Tag Archives: macbook

Opinion: After the celebrity hacks, the vulnerability that still exists and what needs to be done


There are still many unknowns surrounding the leaked celebrity nudes. While Apple appears to have ruled out a theory that a Find My iPhone vulnerability allowed easy brute-force password attacks, some commentators are suggesting that the wording was sufficiently vague that this may indeed have been one route in. (Apple might be arguing that it’s not a breach if the correct password was required.)

But one thing does now appear clear: rather than a single hacker gaining wide access to iCloud, the photos were instead amassed over time by a number of different individuals likely using several different approaches. Phishing was doubtless one of them – some of the claimed emails from Apple are reasonably convincing to a non-techy person – but another was almost certainly to exploit one of the greatest weaknesses found in just about every online service, including iCloud: security questions …

Security questions were, when first introduced, a fairly obvious solution to a common problem: people forgetting their passwords. The typical 9to5Mac reader probably uses a password manager to have strong, unique passwords for each site, but the average person on the street doesn’t. They either use the same password for almost everything, or they do their best to use different passwords and end up forgetting half of them.

Why security questions are hopeless

The problem, of course, is that if the legitimate owner of an account can use security questions to reveal or reset their password, so too can anyone else. Which wouldn’t be a problem if we could choose our own questions, and set them to things so obscure not even our best friend could guess the answer, but that’s generally not the case.

iCloud is a case in point. iCloud requires you to select three security questions, but each one has to be selected from a choice of just six questions (I’ve pulled all three sets into a single graphic for convenience):


Now, I’m not going to get specific here by revealing any personal information, so I’m going to use made-up examples, but I’m betting that most people can’t answer half of these questions. For example, did you have just one favorite singer or band in high school, or did it change numerous times? Can you remember the first film you ever saw in a theater? Do you have the faintest recollection where you flew to the first time you went on a plane?

So in reality, the choice of questions open to us is even smaller than it first appears.

Of the remaining questions, how many of them are known to multiple people? If you have a dream job, chances are you’ve mentioned it to quite a few friends. Your childhood nickname is known by everyone who went to school with you, and maybe to all of your friends today if you’re still known by the same nickname.

Of the ones that aren’t known, how many could be googled by someone who knows you? How many of them, in fact, can be found on your Facebook page?

If you’re a celebrity, the situation is a thousand times worse because you’ve given countless interviews in which you’ve likely revealed all kinds of trivia about yourself, like your first pet or the model of your first car or … well, most of these questions, in fact. Even if you haven’t answered the question yourself, there are numerous fan sites where people post trivia they’ve unearthed.

So security questions are a terrible form of protection for most of us, and an absolutely hopeless one for celebrities.


Two-factor authentication

Ok, you might argue, but iCloud – like quite a few other online services these days – offers the alternative of two-factor authentication. I use it myself, of course, and the more observant will have spotted that’s how I grabbed the security questions above: by pretending I wanted to switch it off.

For anyone unfamiliar with it, two-factor authentication requires you to enter a one-time code to access a service. This code might be generated by an app (Google Authenticator is a popular one) or sent as a text message, for example. But while iCloud offers two-factor authentication, it doesn’t require it for everything. Indeed, it doesn’t require it for some rather critical things.

I managed to spill wine on my iPhone a couple of days ago, effectively killing it. So yesterday I went to an Apple Store and took advantage of the fixed-price repair option to get a replacement (so at least I’ll have a shiny new one to sell on eBay when I get an iPhone 6). In the store, I needed to use iCloud first to remove the old phone from my list of devices, and second to restore the iCloud backup to the new phone. Despite the fact that I accessed my iCloud account on an unknown device (a MacBook in the Apple Store), I didn’t need two-factor authentication for either task.


What should Apple do?

There is always a balancing act to be achieved between security and convenience. We could make iCloud, or any other service, incredibly secure by doing things like requiring a 256-character password with no dictionary words in it, requiring us to change that password monthly, and adding compulsory two- or even three-factor authentication.

That kind of extreme clearly isn’t realistic, so we have to strike a sensible balance between protection and usability.

Apple is well aware of this. It’s the reason it introduced Touch ID on the iPhone 5s – because too many people either weren’t using a passcode at all or were setting too long a time-out, giving a thief plenty of time to gain access.

Touch ID will appear on the new iPads launched in the item, and it can only be a matter of time before it makes it to Macs too. But I think there are three more things Apple should do.

First, make two-factor authentication the default option for everything, and mandatory for critical things like accessing iCloud on an unknown device and restoring from an iCloud backup. Sure, we might need workarounds for the worst-case scenario – an iPhone is the only Apple device someone owns and they just lost or destroyed that – but where two or more devices are owned, there is certainly no reason not to require confirmation via a second device.

Second, allow people to choose their own security questions rather than select them from a dropdown. Then they can choose things that only they will know, and can make them as obscure as they wish.

Third, there was a really good specific idea posted by the ACLU today (via Gizmodo): build in a Private mode to the standard camera app. If someone wants to take a … sensitive photo, they can flip a toggle and that photo is stored only on their phone and excluded from iCloud backups.

Fourth, fix a vulnerability pointed out by Business Insider: stop confirming to anyone who cares to try that a particular email address is an Apple ID.

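An added example, not code from the article or from Apple, of what fixing that fourth point looks like on a password-reset endpoint: the “before” version replies differently depending on whether the address is registered, the “after” version gives one reply for every address and keeps the registered/unregistered distinction inside the email, and a small log check lets a defender spot a source probing many addresses. The account store, addresses and log entries are constructed for the example.

```python
import secrets
from collections import defaultdict

# Constructed in-memory account store for this example; keys are normalised emails.
ACCOUNTS = {"alice@example.com": {"reset_tokens": []}}

# The one reply the hardened endpoint gives, registered address or not.
GENERIC_REPLY = "If an account exists for that address, we have emailed reset instructions."


def normalise(email: str) -> str:
    return email.strip().lower()


def leaky_reset_request(email: str) -> str:
    """'Before': the reply text (and the early return) tells the caller whether
    the address is a registered account, so the endpoint is an address oracle."""
    key = normalise(email)
    if key not in ACCOUNTS:
        return "No account exists for that email address."
    ACCOUNTS[key]["reset_tokens"].append(secrets.token_urlsafe(32))
    return "We have emailed you a link to reset your password."


def safe_reset_request(email: str, outbox: list) -> str:
    """'After': identical reply and identical work for every address. A registered
    user receives a reset link; an unregistered address receives a courtesy note.
    Only the mailbox owner learns which one, never the caller of the endpoint."""
    key = normalise(email)
    token = secrets.token_urlsafe(32)  # generated unconditionally: no timing tell
    account = ACCOUNTS.get(key)
    if account is not None:
        account["reset_tokens"].append(token)
        outbox.append((key, "reset-link", token))
    else:
        outbox.append((key, "no-account-notice", None))
    return GENERIC_REPLY


def probing_sources(requests, threshold: int = 20):
    """Detection: a source that requests resets for many distinct addresses is
    scanning for accounts, whatever the endpoint replies. `requests` is an
    iterable of (source_ip, email) pairs taken from the endpoint's access log."""
    distinct = defaultdict(set)
    for source, email in requests:
        distinct[source].add(normalise(email))
    return sorted(src for src, emails in distinct.items() if len(emails) >= threshold)


if __name__ == "__main__":
    outbox = []
    print(safe_reset_request("alice@example.com", outbox))
    print(safe_reset_request("nobody@example.com", outbox))
    # Constructed log: one source trying 25 addresses, one ordinary user.
    log = [("10.0.0.5", f"user{i}@example.com") for i in range(25)]
    log.append(("10.0.0.9", "alice@example.com"))
    print("probing sources:", probing_sources(log))
```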

Steps you can take in the meantime

There are a number of things you can do to increase your own security in the meantime.

First, if you don’t already have strong, unique passwords for each online service and website you use, set aside a couple of hours to correct that. If you don’t have the time, make it. Online services get compromised all the time, and the first thing a hacker does with a bunch of login credentials from one service is to try them on a whole bunch of other ones. If you’re using a single login for multiple sites, the question isn’t whether you’ll get hacked, only when.

You can’t possibly remember a mass of strong passwords, but it’s painless enough if you use a password manager, and our own guide will tell you everything you need to know.

Second, if you own your own domain, you can add even greater security to online logins by having unique email addresses as well as passwords. I have a domain I use for accessing online services, and can have whatever I like before the @ – all the emails arrive in the same place – so I have different emails for different services.

Third, don’t use real data unless you have to. If the passport office or my bank asks for my date of birth, I have to use my real one, but that doesn’t apply to the vast majority of websites out there. I have a fake date of birth I habitually use for websites that have no need to know the real one, which reduces my risk of identity theft. I’m so used to typing the fake date, I have to be careful when accessing those few sites that really need the correct one!

Fourth, just because you’re stuck with a limited range of security questions doesn’t mean you have to give truthful answers. Your answers needn’t even have anything to do with the questions, just so long as you have a technique for memorizing them, known as a mnemonic.

For example, when asked for the name of your first pet, you could have a mnemonic that runs pet = petting = first girlfriend. Or mother’s maiden name = maid = Marian. (No, these aren’t mine, I just made them up.)

You do need to remember that balance between security and convenience, of course. You don’t want your two-factor authentication to fail when your iPhone falls into a river and then realize you can’t remember the answers to any of the security questions. But half an hour spent memorizing some links for common security questions can vastly improve your security until such time as security questions are consigned to where they belong: history.

Finally, if you are taking photos you wouldn’t want other people to see, leave your iPhone and wifi-equipped camera alone and use a good old-fashioned non-connected one!



Why Windows 9 could give OS X Yosemite a run for its money

For decades the Mac and the PC have been at each other’s throats, competing for the number one spot in the computing world. Vitriolic ad campaigns and entire product launches aimed at decimating Windows or OS X have firmly established a war that somehow

Review: Simplicam, the Dropcam HD competitor that adds face-detection

Home security cameras that send you alerts when they detect movement have been around for a while now. We reviewed Dropcam, one of the better-known names in the business, last October.

The problem, though, is that most movement isn’t likely to be of interest – especially if you have pets, or if sunlight and wind keep changing the scene. What we really want to know is when a person arrives, and that’s what Simplicam aims to deliver through face-detection software. You can thus choose to be notified about any one or more of three types of event: movement, sound and face-detection …

It’s pretty clear that Simplicam is directly targeting the Dropcam HD, matching the 720p resolution, 107-degree field of view and $150 price-tag. There’s again support for multiple cameras. And it also offers the same option of a subscription-based cloud recording plan to allow you to review recorded footage, with broadly comparable pricing. Recordings – and the app used by the camera – are provided by Closeli.

In the box

What arrives in the rather colorful box is the camera itself, a wall mount (complete with screws and Rawlplugs), a short micro-USB cable, a long micro-USB cable, a USB wall plug and a few cards to help with setup.

The camera itself measures 94x89x41mm, and has a clean, modern appearance. The camera is high-quality plastic, with an aluminum base.


Setup

Simplicam promises “three-minute setup,” and if anything that’s a conservative figure. The fact that most gadgets these days come with accompanying apps means they can walk you through the setup process, and the Closeli app does this well.

You’re prompted to connect the camera to its powered USB lead and hit the button at the back.


The app asks you to select your wifi network and enter the password, then generates a QR code on the screen which you simply show to the camera – very neat.

I also like the way that help is integrated into the app, rather than being something you open separately. At the step where the camera should be showing a green light, for example, there’s a link to tap if it isn’t.


As soon as setup is complete, you can see a live view.


Turning your phone sideways makes it a full-screen view.


I’d say that even a non-techy would find the setup process painless. My only complaint is that it is currently very US-centric: the included USB power plug is an American one (not really an issue – I have a drawer full of UK ones from various gadgets), and it only lets you choose a US time-zone.


This meant the times shown on my recordings would be wrong, but I’m used to working across time-zones.

In use

The camera isn’t weatherproofed, so it is for indoor use only. However, both motion-sensing and face-detection work perfectly through glass, so I’m using it here to look out into my cul-de-sac, where it proved useful for alerting me to approaching visitors.

By default, the app is set to deliver banner notifications, which are briefly displayed and then disappear (though remain accessible in the notifications pull-down, of course).


I found that I wasn’t noticing these when not actively using the phone, so I went into Settings > Notifications and scrolled down to the Simplicam app to change this to alerts.


These ping you and have to be dismissed, so they worked much better.

By default, you are alerted to all events: movement, sounds and faces. You can, however, configure these as desired in the settings.


Sound wasn’t relevant in my case, as it was pointed through a window, but I left Motion on during initial testing to maximize the number of events, before later switching it to Face only, so it would only let me know when someone was approaching the house.

You can also choose between instant notification and regular summaries, with reports every 10, 30 or 60 minutes.

Performance

Closeli had a pre-launch server glitch that meant face detection didn’t work for the first day, but once this was fixed, both movement and faces were reliably detected. Even a parked car moving off from a couple of hundred feet down the road was enough to trigger a movement alert, and I got face alerts any time anyone approached the house – no complaints at all here.

The optional Closeli cloud recording service

I had a webcam-based CCTV camera a few years ago. The problem from a security point of view is that it needed to have a PC running 24/7 to record. It also needed to be Windows, so I had to have Parallels running, and it also wasn’t much use when I took my MacBook with me.

The appeal of cloud recording services from a consumer viewpoint is that you don’t need anything but the camera itself and your iPhone; the recording is taken care of for you. The obvious drawback – and the reason companies are so keen to offer it – is that you have to pay an annual fee for the privilege.

The amount you pay depends on how long you want the recordings to remain available for review. With Dropcam, you choose between $99/year for access to the past seven days, or $299/year for the past 30 days. Closeli’s pricing offers three tiers instead of two:

  • 1 day: $49.99/year
  • 11 days: $139.99/year
  • 21 days: $229.99/year

Recordings can be accessed either on the web or on your iPhone. I’m normally not a great fan of dealing with video on my iPhone, preferring a larger screen, but I have to say it did work well. You get to see a timeline of events.


Each of these is an animated GIF, so you get a good sense of what was recorded, rather than having to figure it out from a still. In the case of the UPS delivery van, for example, I was able to see the van pull up and the driver get out and walk up to the door with my package, just from the animated GIF. This really impressed me, making footage review extremely quick and easy.

Each video clip is tagged with an icon indicating what triggered it. The orange thrown-ball icon shows that those clips were triggered by movement, while the yellow head-and-shoulders show recordings triggered by face-detection.

Again, looking at the UPS van row, we can see that the movement sensor was triggered by the van pulling up outside, then the face-detection was triggered by the driver approaching the door. It really does work very well.

If you want to save a clip for longer than the time allowed by your plan, you can add it to your stored clips. The total time allowed depends on your plan. On the 1-day plan, for example, you can save up to an hour in total.

All recordings are encrypted using AES-256 and saved in a special format readable only by the app and the online service, which means the keys that unlock them are held on the service side rather than only by you.

Two-way sound

For indoor use, the camera offers two-way sound – so if you’re using it to be notified when someone gets home, you can welcome them home. In practice, I found that this only really worked if you were watching live (which you can do for short periods, having to hit refresh regularly to restart streaming) – by the time you’d been alerted, they had passed the camera. I would say this is more of a gimmick than a practical feature.

Night view

The camera has built-in lights which are automatically triggered in the dark. These work well indoors, but this was the only problem with my through-the-glass usage: it was useless at night.


Conclusions

Night usage aside, I was impressed. Setup was extremely simple, and it worked as advertised. I was a little skeptical about face-detection given that I was using it to look outside, but it reliably detected both visitors and those walking nearby, such as refuse collection workers.

Video quality is decent. 1080p would have been nice, of course, but 720p gets the job done, and I found the 107-degree field of view sufficient, covering both the road and doorstep.

For $150, it’s a decent piece of kit. The problem, of course, is that it isn’t really a $150 purchase. While live viewing with alerts is useful, for most applications – including the most obvious one of home security – you’re going to want to review footage later, and that requires a subscription.

Provided you keep the app running, the 1-day service would be sufficient. Because the recordings are stored on the cloud, you can access them from anywhere, whether on wifi or mobile data, so you can check things out as soon as you get an alert. If you see something of concern, like a crime in progress, being able to save an hour of footage permanently is again likely to be enough. But if you want to use it more passively – only reviewing footage when returning home from a trip to discover you’ve been burgled, for example – you’ll want a longer plan.

So your $150 purchase just became at the very least a $200 one, with ongoing costs of $50/year and up. With multiple cameras, you’re looking at multiple subscriptions, albeit with a 50 percent discount on additional plans. But if you find the all-in cost acceptable, it’s a product I can recommend.

Simplicam is available from today on Amazon for $149.99 on its own, or $199.99 with a year’s 1-day subscription plan.



How to turn your Mac’s trackpad into the ultimate timesaver

Macs are incredibly complex machines, but thanks to Jony Ive and the rest of their creators, they’re also incredibly simple to use. Most Mac users know to use keyboard shortcuts to make daily tasks even quicker, but not many know how