main culprit.
Passwords were stored in unencrypted files named “passwords”. Thousands of email messages stored in Microsoft Outlook .PST data files were copied. Massive numbers of documents were simply copied off the Sony servers and out to the web. It is obvious that security was lax, but the reason all this was copied is basically that it was all sitting on Sony servers, and the passwords were weak or available to the hackers.
This was a failure of the classic server-client network on a huge scale.
Security in the Google Cloud World
On the other hand, a business that keeps its workers on Chromebooks and stores data in the cloud is going to be in a better position to defend its data.
The documents, spreadsheets and mail are all stored on Google’s secure and backed up servers. Access is via individual user passwords. Documents can be private, shared with individuals, shared with domains (everyone in the business) or publicly.
There is one huge security advantage to this. Instead of documents being emailed around the company, they can be shared by sending a link via email, so the email itself carries no document. A document attached to an email can be forwarded, copied and stolen. The document link will only work for someone logged into Google Drive as a recipient of the document. Anyone else who gets the link will not be able to access the document. This is a huge step up from emailing documents.
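The access check behind that claim, written out as a small policy evaluator: an added illustration, not Google’s code or anything from the original post. It models the four sharing modes the post names (private, shared with individuals, shared with the whole domain, public) and shows why a forwarded link is useless without a matching login. The `Document` class, the `can_open` and `open_link` helpers, and the sample addresses are all assumed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Sharing modes named in the post.
PRIVATE, INDIVIDUALS, DOMAIN, PUBLIC = "private", "individuals", "domain", "public"
VALID_MODES = {PRIVATE, INDIVIDUALS, DOMAIN, PUBLIC}


@dataclass
class Document:
    doc_id: str
    owner: str                                   # e-mail address of the owner
    visibility: str = PRIVATE
    shared_with: Set[str] = field(default_factory=set)  # explicit recipients (INDIVIDUALS mode)
    domain: str = ""                             # e.g. "example.com" (DOMAIN mode)

    def __post_init__(self) -> None:
        if self.visibility not in VALID_MODES:
            raise ValueError(f"unknown visibility {self.visibility!r}")


def can_open(doc: Document, user: Optional[str]) -> bool:
    """Decide whether `user` (an e-mail address, or None for an anonymous
    visitor who merely holds the link) may open `doc`.
    The link itself grants nothing; only the identity of the logged-in user counts."""
    if doc.visibility == PUBLIC:
        return True
    if user is None:
        return False                             # forwarded link, nobody logged in
    user = user.lower()
    if user == doc.owner.lower():
        return True
    if doc.visibility == INDIVIDUALS:
        return user in {u.lower() for u in doc.shared_with}
    if doc.visibility == DOMAIN:
        # Exact match on the part after the last "@"; sub-domains are not the same domain.
        return user.rsplit("@", 1)[-1] == doc.domain.lower()
    return False                                 # PRIVATE: owner only


def open_link(store: Dict[str, Document], doc_id: str, user: Optional[str]) -> Optional[Document]:
    """What the link handler does: look the document up and apply can_open().
    Unknown id and denied access produce the same result, so the link cannot be
    used to probe which documents exist."""
    doc = store.get(doc_id)
    if doc is None or not can_open(doc, user):
        return None
    return doc


if __name__ == "__main__":
    # Constructed sample data for a quick local run.
    contract = Document("contract-42", "owner@example.com", INDIVIDUALS, {"alice@example.com"})
    store = {contract.doc_id: contract}
    for who in ("alice@example.com", "bob@example.com", None):
        print(who, "->", "opens" if open_link(store, "contract-42", who) else "denied")
```

The `open_link` handler returns the same `None` for a missing document and for a denied one; a handler that distinguished the two would let a holder of a forwarded link learn which document ids are real.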
An Example of the Dangers of Sending Documents
Some time ago, I worked for a very large organization that used Microsoft Office. Everyone used Outlook for email. People inside the company sent contracts, proposals, memos and other documents as Word documents attached to emails.
In one large department, instead of saving documents on the corporate servers, people began going back to Outlook to find the last version of a document and working on that. Then they sent it, or saved it back to Outlook. Corporate data was not being saved on the file servers, and Outlook .PST files grew to huge sizes.
Then, one Sunday night, the mail server for that department ran out of disk space. It tried to alert the Sysadmin, but there was no space on the server to process the email. The whole system collapsed at 2:35 AM and no-one knew anything was wrong until they arrived for work on Monday.
The lack of disk space had also prevented backups from running properly. Tape backups had failed weeks before, but no-one had checked the logs. It took two weeks to get the mail system running, and many users had lost hundreds of documents and revisions of documents. Some lost their entire email history, address book and calendar. For weeks, email flew around the organization begging for recent versions of contracts, proposals and other documents to be sent back to the originators. The fallout went on for a year or more.
As the Sysadmin for my department, I began monitoring the size of Outlook data files, and began delivering scathing warnings if they grew too large.
It was a lesson I never forgot.
And the Winner Is…
If Sony had been using Google cloud storage, how might this have played out?
E-mail would have been protected by storage in Google’s cloud. Google mail is accessible by web browser. The connection to Gmail is by a secure HTTPS connection. This would have made intercepting e-mail difficult to impossible. Attachments would have been replaced by links, and not accessible to the hackers without the relevant passwords. Email would have remained secure as long as passwords remained secure.
I have mentioned secure passwords a few times. A cloud-based solution needs good password security. Sony obviously was using bad passwords and poor password procedures.
For Google Docs (the business version of Drive), user policy is controlled centrally by the administrator, who can enforce policies such as strong passwords and two-factor authentication.
A corporate account with LastPass would have saved a lot of grief. LastPass creates and stores secure passwords. Instead of using “Monkey” or “123456” everywhere, LastPass will generate a real, unique and secure password for every site and then store it for you. Every time you visit that site while logged into LastPass, it will fill the password and username into the browser for you.
And even better, it is really secure, really cheap, and uses two factor authentication.
Singing the Praises of Two Factor Authentication
Two factor authentication simply means you need something other than the password. The password is easily stolen, but a second form of identification means the password alone is not enough.
The second factor or token can be one of those key-ring devices that shows a new number every thirty seconds, a fingerprint, a retinal scan, or a USB dongle that has to be plugged into your computer before you can log in.
Every teller at my bank has to swipe a card and type a password before they can use a terminal. That card is their second factor.
The simplest one for most of us is an app for our phone or tablet. I use Google Authenticator. I have registered my Google Mail account, and when I login, I have 30 seconds to type in the six digit number displayed on my phone or tablet. I also have a sheet of six emergency codes. I keep that paper very safe, and have never had to use it. I always have a phone or tablet in range when I sit down at the computer.
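What the phone app is actually doing, as an added example rather than anything from the post or from Google: the six-digit, thirty-second codes are RFC 6238 TOTP, which is RFC 4226 HOTP with the counter set to the current thirty-second slot. The block below implements both, accepts a code one slot either side to absorb clock drift, and adds the kind of single-use emergency codes the post mentions, stored only as hashes. The function names, the eight-hex-character backup-code format and the SHA-256 storage are design choices for this example; the secret `12345678901234567890` is the RFC test-vector key, so the expected codes can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set, Tuple

STEP_SECONDS = 30   # the thirty-second window the post describes
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check. Accepts the current slot plus `window` slots either side
    so a phone whose clock is a few seconds off still works; compares in constant time."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(counter - window, counter + window + 1)
    )


def new_secret() -> Tuple[bytes, str]:
    """Fresh 160-bit shared secret plus the base32 form an authenticator app is given."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode().rstrip("=")


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def generate_backup_codes(n: int = 6) -> Tuple[List[str], Set[str]]:
    """Emergency codes: the plain codes go on the user's sheet of paper,
    only their hashes are kept on the server."""
    codes = [secrets.token_hex(4) for _ in range(n)]     # 8 hex characters each
    return codes, {_hash_code(c) for c in codes}


def use_backup_code(store: Set[str], code: str) -> bool:
    """Each emergency code works exactly once: it is removed from the store on use."""
    h = _hash_code(code)
    if h in store:
        store.discard(h)
        return True
    return False


if __name__ == "__main__":
    raw, b32 = new_secret()
    print("enrol this secret in the app:", b32)
    code = totp(raw)
    print("current code:", code, "verifies:", verify_totp(raw, code))
    plain, store = generate_backup_codes()
    print("first emergency code", plain[0], "works once:",
          use_backup_code(store, plain[0]), "then:", use_backup_code(store, plain[0]))
```

The `window=1` tolerance is the trade-off behind the "30 seconds to type it in" the post describes: it makes a code usable for up to about ninety seconds of wall-clock time rather than thirty, which is why a server should also refuse to accept the same code twice within that span.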
The Cloud IS Secure
As we can see from this, using a cloud service like Google Docs is no less secure than storing everything on a local server.
Is it absolute security? No. No-one is even sure such a thing exists. It is all relative.
If the FBI, NSA, ASIO or GCHQ want your data, they will get it. But Google is working hard to make this process more difficult for them, and is making great strides.
This is a low friction, low cost option to provide secure storage and sharing of your data with high reliability, and no cost for a big IT team to keep it working.
REALLY Secure Information in the Cloud
Some things really are secrets, rather than just private. There are ways to put the absolutely most secret things in the cloud too. They just require a little work to get them there.
This seemingly innocent plugin, which allows the capture and annotation of screenshots, has been caught with its hand in the till, according to mig5.net. I caught onto this story courtesy of the Chrome Story Blog.
Basically the Awesome Screenshot plugin spies on all the web sites and pages you visit, sends the data back to servers for storage, and at a later date a web-crawler identifying itself as “niki-bot” begins scanning those pages. The purpose is not clear, but the terms of service for “Awesome Screenshot” state:
When users access the software, certain non-personally and personally identifiable information (the “User Information”) may be collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users.
My advice would be to run, not walk, to your computer and remove the Awesome Screenshot plugin immediately!
Thank you to the sites mentioned above for doing the detective work on this one!
There is endless carping by ill-informed or ignorant pundits talking about Chromebooks being “bricks without WiFi”. It is time to look at that with fresh eyes.
I am shocked to discover I have not written about the offline capabilities of the Chromebook. I have written a lot in comments on other Blogs, and lost track of the fact that I have not discussed it here.
The 31 Day Chromebook Challenge – Day 30
My 31 Day Chromebook Challenge is drawing to a close. And it is time to speak out about the Chrome OS. Most of this article was written in the passenger seat of my car, definitely offline. And with no problems at all.
I am writing this on the Samsung Chromebook. I am offline, typing in Write Space using a fairly large font. I like the ability to set up Write Space with colours, fonts and page width. I am writing in less than perfect viewing conditions, and it is perfectly readable and comfortable.
I am listening to music saved to the Downloads folder through my headphones, writing until a 25 minute countdown timer tells me to take a break, and I have access to lots of notes in Google Keep and saved from Feedly into Pocket.
So, here is the executive summary for you impatient types:
Offline, with the default Chromebook installation I can:
Manage Files – Move, copy, delete and more with the file manager
Read and edit e-mail, and send when connected with Gmail offline
Edit all types of documents with Google Docs
Create, read and search notes in Keep.
Set reminders and alarms in Keep
View my Calendar in Google Calendar
Use Calculator – A simple calculator, but it works offline
Audio & Video player – Part of the Files app. Most music and video files just play. Even from External drives and devices
Display a presentation in Full Screen mode and use the HDMI port to send it to a projector
The Chromebook challenge began badly. On the second day I had to provide some technical support for a friend in another state. Unfortunately she is barely coherent, technically, despite having a degree in another field. As a result I soon had to fall back on accessing her machine remotely to make some configuration changes to her wireless router.
I know remote management of another computer is possible on a Chromebook using Chrome Remote Desktop.
This requires the installation of Chrome and the Remote Desktop plugin, on the client or host machine, and this was more than I thought we could manage, so I booted a Windows laptop up for this situation.
There is another solution, the new Google Hangouts Remote Desktop. This is an addon, easily accessed in Hangouts, even while a hangout is in progress. Unfortunately either the Samsung Chromebook, or my bandwidth was not adequate, and the remote connection was painfully slow, and audio was reduced to a Cylon snarl. I gave up fairly quickly.
The Chrome Remote Desktop option, however, is improving, and works very well. There is now an option to install the Remote Desktop software on a PC in Permanent Access Mode so that you can connect to it even before it is logged in. (Chrome Support shows how here: https://support.google.com/chrome/answer/1649523?hl=en )
I installed this service on a Windows 7 Netbook and logged in easily as soon as it booted up.
If you are required to do remote support, I strongly recommend installing this service and applying a STRONG PIN to protect the host computer. Once done, you can log in at any point from any computer with a Chrome browser. That obviously includes a Chromebook.
Well, here I am on day two of the 31 day Chromebook challenge. It has not been without problems, one of them causing me to use a Windows PC to do a remote support call. I now know how to do that from ChromeOS and will write about it when I can do some more research.
The first question I asked when I started using a Chromebook a couple of months ago was what will I use as a text editor? The obvious choice would seem to be Google Docs or a Google Drive Document. Drive (for now, I will call them Google Docs) has formatting, spell-check and word-count, all things important to a writer. And despite the “without WiFi it is a brick” whining of the Microsoft Scroogled campaign’s lapdogs, it works perfectly offline, accessing and editing all your documents, as long as you have allowed them to sync with Google before going offline.
But I have one problem with Google Docs as a general purpose text editor. A Google document can be quite hard to view in field conditions. I spend a lot of my day on buses and in the sun, with my Samsung Chromebook Series 3 on my lap. A big, clear screen is vital.
I am currently using Write Space, a full-screen text editor. Write Space is basic. A handful of basic key-strokes, a status bar at the bottom of the screen with Words, Lines and Characters typed.
There is no menu, and no save option. Everything I type is saved locally. It has no file save option: text just gets saved to the local Chrome storage, and is kept. To use it elsewhere, it must be cut and pasted into a Doc, Keep, or a text file.
I am using Write Space because of the simplicity of the screen and the ability to re-configure it. If you go to the Chrome > plugins > settings menu you can change the page width, font size and colour. Save the settings, and Write Space instantly updates its look and feel.
I am writing in a large, pale blue font on a dark blue background on a page that is 800 pixels wide. It is large, easy on the eyes and very responsive. It is visible in low light. I can read the large font easily when using the computer on my lap. It is a little reminiscent of the Wordperfect screen of the eighties, and easy on the eyes.
There is a spell-checker that works well, even when offline. The usual short cuts work, including the undo function.
When I hit the full-screen key (the equivalent of F11 in a Windows Chrome browser) I have a full, uncluttered and simple screen that allows me to work without distraction.
It is hard to get any simpler, and hard to think of more than a few hundred words to say about an editor that just works. I have never lost a word, and occasionally I copy everything into Keep so it will sync across every device I use.
All in all, I recommend Write Space as a simple and reliable text editor.
User Account Control (UAC) settings in Windows Vista and Windows 7 seem like an annoyance rather than a benefit to Windows users. There are many web sites telling users how to turn UAC off. However, the UAC warning is a vital tool in maintaining the security of your computer. It ensures that you know when a program is attempting to make changes. If you are trying to install a program, you expect the warning. But if you see a message like this when you are visiting a web site, or reading e-mail, it is a warning that something is being done without you requesting it.
Simply cancelling the request will keep your computer safe.
To maximise your safety, increase the level of notification from UAC to the maximum.
How to Raise UAC to the highest setting
1) Click on the Start button or hit the Windows key.
2) Type UAC in the “search programs and files” box
3) Click on the “Change User Account Control Settings” option (it should be the first choice)
4) Push the Slider up to the highest setting
5) Click OK, and you are done.
This will ensure nothing makes changes to your computer without notifying you. And remember, ALWAYS read those notifications before clicking on them. A malicious program, once installed, can be an expensive mistake.
Social Media Marketing – DON’T Send Your Customers to Mark Zuckerberg
More and More, I see marketing campaigns sending customers to Social Media web sites.
Don’t do that! Really. Stop it now! The visitor is interested enough in you or your product to read a web page, blog post, tweet and look for more information. Instead of sending them to your web page, you are directing them to a site you do not and cannot control.
Bloggers are doing the same with Follow us on Twitter and Find us on Facebook buttons. A visitor has come to your site, hopefully to read your content and perhaps buy your products, and you then send them to Facebook. Mark Zuckerberg thanks you. Your customer has now become his. In the Internet age we all have the attention span of goldfish. Once your prospect hits Facebook they may follow you, but they may never actually engage you. It may be days or months before they return to your web site.
Don’t Send People to a Place You Do Not Control
“Ahh”, you say, “but we have built a GREAT site on Facebook and are getting thousands of Likes”. Perhaps you are, but what real engagement are you getting, and how much control do you have?
Many businesses have used a standard Facebook account and use it as a business page. A Group has some advantages, but today Facebook is pushing everyone towards Fan Pages. Many businesses have fallen foul of Facebook’s ever changing rules and had their site taken down. See the account by Ars Technica. Some have had the page taken over by hackers or ex-employees who have changed passwords and locked the business out of its own site. And many people will use comments on a popular Fan Page as a platform for their own purposes.
Facebook Changes Again
At the end of March 2012 Facebook is changing the rules about pages again. Fan pages, or Facebook pages, are now being brought into line with the normal user page. The look is changing. Here is the Facebook page of one business before:
Some businesses have spent $50,000 (and perhaps more) getting pages like this designed. Now much of that work will be thrown away.
McDonalds Australia. A Big Marketing Campaign pointing to Facebook
McDonalds Australia have been running an advertising campaign featuring their Facebook page. Their web site (it doesn’t work for me most of the time, as I have Flash disabled) also has a link to this page. I tried clicking on the link to Facebook and got a rather disturbing pop-up.
Eventually I accepted the caution and went to the McDonalds Facebook page. The advertising campaign seems to have worked. They have 285,580 people who like their page. There was a reward for liking the page. Of those, 277,965 have actually visited the page, but only 13,933 are Talking About the page.
This page will, of course change within the next week or so…
Be prepared for Damage Control
A quick browse through the comments on various posts indicates that many of the comments are less than flattering.
I wonder if I commented on the violent bout of food poisoning that almost put me in hospital after eating a McDonalds, would it be deleted? Would it help their marketing?
Keep your traffic at home; Mark Zuckerberg has enough. Remember, Facebook is not there to help your marketing effort. Their goal is to get your customers engaged, gather information and target someone else’s advertising at them.
A far better use for the precious seconds of their time someone has given you would be to direct them to your own web site, preferably a custom landing page that has been designed to call them to action: sign up for a newsletter, subscribe to a feed or make a purchase.
Use Facebook and Twitter for Inbound Marketing
Facebook and Twitter have a very real place in marketing, but it is in the other direction. Don’t send people there. Use Tweets or posts to encourage people who find you on those sites to follow you because you point them to interesting content. If that content is on your web site, so much the better. The main thing is to give them something worth reading, commenting on or re-tweeting. Then they will bring their friends to you.
So when that Social Marketing Guru comes knocking, say “No, thank you, I would like to send my potential clients where I can control the message.”