Thursday, November 8, 2018

Scams and The Wild Wild West of the Internet

Above is a real e-mail from my Inbox.  We all know that scams abound, and that scammers are getting smarter about them.  However, the really really really really really dumb ones like above still come through.  Poorly-worded English, and really plain ask for money without any background or research.  The fact that these e-mails are still being sent, to me, would seem to indicate that they must work at some level.  So, that leaves me to wonder, what brain-dead individuals with socially-stunted interpersonal skills would fall for such a thing that says "We awaits your contribution" from some random e-mail address that may or may not even be someone that they know?  Would it be some elderly person?  I kind of doubt that many elderly have e-mail if they don't understand the dangers of it, and who can send them letters; and if they do have e-mail, I doubt that they have much money to be able to pay any scams if they don't understand these things (they probably already lost that money through some other scam).

Recently, I began a charitable endeavor, and networked through people I know to talk to corporate task forces responsible for remitting charitable donations to the community.  On the call, they asked me how I know my contact (a VP of the company), and if I really did talk to him - because they are getting people who research their company, learn the names of executives, and use those names to say they were referred by them, to try to garner credibility for the scam.  And this isn't a really big company to begin with.  That's how aggressive and researched and intelligent some of these scammers have become.

All the more surprising to see the old "I am a prince with millions of dollars trapped in offshore accounts, and I need your help to move it" type of scam even be attempted.

Some very clever e-mails try to look legit.  For example, my wife and son got emails claiming that their e-mail was hacked, their password was such-and-such (a password they had used on some site that had actually been hacked), and that they need to transfer bitcoins to this account if they wanted to avoid their social media (all of them) and others being controlled.  This was blatantly idiotic, but had some intelligence behind it as it used an actual hacked password from somewhere else on the presumption that they use the same password everywhere.

Phone Call Scams

There are many phone call scams, too.  Again, they seem so stupid to me, that I wonder at the level of people who fall for them.  They are typically of the type that says things like "This is Card Services, we can help you lower your credit card interest rate" (hilarious they call my kids who are too young to have cards...), or "Don't hang up" (I immediately hang up).  Every once in a while, I get a call that says they are from Microsoft (in an Indian accent) and that they were notified a virus was detected on my PC (I have Macs).  So, why are these calls so prevalent today, and what can we do about them?

First, let's look at WHY these occur.  On the driving end, many of us eventually fall for these scams and it is very cheap to attempt them, so if even a small percentage of marks fall for the scam, it more than pays for itself.  On the enabling end, people are using 2 very old, ancient technologies with little or no security to communicate.  These are e-mail and the telephone.

Most e-mail systems support POP and SMTP, which are mail protocols developed in the 1960s and not updated much since.  Some security has been added, but it is typically optional, and depends on each mail server being set up with those security options enabled.  For example, requiring the sender to authenticate to the server (e.g. enter a name and password) is optional when a mail server is set up.  If you look at the POP protocol, it was designed with the Internet way back, when the entire purpose of the Internet was to provide a system of interconnectedness between computers that could survive a nuclear war, and possibly an entire city being destroyed, and yet still function and route traffic.  Thus, POP relays e-mails from the originating server, through any number of intermediate servers, until it finds the destination server.  The originating server is in charge of whether or not it requires authentication, and then the e-mail goes along its merry way.  If some scam artist or criminal sets up an e-mail server, it finds other e-mail servers to relay through, and some sort of trust is established such that no real security is in place.

In order to fix this issue, it would require a whole new e-mail system that requires senders to authenticate who they are, and a trust between each mail system that each individual mail system has vetted its users for illicit activities.

Now let's look at telephone systems.  Back around the 1970's and 1980's, they were developing a Caller ID system.  In this system, if you think about how telephones worked back then, one switch the caller was connected to routed the call based on the number he dialed, to another switch, and so on until it reached the final telephone terminal.  All of these systems were over copper wires with electricity, using old "analog" signals.  They broadcast tones over these signals that were the precursors to digital, called DTMF tones, to communicate the phone number dialed to the switches.  So, on top of this ancient and very simple system, they created a protocol that would work with all these old phones, that basically says the calling phone gets to say who it is (as in "Hello, my number is 555-111-2222") and that is relayed to the receiving phone.  Absolutely no security, no way of verifying that's who it really is.  So anyone can put anything they want.  And guess what?  That's the Caller ID system still in place today, globally.  So guess what?  Anyone can say they are calling from any number, there's nothing that forces them to prove via a more secure system they are who they say they are.

Supposedly, phone companies have been working on a solution to this, but this is really where government regulation has dropped the ball and not forced them to do it by a certain date.

So, because of this massive lapse in security and regulations on behalf of the public good (thanks, Government), it's a wild west out there for scammers.  They can do anything they want and get away with it - and they have systems that generate a phone number that looks like it is local to you, and that's who it says they are calling you from.  Then, when you call it back, it is either an invalid number, or someone's phone, but they never called you.

Tips to Handle Spoof Calls

The vast majority of these calls are computerized, because that's the way to make it so cheap that it costs them almost nothing to try to find stupid, gullible people to give them their money.  So, knowing that these are stupid computers, it is pretty easy to figure out if this is a real person or a computer.  Answer it, and don't say anything.  If you were calling someone and they answered and it was total silence, what would you do?  You'd say "Hello?  Is anyone there?"  However, computers wait for someone to start talking.  Typically when you answer a phone, you say "Hello?" so it waits for some sound, and then it starts its scam.

If you don't make a noise, it will hang up shortly, and you know it was a robocaller.  If someone says something, you know it's a person.

Should you block the number?  Not likely to help.  Like I said, they can say they are calling from any number, and their software picks a random local number every call, so forget trying to block callers.

How does the phone company help?  There are apps for your phone that try to identify callers - but again, this only works for those who legitimately give their Caller ID.  This is actually a large enough list, so it is helpful.  A third-party app, Mr. Number, will identify incoming callers and show whether they are a telemarketer, debt collector, or suspected spam caller.  Similarly, your cellular carrier offers apps that do the same, and there may be some additional numbers in its registry that Mr. Number doesn't have, so I have both AT&T Call Protect and Mr. Number installed.  Contact your cellular carrier and ask them what apps they have to help protect you from unwanted spam calls.

What about long-term?  In the United States, you can contact your Congressional representatives in the House and Senate, and pester them (yes, over and over and over) to introduce and support legislation that will correct this issue.  Namely, force Internet mail providers to switch to a new system that is secure, and force phone providers to vet their caller ID, make it more secure, and transparently notify users when the caller ID has not been securely authenticated as genuine.

They say that "the squeaky wheel gets the grease," meaning the more you complain and say something, the more the problem you are complaining about is likely to get addressed.  Congress already knows this is a big issue, but they are slow moving, and typically need a push.  Just because I say to do it at a Federal level, doesn't mean you can't attempt something at the State level as well, but to be really effective, the FCC has to regulate it since it is by definition an interstate system.

Wednesday, August 22, 2018

Russia, Iran and Others' Social Media Exploits

The news has been riddled in recent years with the national spy agencies exploiting social media to influence outcomes.  While it is obvious that the Russian state has hacked American interests, and sought to influence political outcomes via social media, and now it comes out that Iran has done the same for a long time, I am fairly certain that the United States government is no less culpable.

However, let's take a step back.  True, if someone could hack into an election system, they could modify the vote count and therefore have an alternate result reported.  They would have to hack into literally tens of thousands of separate systems to get that done.  But let's go back to social media.  How many people actually believe what they read on social media?  True, a lot of people are initially duped by scams, but eventually the truth comes out.  Also, just like the health effects of fast food, it is widely known that posts on social media are just unreliable in their veracity.  And yet, the press is all over the fact that nation states have sought to influence the public through social media.

What is going on here?  Are these spy organizations misdirecting their efforts in a non-effective manner?  Is the news (and the social media platforms themselves) overstating their influence?  Or, do people actually believe what they see and read on social media?  (For example, celebrity deaths have been reported on Facebook, shared and reshared, only to have the dead celebrity post that they are not, in fact, deceased.)


First of all, I would personally caution anyone from believing anything they see on social media, unless they research and personally verify it.  For example, let's say someone posts about the IRS suing you for back taxes.  Check out Snopes to research and debunk many seemingly-plausible myths that are out there.

Second of all, it is a much grayer area when posts are done about opinions rather than facts.  Think about this - as people, we tend to filter everything we see and hear.  That filter says, if we agree with it, we listen to it, and if we disagree, we don't.  So someone makes a statement, and you agree - you then are more likely to listen to other things he says, thinking that this is someone with whom you have some kind of background of agreement.  And vice versa, if that person says something you disagree with, then everything he says isn't worth listening to.

If that were the sum of all Human capability, we would be in a very sad state indeed, probably still hunter-gatherers who haven't progressed to agriculture or civilizations.  If all you get your news from is news sites that you "like" because they say the right thing, then you are limiting your knowledge and awareness of the world.  Furthermore, what if the US Congress were peopled by representatives who only listened to those who had the same ideas?  Wait, it mostly is?!?!?  It wasn't always like that, and think to the people whom we admire most - these were people who listened to, and respected, those whose opinions differed from their own, but whose primary central commitment was to the discourse, to listening to you, to expressing their views, and coming to an understanding.

Lastly, and most of all, I want you to consider this.  Think of our town, our city, our state, our country, even the world as a family.  A nuclear family.  There are a lot of dynamics in a family, people do things that upset others, and they get angry, say things that are hurtful sometimes.  Yet, as family, we have a common survival, a commonality of living together.  And, as a healthy relationship, we listen to each other, we forgive each other our transgressions, and we ask for forgiveness when we realize we transgressed.  That healthy existence is being threatened, for political means, by others who have as their goal the downfall of our country.  They want to sow discord, have us fighting and disagreeing, and they love it when they hear that their little innuendos, insinuations, and machinations have caused us to fight.  They hate it when we work things out and make our own lives better.  These are the forces at work, when political actors are trying to sabotage how we function as a civil society.  Remember, the Constitution of the United States established a limited-power central government just so that we can be stewards of our own politics, and that we can have our own overarching goals of working together and working things out.  And remember that many are jealous of our country, and are righteously outraged by the transgressions against our own Constitution that we sometimes perpetrate.  They think that our society is rotten, that we are weak, and that they can bring us down from the inside by making us fight over our disagreements.

Are they right?

Friday, May 12, 2017

Myth and Reality - The Truth and Dangers with Artificial Intelligence

Introduction

The inspiration to write this post came when I logged onto our Salesforce account, and was presented with the marketing banner, "Meet Salesforce Einstein, AI-powered CRM for everyone."  It occurred to me that AI is the new Cloud, the new IoT.  As such, its use has become commonplace in the news, articles, advertising - everywhere, and most assuredly, its meaning has become vague, evoking the yearning for the "latest and greatest" while dire warnings from science, science fiction, and business are becoming more urgent and public.

This publicizing of a technical term creates a great opportunity - to raise awareness, both of what it is and what it can become, and to hopefully inspire some action.

Definition

In Computer Science, Artificial Intelligence (or AI) is a term that has been thrown around since at least when I was in college back in 1990 (as a Bachelor's in Computer Science from University of Michigan).  I have found that, until the last year or so, it has been a pretty technical term that those of us in the industry seem to intuitively understand.  However, now that its use has become ubiquitous in the day of "smart phones" and massively-capable mobile devices, I feel that its use and meaning may have become watered down and obfuscating much in the same way that the term Cloud has become prior to it.  I'd like to clear that up.

First of all, we have Hardware (or the physical parts of a computer that you can touch), and Software (or the instruction code that is bundled up into a thing that performs tasks and makes the hardware useful).  AI is software, for sure, but not all software is AI.  This is in much the same way as putting a hard drive on the Internet and calling it a Cloud isn't really a Cloud, but a Cloud-accessible storage.

So what are the basic elements that make it AI?  I would say that it requires a few things:

  • Capability to "learn"
    • What do we mean by learning?  This is so intrinsic to what it is to be a Human, that we almost don't have a precise grasp on it.  We try something - and we fail, or succeed, and that outcome gives us a certain level of understanding that we didn't have before, and we use that to inform our future decisions.  So if we turn left while driving, and hit a wall, do we refrain from turning left thereafter?  No, but we do look and examine the conditions first (is there a wall?) before attempting a turn, either left or right.
    • The ability of animals to learn ranges from very simple (think insects) to extremely complex (think primates, dolphins, whales, elephants let alone us Humans).  Software learning could consist of building a database of "facts" and using those to make decisions, but learning on anything but the level of an ant is much more complicated than that.  It is comparable to reprogramming ourselves based on input, not simply cataloging the results and using them.  We can learn new skills, for example, that we didn't have before (these range from mental to physical skills, and combinations thereof).
  • Recognition via senses
    • We have our various senses:  touch, taste, smell, sight, hearing, kinesthesis, time, and more.  We can recognize, for example, with sight a color (say red), in various light will be different actual colors, but we still recognize it as red because of the context of the ambient light.  We are far, far more nuanced than that simple example, recognizing faces, even similarities between faces (oh, you look like his daughter), and more.  AI commonly consists of pattern recognition, sometimes using what is called a neural net as a computing construct to build history and analyze input based on that history.  You've seen the sci fi shows that do facial recognition, where they pull up all the cameras in a city and search for someone (they are really close to that now in reality), and perhaps have set up a sign-on with the PS4 camera so that when you show your face, it logs you on.
  • Language
    • If you have tried to learn a different language, or even delve into the depths of your mother tongue, you will know what a crazily complex thing Human languages are!  However, AI will be able to understand, at least at a rudimentary level, spoken and written language.  What do we mean by "understand?"  Yes, understand the explicit meaning of words, if not the implicit meanings ("what do you mean, yes honey I love you?  Are you mocking me?").  Intonation, inflection, even body language are things that are probably way off, but they undoubtedly will be coming - if we continue on the path we are on now in AI research.
  • Decision-Making
    • As I said earlier, cataloging the outcomes of actions and making decisions based on those outcomes and current input, is a very small part of decision making.  If you don't think that's true, then you aren't a Project Manager - a very highly skilled profession that requires years of training and experience to pull off successfully, even for the highly skilled learners that Humans are.  But some form of adaptive decision making is part of a true AI solution.
  • Morals
    • A set of limiting and/or guiding principles, the violation of which are thought of as horrific and punishable, also must be included in a true AI.  Think Isaac Asimov's rules on robot behavior.
    • What if these moral limiters could be bypassed (e.g. the robot's eyes turn from blue to red)?  What if some unscrupulous developer excluded them altogether?  What if someone hacked them?

Progression

So, it would seem we are pretty far off from C-3PO, Human-Cyborg Relations, right?  Yes and no, yes some things we have very far to go (hey, they are still struggling with a 2-legged robot keeping its balance), and in other things they have made huge advancements.  However, now, before things get too far, is the time to step back and ask important social questions, like why, or should we?  Elon Musk, the founder of PayPal, Tesla Motors, and SpaceX (among others) thinks that achieving some of these key AI milestones is merely a matter of a couple decades away (or less).  And he should know - he is involved in a lot of technology development, including self-driving cars.

Am I predicting all doom and gloom?  You know the old saying, the road to Hell is paved with good intentions.  It starts out with cool things like mobile phone assistants, but then it progresses to clerks who can take your order and deal with dissatisfied customers (in a mostly dissatisfying way), to robotic assembly lines that can fix their own production issues - but suddenly, something happens.  Skynet becomes self-aware, and determines that Humans are a scourge to be wiped out.  Frankly, I cannot see any progression of AI that doesn't end in some catastrophic, cataclysmic struggle for existence.  That's the stupidity of being Human - we push and push and push, knowing that we are pushing off the cliff, but it's someone else's responsibility, someone else's problem.  That's right, the aliens are projecting an SEP field on us!  I have endless faith that Humans are self-destructive to a small or large degree, depending on how successful you are.

Does AI have to progress to the point where machines become a danger to us?  Let's look at things this way.  Computers are already so complex, that there is probably not a single person on this planet anymore who can comprehend the full set of what is going on there.  That means, the product is beyond the understanding of any individual.  The complexities that arise mean that we don't fully understand the consequences.  We don't fully grasp the potential - and all we can see is what the Sales and Marketing people want us to see.

As a self-confessed tech geek and tech aficionado, I am warning us all that this is a bad path.  There is no good ending for this.

In the Media

AI is in the media on an almost daily basis.  From self-driving cars, to smart homes, electronic assistants (Alexa, Siri, Cortana, and Hey Google), to even things we don't think of like traffic lights and telephone call routers, AI to some basic level has been here for decades.  However, it has reached a point where technology, research, and capabilities have expanded tremendously - and this brings up danger signs.

What, am I saying that the latest military top secret project will become Skynet (think Terminator)?  Or that people in charge who bypass authentication and set things to run automatically without safeguards will enable the digital world to enslave humanity (think Brian Herbert's prequels to Dune)?  Yes, as a matter of fact, even though that may sound farfetched and outlandish, Elon Musk and Stephen Hawking, 2 of the world's foremost minds in business, technology and science, are warning just such a thing.  I have agreed with that assessment wholeheartedly for about 30 years, as a computer expert who has been developing and implementing automation solutions that help make businesses run better and faster.

What's the Answer?

Get rid of computers!  Yeah, right.  The only way that will happen is by circumstances outside of our (Humanity's) control.  So if that's not an option, do we stop research on AI?  I know 2 high profile brilliant people who would say so, and I strongly urge a complete and total ban on AI.  Machines should not do the above, and it should be enshrined in our laws, our religions - or, if not, we risk extinction.  Maybe even having governmental or non-governmental review boards to review software for signs of AI, and enforcement to punish perpetrators of a newly-defined crime, a crime against Humanity's future.

I have read a lot of books, fiction and non-fiction.  Of all the books I have read, my hands-down favorite is the Dune series by Frank Herbert and son Brian Herbert.  Especially piercingly prescient, the father's series takes place thousands of years after the Human race barely avoided extinction from its self-induced machine overlords (the subject of the son's prequels).  In the myriad of planetary systems, thousands of distinct cultures and civilizations descended from Earth - each and every one of them has a basic law at the core of all religions, government, society - Thou Shalt Not Create a Thinking Machine.  In the books, Humans learned their lessons about the boundaries of technology - and had achieved faster-than-light interstellar travel, vast technological marvels, and more - all without a machine more intelligent than a calculator.  True, that's a novel - and true, computers are fast, capable, and people spend money on faster and more capable.  But at some point, all of these warnings will come to fruition (not may, WILL).  And we will have to repeat the lessons of the universe of Dune - if we survive.

Sunday, August 28, 2016

New iPhone 7

As September 7 and the impending announcements from Apple approach, the company is in an unprecedented situation. While the company doesn't give a whit about market share, it has been declining steeply.  For the first time in its short history, iPhone sales are in decline. Why? What's going on? More importantly to the company, product, and investors, what will they announce in the 7 to reverse the trend?

I've said many times that Apple is the choice of people who are concerned about digital security and privacy. I've also said it's the company for people who like an ecosphere of products that work together. But when push comes to shove, it appears most people want just a smart phone, and one that appears to be innovative. Never mind if the innovation is internal, or geared toward app developers. 

So the rumors that usually pan out say the 7 now removes the audio jack, has the same dimensions, but no real clues as to what's really new. The Apple Watch is also rumored to have an upgrade at the same time. But so far this hasn't impacted iPhone sales noticeably. 

So is Apple in trouble? Far from it. The Mac is still selling strongly, and even though down, iPhone sales are good, and profits are good. But truly it is challenging to restore growth to their flagship product. 

Tuesday, March 8, 2016

My AT&T Account was Hacked - How could we have avoided it?

Last week, our AT&T Wireless account was hacked on the web site.  The way they got in, was they probably guessed or stole the password for my wife's login from some other website, and tried it on a variety of carriers until it worked.  We got a text message from AT&T last week that the security questions had been changed.  When I went to look at it, they hadn't.  I immediately called the AT&T Fraud department, and they told me that no updates had been made, and no changes to the service, and that the system must have sent the message to me in error.

Yesterday, I got another text message on my phone, that my billing address had been changed.  It had been changed to a Miami Beach address.  At about that time, my wife called me from our kid's phone, saying that her phone no longer worked.  Neither did one of our other phones.  At that point, we realized that a new user had been authorized on the account, and that a new phone number had been added last week, and one of the phones (out of contract) had been used for an upgrade.  AT&T showed that the new phones had been picked up at the Apple store on Broadway, in New York.

Apparently this is very common, for thieves to use stolen credit cards, pay online on a hacked account, and pick up a phone from the store.  Once they do that, they sell the phone as quickly as they can, and pocket the cash.

Meanwhile, it took about 5 hours with AT&T Advanced Technical Support to get our phones restored, and with the Fraud department to get everything else straightened out.

The worst thing about all this was, it could have (and should have) been prevented!  How?  Let's look at the perfect storm of everything that went wrong:
  1. AT&T Account Security provides a phone number, e-mail address, and generated access ID to log in and manage your account.  3 different ways of logging in.  Simplify it, give us 1!
  2. AT&T Account Security has the option of requiring a PIN that you specify, for "any and all account changes that will cost you money."  Apparently that is misleading.  We turned on that PIN feature last year and set the PIN, however it only works for in-store purchases.  The web site does not require the PIN, and this is something they are aware of, and have not yet rectified.  Shame on them!  If they had required the PIN, then simply using the login stolen from somewhere else would have not been enough.
  3. Simple Password Login - my wife (who will remain unnamed to prevent embarrassment) used to use the same password for everything.  Everywhere.  This practice is still rampant, and I strongly discourage it.  As I've recommended several times (1, 2), you should not know the vast majority of your passwords.  You should have a super secret master password that you only use one place, for your password vault, and have all others be randomly generated long alphanumeric with punctuation marks.  Thieves know that people like to use passwords that are easy to guess (by the way, if your password consists of a word, even if you change letters to numbers or add numbers at the end - it is extremely easy for computer software to guess), and use the same passwords everywhere.  Software is specially designed to exploit the patterns we use ($ for S, 0 for O, 1 for L, etc.) and crack the passwords within minutes (average is 6 minutes or less).  So even if thieves hack a system you logged into and steal encrypted passwords, they can decrypt it within minutes.
  4. Text Confirmation PIN - Apple and many other companies send text messages to known, pre-registered devices to confirm identity.  For example, if I log into iCloud, it sends a PIN to my phone, which I then have to enter (after username and password) in order to access my cloud account.  This is simple and very easy, and should be done by AT&T and all mobile carriers to confirm something as basic as adding, removing, or upgrading a line.
  5. Multifactor authentication - whenever this is available, turn it on and use it.  This means, instead of just asking for username and password, some other thing is asked for to prove you are legit.  For example, a lot of systems use Google Authenticator.  This is like those RSA secure keys you may have seen, which generate a new number every 30 seconds.  When you log in, you have to enter name, password, and the number - which follows a predictable pattern only known between your device and the site you are logging into.  Another example, is not just asking for name and password, but some other random mix of questions that you define, and answers you set up.  For example, "What was your first car?"  "1981 DeLorean" - if you set up 3 to 5 Q&A, then it randomly selects one, and you have to answer that plus name and password to log in.
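
Item 3's point about substitution patterns can be turned into a sign-up check. This is an added example, not code from the original post: it undoes the common swaps and trailing digits before looking a password up in a word list, and generates the kind of random password recommended in that item. The short word list is constructed for the demo and the function names are illustrative.

```python
import re
import secrets
import string

# Constructed sample list; a real deployment would load a large list of
# common and previously breached passwords instead.
COMMON_WORDS = {"password", "dragon", "sunshine", "welcome", "football"}

# The swaps named in the post ($ for S, 0 for O, 1 for L) plus other usual ones.
_BASE = {"$": "s", "5": "s", "0": "o", "@": "a", "4": "a",
         "3": "e", "7": "t", "!": "i"}
# "1" is ambiguous (l or i), so both readings are tried.
_TABLES = [str.maketrans({**_BASE, "1": "l"}),
           str.maketrans({**_BASE, "1": "i"})]


def candidates(password: str) -> set:
    """Return the plain-word forms a pattern-aware guesser would try."""
    lowered = password.lower()
    # Drop a trailing run of digits/punctuation ("2016", "123!").
    trimmed = re.sub(r"[^a-z]+$", "", lowered)
    return {form.translate(table)
            for form in (lowered, trimmed)
            for table in _TABLES}


def is_guessable(password: str, words=COMMON_WORDS) -> bool:
    """True if the password is a listed word after undoing the usual swaps."""
    return any(c in words for c in candidates(password))


def generate_password(length: int = 24) -> str:
    """Random password from letters, digits and punctuation (for a vault)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry until every character class is present.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    for sample in ("Pa$$w0rd123!", "Dr4g0n2016", "sunsh1ne", generate_password()):
        print(f"{sample!r:32} guessable={is_guessable(sample)}")
```
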
Luckily, we caught this quick.  Chances are very slim it was quick enough to catch this thief, or even quick enough to prevent him from selling the phones he stole.  We lost a bit of peace of mind, and time spent dealing with it.  But other forms of identity theft can be much more damaging, and you owe it to yourself (and the efforts of law enforcement to catch these criminals) to learn what you can do, and prevent these from happening.

And whatever you do, don't believe it when a guy calls saying your PC has reported problems to their server!

Thursday, February 18, 2016

Did you know that PC Security Services can "help" fix your computer problems?


I got a call from a guy named Harry (yeah, right, this guy with a middle-eastern Indian-sounding accent's name is Harry), who claimed that he got my number because my Windows was reporting problems to his  server, and he was calling to help me out.  Good thing too, Harry!  (Interesting choice of names - this was Peter Parker's friend who turned out to become a super villain...but that's a different universe.)

I asked him how he got my phone number.  Harry told me that everyone who has a Windows computer has a unique computer license ID number (TRUE), which is automatically registered with them (FALSE - it is only registered with Microsoft, and they do not share their customer registration information with any third party companies).  And that they receive reports at their technical server that go to their R&D center, and notify them of issues.  (FALSE: Nobody would do this without a service contract that would bill you periodically.)

He then told me there were a bunch of problems with my Windows computer (I held off, not telling him I have Macs).  I decided I would play the dumb user, so I went along with him.

First, he wanted me to run the Event Viewer.  OK, harmless enough.  Then, he showed me a log of errors that Windows keeps.  He had me look at the count of errors, and whatever number I gave him, it was too much (it was 8,232).  [FACT CHECK:  During the normal operation of any computer system, it will log errors.  This is fine - when some non-essential part of the computer fails to do something the way it expected, it logs an error.  Typically, this is nothing to be concerned about.  If you are concerned, take it physically to someone you trust, not to some guy who calls up over the phone.] Then he had me close that window, and run MSCONFIG.  This tool shows startup jobs, as well as services.  He had me look for any services by Microsoft Corporation that were stopped.  There were a lot, and he said this is bad.  [FACT CHECK:  There are always some stopped, by the way - not every service is turned on.  In fact, I had specifically gone through just a few months back and disabled some more non-essential services, to improve performance of my system, but he didn't know that.]

So, he said that the bad software I get from e-mails and browsing the web had disabled important Microsoft services.  [FACT CHECK:  This is typically the way bad software gets on your computer, but it is also what antivirus security software most often checks for and protects against.]  Then, he wanted me to go to a web site, www.mypchelp.us.  This one failed to come up, so I can only guess that the domain has been blocked by net monitoring.

So, he had me go to www.fastheal.net, and wanted me to click Connect to Technician.  [FACT CHECK:  This is the kind of attack that is harder to protect against.  They get you to run something over the web browser, or install a program remotely with your permission, during a time when they have obtained your trust.]

This is where they get you.  I had played dumb with Harry, stringing him along, and pretending I didn't understand ("how do I find the Control key?  Oh, the CTRL key!").  After half an hour of having this guy patiently explain to me how to minimize a window, find the CTRL key, and find the Windows key, let alone type in the commands he wanted (all the while I was Googling the stuff he told me, and came across this warning by Microsoft), I asked him if the Connect to Technician will fix my problem.  I said, because I have a big problem, I have too much money in my bank account, and wanted someone to steal it from me to help me with the problem.

The dude didn't know what to say.  I told him I had been a Windows expert for 30 years, and now have Macs, so I don't even have Windows at home.  And, that I would be reporting the phone number and web site to the FBI and FTC.  Ah, so much fun making the guy squirm in his chair when I asked "Where is the Control key?" - if only I could see his face.

Friday, October 30, 2015

Is The Ability To Find And Secure Your Misplaced Mobile Device Important?

Apple mobile devices (indeed, computers as well) ask you to turn on location broadcasting when you first set them up.  That is, the device broadcasts its location to your cloud account, so when you log in via the mobile or web app, you can locate your devices.  Further, on their mobile devices, this also enables a feature called Activation Lock.  This means your hardware is prevented from any kind of system reset or reinstall, without first entering your cloud account password and device password, or removing it from your cloud account.  This prevents unauthorized people from, for example, swiping your device, and reinstalling it, and selling or using it like a new device.

So, the other day, my daughter walked home from the bus stop - got home, did her normal thing, had dinner, and after dinner, said "Dad, have you seen my phone?"  With an iPhone, the normal procedure is to log onto iCloud, and tap "Play Sound" on the lost device - which it also shows on a map.  (By the way, if the battery is dead or it is offline, it shows the last known location when it was still connected to the network.)  The sound plays even if the phone is turned on silent, so they thought of that, of course.  She couldn't hear it, and apparently can't read maps well either.  It showed on the next street over, on the way home from the bus stop.  Sure enough, it actually showed which side of the street it was on, to an accuracy of inches.  I pulled the car over, at night, and walked to the spot on the neighbor's lawn, and voila.  There it was.  (By the way, the phone locations have been so accurate, that I have been able to look at the map, and determine if it is in the front or back side of my house.)

It occurred to me, if someone had an Android device, what would they do?  Android enthusiasts claim you can do anything and more on an Android device that you can do on an iOS device.  Is this true?  Well, turns out, not quite.  First of all, they do have a rudimentary location capability, but it has to be enabled, and it isn't by default.  It doesn't prompt you to do so on a new device (at least, not yet).  Once you enable it, you can locate it, but only if it's online, and that's all you can do.  If it is on silent, you can't play a sound.  Do you know how many times this has helped us find the iPhone or iPod that slid behind the couch cushion, or was hidden by the mischievous little brother?

Further, Android has very loose security - if someone does steal your device, they can easily root it, reinstall the OS, and voila, they have a phone or tablet they can sell or use as new.  How's that for protecting your investment in their product?  I find it disgusting.

And, what about computers?  With a Mac, it becomes much more difficult to protect from theft, as the hardware is made to be swappable and replaceable.  So a simple hard drive swap, and it's gone forever.  But, at least barring that, you can locate and possibly recover your machine if it is connected to the Internet, assuming the location service for the IP address isn't spoofed, and works well.

So, Apple at least has a basic protection on their computers, while they have an awesome well-rounded solution on their mobile devices.  If you are angsting betwixt the fruit or the dessert brand of devices, I'd say the fruit is much healthier.