15 Dec

Net Neutrality is Dead, What That Means

The FCC, headed by probable Telco Henchman Ajit Pai, just voted to repeal Net Neutrality rules put in place during the Obama administration. These protections were enacted to protect consumers from having their internet traffic de-prioritized by Internet Service Providers for any reason, whether that be content-based, source-based or otherwise. There has been a lot of alarmist hand-wringing about what this could mean for the free and open Internet as we know it in the United States. Here are some ways in which you may be affected without these protections.

Cell Wars

Mobile phone providers have recently begun allowing freebies on top of their data plans. For example T-Mobile doesn’t count music streaming from a number of streaming services towards your data plan usage. It’s not that much of a stretch to assume that, now that it is legal, mobile providers may start adding on charges for these services rather than including one or more with their data plans. It will allow for them to look at usage patterns and inflate their bandwidth offerings, knowing that users will need to pay more to get the services they actually use on their devices.

Providers in other countries (like in the Philippines, where we have offices) have already partitioned data charges like this, separating access to things like Facebook, streaming services, and messaging to add multiple fees to customers’ bills. The messaging portion is especially interesting to the providers, as they have begun losing SMS dollars to free services like iMessage, Facebook Messenger, and WhatsApp that utilize data services rather than the providers’ SMS networks.

The Cable Companies Strike Back

“Cord Cutting” has been happening at a breakneck pace now that streaming services such as Netflix, Hulu, Amazon Prime, and HBO Now allow consumers to watch original and broadcast network programming on their TVs and any number of devices without being beholden to the cable companies. But some of these consumers are still stuck using those cable companies as ISPs as well (Spectrum is the only high speed Internet vendor in my neighborhood). You can be sure that as their bottom lines take a hit, they’ll hit back with increased fees specifically targeting traffic from streaming competitors. This can happen by bandwidth throttling or outright charging for a package including streaming, whereas it was previously illegal to do so.

Return of the Monopoly

If you are old enough, you’ll recall when the US government broke up AT&T’s control of the Bell Operating Companies, reducing its stranglehold on telecommunication in the US and Canada. As telcos have gobbled up smaller providers and merged with one another, the 8 “Baby Bells” that resulted from the original split are now essentially 3 companies: Verizon, AT&T (again), and CenturyLink. These are also now some of the largest providers of ISP services in the country along with the previously mentioned cable companies. However, CenturyLink has been partnering with Comcast in some markets, AT&T is trying to merge with Time Warner, and Spectrum is the new company resulting from the merger of Charter, Bright House, and Time Warner cable providers.

As options for access decrease, the “free and open market” that supposedly prevents these providers from overcharging their consumer-base disappears.

The Phantom Menace (Sorry)

Finally, the picture painted by all of the above mergers is one in which content generators and access companies are no longer separate. This wasn’t a problem as long as phone/data purveyors didn’t care what you did with their lines, but now, we are in a world where ISPs own studios and streaming services, and they all want access to their content to be free and fast, but are disincentivized to offer the same access to their competitive content creators. This means poor quality streaming if the content isn’t also created by the ISP or its parent company.

Epilogue

Sure, there’s no guarantee that any of these worst-case scenarios will definitely occur. But these publicly traded companies are beholden to their shareholders before their customers, so the bottom line will always be king. That used to give the consumer some power, when they could vote with their dollars and leave a vendor that wronged them, but as we see with all of the consolidation in the industry, that competition pressure is becoming less and less relevant. Only time will tell how bad things will get, but be prepared for what may come.


06 Dec

End Hold Music Forever!

Recently, as one of our partners was calling into the office, he had to endure a brief hold on our VoIP phone system that was accompanied by tinny-sounding and objectively bad instrumental music. It was a painful and effective reminder of one of the “little things” that affects customer experience, and it got us thinking, why do we even have hold music at all?

A brief dive into the history of hold music reinforced our original thought: that hold music is an antiquated relic of a bygone era, and as such should be dispatched.

Taking a romantic view of early telephone service, one might be inclined to look at hold music as an evolution of early telephone broadcasts of public symphony and opera performances. The extended gap between these long-distance music transmissions and the widespread adoption of hold music across phone systems, however, seems to make that connection a bridge too far.

In fact, the “invention” of hold music has been attributed to a mis-wiring incident in a factory in the 1960s. A loose phone system wire was grounded to the building, turning the entire thing into an AM antenna and sending broadcast music through to callers. Alfred Levy, the factory owner, patented this mistake some years later. Of course this is the foundation upon which millions of smooth-jazz bricks have been laid over the years. At that time, however, there were two factors in telephone communications that are no longer relevant today:

  • Switchboard operated calls meant long wait times at the beginning of every call
  • Analog phones had no way of alerting callers that silence on the line was due to a dropped call and not simply remaining on hold

Without these factors, why do we still need hold music? We don’t! Nor do we need to be notified by a robot every 30 seconds that “someone will be with you as soon as possible.” Today, having hold music is akin to forcing your clients to listen to one song on your Spotify playlist over and over again every time they want to speak to you. Why be an authoritarian DJ? Today we are starting a movement to put an end to this barbaric tradition. We have replaced the hold music on our phone system with recorded silence. It is a testament to how ingrained in the system this music is, and how great a battle we face, that we have to replace bad hold music with manufactured silence rather than simply turn it off. #ENDHOLDMUSIC

01 Feb

One Weird Trick Saved My 90-Year-Old Grandmother Thousands (and can Save You from Whaling)

“Is this Todd? Hi sweetheart, I have the five thousand dollars, I can send it to you immediately…”

“NO! STOP! Redeposit the money immediately and don’t answer any further calls from unknown numbers, that wasn’t me and I’m not ‘in trouble in Europe’ or anywhere else.”

With a simple phone call to me directly to confirm a request, my grandmother avoided being scammed for thousands of dollars. Of course she had already gone to the bank in a rush and taken the money out, but this one safeguard prevented what would have been a huge loss.

We all know not to click-through to login links within emails purporting to “ensure your account is up to date” or “prevent your account from being locked out,” right? Right. But these standard phishing lures have recently given way to more insidious (and possibly far more costly) “whaling” emails.

Whaling refers to a specific and targeted attack that abuses trust through the use of techniques including social engineering, email spoofing, and time-delimited requests. The process usually goes something like this:

  • Attacker learns corporate structure via public org charts or social engineering
  • Attacker may compromise email accounts for one or more executives using traditional phishing methods
  • Emails are sent (or spoofed) from an executive account to operations requesting an immediate, time-sensitive wire transfer

There are variables, such as whether the transfer purports to be to a known vendor, what the immediate need is, or whether previous similar email requests have been compromised to more closely emulate protocol.

Some would say that is the responsibility of IT to lock down servers and prevent these types of emails from getting through, but if an account is compromised through phishing or social engineering, there is not much that can be done to prevent internal emails.
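The spoofed-sender case in the process above does leave traces that mail filtering can flag before a request reaches operations: an executive’s display name on an outside address, a Reply-To that diverts the conversation, failed sender authentication, and urgent funds-transfer wording. The check below is an added example written for this post, not the author’s or any vendor’s code; the corporate domain, executive roster and sample message are constructed placeholders. As the paragraph notes, it cannot catch a genuinely compromised internal account, which is why the call-back rule still matters.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Assumptions (placeholders, not from the post): the company's own mail domain
# and a roster of executives whose names a whaling email would borrow.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URGENCY = re.compile(r"\b(immediately|urgent(ly)?|asap|right away|today)\b", re.I)
FUNDS = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def whaling_indicators(raw_message: str) -> list[str]:
    """Return the list of whaling indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    flags = []

    # Executive display name on an address that is not that executive's.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display name '{name}' is an executive but sender is {addr}")

    # Sender outside the corporate domain (lookalike domains land here too).
    if _domain(addr) != CORP_DOMAIN:
        flags.append(f"sender domain {_domain(addr)} is not {CORP_DOMAIN}")

    # Reply-To pointing somewhere other than the sender diverts the thread.
    if reply_to and _domain(reply_to) != _domain(addr):
        flags.append(f"Reply-To {reply_to} diverts replies away from the sender")

    # The receiving MTA's Authentication-Results header records SPF/DMARC outcome.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        flags.append("sender authentication (SPF/DMARC) failed")

    # Urgency plus money-movement language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text) and FUNDS.search(text):
        flags.append("urgent funds-transfer request")
    return flags


# Constructed sample: a lookalike domain, diverted Reply-To, failed SPF.
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@example-c0.com>
Reply-To: Jane Doe <jd.ceo@webmail.example>
To: ops@example.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-c0.com

Please wire $48,000 to the new vendor account immediately, I'm in meetings all day.
"""

# Constructed sample: a routine internal message from the real executive address.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: ops@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass dmarc=pass

See you at noon.
"""

if __name__ == "__main__":
    for flag in whaling_indicators(SAMPLE_WHALING):
        print("-", flag)
```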

Consensus says that internal training is the best bet for preventing unauthorized transfers. Like my grandma in the above example, ALL users with access or ability to transfer company funds should be trained to ALWAYS confirm via a phone call before committing any transactions requested via any digital medium.

Stay tuned for a list of best practices to harden your business (and employees) against phishing and whaling attacks.

28 Dec

The Age of SMS-based Two-factor Authentication is Over

Recent password hacks at well-known brands like Evernote, Twitter, and LinkedIn have shined a light on the problem of passwords, and how vulnerable we can be as a result of poor password choices.

The National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce, creates national-level guidelines and rules for measurements, and among the many it must keep up to date are some relating to secure electronic communications. Electronic communication security comes in many flavors, with two-factor authentication being a popular, emerging method. Two-factor authentication is one of the best ways to prevent unauthorized access to your accounts, even if somebody manages to steal your password.

Two-factor authentication, or 2FA, adds an extra step to your basic password-based login procedure. Without it, all that is required for authentication is your username and password, making your password your single factor for authentication. Two-factor authentication protects your accounts by requiring you to provide an additional piece of information after you give your password in order to get into your account. In the most common application, an online service will send you a text message with a unique string of numbers and/or characters that you’ll need to enter in order to access to your account.

Adding an extra layer of SMS-based verification to your login procedure is certainly better than relying on a password alone. However, arguments can be made suggesting that two-factor authentication using SMS text messages isn’t two-factor at all. True two-factor authentication requires the user to have two out of three types of credentials before being able to access an account. The three are:

  • Something you know, such as a personal identification number (PIN), password or a pattern
  • Something you have, such as an ATM card, phone, or fob
  • Something you are, such as a biometric like a fingerprint or voice print

Over the summer, NIST, in their latest draft version of the Digital Authentication Guideline, pushed U.S. government agencies to move away from SMS authentication, suggesting that the technology’s use is impossible to verify and easy to intercept. But little appears to have changed, according to a new report from Duo Security, a firm focused on secure access.

SMS authentication “still accounts for hundreds of thousands of authentication requests a day showing no significant change after NIST updated its guidance,” Duo’s Mayank Saha wrote. The drawback of SMS lies in its interoperability—we are able to send a message to a ‘phone number’ without caring if it’s an SMS, MMS or iMessage. Messages sent from a mobile phone might seamlessly switch to an Internet message delivered to a Skype or Google Voice phone number, leaving a backdoor open for hackers and social engineers.

If you don’t already have two-step authentication enabled on all your accounts, you really need to turn it on for anything sensitive. If you are looking to implement two-factor authentication the right way, here’s how:

Apple

Apple’s two-step verification adds extra security to your Apple ID, and will help prevent people from making purchases in iTunes as well as unauthorized access to your iCloud account. To turn it on, log into My Apple ID, scroll to the Security section, find Two-Factor Authentication and click Get Started…

In addition to providing a phone number where you’ll receive texts, Apple will also force you to write down a recovery key that you’ll need in the event that you forget your password. And write it down, because on the next page, you’ll be forced to prove you wrote it down. These codes, sometimes called backup codes, are important so you can access your account when you’ve lost your phone. [Apple]


Dropbox

Login to your account and click Settings in the top right corner. Under the Security tab click Enable next to the line item that says Two-step verification Status. From the Security page you can also see which devices and desktop browsers have access to your account already, and revoke access if necessary. [Dropbox]


Facebook

Log into your account and navigate to the settings page from the drop-down arrow in the top right corner of the page. Under the Security tab click Edit next to the Login Approvals line. As with Twitter and Microsoft, you can choose to receive SMS verification codes, or use the Facebook mobile app to verify your identity. For a more robust verification application, be sure to enable the recommended Code Generator. [Facebook]


Google

Two-step verification on Google will protect you across all of Google’s many services as well as with third-party apps that use APIs to pull in Google data.

While logged into your Google account, click your avatar in the top right corner of any Google page, and navigate to your Account. At the top of the following page click Security, and then click Enable next to 2-step verification.

Note that because you probably use your Google account with lots of third-party apps like Hangouts, you’ll need to create an app-specific password for each of them. So if you want to log in to a new phone, or enable a new calendar application, you’ll need to head back to the security page, click on App passwords, and let the system generate a key for every app you’d like to link. You only get to see these passwords once, so if you need to enter one again for whatever. This is also where you disable apps that you no longer use or trust.

Also, make sure to set up some backup codes. Don’t get locked out of your email just because you left your phone at home.

Additionally, you can use the Google Authenticator app to generate codes for your account as well. That setup is a little more complicated so follow the preceding link to Google’s detailed instructions. [Google]

Other Sites/Apps

By now you’ve probably recognized that enabling 2FA on your accounts is very similar in procedure from service to service. There are plenty of other services that you’ll want to set it up for. Two Factor Auth offers a comprehensive list of websites and whether or not they support two-factor authentication. Go ahead and get to it, before some opportunity-seeking hackers get to your data.

16 Aug

Inaugural Wine+Tech Meetup at CLINIC

Selosse, Clos Ste Hune, Bruno Claire, Fourrier, Leoville Barton, and more!

You may think that alcohol and technology don’t mix, and in many cases, we would agree. You wouldn’t want to be downing tequila shots before provisioning a new server, or sipping sangria while shipping a new release, that’s for sure. But when your company works with some of the best restaurants in the world, it helps to have a working knowledge of the industry in order to best serve your clients. Thus our predilection for fine wine and spirits here in the CLINIC offices.

We decided to open up our cellars and share the wealth last week with the first of hopefully many Wine+Tech meetups here in the office.

The open invite went out to our food/beverage/hospitality clients and other friends in the industry. We had a great turn-out and drank some great wines (grower champagne from the master, esoteric Burgundy, vaunted riesling from Alsatian riesling royalty, and more bottles that guests brought to share). New bonds were formed, palates were expanded, conversations blossomed, and great snacks were consumed (provided by our friends at Eastern District).

We hope to make this a regular occurrence, so if you’re interested in attending, follow us on Instagram or Twitter and keep an eye out for announcements!


07 Jul

Musings on the NY Prison Break as It Relates to IT Security

Now that David Sweat is back in prison, I would imagine more details will be revealed about the multitude of security breaches that allowed Matt and him to escape. Of course, everyone at Clinic+ gathered around the water cooler to discuss the breaches that led to the escape. Our favorite part was the post-it note they left on the pipe they crawled through basically saying ‘you blew it.’ It reminded us of calling cards left by hackers to gain publicity for their exploits.

Since all things lead back to our own business and our pride in our security systems and policies, we couldn’t help but want to put out some thoughts on the parallels and lessons to be learned from this extraordinary feat.

SLEEP

Prison guards may have slept during their evening shifts, allowing the prisoners to work on their escape unsupervised. While we can’t be constantly vigilant to breach attempts at all access points in a network, we can set thresholds and alerts for possible attempts, and we should always keep detailed access logs and audit them regularly for attack patterns. The clues are there if you pay attention.
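What “thresholds and alerts” on access logs look like in practice, as an added example for this post (not CLINIC’s own tooling): a sliding-window count of failed logins per source address over constructed sshd-style log lines, raising one alert when a source reaches the threshold and another if that same source later logs in successfully. The threshold and window values are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd-style auth log lines (not real logs): a burst of
# failures from one address, then a success from that address, then a normal login.
SAMPLE_LOG = """\
Jul 07 02:14:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 07 02:14:03 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jul 07 02:14:05 bastion sshd[1205]: Failed password for root from 203.0.113.7 port 51034 ssh2
Jul 07 02:14:08 bastion sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51040 ssh2
Jul 07 02:14:12 bastion sshd[1209]: Failed password for root from 203.0.113.7 port 51048 ssh2
Jul 07 02:14:15 bastion sshd[1211]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jul 07 02:14:20 bastion sshd[1213]: Accepted password for root from 203.0.113.7 port 51060 ssh2
Jul 07 02:15:10 bastion sshd[1230]: Accepted publickey for deploy from 198.51.100.4 port 40100 ssh2
"""

LINE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)"
)


def parse(line: str):
    """Return (timestamp, outcome, user, source) for an sshd auth line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m.group(2), m.group(3), m.group(4)


def alerts(log_text: str, threshold: int = 5, window_s: int = 60) -> list[str]:
    """Alert once per source that reaches `threshold` failures inside `window_s` seconds,
    and again if a source that already tripped the threshold then logs in successfully."""
    recent = defaultdict(deque)  # source -> timestamps of failures still inside the window
    tripped = set()
    out = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        if outcome == "Failed":
            q = recent[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and src not in tripped:
                tripped.add(src)
                out.append(f"{ts:%H:%M:%S} {len(q)} failed logins from {src} within {window_s}s")
        elif outcome == "Accepted" and src in tripped:
            out.append(f"{ts:%H:%M:%S} successful login for {user} from {src} after failure burst")
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print("ALERT:", a)
```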

ACCESS

Prison guards not only allowed the prisoners to do their own “work” on the prison electrical system, but they loaned them tools to do it. In IT it is imperative that every system’s privilege policies are as restrictive as possible while still allowing admins to get their jobs done, and that any administrative tools are only accessible to those that need them.

CONTRABAND

Prisoners were smuggled additional tools through a convoluted system of frozen meat and metal detector bypass. The frozen meat was especially fascinating, we’ll see if it shows up on next season’s Orange is the New Black. Similar to the virtual access restrictions above, if you run any of your infrastructure on premise, physical access to those servers MUST be restricted to the admins who control them. We are talking locked cages, closets, or entire server rooms. A breach is not as simple as plugging in an infected USB key like in the movies (or on House of Cards), but physical access can be a starting point for introducing tools that could lead to a breach.

While the nation was mesmerized by the audacity of the escape, the length and breadth of the search, and the eventual killing and recapture of those involved, we should make sure that we don’t forget the original lapses that allowed for this to occur. Take a look at your IT security plans and recognize that it’s easier to make sure they are solidly in place before someone goes in where they shouldn’t, rather than after.

03 Jul

Why Apple Music Sucks…For Now.

I was excited to ditch Spotify for Apple Music, primarily for the ease of integrating streamed/saved music from the service with my existing collection, and to better integrate with Siri while driving. (Hey Siri, play “Here Comes Bohannon.”) I updated my iTunes and my phone as soon as it became available. Here’s why I think it sucks, or at least has a long way to go if it wants to dethrone Spotify.

THE QUALITY

All music made available offline is downloaded in 256 kbps AAC format. There are no options for MP3 or higher/lower bitrates. Can I hear the difference between 256 kbps AAC and 320 kbps MP3? Probably not. But I’d still like the option. And why not offer a lossless version with a premium monthly subscription to target Tidal as well? Perhaps in the future.

THE PROCESS

I started immediately trying to duplicate my Spotify downloads and playlists on Apple Music on my iPhone. It took a while to navigate the new labyrinthine menus in the Music app, but after a while I figured out a quick way to add everything:

  • Search Apple Music for an album
  • Click the … next to the album and select “Make Available Offline” (which automatically adds it to “My Music”)
  • Click the … again and select “Add to Playlist” to add it to whichever playlist you want

Here are the problems with this. First, when adding to a playlist, you don’t have the ability to create a new playlist, so you have to cancel the search, go back to My Music, select the Playlists submenu, and create a new playlist there. Then you have to perform the search again to add it to the new playlist.

Second and most annoyingly, if you don’t wait for the full album to download before adding it to your playlist, it only adds whatever songs you have downloaded to the playlist, not completing the addition once the download completes. If you want to add the full album, you have to go in and manually remove the individual tracks and then go back into the album and add it again.

INTEGRATION

OK, so the process of finding and adding music on the iPhone is annoying, I’ll just manage it all on my Macbook in iTunes, right? No way. I tried adding a bunch of albums to My Music on iTunes, waited for them to show up on my iPhone, nothing. Synced my iPhone and playlists, nothing. Downloaded all the albums from the cloud into iTunes, synced again, nothing. Finally I called Apple support and after being escalated to a senior support specialist, they were able to confirm that “My Music will not sync across any devices.” What? You have this massive ecosystem built around your music products, and you launch this new service, and it doesn’t work across devices? That seems like a massive oversight on someone’s part, and I assume the first thing they are working on fixing.

It’s disappointing that this was such a bad experience out of the box, but then I look back at the first iPhone, and remember not being able to copy-paste, and I have faith that these things will be corrected, because Apple doesn’t like having bad products, at least not for TOO long. Right?

22 Apr

Meeting Fatigue?

A recent article on attentiv.com took a look at the state of meetings in the American workplace and raised some questions on their efficacy and costs.

We here at CLINIC are firmly entrenched in the world of Agile Development. As such, we are very comfortable with the idea of a “stand-up” meeting: a meeting taken on your feet to avoid settling in and dragging on, hopefully taking less than fifteen minutes. What makes this easy in a daily project stand-up is that the agenda and flow are 100% known from the start.

26 Mar

A Hitchhiker’s Guide to Two-factor Authentication

Many companies are aware of basic security measures such as complex passwords and two-factor authentication, but surprisingly few actually utilize them to increase security. Here we’ll take a look at how simple they can be to implement.

Let’s start by demystifying two-factor authentication. As the name implies, this method of authentication typically relies on a password or PIN and one additional factor for authentication, sometimes something physical like a bank card. In this scenario, first you swipe, then you input your PIN. That’s two-factor authentication and it’s something that most of us use on a daily basis.

This can also be applied to your Gmail security. In this scenario, after enabling two-factor authentication for your account, you can either sign up for text message authentication or download the free authenticator app offered by Google from your phone’s app store. Now, when logging into your email you will not only be asked for your usual username and password, but you will also be asked for a special “Token” or PIN acquired from either text message or the app.

While top level data breach prevention should be handled by a company’s IT, users can both empower and safeguard themselves by doing something as simple as signing up for two-factor authentication.

The majority of security breaches aren’t as glamorous as Hollywood would lead you to believe. It is often as easy as a password left on a sticky note or using the same password across all of your services. By taking a few simple steps towards securing your data, you can do your part in protecting your company from a potential breach.

Thanks for tuning in to this first part of a series of posts on data security.