Show of 06-08-2019

Tech Talk

June 8, 2019

Email and Forum Questions

  • Email from John in Houston: Dear Tech Talk. I’ve been thinking lately about creating Linux installation media (DVDs and USB flash drives) on my home computer and selling them on EBay. My question is can I legally do that without getting into any kind of legal trouble? I see other sellers doing it but I don’t want to get caught up in some kind of sting. John in Houston
  • Tech Talk Responds: To answer your question, as I explained in this post it’s completely legal to sell free software that’s distributed under a GNU Public License (GPL for short), and that indeed includes Linux distros. Companies such as Red Hat have built profitable businesses by doing just that. All the popular Linux distros can be downloaded from the web for free by anyone with a computer. That might make selling them pretty tough, but you just might be able to pull it off if you can come up with some way to add some kind of extra value for the consumer to the deal. For example, if you could come up with some type of valued-added product or service that you can sell along with the installation media that would greatly enhance your chance of succeeding. You could use the Red Hat company as a guide.
  • Email from Susan in Alexandria: Hello again, Dr. Shurtz. I always thought you had to make an Ethernet connection to your router to change the Wi-Fi password. Is that no longer the case? That is why I asked how to connect a tablet to the router with an Ethernet cable, not so I could surf the web that way!  I appreciate the advice on what is required. Thanks for Tech Talk, it’s always interesting! Susan in Alexandria
  • Tech Talk Responds: You can configure everything without connecting to your router with Ethernet. You can change the Wi-Fi password, the login password, or anything else. After you make these changes, simply reboot the router. If you change the Wi-Fi password, you will have to connect again to Wi-Fi and provide the new password. When you set the password, do not use WEP. Use WP2 because of the enhance security.
  • Email from Wendy in Fairfax: Dear Tech Talk. My daughter helped me get on Facebook so I can talk to her and my grandchildren and share pictures back and forth with them (they live out of state). She sent me some pictures last night that I would really like to print but I cannot figure out how to do it. Can you tell me how to print photos from Facebook? My computer has Windows 10. Wendy in Fairfax
  • Tech Talk Responds: As you’ve already discovered, you can’t simply right-click on a Facebook photo and click “Print” as that option doesn’t exist. Fortunately, there is an easy way to print your Facebook pictures without using any third-party software.
    • Scroll through your Facebook photos until you find the photo you want to print, then click on that photo to open it on its own page.
    • Right-click on the photo and click Save as.
    • Save the photo to your computer’s Desktop.
    • Right-click on the saved photo and select Print from the drop-down menu.
    • Select the print settings that you want and insert a sheet of photo paper into your printer.
    • Click the Print button.
  • Your photos should print just fine, and you now have a copy on your computer as well as the originals that are still in your Facebook account.
  • Email from Lilly in Fairfax: Dear Doc and Jim. Why am I getting a delay notification on an email I sent? I am trying to send an e-mail to a co-worker and I keep getting the following message:
    • Delivery Status Notification (Delay). This is an automatically generated Delivery Status Notification. THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE.
  • The strange thing is that it is only happening with that specific e-mail address. What does it mean, and why it is happening? Enjoy the show. Lilly in Fairfax
  • Tech Talk Responds: Email uses a transfer method called store and forward. When you send an email, it is received by a mail server, stored for some period of time, and then forwarded to the next server in the path on its way to your recipient. Eventually it is received by the recipient’s mail server, where it’s stored until the recipient downloads it, or reads it online. The time that a server holds your message before forwarding it is typically very short, which is why email often appears to be nearly instant. There could be any number of delays along the email’s path to your recipient. The most likely delay is that recipient’s mail server is temporarily offline. Rather than fail to deliver the email, your mail server keeps trying to pass the message along and send you a delayed delivery message. It keeps trying for around five days, then is stops and sends you a Failed Delivery message. If you message is urgent, you might try calling them.
  • Email from Tung in Ohio: Dear Doc and Jim. I am trying to call my friends in Vietnam. I would like use a cheap Internet connection. What are my options? Love the show. Tung in Ohio
  • Tech Talk Responds: There are a number of voice-over-IP options. If your friends also have Internet access with data, the ca is completely free. If they don’t have a data connection, you will have to call either their landline or their mobile phone connection. You can use Skype either on a laptop or on your cell phone. Skype client to skype client is a free call. If you use Skype to call a phone number in Vietnam is around 10 cents a minutes. This is called Skype Out and you will have to put money into your prepaid account. I like to use Viber on my iPhone. If your friends have Viber and they have data access, it will automatically ring and the call will be free. You can also Viber Out to a phone number for the same price as Skype. WhatsApp is another popular VoIP application. It is used extensively in Asia. I my case I have Ooma which is a VoIP phone system for the house. I have place about $30 in a prepaid account. If I call overseas, the Ooma rates are automatically at the low VoIP rate and I don’t have to do anything special. When I travel I used Viber whenever I have Wi-Fi access. Internal calling through the Telco’s is dying fast.
  • Email form Jim in Michigan: Dear Tech Talk. I keep seeing this option to eject my USB drive before removing it. Is that really necessary or can I just pull it out. Enjoy the show. Jim in Michigan.
  • Tech Talk Responds: Computers use something called write caching to improve performance: if you copy something to your drive, it’ll tell you it’s completed the task, but it’s actually waiting until it has a few other tasks to perform so it can do them all at once. When you press eject, your PC finishes anything in the queue to make sure you don’t incur any data loss. Windows does a better job of avoiding problems than OS X and Linux, but we recommend ejecting all your drives anyway. It is worth keeping your data safe.
  • Email from Lee in North Carolina: Dear Doc and Jim. I am having trouble connecting my new Bluetooth speaker to my laptop. Sometimes it works. Other times, it just wont link. What can I do go get a reliable connection? Love the show Lee in North Carolina. Lee in North Carolina
  • Tech Talk Responds: Bluetooth depends on both hardware and software to work properly. What you can do about pairing failures
  • Make sure Bluetooth is turned on.
  • Determine which pairing process your device employs. The process for pairing devices can vary. Sometimes, for example, it involves tapping a code into your phone. Other times, you can just physically touch your phone to the device you want to pair it with. Or in the case of the Bose SoundLink, you only have to hold down a button on the speaker to pair it with a phone.
  • Turn on discoverable mode.
  • Once it finds your phone, the car may ask for a numeric code you need to confirm or input on your phone.
  • Make sure the two devices are in close enough proximity to one another.
  • Power the devices off and back on.
  • Power down likely interferers. You may be connecting to your spouse’s device by mistake.
  • Delete a device from a phone and rediscover it.
  • Get away from the Wi-Fi router.
  • Make sure the devices you want to pair are designed to connect with each other.
  • Download a driver. If you’re having problems pairing something with your PC, you might be lacking the correct driver.

Profiles in IT: Mark Jonathan Pincus

  • Mark Jonathan Pincus is an entrepreneur best known as the founder of Zynga, a mobile social gaming company. Zynga’s most popular game was Farmville.
  • Pincus was born February 13, 1966 in Chicago.
  • In 1984, he graduated from Francis W. Parker School.
  • In 1988, he received a BS in Economics from the Wharton School of the University of Pennsylvania.
  • After graduating, Pincus spent two years working as an analyst in the New Media Group at Lazard Freres & Co. He then moved to Hong Kong, where he served as a Vice President for Asian Capital Partners for two years.
  • He returned to the US and earned an MBA from the Harvard in 1993.
  • After graduating, he took a job as a manager of corporate development at Tele-Communications, Inc., which is now AT&T Cable.
  • In 1994, he joined Columbia Capital as VP, where he led investments in new media and software startups in DC.
  • In 1995, Pincus founded his first startup, Freeloader, Inc. The company was acquired seven months after its launch by Individual, Inc., for $38 million.
  • He then started his second company, Support.com, in August 1997. As Chairman and CEO, Pincus built the company into a leading provider of help desk automation software. The company went public in July 2000 at a $1.5 billion valuation.
  • In 2002, the company changed its name from Support.com to SupportSoft, Inc.
  • In 2003, at age 37, Pincus founded his third startup, Tribe.net, an early social network. In 2007, Cisco Systems acquired the core technology of Tribe.net to develop a social networking platform for its digital media services group.
  • Pincus was a founding investor in Napster, Facebook, Friendster, Snapchat, Xiaomi and Twitter.
  • In July 2007 Pincus founded his fourth company, Zynga Inc. Zynga developed games on top of social networks such as Facebook, Myspace, and Bebo.
  • More than one billion people have played Zynga’s games across Web and mobile, including FarmVille, Zynga Poker, Words With Friends, Hit it Rich! Slots and CSR.
  • In 2011, Pincus took the company public with a $1 billion IPO. Pincus served as CEO of the company from 2007 to 2013.Pincus remained actively involved in the company as Chairman of the Board and Chief Product Officer.
  • Pincus returned to the role of CEO of Zynga in April 2015 until March 7, 2016.
  • In 2014 Pincus started Superlabs, an incubator to fund startups. Zynga acquired Superlabs in 2015.
  • In 2017, Pincus, alongside Reid Hoffman and Adam Werbach, launched Win the Future, a movement within the Democratic Party.
  • Pincus is a member of the board of the Presidio Trust, a federal agency that operates and maintains the Presidio as part of the Golden Gate Recreation Area

A Cryptocurrency Wallet Developer Hacked Itself

  • Komodo is a developer startup known for its work in cryptocurrency and creating the Agama cryptocurrency wallet.
  • That wallet is dependent on a JavaScript library maintained in npm (node package manager), and a malicious actor tried to take advantage of the open source nature of the code.
  • A few months ago, an anonymous contributor made a “useful update” to the library, creating a new dependency. They waited until that update incorporated into the Agama app, then made a change to the new dependency to create a backdoor into the app.
  • The staff at npm noticed the changes, realized what was going on, and contacted Komodo. Unfortunately, by this point, the backdoor was already in place. Merely updating the app to remove it might not be enough; anyone who did not get the update before the hacker broke in would lose their cryptocurrency.
  • So Komodo hacked itself. It used the very backdoor the malicious actor planted to sweep up 13 million dollars’ worth of cryptocurrency and move it to a place the hacker couldn’t reach.
  • Komodo published a blog to inform its users of what it did, why it did it, and how they can reclaim their money and transfer it back to new, hopefully, more secure, wallets.
  • All of this is, of course, a lesson in the dangers and strengths developers encounter when using third-party libraries and open software that allow anyone to contribute.
  • Bad actors can manipulate open software in ways that are not possible with proprietary software.

Wave of SIM swapping attacks hit US cryptocurrency users

  • SIM swapping, also known as SIM jacking, is a type of ATO (account take over) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfers a victim’s phone number to their own SIM card.
  • The purpose of this attack is so that hackers can reset passwords or receive 2FA verification codes and access protected accounts.
  • These types of attacks have been going on for half a decade now, but they have exploded in 2017 and 2018 when attackers started focusing on attacking members of the cryptocurrency community, so they could gain access to online accounts used for managing large sums of Bitcoin, Ethereum, and other cryptocurrencies.
  • But while these attacks were very popular last year, this year, the number of SIM swapping attacks appeared to have gone down, especially after law enforcement started cracking down and arresting some of the hackers involved in these schemes
  • An increase in SIM swapping attacks have been reported in the second half of May 2019. Beware if you own cryptocurrency.

Apple’s Worldwide Developers Conference 2019 Update

  • Apple announced dozens of new features, changes, hardware, policies, and more.
  • One of the big takeaways from the keynote is Apple’s continued and expanding focus on privacy. With iOS 13, Apple will let you grant location permissions just once, and iOS will notify you when apps continue to track your location. Additionally, the company will prevent apps from tracking your location through Bluetooth and Wi-Fi.
  • Apple introduced a new “sign in with Apple” feature for apps, services, and even the web. It is similar to the “Sign in with Google or Facebook” options, but instead of letting a company track you, the idea here is to prevent that behavior. Apple says it will require all iOS apps that provide a third-party sign option to implement sign in with Apple.
  • The company also detailed out how watchOS, MacOS, and even map and voice control features are fine-tuned to protect your privacy.
  • The iPad is leaving iOS for iPadOS: Apple is separating the iPad’s OS from the iPhone. They still share a common ancestry, but the two systems are growing apart enough to need more significant degrees of separation.
  • Apple is spitting apart iTunes into three separate apps unless you’re on Windows: The company acknowledged the program grew too big and so will split it into three different Music, TV, and Podcasts apps. For now, nothing changes on Windows.
  • The new Mac Pro is as powerful as it is expensive: Apple unveiled the new Mac Pro yesterday, and the trashcan look is out. Now you get a cheese grater. It includes a Xeon processor, and a max configuration of 28 cores for the processor and 1.5 TB of ram. Starting at $6000, it is expensive. Apple offers a $5,000 monitor to complete the package.
  • iOS 13 will save your iPhone’s battery life: Lithium-ion batteries retain max-capacity for longer if you keep them charged between 40% and 80% as much as possible. Of course, you want 100% to make it through the day. Starting in iOS 13, iPhones will have an option to provide you with the best of both worlds. It’ll keep your phone at 80% most of the night, then charge to 100% shortly before you wake up. [How-To Geek]

iPadOS Will Almost Make Your iPad a Real Computer

  • If you’ve used an iPad, you know that they’re missing a lot of critical features people use on computers. Support for mice and external storage devices, a proper desktop browser, and better multitasking.
  • These are all arriving with Apple’s new iPadOS.
  • Apple announced the iPadOS operating system at WWDC 2019. Like tvOS, iPadOS is still based on iOS.
  • iPadOS is based on the upcoming iOS 13 operating system. However, it has a new name and more iOS-only features that aren’t available on the iPhone.
  • The iPad (and maybe iPhone) are getting mouse support! Connect a USB (or presumably Bluetooth) mouse to your iPad, and you get a sort of mouse cursor you can use to navigate the interface.
  • iPads already support external keyboards with keyboard shortcuts, so this should make the interface much more powerful and PC-like.

A Virtual Private Network is Essential for Public Wi-Fi

  • Public Wi-Fi connections are dangerous because your Internet traffic can be intercepted by someone on the same network.
  • Each year in the United States more than 16 million identities are stolen, with the majority being stolen through untraceable sources.
  • Your best protection is to use a VPN. A VPN, short for virtual private network.
  • Your data is encrypted by the VPN server, allowing you to securely browse the web.
  • Your online activity is hidden, and any of the data you send and receive, including files and emails, is protected using end-to-end encryption.
  • Even if someone hacks your internet connection successfully, they would not be able to read your activity or see your data if you are using a VPN.
  • My go to VPN is ExpressVPN. I have it on my laptop and smartphone. It costs about $100 per year.

Russia Says It Will Soon Begin Blocking Major VPNs

  • Russian telecoms will start blocking major VPNs including NordVPN, ExpressVPN, IPVanish and HideMyAss, following through with its threat back in March.
  • At the time, ten major VPN providers were ordered to begin blocking sites present in the country’s national blacklist — but almost all of them didn’t comply.
  • Within a month, the non-compliant providers will themselves be placed on the country’s blacklist (known locally as FGIS), meaning that local ISPs will have to prevent their users from accessing them.
  • TorGuard has already pulled its servers out of Russia and ExpressVPN currently lists no servers in the country. The same is true for OpenVPN although VyprVPN still lists servers in Moscow, as does HideMyAss.

Worldwide Worm Attacks are on the Rise

  • For the past three weeks, security professionals have warned with increasing urgency that a recently patched Windows vulnerability has the potential to trigger attacks not seen since the WannaCry worm that paralyzed much of the world in 2017.
  • Members of the Microsoft Security Response Team practically begged organizations that hadn’t patched vulnerable machines to do so without delay.
  • It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks.
  • It means all it takes is one unpatched system to lead to an infection of patched systems.
  • NotPetya, which is regarded as the most expensive malware attack in history, used the Eternal Blue exploit developed by and later stolen from the NSA to exploit one or more vulnerable machines

Advanced Backdoor Preinstalled on Android Devices

  • Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers.
  • Triada first came to light in 2016 in articles published by Kaspersky in an article which said the malware was “one of the most advanced mobile Trojans” the security firm’s analysts had ever encountered.
  • Once installed, Triada’s chief purpose was to install apps that could be used to send spam and display ads.
  • It employed a set of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS’ Zygote process. That meant the malware could directly tamper with every installed app.
  • Triada also connected to no fewer than 17 command and control servers.
  • In July 2017, security firm Dr. Web reported that its researchers had found Triada built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
  • Because the backdoor was embedded into one of the OS libraries and located in the system section, it couldn’t be deleted using standard methods, the report said.
  • Google said the supply chain attack was pulled off by one or more partners the manufacturers used in preparing the final firmware image used in the affected devices.
  • An OEM might collaborate with a third party to develop additional features and send the whole system image to that vendor for development.
  • Based on analysis, Google believes that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada.
  • The backdoor allows it to use the Google Play app to download and install apps of the attackers’ choice.
  • The apps were downloaded from the C&C server, and the communication with the C&C was encrypted using the same custom encryption routine.
  • Triada developers resorted to the supply-chain attack after Google implemented measures that successfully beat back the backdoor.

The Surveillance Threat Is Not What Orwell Imagined

  • Observations by Shoshana Zuboff, author of The Age of Surveillance Capitalism.
  • George Orwell published the book 1984 seventy years ago.
  • Orwell sought to awaken British and U.S. societies to the totalitarian dangers that threatened democracy even after the Nazi defeat.
  • Since 1984’s publication, we have assumed with Orwell that the dangers of mass surveillance and social control could only originate in the state.
  • We were wrong. This error has left us unprotected from an equally pernicious but profoundly different threat to freedom and democracy.
  • For 19 years, private companies practicing an unprecedented economic logic that Zuboff calls surveillance capitalism have hijacked the Internet and its digital technologies.
  • Invented at Google beginning in 2000, this new economics covertly claims private human experience as free raw material for translation into behavioral data.
  • Some data are used to improve services, but the rest are turned into computational products that predict your behavior.
  • These predictions are traded in a new futures market, where surveillance capitalists sell certainty to businesses determined to know what we will do next.
  • This logic was first applied to finding which ads online will attract our interest, but similar practices now reside in nearly every sector (insurance, retail, health, education, finance and more) where personal experience is secretly captured and computed for behavioral predictions.
  • By now it is no exaggeration to say that the Internet is owned and operated by private surveillance capital.
  • In the competition for certainty, surveillance capitalists learned that the most predictive data come not just from monitoring but also from modifying and directing behavior.
  • For example, by 2013, Facebook had learned how to engineer subliminal cues on its pages to shape users’ real-world actions and feelings.
  • Later, these methods were combined with real-time emotional analyses, allowing marketers to cue behavior at the moment of maximum vulnerability.
  • These inventions were celebrated for being both effective and undetectable. Cambridge Analytica later demonstrated that the same methods could be employed to shape political rather than commercial behavior.
  • Augmented reality game Pokémon Go, developed at Google and released in 2016 by a Google spinoff, took the challenge of mass behavioral modification to a new level.
  • Business customers from McDonalds to Starbucks paid for “footfall” to their establishments on a “cost per visit” basis, just as online advertisers pay for “cost per click.” The game engineers learned how to herd people through their towns and cities to destinations that contribute profits, all of it without game players’ knowledge.
  • Democracy slept while surveillance capitalism flourished. As a result, surveillance capitalists now wield a uniquely 21st century quality of power, as unprecedented as totalitarianism was nearly a century ago.