Heartbleed creates a frenzy - what to do?

The aftermath of the recent Heartbleed Internet security vulnerability is curious. It's been described (correctly) as the worst security breach in many years. But for average people, the ones who don't manage secure web or email servers, the experts say there isn't much we can do. Change all your passwords? ... maybe, but wait.

Why is this so complicated? It is because the affected parts are beyond our control as normal internet users. But there is some sense to be made of this, and that can be had in this excellent article by Adam Engst and Rich Mogull over at TidBITS titled "The Normal Person’s Guide to the Heartbleed Vulnerability". Go read that, I'll wait.

In the meantime, I'm bracing myself for seeing several things that drive me nuts...

  • There will be a flurry of "Hello, this is ________ that you have an account at, and we say we weren't affected/we-were-affected-but-have-patched-things, and you need to do X..." emails. That's fine, but most people won't read them, and will ignore them.
  • There will then be a flurry of "Hello, this is ________ that you have an account at, and we say we weren't affected/we-were-affected-but-have-patched-things, and you need to do X..." emails that are phishing attacks from scammers, capitalizing on the publicity and trying to trick people into following their poisoned links and giving away their info.
  • People will continue to use crappy passwords without a password manager.

So, in these uncertain internet times, let me hope that you'll follow basic common sense:

  • Never click on a link in an email if you're unsure who the sender is.
  • If you DO think it's a legitimate email from a service that you use, don't click the links. Log into the service by typing the address into your web browser.
  • Always read important announcements from your services.
  • Use good passwords, and a password manager.

Good luck!

Daylite 4.3, and tales of software development

Marketcircle just released (yesterday) a big update to their flagship app, Daylite, version 4.3. It brings a whole slew of new features (read about them here) and bug fixes/improvements (here). I know they've been working on this new release for a long time, and I've seen (but not participated in) the multiple beta testing rounds, the back-and-forth feedback they got from their testers, and the adjustments and improvements made along the way. It's enough to remind me never to get into the business of writing software. Yet, after all that very thorough, very detailed and rigorous work and testing, there was a show-stopping bug with the release. It only affected some users using a "side" feature of Daylite (subscribing to iCloud calendars to be displayed in Daylite via CalDAV), but it was a bad bug: both Daylite and iOS devices crashed moments after launch. Not only was this a huge annoyance to users, but it is mud on the face of Marketcircle.

When things like this happen, to any software company, the general internet public (who hasn't seen the work going on behind the scenes) can be pretty brutal on Twitter and forums. You hear some pretty harsh things, accusing the company of being bozos, inept, wondering why they didn't test everything, or anything, etc. etc. And for the most part, it just isn't fair.

For Marketcircle's part, they did what they always do: acted exceptionally. The first tweet about the issue appeared about 2am this morning, and a Daylite partner in Germany woke the owner of Marketcircle up around 4:30am. In a few hours, a beta version that fixed the bug was released and posted. A few hours after that, an email was sent to all Daylite users with a description of the issue, and a link to the fixed new version.

That's what I love about Marketcircle, and why I put my trust in Daylite for my, and my client's, business. Making software is hard, making excellent software is even harder. But being excellent makes the difference.

NOTE: it turns out this was caused by... "an issue introduced by Apple in an update to their iCloud calendar servers early this morning". So, simultaneous to their new release, Apple made a change unbeknownst to Marketcircle, moving the goalposts as it were. But that's how the software development ball bounces.

Passwords!?!?! Enough Already!

It is 2013. We've all been using computers and the internet for years, and even decades, by now. But I still see terrible, guessable, written-on-a-post-it on the monitor passwords. The same password used everywhere. A phone number as a password. The street address as a password. And no matter how gentle or firm, strong or subtle, zealous or casual, I am with my clients, most still have terrible passwords and password policies.

I am sympathetic; I get it that there are new passwords popping up everywhere, and that they're a PITA to manage. I get it. But having lousy passwords and password management is the single biggest tech boo-boo that ordinary people make in their business and personal lives.

Just like brushing your teeth, changing the oil in your car, and carrying your house keys around, it is just another "chore" that we'd be crazy not to do, and one where we accept a level of inconvenience, because we've decided it outweighs the alternative. So it is with passwords, and password management.

So please, if you are one of the "bad" password people, or even if you think you're really good, read this one awesome ebook... Take Control of Your Passwords. Joe Kissel really makes things clear, readable, not too long or too wordy, and gets to the heart of the password problem plaguing us today. I agree and advocate 99.9% of everything that's in this book. So do yourself a favor, and give it a read. Don't just take it from me, listen to Joe...

Expanding Daylite with Great Plugins

Since being released last year, Daylite 4 has added a ton of great features and enhancements to the venerable Mac & iOS CRM. But there are still many things it can't do. To fill some of those gaps, the developers at iOSXpert in Germany have been making great plugins and add-ons for Daylite. Here are a few of my favorites.

ProductivityTools

Just released today, ProductivityTools adds the ability to duplicate appointments, create new appointments from an existing task, and send tasks and appointments as an email, with user-configurable templates. Take a look at the demo video...

MailChimp

The best email blast / email newsletter tool out there is MailChimp. And while Daylite 4 and MailChimp can work together without it, iOSXpert have made a neat little plugin that makes moving contacts to MailChimp a breeze.

WebConnector

WebConnector is like a little web browser built into Daylite 4. It lets you do web searches on selected people and companies right from their card. With built-in destinations like LinkedIn, Facebook, Google, etc., it makes researching and adding data to a contact very fast and easy.

About Tech News and "Macs are vulnerable" Stories

Just yesterday, there was a widely reported news story about how Macs are vulnerable to a "zero-day exploit" of the new version of Java 7. The story is technically true, but all but the most nerdy tech nerds can completely ignore it.

Why? "Aren't you being cavalier with Mac security by not reacting to this grave and serious issue?!?!" you may ask. No, I'm not, and I take Mac and Apple security very seriously. But this story, and almost every other one before it, is all smoke and no fire. Let me explain.

In this most recent story, some computer techs have set up a test case in which they've found a way that a Mac could be vulnerable if the parameters were right. But those parameters are so obscure that 99.999% of the Mac-using public is never going to meet them.

By default, Java isn't installed on Macs running OS X 10.7 (Lion) or OS X 10.8 (Mountain Lion). (Java is a programming language that can run on Macs, Windows and Linux machines. Read about it here). If a user installs an app on the Mac that needs Java to run, they're prompted to download an installer from Apple, which delivers the latest version of Java 6 -- a version not vulnerable to this exploit. For users of OS X 10.6 and older, the last version of Java that is installed by default is also Java 6.

This exploit would only affect those power users who skipped Apple's process for getting Java on a Mac, and replaced it with their own install of Java 7, AND who run their browsers with Java enabled. If you were one of those people who met those criteria, then you'd be vulnerable to this exploit. But you'd also likely be technical enough to follow/understand this sort of thing in the first place.
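If you'd rather check than guess which camp a Mac is in, the Java half of those criteria can be read from Terminal. The script below is an added example, not part of the original post: the function names are made up here, and the sample version strings are constructed in the format `java -version` prints. It cannot see browser settings, so a Java 7 result still means checking whether Java is enabled in your browsers.

```shell
#!/bin/sh
# Added example (not from the original post): classify a machine by the
# Java criterion described above, i.e. Java 7 versus Java 6 or no Java.

# java_major TEXT
# Print the major Java version found in `java -version` output, or "none".
# Version strings of this era look like: java version "1.7.0_06"  (major 7)
java_major() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    # No quoted version string at all: Java is missing or the text is
    # something else (for example an "install Java" prompt message).
    [ -n "$ver" ] || { echo none; return 0; }
    case "$ver" in
        1.*) ver=${ver#1.} ;;   # legacy scheme: 1.6 means 6, 1.7 means 7
    esac
    echo "${ver%%[._-]*}"       # keep only the leading number
}

# java7_status TEXT
# Map the major version to one of three outcomes.
java7_status() {
    case "$(java_major "$1")" in
        none) echo "no-java" ;;
        7)    echo "java7-check-browser-plugin" ;;
        *)    echo "not-java7" ;;
    esac
}

# Constructed sample outputs, so the script runs the same on any machine.
# On a real Mac, use instead:  java7_status "$(java -version 2>&1)"
for sample in \
    'java version "1.6.0_33"' \
    'java version "1.7.0_06"' \
    'No Java runtime present, requesting install.'
do
    printf '%-48s => %s\n' "$sample" "$(java7_status "$sample")"
done
```
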

While technically correct, the real-world impact is almost non-existent. But any news story that has "Macs now affected by virus!" or similar sure gets the authors page views and ad revenue.

So the moral is: don't let sensational headlines worry you. There have been, and will be, occasional flaws, bugs, and vulnerabilities that can affect Macs, and when there are, Apple has been pretty good about addressing those. If something comes around that really is serious, you will hear about it in a big way, not a little "scare" story like this most recent one.

Also, if you happen to have Java 7 installed, you can still do something easy to limit the vulnerability; just disable Java in your browser(s). In Safari, go to Preferences --> Security --> and uncheck Java. In Firefox, go to Tools --> Add-ons --> Plugins --> Disable "Java Applet Plug-in Java 7 Update 6". In Chrome, browse to chrome://settings/content and select 'block-all' under Plug-ins.