Thursday, May 29, 2014

How do you find a $%!@ phone number?

Or, Telephony in the Internet Age



For much of my life, if we wanted to find a phone number we would grab a Yellow Pages and flip through to find it.  In college, computers were fast becoming mainstream, and my roommate had the brilliant idea to distribute phone directories for pay on disks (tip to you, Neil!).  5.25" floppy disks.  This of course allowed people to search a phone number and find the name associated with it.

Fast forward to 2014.  For many years now (at least 8), I have not even opened a phone book.  If I want a number for a person or business, it's easy to find online or in my contacts, and the result is more up-to-date than a printed book.  It also doesn't waste paper, or all that fuel trucking the heavy paper to my house, let alone cutting down the trees, processing the paper, and publishing the books.

Spam

But, let's say someone calls you from a phone number - how do you find out who it is?  Whether what caller ID says is correct is quite the question (data entry mistakes are made, and spoofers fool the system).  I get tons of calls from telemarketers, surveyors, and scammers alike.  It's one thing when they call my home, really annoying when they call my cell, but when they call my kids' cell phones it is downright disturbing.

What recourse do we have?  Sure, we can block the number from future calls, but typically these callers use multiple numbers, or spoof the number.  Yes, the phone systems are so stupid and open to hacking that anyone can call from apparently any number with any name using the right equipment (which doesn't cost much).  And nowadays a phone and phone number can be anywhere in the world, throwing out the whole hope of enforcement, jurisdiction, and punishment.

Indeed, the Area Code and Exchange of a phone number used to give you its location.  Not so any more - numbers can be obtained and operated from anywhere, for anywhere, let alone call forwarding.

Truly, I see this as the next big area of concern.  Can we push our federal representatives to legislate security in our telephone system?  Certainly they did have the will to pass laws on telemarketers, so why not to force telecom providers to tighten up security and prevent unauthenticated broadcasting of Caller ID?

Finding a Number Now

Let's say you are looking for a phone number for an individual, not a business.  How would you go about looking it up?  Do you call Information at 411?  You could do that, but typically there is a charge associated with it, especially on your cell phone service.  Really, who does use an actual phone book any more?

Do you search the Internet?  Well, there is a huge can of worms.  You get a bunch of irrelevant results, and there are a TON of people and phone finder web sites that say they are free - but by heck are not!  They dupe you into a page where, to continue and get the actual number, you have to pay.

Whitepages.com does work fairly well, and is truly free - apparently paid for by advertising and cross-reference link referrals.

Alternatives

Here's what I like as far as screening incoming calls:  Google Voice.  If you haven't used it, it is a phone number that you get - for free - but it could very well be the last phone number you need.  When people call it, it rings through to numbers of your choosing.  So, you give out your GV number for people to call - and if your home phone, cell phone, or work phone change - you log into the web site and update it.  Voila, your calls are forwarded.

But further, if you want to group callers into friends, family, coworkers, customers, etc. and set up ring-through rules for each group you can.  So friends and family don't ring through to work, and coworkers and customers don't ring through to home.

You can also block callers.  If you get a call from someone annoying, you block them on the web site.  This prevents them from calling you from that number - and further it gives them the telecom code for a disconnected number, so if it is a telemarketer robot, it will automatically remove your number from the list!

Texting?  Yes, it supports SMS, so you can send and receive text messages using this number - and have the SMS messages either forwarded to your "real" phone, or as e-mails.

Voice-mails are transcribed automatically (and with some hilarious results) into text that can be viewed in an e-mail or in the voice-mail inbox.

And the cost for this service is steep - $0 per month.  If you multiply that out - that's $0 per year.  Or if you want to pay in Euros, that is 0 €.  Per Month.

Send me feedback in the comments - when was the last time you used a phone book?  Do you still need it?  What did you use it for - to find a number, or to hold down something that might blow away?

Tuesday, May 20, 2014

Security 103: Biometrics for Mobile

Article 3 of 3

In this multipart series, I will examine the various aspects of what we call "security" in the Digital Age, and how we can protect ourselves from the exploits of others.

The Promise of Biometric Security

Biometrics (in relation to digital security) is the ability to recognize unique physical features of your body, for purposes of authenticating identity.  For example, you have unique fingerprints, a unique pattern of blood vessels in your retina, a unique heat signature on your body, a unique face, etc.  The reason Biometrics is an area of research and interest - as pointed out in previous Security 100 series articles - is that the old methods of user name and password have a very low security level (and by "old" I mean they still account for more than 90% of the authentication methods but they shouldn't be used anymore!).

Augmenting or replacing the password with biometric identification increases security to the point where only professionals have the knowhow, equipment, and funding to break (or hack) your security.  Further, it can even make it easier for the right person to unlock what they need access to.  Instead of having a simple password that is easily remembered and guessed, you can have a very complex one - and use your body to unlock it.  If the device gets into the hands of someone else, they can unlock it if you give them the password - if not, good luck guessing.

When it comes to digital security, advances have been made in recent years in some of these forms of identification.
[Image: Apple's Touch ID sensor built into the home button]
  • Fingerprint scanners have been widely available on laptops and PC keyboards for many years; however, you have to swipe your finger along a bar.  Apple's new TouchID provides the ability to recognize upon touch at any orientation, a major advance.
  • Retina scans have made only small progress toward practical applications - with the dream of Star Trek's "Identify for retina scan... Kirk, Admiral James T." still years away.
  • Facial recognition is offered by some devices.
  • Precious little else has emerged as practical technology.
So, what is available in a mobile device?

Fingerprint Scanners

[Image: An external bar-type fingerprint scanner, the same type as those built into some notebook models]
The typical fingerprint scanner deployed in computing (PC's and some smart phones) is a flat bar that you run your finger across.  If your finger is dirty, or you run it unevenly, or at the wrong orientation, or anything else out of the ordinary happens - it tends to not work.  Some scanners allow you to place the entire fingertip on a screen and scan at once, but these are bulky and do not lend themselves to small, especially mobile, applications.

One exception, though, is Apple's TouchID introduced in the iPhone 5S.  This sensor is ultra-slim and extremely fast.  You place your fingertip on it in any orientation, and it performs a scan using electrical signals that read not just the surface of the skin in contact with the sensor but, via electrical conductance, a layer a bit deeper.  And it does it almost instantly.  This is the type of experience that users find seamless and desirable.

Soon after the availability of the iPhone 5S, hackers announced they had spoofed TouchID - but the cost, equipment, and technical expertise required meant that it would not be a common occurrence.

Facial Recognition

While visiting a customer recently, he showed me how his Android phone unlocked the screen when his face was held up to the camera.  However, it took me all of 5 seconds to spoof it, by taking a picture of him with my phone, and holding my phone's screen up to his phone's camera.  I very strongly do not recommend using this feature with any expectation of security.  It is only a convenience to avoid entering your password - so if you only have that expectation, you will be fine.  Also, if you plan on using it while driving, you would have to look at the camera to get the same expression that is recorded, or the accuracy rate drops significantly.  TouchID, on the other hand, can be done by feel, eyes free, so it appeals to me as a safer technology for use while doing other things.

In addition, facial recognition is very faulty when it comes to image quality, lighting, and other visual issues.  Sometimes it had to be retried - and if you can imagine this as a solution to unlock your device easily while driving, this is not the way to go.  Then, if you consider how easy it is to reproduce images, or to use makeup and costumes to mimic faces - I don't see this as practical.

Forget Facial Recognition as a viable solution to biometric security.

What Else?

In lieu of any other technology that works well enough to be inexpensive and mass producible, let alone small enough to put on a phone (although now you have phablets...ugh I hate that word and the thought of a communication device too big to fit in your pocket), there really is nothing else in the form of biometric security today.

Wednesday, May 14, 2014

Page Not Found Error? Don't despair!

Have you ever been searching for something on the Internet, and think you found exactly what you are looking for - only to be hit with HTTP Error 404 - Page Not Found (or some similar error) when you click the link?

Did you know that there are free services that archive the web constantly, and allow you to go back and look at URL's through time?  One example I use a lot is Internet Archive WayBack Machine.  If this happens to you - the first thing to do is DON'T PANIC (yes, intentional reference to Hitchhiker's Guide).

Second, hit your browser's Back button (or go back to the page that has the link you want).  Right-click, and depending on your browser pick Copy Link (or Copy Link Location).

Next, open a new tab and enter "archive.org/web".  Finally, paste the URL that is gone into their search bar, and you will see a calendar graph of updates to that URL throughout time.

The black bars show when the site changed, and you can click the month, and the date in the calendar below to see the page at that date.

That's all there is to it!  Hopefully this saves your hair from being pulled out.  Poor hair!

Monday, May 5, 2014

Security 102 - How Secure Is Your Digital Life?

Article 2 of 3

In this multipart series, I will examine the various aspects of what we call "security" in the Digital Age, and how we can protect ourselves from the exploits of others.

The Problem

As noted in the first post in the Security 100 series:
The more you follow patterns, and the simpler those patterns are, the easier it is for someone to hack you.  More specifically, if you use say 5 different passwords for all the hundreds of web sites and software you use, and those passwords are always 8 characters, have an upper-case first letter, and a number at the end, and replace certain letters with certain numbers - voila, that's a simple pattern.  If you use the same password for Google ID, Apple ID, Hertz, Avis, Marriott, Delta, Southwest, American Express, and your bank - well, you get the picture.  Once someone has one password, they have all your passwords!
So, let's dive into passwords and authentication.  Back in the old days, the ancient civilizations had an authentication problem.  Think of the Greeks, with thousands in their armies: they needed to know friend from foe, and to trust the carrier of a message.  The first form of authentication is facial recognition - knowing each other.  But there's only so much you can remember, and what happens if you just haven't met them yet?  So, many different devices have been used - from carved stamps in wax that are hard to reproduce, to some personal token (a ring, an amulet), to passwords.

In the Digital Age, this has become the now ubiquitous "enter your user name and password."  And, what are probably 99% of user names?  E-mail addresses, which of course are public knowledge.  So half of your authentication is public knowledge.  What do we use for passwords?  Something we can remember, something meaningful - so that anyone who knows us probably can guess, and anyone who gets to know us can figure out.

Since we have been inundated with thousands of different systems that don't talk to each other, each one has to have its own authentication - and as users of various systems, we can only keep track of so many in our heads.  This has been helped somewhat with common logons like OpenID, Google, Facebook, and more where systems use those common logons to authenticate - but the problem is, if you have one ID hacked, the hacker is into all those systems.  Have you ever tried to log into your bank site, only to realize you forgot the password?  And, you can't remember the damn security questions you set up to re-establish your password?

What do we do?  If you are like almost everyone, you do the following:
  • Use some word that is meaningful to you.
  • Change it up a bit - but only a bit, so you can remember the changes!  For example, if your word is puppy, make it "pUppy1" or "p0Ppy" or some such replacement.
  • Use the same password on many sites
If you are guilty of any one of the above (that was me, until now!), then your security is at major risk of hacking and identity theft.  Think of the implications - what if your password for your e-mail account is the same as your Apple ID password?  And, if you use the "Find My iPhone" iCloud service - then a persistent hacker can find your password, guess that you have Apple devices, and disable your device.  Or, they can call Apple, and with a little persuasion, convince them to change the password on you (I have read blog posts on this happening).  They can download all your synced data.  What if your password is also what you use on Dropbox, Google Drive, Microsoft SkyDrive, and more?  Yes, they can access all your data.
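The three habits above (a meaningful word, a slight "pUppy1"/"p0Ppy" tweak, and reuse across sites) are exactly what a password manager's audit tools flag, and the same pattern is lesson 5 of the Security 101 post below.  As an added example (my own code, not LastPass's or any other product's), here is a small audit that checks a vault for those three habits and generates a replacement with the CSPRNG; the vault contents and the tiny word list are constructed for the demo, and a real audit would use a full cracking dictionary.

```python
import re
import secrets
import string

# Constructed stand-in for a cracking wordlist (assumption: a real audit loads a large one).
COMMON_WORDS = {"puppy", "poppy", "password", "summer", "welcome", "letmein"}

# Common letter-for-digit/symbol swaps, reversed so "p0ppy" maps back to "poppy".
LEET_REVERSE = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                "@": "a", "$": "s", "!": "i"}

# The pattern the post describes: capital first letter, lower-case word, digits at the end.
CAP_WORD_DIGITS = re.compile(r"^[A-Z][a-z]+\d+$")


def weak_pattern_findings(pw):
    """Return a list of human-readable problems with a single password (empty if none)."""
    findings = []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    if CAP_WORD_DIGITS.match(pw):
        findings.append("capital-first-letter + trailing-digits pattern")
    core = re.sub(r"\d+$", "", pw)                       # drop the trailing number
    base = "".join(LEET_REVERSE.get(c, c) for c in core).lower()
    if base in COMMON_WORDS:
        findings.append(f"dictionary word '{base}' with simple substitutions")
    return findings


def audit_vault(vault):
    """vault: {site: password}. Returns {site: [findings]}, including reuse across sites."""
    sites_by_password = {}
    for site, pw in vault.items():
        sites_by_password.setdefault(pw, []).append(site)
    report = {}
    for site, pw in vault.items():
        findings = weak_pattern_findings(pw)
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            findings.append("reused on: " + ", ".join(others))
        if findings:
            report[site] = findings
    return report


def generate_password(length=16):
    """Random password from the OS CSPRNG, retried until every character class is present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


# Constructed example vault: the sites are the post's examples, the passwords are made up.
SAMPLE_VAULT = {
    "google": "pUppy1",
    "apple": "pUppy1",
    "hertz": "Summer2014",
    "bank": "P0ppy2014",
    "dropbox": "x7#Gq2!vLm9$pZ4w",
}

if __name__ == "__main__":
    for site, findings in audit_vault(SAMPLE_VAULT).items():
        print(site, "->", "; ".join(findings))
    print("replacement suggestion:", generate_password())
```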

General Security Procedures

Some things you can do in general to make your digital life more secure:
  1. Use random, complex passwords.  Yes, you won't be able to remember them.
  2. They should be 12 characters or longer, be unintelligible, and be different for each system or site you log into.
  3. Use a password management system to store your passwords - so you unlock it from a trusted device, with some super-secret master password that you only use for that one purpose.
  4. Do some research and find out if the system you log into offers multifactor authentication.  There are many forms of this - from a question and answer that you select or make up, to some second password algorithm that is "unguessable" - for example, Google Authenticator generates a number every 30 seconds, and you enter your name, password, and GA number for a specific logon (say Dropbox or LastPass or Hootsuite).  That way, even if a hacker does gain your password for the one system, they don't have your GA generator, and thus cannot possibly enter the number it generates.
  5. Do not write your passwords down anywhere.
  6. For a long time I stored my passwords in a Google Drive spreadsheet - but if anyone does hack my Google Drive account, they would then have access to all my passwords.  Plus, I had to manually update the list every time I added a new web site, or the web site changed because the company merged, or updated the password.  A pain!
  • Multifactor authentication means more than just a password to authenticate you.  The various forms so far are:
    • You can make up or pick a question, and enter an answer.  ("What is your favorite color?"  "Blue")
    • A number generator, like RSA SecurID, Google Authenticator, and others, that generates a constantly changing number that you use as a password.
    • Physical token security like Yubikey, Transakt, Toopher, Duo Security - these make you have a physical key (think the signet ring in the opening paragraph), that you insert into the PC in order to log into a system.
    • Biometrics - this refers to reading the unique "signatures" in your body.  Your eye retina pattern, your fingerprints, etc.
  • Find out if the system you use offers Multifactor Authentication.  If they do, then use it.  I like Google Authenticator because it is free, and reasonably secure.  It provides you a mobile app (which on iPhone is backed up with system backup) that reads a QR code that the system gives you.  It then uses the data in that QR code to set up a number generator for that system, so you can now use your name, password, and the GA code to log in.  Each Google Authenticator number sequence is specific to the system or app you are authenticating to - so my Dropbox Google Authenticator code only works for Dropbox logons - and I need to enter my logon name, password, and GA Dropbox code on a non-trusted device.

The Solution

So what am I saying, to have a different password for every system you log into?  YES.
But, that's impossible, you say.  How can you remember it?  Write it all down?  IN A WAY.

I have been using a system called LastPass for almost a year now.  There are others out there, but LastPass is:
  1. A complete solution, covering computers and mobile devices.  The system integrates with all of the most popular browsers, on the top 3 desktop operating systems (Mac, Windows, Linux), and all of the mobile OS's.
  2. Secure - they were not affected by Heartbleed because they did not use OpenSSL.
  3. Inexpensive - it's free unless you want mobile device access - then it is $1 per month.
  4. Sharable - for that $1/month Premium upgrade, you can share passwords with your friends/family.  They don't need to have a paid account.  That bank account you share with your wife?  Share the password in LastPass with her LastPass account.  If you or she changes it, it automatically updates in the LastPass vault, and next time you go to log in, it is filled in automatically from your web browser.
  5. Helpful - Tools help you identify duplicated passwords, and it has a password generator to generate a random password that is hard to guess by the most advanced hacking techniques.
So, how does it work?  On computers, it has a plug-in that installs in the browsers.  This plug-in handles all the different forms of web login - from web pages, to Flash apps, to pop-up authentication dialogs.  You give it a master password.  You can identify devices (your laptop, your phone, etc.) as Trusted so you don't have to give the master password every time.

On the iPhone, since Apple has secured the rest of the device, they have a web browser in the LastPass Premium app, so that you can go to any web site and your stored authentication will be filled in automatically from your password vault.  Android and Windows devices, of course, do not have sandboxed apps and allow LastPass to integrate with their web browsers.  (Side note: This is, to me, an inherent security weakness in non-Apple or jailbroken devices.)

What if you use a work computer and can't install any software?  No problem, you can put your LastPass on a USB stick, and run it from there without any installation or administrative rights needed.

Now what happens if someone hacks LastPass?  Good question!  One I don't have a good answer to - because if they do somehow get your master password, then you are ^$#*ed.

Thursday, May 1, 2014

Security 101 - How Important Is It to Update Your Devices?

Article 1 of 3

In this multipart series, I will examine the various aspects of what we call "security" in the Digital Age, and how we can protect ourselves from the exploits of others.

The Lessons

MacRumors recently reported that the adoption of iOS 7 has reached 87%.  That is 87% of all Apple devices connected to iTunes - not just the eligible devices new enough to be compatible with 7.  If we are talking just devices that have iOS 7 on them, it approaches close to 100%.  That is a monumental accomplishment if you stop for more than 2 seconds to consider.  Android, as Apple, Inc. is proud to point out, is a smattering of device models and manufacturers, all running various versions of the operating system, with around 10% of the market updating to the latest OS major release - let alone security patches.  This is a monumental flop, as I will point out below.  I am opening this post with a discussion of mobile devices, but let's back up a bit.  What lessons have "we" mobile device junkies learned from computers?

I think it fair to state that we as a society have learned the following lessons.  As individuals, how you understand and apply these lessons is of great importance to you.  It's up to you - learn from someone else's mistakes, or learn from your own.  The latter is more costly.
  1. If people can find a way of exploiting a computer, they will; whether for monetary gain, political ambitions, or merely just for the fun of disrupting other people's lives.
  2. Every computer depends on Humans to develop the Operating System that gives it its security, and on the Humans who use it to implement that security.  If someone "makes a mistake" or fails to identify and close a loophole, it will be there to exploit.
  3. Now that computers are connected to the Internet, the ability and ease of downloading malicious software (a.k.a. malware) has increased exponentially.  Add to that the fact that computing has reached every corner of the world, and billions of people have computers at their disposal - people with all kinds of morals, agendas, and abilities.  Multiply the sum of the above by the fact that instructional information (of all types - both helpful and harmful) is available on the Internet on any topic, including hacking and vulnerabilities.
  4. Now, let's define what a "computer" is.  This is an electronic device, with processing, memory (typically operating RAM and storage flash/disk memory), that has input and output, and runs a set of software called an Operating System that allows people to interact with it, and run application software.  With this basic definition, that broad brush includes:  Laptop/Notebook computers, Desktop computers, Rack servers, Any mobile phone ever produced, Any tablet, Any Television produced within the last - at least 10 years, your cable set-top box, any other set-top box (Chromecast, Roku, Apple TV, etc.), most alarm clocks (think iHome), any automotive vehicle produced in, say, the past 20 years...the list goes on.  Today, it is almost anything that requires electricity.  My Blendtec blender has a digital readout and buttons - and may be one of the few devices that is on the borderline because it has only physical I/O (buttons and display), and no Internet connectivity - yet!
  5. The more you follow patterns, and the simpler those patterns are, the easier it is for someone to hack you.  More specifically, if you use say 5 different passwords for all the hundreds of web sites and software you use, and those passwords are always 8 characters, have an upper-case first letter, and a number at the end, and replace certain letters with certain numbers - voila, that's a simple pattern.  If you use the same password for Google ID, Apple ID, Hertz, Avis, Marriott, Delta, Southwest, American Express, and your bank - well, you get the picture.  Once someone has one password, they have all your passwords!
  6. A simple name/password system is the easiest to hack.  Once you add more factors, it becomes very difficult for people to hack.

So, what are the implications of these lessons?  If you have a computer, someone either has or will develop a virus (or malware to be more general) for it, or be able to hack into it.  Why?  Because the systems are developed by Humans and therefore inherently hackable.   These hackers will try to make money off it, they will try to attack you for political gain (think Syrian Electronic Army, think NSA), or just because they can and they have the time and the need to feel excited at seeing the mayhem they created in other peoples' lives.

What are the takeaways from these lessons?  With PC's, we have gotten accustomed to the following security measures:
  • Regular security updates from the OS manufacturer (Microsoft, Apple, Ubuntu, Google, etc.)
  • Antivirus software that identifies and prevents attacks
  • Firewalls to prevent active attacks from the Internet
  • Spyware and Adware protection that does the same as Antivirus software against malware that tries to do some not-so-nice but not necessarily catastrophic things to us
In the Post-PC world of today, where the vast majority of devices on the Internet are NOT PC's, have these lessons transferred?  No!  We are all vulnerable, but not helpless.

And, more importantly, what can you do to protect yourself from this?

From Desktop to Mobile

From the definition of computers you can extrapolate the applicability to your mobile devices (note: not just "my" definition, but "the" because bottom line, that is what a computer is - and all devices under that huge genre are susceptible to the faults pointed out here).  Why the emphasis on mobile?
  1. The growth rate of mobile market has far outstripped the growth of the PC market.
  2. Mobile devices are inherently "personal" across cultures.  As such, we interact with them as if they are our own, personal spheres of computing - much more so than a PC.  However, these "personal" computers are definitely interconnected via many technologies, and always (or most always) "online." Also, it seems we are more willing to install apps and put data on/through them that either we may not on a PC, or is more convenient to deal with than a PC.
  3. Other than, to a limited degree Apple, the PC lessons have NOT translated to mobile devices.  What antivirus software are you running on your mobile device?  Yeah, I thought so.
    1. I say Apple to a limited degree, because if you go through iTunes to install software, they at least vet the apps.  If you have not jailbroken your device, the OS at least sandboxes each app to limit its ability to conduct malicious activities.  Windows, Android - forget it.  Blackberry?  Too small to even consider.

To Update...Or Not To Update

So, on PC's, what does Update do?  When OS manufacturers identify these security flaws, they let you update your system with their fixes through the Update mechanism.  If you don't use it, then your device remains vulnerable to those ways of causing you harm.  If you don't educate yourself on how to update your device - well, then that's on you.  When you get a car, you have to learn about getting fluid changes (not just oil), tire pressure, battery replacement, and so on.  If not, guess what?  Same thing with your computing world.  Except in this case, it isn't just the parts grinding on each other and wearing out - it is someone out there intentionally trying to mess you up, and going after you via the Internet, Bluetooth, etc.

If you have a way to turn automatic updates on, do so.  If not, make sure you check - on a weekly or monthly basis at the very least.  Should you update?  AS SOON AS IT COMES OUT.

Why Apple?

While many people love to hate Apple, again you have to think about what it is they have accomplished.  When they put out a product, they don't just put it out there - they offer a complete, "soup to nuts" solution. When an update is available on iOS mobile devices, each device will receive a notification.  Critical updates will actually interrupt the user using the device, and prompt them to install the update.

When I use the cliche "soup to nuts," I do mean that Apple has considered and handles each and every aspect of a device - from the developer network it needs to develop third-party apps to make it successful - to the end consumer and all aspects of delivery, support, training, and service - to all points in between in the supply chain.  They are not fragmented - they are organized, move forward with a plan and determination, and operate with integrity.

Updates do not occur in the same way on Android.  Indeed, since Android is an open OS (meaning Google gave it out to the public for free), many manufacturers have modified it to their own purposes to put their own competitive "flavor" on it.  This makes updates from Google even more iffy, because they could cause unforeseen issues on certain manufacturers or models if applied.

I don't know for sure, but I would guess that Windows Mobile updates the same as Windows.  My whole problem with Windows, though, is that Microsoft developed it.  Microsoft is the king of marketing and making money from products, but not the king of reliability and delivering what consumers really want.  Historically they have convinced everyone that they are the only game in town, but that is crumbling around them because they totally missed the large growth Mobile market and are scrambling to catch up.  Meanwhile, the plethora of security exploits on Windows is well-known, ubiquitous, and persistent.  The recent fiasco discovered in Internet Explorer affects releases 6 through 11 - practically every version of Internet Explorer in use today (see Microsoft bulletin MS14-021).  And Internet Explorer is core to Windows, so if you just install some other browser, you are still not replacing core functionality with the new browser - the embedded IE built into Windows and other Microsoft products propagates the inherent security flaws that make the system unstable and insecure.

If anyone has experience with Ubuntu on mobile devices, I would love to know how that fares.  I assume updates are delivered via the Software Centre, but are they pushed automatically (or push notifications so you can pull them)?