That’s two small steps for man… one giant leap for security

NOT ONLY does that bastardized quote make an appropriate lead-in to this posting, it reminds us of the fact that although we put a man on the moon way back in 1969, we still rely on passwords to protect our identity online and offline. And because it takes a concerted effort–even with the services of a password manager–to update and strengthen all those passwords, we often end up putting that task off for another day.

In the wake of the recent “celebrity photo iCloud hack,” Apple has been urging all of us to employ “two-step verification,” which as the name implies, involves a second step beyond simply entering a password in order to verify your identity when you make an iTunes store purchase or update your Apple ID account info. This isn’t a new concept; Apple and many other online services (including Google, Yahoo!, Facebook and Twitter) have offered various flavors of this security enhancement for years.

WHAT IS NEW is that Apple is now officially urging us to make use of two-step verification, in addition to strengthening our passwords. I’m all in favor of anything that makes our accounts more secure, as long as it doesn’t make our computing experience unnecessarily complicated. For most of us I feel the extra step is worth the additional protection, but read on to make sure that it’s a good option for your particular situation.

The additional “step” in two-step verification involves a unique PIN code that is sent to your cellphone via text message (or to an iDevice, via a “push” notification) once you’ve entered your password. At that point you’ll see a prompt to enter this code, which changes each time it’s used. So this prevents anyone from accessing your iTunes Store account or your iCloud data, even if they are able to guess your password. It’s a relatively simple process and requires only a one-time setup on Apple’s site.
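To make the mechanics concrete, here is a small server-side model of the second step described above. It is an added illustration, not Apple’s code: the code is random, expires after a few minutes, works exactly once, and a handful of wrong guesses throws it away, so a correct password alone never gets you in. The sample account, the five-minute lifetime and the three-attempt budget are all assumptions.

```python
import hmac
import secrets
import time

# Constructed sample account. A real system stores a salted password hash;
# a plain string stands in for it here so the example stays short.
USERS = {"alice@example.com": {"password": "correct horse battery staple"}}

CODE_TTL_SECONDS = 300   # assumed: a code is only good for five minutes
MAX_CODE_ATTEMPTS = 3    # assumed: a few wrong guesses invalidate the code


class TwoStepVerifier:
    """Issues and checks the second-step code for each account.

    After the password is accepted, a fresh code is 'sent' to the trusted
    phone (delivery is simulated by returning it). The code is single-use,
    so the one that let you in last time is worthless to anyone who saw it."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # user -> {"code": str, "expires": float, "attempts": int}

    def check_password(self, user, password):
        rec = USERS.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec["password"], password)

    def issue_code(self, user):
        """Generate a random 4-digit code and remember it for this user only.

        Issuing a new code replaces any unused earlier one."""
        code = f"{secrets.randbelow(10_000):04d}"
        self.pending[user] = {
            "code": code,
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # in production this goes to the phone, never to the caller

    def verify_code(self, user, code):
        """Accept a code once: correct, unexpired, and within the attempt budget."""
        rec = self.pending.get(user)
        if rec is None:
            return False            # nothing was issued, or it was already used
        if self.clock() > rec["expires"]:
            del self.pending[user]  # stale code: user must request a new one
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_CODE_ATTEMPTS:
            del self.pending[user]  # too many guesses: force a fresh code
            return False
        if not hmac.compare_digest(rec["code"], code):
            return False
        del self.pending[user]      # consumed: the same code never works twice
        return True

    def login(self, user, password, code):
        """Both steps must pass; a guessed password with no valid code fails."""
        return self.check_password(user, password) and self.verify_code(user, code)
```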

KEEP IN MIND, however, that if you decide to enable and use two-step verification, you must have a cell phone that can accept SMS text messages (most can) in order to set up TSV, and you must have either that cell phone (or any iDevice on which you’ve enabled Find My Phone) with you whenever you want to do any of the following:

  • Make a purchase from the iTunes Store, iBooks Store or App Store, whether on your Mac or any of your iDevices
  • Make any changes to your Apple ID info (credit card, password, etc.)
  • Sign into the iCloud Web site
  • Call Apple for help with your Apple ID

One other word of caution: Once you enable TSV, your Apple ID password is encrypted in such a way that even Apple can’t retrieve it for you. That’s why in the setup process you are prompted to create an emergency Recovery Key, which can be used in the event you forget your password. Obviously you will want to keep that in a safe place on your Mac, ideally within your password manager or in a Word document that is password-protected.

SHOULD YOU determine that two-step verification is the way to go for you, start with the setup instructions here:

Frequently asked questions about two-step verification for Apple ID:
http://support.apple.com/kb/HT5570

and then check out this Wall Street Journal article, which details how to enable TSV for many other Web sites:

Safety First! How to Sign Up for Two-Step Verification on 11 Top Online Services:
http://blogs.wsj.com/personal-technology/2014/04/11/safety-first-how-to-sign-up-for-two-step-verification-on-11-top-online-services/

If you’ve determined that you don’t want to go the TSV route, that’s perfectly fine–only if you’ve created very strong passwords for your Apple ID and any other Web properties that contain your personal or financial info.

SO THAT’S two-step verification. Unlike the moon landing, it’s not rocket science. But compared to using only a password–especially a “weak” one–it really is one giant leap for security.

Making us Pay

That’s exactly what Apple’s been doing. Seemingly lost between Tuesday’s unveiling of yet another pair of new iPhones (the 6 and 6 Plus) and the Apple Watch–which will no doubt sell by the truckload despite its hefty price tag ($349 and up) and the fact that it needs to be accompanied by an iPhone for full functionality–was the revelation that Apple has concocted a “virtual wallet” payment system to accompany its newest smartphone models.

This system works with your existing credit cards, but it’s more secure than any available payment method. It’s dead simple to use, incredibly convenient, and already supported by national chains like Macy’s/Bloomingdales, McDonalds, Subway, Walgreens, Petco, Toys “R” Us, Staples and more.

Apple calls it simply Apple Pay. I call it pretty remarkable because after seeing the demo and the ecosystem they’ve created around it, I think it truly does have the potential to change the way we pay for things. It’s not the first system to take a crack at mobile payments via a virtual wallet (see Google Wallet) but it’s the first one to come out fully locked and loaded, with retailers, banks, and credit card companies already on board.

Apple Pay is based on an already-existing technology called near field communication (NFC). Put simply, it’s a way for two devices to “talk” to each other over very short distances by establishing a temporary wireless connection. By waving your smartphone in front of an NFC-enabled device at your friendly neighborhood retailer’s checkout, a credit card payment can be made in mere seconds. No need to launch an app; in fact, you don’t even need to unlock your iPhone–thanks to the Touch ID technology that Apple introduced with the iPhone 5s.

When you compare this experience to fumbling with credit cards, security codes, picture IDs and swipe card readers that never seem to get it right the first time, the advantages in terms of convenience are pretty obvious. What’s probably not as obvious are the advancements in security and privacy that are baked into this new system. Although Apple Pay can make use of any VISA, American Express or MasterCard, it never actually uses (or stores) credit card numbers or security codes on your iPhone.

Instead, a unique secure ID is encrypted and stored on your iDevice for each of your credit cards, and it is this information, along with the transaction info and a one-time security code, that is sent to your credit card company. At that point the unique secure ID is linked to your actual card no. and account, and payment is transmitted to the merchant. This means that your card number is never sent anywhere in the process of making a purchase, and because you don’t actually hand the card to the cashier, no one even sees your card number–much less any other personal info–at the point of sale.

Further, if your new “virtual wallet,” aka iPhone, is lost or stolen, you can remotely suspend all recent payments and wipe the device from any other iDevice or Web browser using Find My Phone. That’s not really new, but consider this: Because the credit card numbers and other info for each card are not stored in the iPhone, and because–in theory, at least–you left your actual wallet at home, you don’t need to call up and cancel all your credit cards. You just import their info into your replacement iDevice, and you’re back up and running. Or buying, as the case may be.
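The two paragraphs above describe a token-based flow: the phone holds a substitute ID plus a one-time code per transaction, the merchant never sees the card number, and a lost phone is handled by suspending the token rather than cancelling the card. Here is a simplified model of that flow, added as an illustration; it is not Apple’s or any card network’s actual protocol, and the HMAC-based one-time code, the counter-based replay check and the sample card number are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the one card the issuer has on file (a well-known test number).
ISSUER_CARDS = {"4111111111111111": {"holder": "A. Example", "active": True}}


def compute_cryptogram(key, token, amount_cents, merchant, counter):
    """One-time security code bound to this exact transaction (assumed: HMAC-SHA256)."""
    msg = f"{token}|{amount_cents}|{merchant}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IssuerTokenVault:
    """Issuer side: maps device tokens to real card numbers; the phone never holds the PAN."""

    def __init__(self):
        self.tokens = {}  # token -> {"pan", "key", "counter", "suspended"}

    def provision(self, pan):
        """Enroll a card on a device: returns (token, key) for the phone to store."""
        if pan not in ISSUER_CARDS or not ISSUER_CARDS[pan]["active"]:
            raise ValueError("card not eligible")
        token = "tok_" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.tokens[token] = {"pan": pan, "key": key, "counter": 0, "suspended": False}
        return token, key

    def suspend(self, token):
        """Lost phone: stop this device's token. The card itself stays usable."""
        self.tokens[token]["suspended"] = True

    def authorize(self, payment):
        """Validate what the merchant forwarded; returns (approved, reason)."""
        rec = self.tokens.get(payment["token"])
        if rec is None:
            return False, "unknown token"
        if rec["suspended"]:
            return False, "token suspended"
        expected = compute_cryptogram(rec["key"], payment["token"], payment["amount_cents"],
                                      payment["merchant"], payment["counter"])
        if not hmac.compare_digest(expected, payment["cryptogram"]):
            return False, "bad cryptogram"      # amount or merchant was altered in transit
        if payment["counter"] <= rec["counter"]:
            return False, "replayed transaction"  # a captured message cannot be resubmitted
        rec["counter"] = payment["counter"]
        return True, f"charged card ending {rec['pan'][-4:]}"


class DeviceWallet:
    """Phone side: stores a token and key per card, never the card number."""

    def __init__(self):
        self.cards = {}  # token -> {"key": bytes, "counter": int}

    def add_card(self, token, key):
        self.cards[token] = {"key": key, "counter": 0}

    def pay(self, token, amount_cents, merchant):
        """Build the message the terminal forwards to the issuer."""
        card = self.cards[token]
        card["counter"] += 1
        return {
            "token": token,
            "amount_cents": amount_cents,
            "merchant": merchant,
            "counter": card["counter"],
            "cryptogram": compute_cryptogram(card["key"], token, amount_cents,
                                             merchant, card["counter"]),
        }


def merchant_sees_pan(payment, pan):
    """What the point of sale receives should never contain the card number."""
    return pan in str(payment)
```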

Apple’s demo of Pay at Tuesday’s press event made it seem almost impossibly simple, convenient and secure. And it just might be all that when it comes on line this fall. As you may have already guessed, this revolutionary payment system requires the purchase of the new iPhone 6 or 6 Plus. So now that Apple has made us Pay, Apple is going to make us… pay.

Or, to paraphrase the official motto of the Commonwealth of Virginia: Sic semper Appleus.

A brief note on security, or, what else is new?

Regarding the recent “celebrity photo iCloud hack,” which most of you have probably heard of by now, it appears after much investigation and finger pointing that there is no inherent security flaw in the iCloud system, and that these were isolated attacks specifically directed at the iCloud accounts of female celebrities (Kirsten Dunst, Jennifer Garner, Kate Upton etc.) in hopes of discovering compromising images to post online. The attacks were conducted using common “brute force” hacking techniques; in other words, sending password after password at the account in rapid succession until the correct one was discovered.

Nothing new or innovative about that, and since the targets were specifically young, nubile female celebs, it’s probably safe to assume that none of us were affected. In the wake of these attacks, Apple has pledged to improve iCloud security, but also urges users to implement strong passwords as well as to enable two-step verification, which is generally a good idea in terms of making your Apple ID even more secure. Because TSV involves a very specific setup process and requires that you have a cellphone with you whenever you make a purchase on the iTunes Store, we’re going to explore it in a future posting to help you decide if it’s the right move for you, or if it will cause more problems than it solves.

So what’s the moral of this story? It’s two-fold:

  1. Resist the temptation to post naked selfies to your Photo Stream.
  2. Use a strong password for your Apple ID/iCloud account. If any or all of the celebs affected by this had employed strong passwords, their accounts would not have been compromised.

Finally, some of you have been asking about the Home Depot hack, which was confirmed this past Monday and potentially affects up to 60 million accounts. It really has nothing to do with your computers or iDevices, and since it had been going on undetected for at least six months, you probably already know if any cards you used there have been compromised. Just to be sure, however, check your recent statements carefully for any suspicious charges and report them to your card issuer ASAP.

Of Russian hacks and password cracks

ANOTHER DAY, another data breach and this one appears to be one of the most significant in recent memory–over a billion usernames and passwords now in the possession of some Russian hackers. Although a very interesting take on this exploit at The Verge calls into question whether said quantity of personal data was actually “hacked” or merely acquired from other criminals, the fact remains that the data is out there, and yeah, there’s probably a reasonable chance that your info is in there somewhere.

What many of us find particularly frustrating about these escapades is that the names of the sites that were compromised are usually not released for days or even weeks after the hacks occur, in the event that a site remains vulnerable after the hack is disclosed. This was the case with the recent Heartbleed bug, where many Web site operators were unconscionably slow to inform their users as to whether their sites needed patching, had or had not been patched, and exactly what information could have been compromised.

In the end, we’re all left thinking, “What can I do, or what should I do, to protect myself?” Well, there isn’t much we can do to prevent these kinds of exploits, but there are two things we can do to minimize the potential risk. One is to use “strong” passwords (“un9Ayg3I1oN8” as opposed to “password”) on the Web sites that we frequent, and the other is to use unique (and strong) passwords for each site. Using strong passwords alone wouldn’t have helped much with this specific exploit, but using unique passwords would.

WHY? BECAUSE hackers know that most of us use the same 2-3 passwords for all the sites we visit. So if they capture just one, along with your email address, they may well have a way in to many of your other online accounts–some of which may contain a lot more personal information than just your name and email.

Now there’s a very good reason why–in spite of all the warnings we get each time a Web hack is publicized–most of us use the same 2-3 passwords for everything, and that’s because in order to use them, we must be able to remember them. Even working with only a few passwords can be challenging, and we’ve all had those moments wherein we type in what we think the password is, then what it might also be, then what we think it is but with an initial cap, etc. Were we all to employ strong passwords, even if they were not unique to each site, we would certainly fail at most of our login attempts.

That’s where password managers come in. Some are programs that reside on your computer; some are Web sites that store the passwords for you. Some are bare-bones and some are amazingly full-featured. But the one invaluable service they all perform is they enable you to use strong, unique passwords by remembering them for you and regurgitating them on demand. You have only to remember one “master” password to unlock the rest.

THE KEY WORD here is “enable.” It would be a truly marvelous thing were a password manager to visit all the sites you frequent, change your password on each one to something infinitely more robust like “Nim2ceWg8O9q,” and then repeat that action every three months. In the real world, of course, accomplishing that requires a little more “elbow grease,” if I may borrow an idiom from my parents’ generation.

Even with the assistance of a password manager, you must take the following steps to update your sites with a strong and unique password:

  1. Log in to the site with your current (presumably weak) password.
  2. Locate the area of the site where you can update your password.
  3. Enter your current password in the “Current Password” or “Old Password” field.
  4. Enter a much stronger one in the “New Password” field (most password managers will generate this for you).
  5. Apply the password change using the “Save,” “Update,” “Apply” or similarly-named button below the password fields.
  6. Make sure the password manager updates its record for the new password (most do this automatically, or at least semi-automatically).
  7. Repeat for the remainder of your sites.

DON’T GET ME wrong–I don’t mean to give the impression that password managers aren’t worth the trouble. I use a password manager, and I feel they are extremely useful and truly the only practical way to employ strong and unique passwords across multiple Web properties. But they still require an investment of time and thought to allow them to safely and effectively “manage” your passwords.

So if this latest exploit has you thinking that it might be time to stop using “password123” for the majority of your Web accounts, you would be well-advised to employ some form of password management. Just be prepared to spend a few hours or more working up a little elbow grease in the process.

Yosemite Slam

I SUPPOSE I should refrain from slamming a new operating system before it’s even released, but I can’t help but wish that Apple would clean up the rest of the bugs and performance issues in Mavericks 10.9.x before announcing their next arrival. Nonetheless, OS X 10.10, aka “Yosemite,” was announced at the annual WWDC this past June and is due to arrive sometime in the fall of this year. The hardware requirements for Apple’s newest OS are identical to those of OS X 10.9 Mavericks and, like its predecessor, Yosemite will be a free upgrade for all.

There are, of course, a plethora of new features and a further extension of the “minimalist” design that characterizes the current iDevice operating system, iOS 7. Yes, they remain two completely distinct operating systems, but the lines continue to blur. Many of the new features and capabilities of Yosemite center around improving the interaction between iDevices and Macs–what Apple refers to as Yosemite’s Continuity feature set.

Specifically, the “Handoff” components of the new OS will link all your Apple tech in such a way that you could start composing an email on your iMac and finish it on your iPad without missing a beat, or check out a Web site on your iPhone and be brought to the exact same spot on that site when you return to your MacBook Pro.

AND THAT’S JUST for starters. You’ll be able to receive and respond to all text messages on your Mac, not just iMessages (the blue bubbles in the Messages app) but also standard SMS text messages (the green bubbles that heretofore didn’t appear in the Messages app on Macs). You’ll even have the ability to “hand off” phone calls from your iPhone to your Mac, essentially turning it into a giant speakerphone.

Even the new iCloud Drive feature, which brings a long-overdue “DropBox”-style service to Macs, is arguably most useful when you have an iDevice or two in addition to your Mac.

Finally, the AirDrop technology for swapping information wirelessly, which–in spite of the fact that it already exists on Macs and iDevices–has never allowed you to move your stuff between those two platforms, now makes amends for that by baking it right into Yosemite and the forthcoming iOS 8 (more on that in a moment).

Sure, there are other Yosemite features that don’t revolve around iDevices, like the option to scrawl on/annotate images or PDF attachments in Mail. But overall it sure seems like Apple is banking on the notion that most of you own at least one Mac and one iDevice, and that you’ve a hankering for them to work together far more smoothly and efficiently than they have to date.

HOWEVER, Yosemite and iOS 8 are the future, even if said future is mere months away. Mavericks 10.9 is the present, and I am compelled to state here that I still have reservations about upgrading from “Mountain Lion” 10.8 if that’s the OS you’re running and it’s working as advertised for you. In fact, the one thing that stands out to me as far as Mavericks’ new features is a penchant for breaking my clients’ ability to print to PostScript printers that worked just fine in earlier versions of the OS. So if you haven’t made the leap to 10.9 yet, I would have to recommend that you hold off for a few more months and see what Yosemite brings.

Don’t hold off on iOS 8, though, which was also previewed at the WWDC alongside Yosemite. This latest OS for iDevices brings some wonderful new stuff like iCloud Photo Library, which provides vast improvements in photo management/storage by offering a simpler and more useful alternative to the bewildering combination of Photo Stream and iCloud Photo Sharing–neither of which I can satisfactorily explain to my clients (given that I barely understand them myself).

Even more significantly, Apple is finally overhauling the way multiple Apple IDs are managed among individuals and families courtesy of the new Family Sharing options. For most of us, Family Sharing will bring an end to the heartbreak of managing purchases made under multiple Apple IDs, to Mom getting text messages intended for Dad and vice versa, and to the unintentional mingling of Junior’s contacts on his iPad with the address book on Dad’s MacBook Pro.

LET US FIRST exult in the glory of the new manner in which all your devices will handle your photos. Turn on iCloud Photo Library, and all of your fab pix and videos are stored (and backed up) on iCloud, in their original format (even RAW) so they can be accessed from anywhere. That’s it! Ah, but that amount of storage is going to cost me an arm and a leg, you say. Fear not, intrepid shutterbugs, because Apple has completely restructured their pricing for iCloud storage, veritably plummeting from the currently lofty $100/year for a mere 30GB, to an extra 20GB for the paltry sum of $0.99 per month, with 200GB going for just $3.99/mo.

It’s not only the storage that’s more convenient. When you use the Photos app on any of your devices to edit your images, those changes will be visible everywhere. Even better, your edits are non-destructive–meaning that you can revert back to the original image if necessary. As part of all this, iPhoto on the Mac will be replaced by Photos, which will have a similar look, feel and feature set to the Photos app in iOS 8. That probably means some iPhoto features will be lost in the shuffle, but no one seems to like or even really understand iPhoto all that much, anyway…

On to Family Sharing. While I imagine that implementing this may be a bit tricky for a family of five with multiple existing Apple IDs, the basic concept is quite simple and long overdue. With Family Sharing, up to six family members–each with their own Apple ID–can access all purchases made under any of those IDs (assuming they’re made with the same credit card). And since the IDs are unique, each person can maintain their own set of iCloud calendars, contacts, reminders, etc. Thoughtfully, Family Sharing automatically creates a single shared Family calendar (with reminders) and a Family photo collection, assuming that there are some things you do want to share.

SO HOW EXACTLY will all of this work? Well, if Sis downloads the latest from One Direction, Dad, Mom and Junior all have immediate access to that album–regardless of whether or not it fits their particular musical tastes. And lest you fear that Junior is now free to embark on a reckless buying spree of the entire Maroon 5 catalog, rest assured that Apple has baked in what they call “Ask To Buy,” which alerts the credit card holder via text message whenever a purchase is attempted and allows for the immediate acceptance or rejection of same.

Assuming Mom is not subject to that restriction, the moment she purchases the now-classic Game of Life on the App Store, the rest of the family is free to grab it, fill their virtual plastic automobiles with virtual plastic spouse/offspring pegs, and agonize over whether or not to buy fire insurance when the opportunity arises. So whether or not you’re a fan of this classic board game, Family Sharing represents a drastic improvement over the current “multiple Apple IDs” mess in which many have found themselves enmeshed.

LAST BUT certainly not least, iOS 8 includes two new technologies known as Health Kit and Home Kit. These are not apps but more of a central “hub” which, in the case of Health Kit, enables health information to be collected and shared among third-party apps such as those that detect your blood pressure, heart rate or glucose levels. This info could also be transmitted remotely to healthcare providers–something that could be potentially life-saving should any of those readings fall outside of their normal ranges.

Home Kit works in a similar fashion by allowing home automation apps from disparate developers to work together in such a way that you could, for example, inform Siri that “it’s bedtime,” at which point your downstairs lights would shut off, the thermostat would adjust appropriately, all the doors would lock and the garage door would close in the event it was left open. Apple has confirmed that they are partnering with companies like Cree, Texas Instruments, Kwikset, Philips, Chamberlain, and Schlage, which means that the major players in smartphone-based home automation are already on board with Home Kit.

So that’s iOS 8, coming to an iDevice near you sometime this fall. There are a few other nifty little features I could wax poetic over, but since I’ve been promising this posting for nearly a month now, let me sum it all up in as succinct a manner as possible:

iOS 8? Great.

Yosemite? Wait.

With every bleed of my heart…

The “Heartbleed” bug

Many of you have probably already heard about the security issue known as “Heartbleed,” which affects numerous Web sites and potentially other programs and systems that use specific versions of an encryption technology known as OpenSSL.

SSL (Secure Sockets Layer) is the protocol that scrambles or encrypts sensitive information that moves across the Internet, and this “bug” in OpenSSL means that any data sent between your Mac or iDevice and a Web site affected by the vulnerability could be intercepted and decoded (including passwords and credit card info).

Although no one is sure if the bug has been exploited or if any information has actually been stolen, it has the potential to be serious. I’ll let you read all about it here if you want to get all the gory details, but here’s the bottom line: While your Mac is not affected directly by this, many of the Web sites that you use on a regular basis might be.

It’s estimated that approximately 15-20% of all Web sites are affected by Heartbleed. I wish I could provide you with an updated list of these sites, but as of yet no such list exists. However, someone has put together a handy little online tool that lets you type in the Web address of any site and check to see if it uses the particular flavor of OpenSSL that is affected by Heartbleed.

The owner/operator of any affected site needs to correct the problem on their end; there’s nothing you can do until the site notifies you that they’ve addressed the issue. Changing your password isn’t going to help until they’ve fixed the problem, at which point you should then seriously consider updating your password just in case it was appropriated while the site was vulnerable.
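For the operator side of that advice, the first question is which hosts are running an OpenSSL build from the affected range. The following is an added example (not from the original post or from any vendor tool) that classifies `openssl version` banners collected from several hosts; the host names and banners are constructed. It encodes the upstream facts that 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected and 1.0.1g is the fixed release, with the caveat that Linux distributions backported the fix without changing the version letter, so a “vulnerable” verdict here means “check the package changelog,” not “confirmed exposed.”

```python
import re

# Upstream releases that shipped the vulnerable heartbeat code: the bare 1.0.1
# release and 1.0.1a through 1.0.1f (1.0.1g is the fix), plus 1.0.2-beta1.
# The 0.9.8 and 1.0.0 series never had the heartbeat extension at all.
VULNERABLE_1_0_1_LETTERS = "abcdef"

# Matches the start of 'openssl version' output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or the Red Hat style "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) or None if the banner is not a version line."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta


def heartbleed_status(banner):
    """Classify a banner as 'vulnerable', 'not vulnerable' or 'unknown'.

    'vulnerable' means the upstream version is in the affected range. Debian,
    Ubuntu and Red Hat shipped patched packages under the same 1.0.1e-style
    string, so confirm against the distribution's package version before acting."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        if letter == "" or letter in VULNERABLE_1_0_1_LETTERS:
            return "vulnerable"
        return "not vulnerable"   # 1.0.1g and later
    if (major, minor, fix) == (1, 0, 2):
        return "vulnerable" if beta == "beta1" else "not vulnerable"
    return "not vulnerable"       # 0.9.8, 1.0.0, and anything newer than 1.0.2


# Constructed sample banners, as an administrator might collect with
# "ssh host openssl version" across a fleet.
SAMPLE_HOSTS = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "db-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy": "openssl: command not found",
}


def triage(hosts):
    """Hosts whose banner falls in the affected range, sorted for a follow-up list."""
    return sorted(host for host, banner in hosts.items()
                  if heartbleed_status(banner) == "vulnerable")


if __name__ == "__main__":
    for host, banner in SAMPLE_HOSTS.items():
        print(f"{host:8} {heartbleed_status(banner):15} {banner}")
    print("follow up:", ", ".join(triage(SAMPLE_HOSTS)))
```

A version banner says nothing about other programs that statically link their own copy of OpenSSL, so this is a starting point for the operator's inventory, not the end of it.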

So for your financial sites at least, if nothing else, I would do a little detective work using the tool noted above. For what it’s worth, GMail is not affected by this, nor is iCloud.com. If anyone wants to report back via a comment on which sites are safe, feel free. I’ll update this post if I get any new or useful info on the subject.

Office, ours

After a wait long enough that most of us figured it would never come to pass, Microsoft Office for the iPad and iPhone/iPod is now available for download. The software itself, as well as the pricing and licensing policies, are completely different for iPads vs. iPhones/iPods, and may not seem so favorable by comparison to Apple’s iWork suite of apps, but I’ll let you be the judge.

Here’s how it breaks down:

The app for iPhone/iPod is known as Microsoft Office Mobile. It’s completely free to download and use as long as you’re willing to create an account with Microsoft with which you can sign in; without first entering a Microsoft account ID and password the app can’t be launched.

Once you’ve gotten past that hurdle, you’ll find you can open, create, edit and save Word and Excel files but, strangely enough, you can’t create PowerPoint files even though you can open existing ones, as well as edit and save them. Further, you can’t store Office files on your iDevice, so you need to use Microsoft’s OneDrive, OneDrive for Business, or SharePoint in order to really make use of this (20GB of OneDrive storage is included).

For your iPad, Word, Excel and PowerPoint are offered as individual apps. If you want only to view existing Office documents, you can use them all for free as long as you’d like. Assuming you might actually want to create or edit documents, however, you must subscribe to Office Home Personal for $6.99/mo. (covers one tablet and one Mac or PC), or Office Home Premium for $9.99/mo. (allows the use of up to five mobile devices and up to five Macs/PCs).

If you happen to work for a company that already has an Office subscription for their business, you should inquire about using that. As with Microsoft Office Mobile, you can’t store files on your device so you’ll need to use OneDrive or SharePoint for that, and you get the same 20GB of OneDrive storage provided to iPhone/iPod users.

The actual iPad apps are generally getting rave reviews, although not everyone is as enthusiastic about the Microsoft subscription model. You can try the iPad apps free for 30 days, so I’d suggest at least taking a look if you feel that you really need the Office suite on your device.

Since the iWork apps (Pages, Numbers and Keynote) can open and save Office files, and they require only a one-time purchase with no monthly or annual subscription fees, they might be a better deal. Keep in mind, however, that they’re not as full-featured as Microsoft’s offerings, nor are they as capable of seamlessly opening, editing and saving an Office document while preserving every aspect of the file in question.

Mavericks: Ready. Or Not.

Back in early February, I wrote that I really couldn’t recommend any of you upgrading to Mavericks, and as of this moment my position hasn’t changed on that. There are still some major issues even after the 10.9.2 update, so we’ll see what happens when 10.9.3 is released, probably sometime later this month.

Those of you already using OS X 10.8 “Mountain Lion” really aren’t missing all that much, other than tabbed Finder windows, tags for documents and the aforementioned bugginess. If, however, you’re still running OS X 10.6 “Snow Leopard,” or OS X 10.7 “Lion,” you should think about moving up to 10.8–as long as your Mac supports it.

Those of you still on 10.5 “Leopard” should absolutely move up to 10.6 at a minimum (to eliminate the constant warnings about the Adobe Flash Player, if for no other reason), again assuming your Mac model supports that operating system.

If you’re not sure which model Mac you own, enter your Mac’s serial no. here. And if you don’t happen to have your Mac’s serial number handy, just go to “About This Mac” from the Apple menu, and from the About window, click twice on the line that indicates the system software version.

As always, feel free to drop me a line if you’re unsure which way to go here.