
Evernote’s password hack, and the security of your stuff in the cloud

Like all Evernote users, today I received an email (and blog post) advising that there had been an attack on their systems, and that they have forced a password reset on all users:

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset.

I am a heavy Evernote user, and put a lot of stuff up there – from basic research to business records. I love that I can find my key information so easily. They have solid apps for OSX and iOS (although they have been increasingly buggy lately), and a good browser based system to get at my information from anywhere. I love having my stuff in the cloud so I can get at it wherever I am.

For the past couple of weeks I was teaching a PADI Instructor Development Course in Fiji and on several occasions I was able to quickly get to records that I needed but didn’t have with me through my iPad or MacBook Air. Too easy.

Lately I’ve been wondering about the wisdom of having all my eggs in one basket. I trust the Evernote team, and as a Premium User I have a paid account. But my concerns are three-fold:

  1. If Evernote ever goes away (unlikely, but still a risk), what will happen to my data?
  2. Evernote has to be ever-vigilant for hacking attempts, and they have to win 100% of the time – hackers only have to win once in a blue moon.
  3. As Evernote’s servers are not in Australia, my data may be legally accessed by a foreign government without a warrant!

So it was good to see the following paragraph:

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The next paragraph, while honest and direct, certainly gave me pause, and made me think further about the future of my information storage:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

Just yesterday (before the email went out), I downloaded a copy of DEVONthink, an OSX app that does many of the same things – allowing you to store snippets and documents, easily find them, OCR them, etc. Using Dropbox you can sync data between multiple Macs, and there is an iOS app. The latter feels a bit clunky, and it looks like you need to sync via Wi-Fi. I hope Dropbox sync is coming soon to that, because my iPad is rapidly becoming my main on-the-go device.

There has been a lot of debate about Evernote vs. DEVONthink, and there are very passionate people on both sides, with some very persuasive reasons for their approach. Evernote’s cloud based storage is both its greatest feature and its biggest drawback, depending on your perspective. I had planned to use DEVONthink side-by-side with Evernote for a couple of weeks to get a feel for which (if either) is the better approach for me. I still will, but I think I’ll move more sensitive info straight away.

Back to the security issues. I have been waiting for a while for Evernote to introduce 2-factor authentication. Google has had this for some time, and Dropbox also introduced 2-factor security in 2012, following similar hacking attempts.

Evernote needs to implement 2-factor security as a matter of urgency.

While I am at it, Apple also needs to implement 2-factor security for their iCloud services as a matter of urgency, particularly if they want Documents in the Cloud to be taken seriously.

Going forward, my personal rule is that 2-factor authentication is a threshold feature for any cloud based service that I use to store anything I would consider proprietary or sensitive, let alone confidential. I recommend you consider the same approach.

Evernote’s team made some additional excellent suggestions for security:

  • Avoid using simple passwords based on dictionary words

  • Never use the same password on multiple sites or services

  • Never click on ‘reset password’ requests in emails – instead go directly to the service

The first two should be an absolute given, but clearly they are not. The third one has tricked most people at least once, making the first two even more important.

Most people I know have a password management strategy that consists of three passwords:

  • a simple “throwaway” password they reuse on most websites
  • a more secure one for some selected sites
  • a most secure one for banking, finance, health, etc

In all three cases, most people re-use the same passwords, perhaps with minor variations.

The hackers know this and have set up ways of harvesting passwords. One way is to set up a rogue site; when users try to sign on, the attackers take the username and password and try them against other sites, knowing that they will often get a hit (this is now usually called credential stuffing). Even if they only get a 1% success rate, they have a starting point. Mat Honan of Wired magazine’s own case teaches us that once a hacker gets “in” at a low level, they can use that foothold to gradually get full access to your life.

So you need to ensure you don’t re-use passwords, and that the passwords you do use are not simple. When it comes to hacking and security, most hackers are way better at hacking than users are at securing.

This is where my next rule of web security kicks in – I use 1Password to generate a separate password for each and every site I visit. Of course there are a lot of sites I visited before using 1Password, so once those sites are in 1Password, I can from time to time go through and manually change those passwords, starting with the weakest.
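To make concrete what “hashed and salted” in Evernote’s notice actually buys you, and why a dictionary password is still a bad idea even when the service hashes it correctly while a generated one is not, here is an added example in Python. It is not Evernote’s code, 1Password’s, or anything from the original post. It assumes PBKDF2-HMAC-SHA256 as the password hash (Evernote did not say which algorithm they use), an iteration count picked for the example, and a constructed user table and wordlist; none of it is real data.

```python
import hashlib
import hmac
import os
import secrets
import string

# Work factor for PBKDF2. Assumed for this example; a real deployment tunes it
# so that one verification costs tens of milliseconds on the server hardware.
ITERATIONS = 50_000


def generate_password(length=20):
    """Random password from a CSPRNG, the sort a password manager generates.
    Roughly 131 bits of entropy at length 20 over this 94-character alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unsalted_hash(password):
    """What 'hashed but not salted' looks like: identical passwords collide,
    and one precomputed table of hashes works against every account."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh random salt per account means identical
    passwords get different digests and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute under the stored salt; constant-time compare so timing does
    not leak how many bytes of the digest matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_user_table(users):
    """Store each user as (salt, digest); the plaintext password is never kept."""
    return {name: hash_password(pw) for name, pw in users.items()}


def dictionary_attack(table, wordlist, iterations=ITERATIONS):
    """Offline dictionary attack on a stolen table, the attacker's side of the
    story. The salt forces one PBKDF2 run per (guess, account) pair, so the
    cost grows with accounts x guesses instead of a single table lookup."""
    cracked = {}
    for name, (salt, digest) in table.items():
        for guess in wordlist:
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
            if hmac.compare_digest(candidate, digest):
                cracked[name] = guess
                break
    return cracked


# Constructed sample data (not a real leak): three users picked dictionary
# words, alice and dave picked the same one, and carol used a generated password.
STRONG_PASSWORD = generate_password()
USERS = {
    "alice": "password",
    "bob": "sunshine",
    "carol": STRONG_PASSWORD,
    "dave": "password",
}
# The kind of short list an attacker tries first; constructed for the example.
WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine", "evernote"]


def demo():
    table = build_user_table(USERS)
    # Unsalted: alice and dave are visibly the same and would crack together.
    assert unsalted_hash(USERS["alice"]) == unsalted_hash(USERS["dave"])
    # Salted: same password, different stored digests.
    assert table["alice"][1] != table["dave"][1]
    cracked = dictionary_attack(table, WORDLIST)
    print("cracked:", cracked)            # alice, bob and dave fall; carol survives
    print("carol cracked:", "carol" in cracked)
    return cracked


if __name__ == "__main__":
    demo()
```

Run it and the three dictionary-word accounts fall to a six-word list while the generated password survives. The salt does not stop the attack; it only stops the attacker from precomputing it or from cracking alice and dave in one go. That is why the advice about unique, non-dictionary passwords still applies even to a service that hashes correctly, and why a leak of “encrypted passwords” is still a reason to change them.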

Whilst on 1Password, I’d recommend that if users want cloud access, they store the 1Password vault in a Dropbox account, not iCloud, because Dropbox has implemented 2-factor security. Bear in mind what that buys you: the vault file itself is encrypted with your master password, so 2-factor on the sync service makes it harder for an attacker to get hold of the file, while the strength of your master password is what protects the contents if they do.

I also have a category of sites that require the highest security, so I have those sorted together into a group in the 1Password app, and I change those passwords twice a year when the clocks change with Daylight Savings (an idea I got from MacSparky).

Clearly this issue has made me re-consider aspects of my own approach to information security, and has reinforced others. I recommend that everyone do the same, and take at least the following actions:

  1. Use only reputable services that provide 2-factor authentication for cloud storage of personal, sensitive or confidential data;
  2. Have a personal password management policy that includes never re-using passwords, and never using dictionary passwords. Use of an app like 1Password, LastPass or similar may help.

The “be alert, not alarmed” approach is the right one. We users need to recognise that information security is a moving target, and that balancing convenience, ubiquity and security is a constantly changing challenge. We need to reevaluate our balance regularly!

App.Net goes free. Hopefully not into free-fall.

The Twitter-alternative social network known as App.Net (ADN) has gone free, in a way, as of today.

Launched initially as a paid service, ADN has had a special feel about it as the signal-to-noise ratio is excellent, with spamming non-existent, and actual conversations between what seem to largely be real people. The value proposition was that being a paid service, we users were the customers, not the product.

In the press release today, ADN founder Dalton Caldwell (@dalton) was almost apologetic in his justification for introducing free accounts. More importantly, however, he overviewed the ways in which the free accounts will be limited. Apart from having to be invited by a (paid) member of ADN, there will be other restrictions…

Free tier accounts are similar to paid tier accounts, but with a few limitations. These limitations are as follows:

  • Free tier accounts can follow a maximum of 40 users
  • Free tier accounts have 500 MB of available file storage
  • Free tier accounts can upload a file with a maximum size of 10 MB

Over the last few months, ADN has dropped its subscription price, and then added storage space for use with apps. It looks like they’re trying to get app developers to use ADN as a back end with a social network attached, rather than a Twitter-alternative social network with a back end attached.

Marco Arment (@marco) sums up a key issue with ADN’s confused value proposition:

Worse yet, if I build an app that requires App.net, it still effectively requires a paid App.net account for my customers to use it, because the chances that they’ll already have been given a free-account invitation from another member are nearly zero.

A major problem with Twitter is that as a freemium service, we users are the product which Twitter sells to its advertisers. The signal-to-noise ratio is out of control, with a lot of spamming, and predominantly broadcast based messages from various celebrities.

ADN offered us an alternative world, but it looks clear to me that this world has failed to get sufficient momentum. High profile users like Stephen Fry have dropped their accounts, and powerhouse users like John Gruber, John Siracusa and others have reduced their participation.

I suspect that ADN is confused about what their product actually is.

  • Is ADN a social media network? If so, where are the users?
  • Is ADN a storage platform? If so, what is the compelling proposition against Dropbox, Amazon S3 or CloudApp? And why would we pay for it in addition to the cost of the app?

I want ADN to survive and thrive. But as a founding user, I am not at all clear anymore as to its value proposition. I hope that by going free, ADN isn’t starting down a path to a free-fall.

I am @desparoz on ADN. Come and say g’day.

On the Go and Around the Web

I’ve been giving a bit of thought to my writing, my photography, the structure of this blog and what I want to focus on going forward.

As I see it, this blog has three aspects to it:

  1. Articles on things that interest me, such as technology, productivity, the customer experience, scuba, photography, etc (which I call Des Paroz On The Go)
  2. A venue to share some of my selected images (Photos of the Day)
  3. A link blog (Around the Web) which is where I share a selection of links to sites, posts or images that I think you’ll find interesting

I’ve already shared some thoughts on my link blog, for which I’ve decided that I am going to narrow down to a maximum of 3-5 links per day, each with some commentary from me.

In order to increase “focus” on the main page, I’ve gone one step further, and have decided to move the link blog to a separate site (on the Scriptogr.am platform) which I set up recently. This linkblog is called Around the Web with Des Paroz, and can be found at around.desparoz.com.

The most recent three posts on Around the Web will be shown in a sidebar here on Des Paroz On The Go, so they can be easily seen, but where they’re out of the way of the main posts. There are no comments on the linkblog – the idea is to visit the target site and for you to interact at that source, if you want to.

Des Paroz On The Go will remain here on a WordPress blog, and will have the main posts by me. I am going to focus my posts on 3 topics – personal productivity, presentations and photography. Of course, the enabling technologies of these will feature significantly. The URL will remain desparoz.com.

Of course each site will have its own web feed (RSS), but there will be one aggregated feed, which will continue to be feeds.feedburner.com/desparoz/. If you’re already subscribed to that feed, you’ll receive all posts from both blogs.

I’m going to keep other topics on their own sites – diving related material will be at DivingIDC, and general martial arts writing will be at Applied Karate.

So, I look forward to greater focus on productivity, presentations and photography on this site, with the other sites supporting that focus.

Let me know how you think this will work in the comments.

App.net Fast Becoming a Powerful, Open Social Platform

Dalton Caldwell announcing the App.net File API:

The promise of “unbundling”

Imagine a world in which your social data (e.g. messages, photos, videos) was easier to work with. For instance, imagine you could try out a new photo sharing service without having to move all of your photos and social graph.

In this world, your photos are held in a data store controlled by you. If you want to try out a new service, you can seamlessly login and choose to give permission to that service, and the photos that you have granted access to would be immediately available.

This is one benefit of an “unbundled” social service. Unbundling gives the user power to pick the software that best suits their needs, rather than being forced to use the software made by the company that manages their data.

I’ve been an App.net (also known as ADN for “App Dot Net”) user since early on – when they took the concept to the people and offered something different – a model where the users are the customers, not the product. Unlike Twitter, Facebook and others, ADN does not rely on advertising revenue, and instead is a subscription service.

The addition of a wide range of apps was the first step in ADN getting traction. But an interesting thing started to happen – each developer started to add innovative features, as a result of direct communications with users. Although I primarily use Netbot for iOS and Wedge for OSX, I actually use other apps for specific features.

The ADN team recognises the power of having an underlying layer for data storage and exchange, and a platform that allows developers to provide innovative front end features. They also recognise that the power for them, in their business model, is to let different users choose the apps that provide them the features they want.

I think that ADN should be firmly on the radar of serious users of social media, and of course SMEGs.

I am @desparoz on ADN.

Publishing a Post on Scriptogr.am

Earlier I discussed my experiences in setting up a Scriptogr.am blog site, so this post is going to be about posting. In fact, it’s the posting process that drew me to Scriptogr.am in the first place, as it allows you to write in Markdown, my preference for doing websites. I dislike writing in HTML, and am not a fan of most WYSIWYG editors, as they tend to distract you from the core task of writing.

With the exception of short quick posts on my Des Paroz On The Go WordPress blog (for which I might use the WYSIWYG editor), most of my posts are written in Byword, directly in Markdown. Sometimes I write the text first, and add the Markdown tags later, though often I just do them as I go. Squarespace handles Markdown natively (along with HTML and WYSIWYG).

Byword and Marked

As you might be able to see from the screen shot, the Markdown tags get out of the way in Byword, allowing you to focus on the writing. You’ll also note that I have a second app open – Brett Terpstra’s excellent Marked app that allows me to get real time previews of how my posts will look, without any of the Markdown. It’s really a lovely way of writing. Of course, this only applies on the Mac OSX version of Byword – it’s not available (or needed really) when I run Byword on an iOS device.

The beauty of this process is that I can basically write once then publish to both my WordPress blog and my Scriptogr.am one. For the WordPress blog, I will start by using the File > Export > HTML to Clipboard option in Byword, then paste that content into either MarsEdit or directly into the WordPress console. I then tidy up any images, add tags and categories, and publish. For my Squarespace sites, I just cut and paste the Markdown code directly into the editor.

For Scriptogr.am posts, I stay in Byword, and add some header text to the file, so that Scriptogr.am knows a post name, publish date and time, tags, etc. I have a standard TextExpander snippet setup to generate the following:

Date: 2013-01-25 06:07 
Title:
Tags:

As you can see the date is autogenerated in the correct format by TextExpander.

Once all this is done, I move the file (File > Move To…) to the designated sync folder for Scriptogr.am. One more step is to go over to the Scriptogr.am Dashboard, and Synchronize my site. The file should now be published.

So publishing in Scriptogr.am is very easy, and really leverages the power of Markdown.

There are only a couple of downsides that I can see.

  1. Firstly, there are no categories, as far as I can see in Scriptogr.am. Perhaps they have a worldview of sticking to tags, and I guess that I am ok with that.
  2. The extra step of having to go over to the Scriptogr.am dashboard and synchronise means that you lose some of the standalone nature of things. Some sort of push capability, with a widget or menu bar item, would help.

There are some other limitations I am finding with the overall Scriptogr.am platform, but as they are not directly about posting, I’ll leave those to another post.

I should quickly mention that there are a couple of other options for writing blog posts. One is to use a simple editor built into the Scriptogr.am site. It seems to work fine, but you still have to synchronise.

All in all, I find the process of creating blog posts on Scriptogr.am to be straightforward, functional and seamless. For a writer interested in writing and not coding a website, it offers a low-cost (free at this time) platform that leverages the power of Markdown and Dropbox. Using it doesn’t require a lot of technical know-how (Markdown is easy to pick up), and the results are great.

Setting Up a Scriptogr.am Blog

Yesterday I set up a test blog on scriptogr.am. I am quite experienced with blogging and content management systems, and have used a range including WordPress.com (hosted at WordPress), WordPress.org (self-hosted), Movable Type, Blogger, Joomla, MODx and others. Currently I have 2 sites on WordPress (self hosted), 2 on Squarespace and 1 on MODx.

I am not really looking for another CMS (I am happy with WordPress and Squarespace), but listening to Mac Power Users Episode 121 (The Website Show), I was a bit intrigued by the concept of Scriptogr.am – a new (and evolving) CMS that uses Markdown as the format to write the blog, with files simply saved into a Dropbox folder. Push a sync button on a management page, and presto, your post is live.

So I decided to set up a site to play around with, and will of course blog my thoughts both here at Des Paroz On The Go, and also on the Des Paroz Scriptogr.am site.

My initial experience was good – visiting the home page you are provided with clean information, and are presented with a very simple signup process. The steps are basically to link your Dropbox account, enter basic details and you’re up and running.

Once you’re set up, a blog is created at scriptogr.am/username (where username is the username you created) with an initial post providing an overview of how to use Scriptogr.am. All very easy.

I will talk about creating a blog post or page in a separate post, and for now will stick to my setup experiences.

Settings

Clicking on the “Settings” tab on the Dashboard brings up a settings page where you can manage details like

  • Username, Real name, E-mail & Blog description
  • Profile & Cover image
  • Accent colour
  • Mobile layout (on/off)
  • Time zone
  • Custom domain

You can also see your Scriptogr.am ID, which will be used with third party apps to log you in.

The first few items are self explanatory, but the next couple bear some thought before using them. As the screen shots show, I uploaded a “Profile image” and a “Cover image”. Unfortunately you can upload, but I can find no way to delete an image once uploaded, so if you don’t like the result, your only option is to upload another file[1].

Personally I don’t like how the Cover image is handled, and now I am stuck with a pretty crappy shot[2]. Why they convert a cover image to 960×960 confuses me, as this is a banner, not a square. It should be something like 960×250, which is coincidentally the size used on the Des Paroz On The Go blog.

I see no reason not to use the Mobile Theme option (it is off by default), and it’s good to set the time zone.

I’ve tried setting up a custom domain (blog.desparoz.com), but as of this writing it doesn’t seem to work[3].

You may note that the top of my Scriptogr.am blog has some links to my other sites. These were easy to setup. Each link is simply setup as a post with the type of “page”, and a header link attribute pointing to the target page.

I’ve also changed the theme. Clicking on the “Tools” link in the sidebar brings up an option for “Themes archive” where there are several themes available for easy adoption.

Another early gripe relates to the way images are handled in the Dashboard. When you click on upload (e.g. for Cover image or Profile image), nothing seems to happen, until there is a sudden change. The same applies when you click on a different theme for preview. There needs to be some feedback that lets you know that something is happening!

Setting up a Scriptogr.am site is very straightforward, but with what seem to be a couple of bugs at this time. This could be that I am missing something obvious, or it could simply be a bug (or perhaps as yet undeveloped functionality). What I do like is that the effort results in a clean and functional blog.


  1. I have discovered one way of making the cover image go away – I changed to another theme that doesn’t seem to use it!  ↩
  2. IMHO, the image is good. It’s the way it was cut to a 960×960 square then rendered at some crazy dimensions that makes it pretty crappy.  ↩
  3. This might be an issue of this subdomain having previously pointed to WordPress.com, so I’ll give it another day or so before making a final judgement.  ↩

Free Wifi in Wollongong CBD

Wollongong Lighthouse. Image by Des Paroz
I spend quite a lot of time in Wollongong, working with Untethered and teaching PADI Instructor Courses and other dive courses at United Divers. It’s a beautiful city, close to Sydney on the NSW south coast, with wonderful scenery and great infrastructure, without all of the hustle and bustle of the capital city.

Wollongong City has been quite progressive in making itself technologically significant, and I was interested to read in Lifehacker that Wollongong CBD now has free Wi-Fi, provided by Wollongong City Council.

According to the Council’s press release, from 21 January 2013:

Wollongong City Wi-Fi is available in outdoor areas on Crown Street between Keira and Corrimal Streets, as well as in Globe Lane, and the Arts Precinct (formerly Civic Plaza) on Burelli Street. The free Wi-Fi service will also be extended west along Crown Street to Gladstone Avenue in coming weeks.

It’s great to see free Wi-Fi roll out in various towns and cities around Australia. Next time I go down to “the Gong” I will give the free Wi-Fi a try, and see how the speed and connectivity is.

Turning a Blind Eye to Violence Against Women

In the Canberra Times, Jenna Price asks why too many men still turn a blind eye or just do nothing when they witness violence against women. She talked to a woman who witnessed such a situation in Canberra recently.

“There were quite a few men who were pulling up and just watching,” she said yesterday. “A couple of guys started laughing…”

It’s troubling to me that any “man” would still think that violence against women is acceptable or appropriate. Or funny.

The White Ribbon Campaign lists three steps towards the prevention of violence against women, importantly including:

challenging sexist and violent behaviour by speaking up about it, urging the perpetrator to seek professional help or contacting the police on 131 444 or, in an emergency, 000.

Of course getting directly, physically involved has risk, and stepping in will often lead to a physical encounter. This needs to be carefully considered.

But at the very least, we should take action. Call for help, be a witness, intervene if able or perhaps create a distraction.

Guys, take the pledge to never commit, excuse or remain silent about violence against women.

A Cold War with China? ⟶

In today’s Australian Financial Review: China rebuffs Australia-US ‘Cold War style’ co-operation (paywall).

…China’s ambassador to Australia, Chen Yuming, told The Australian Financial Review there was too much emphasis on the strengthening of military alliances in the Asia-Pacific region and not enough on the pressing economic difficulties which meant countries like the US, China, Europe and Japan had to work closely together.

Has the European Union finally become a country?

China’s relationships with other countries are clearly a touchy subject. Disputes with Japan over ownership of the Senkaku Islands (known as the Diaoyu Islands by the Chinese), and other disputes over maritime boundaries in the South China Sea, are at least part of the reason for the United States’ Pivot to Asia.

But I think it is realistic that the pivot is more about trade, economics and diplomatic relations.

A scientific approach to shark bite prevention

As always, an excellent piece from The Conversation discussing the reality of shark bite prevention:

The risks will continue when people go in the ocean, no matter what the government catches or does not catch.

The ocean may be our playground, but it is the home of sharks. Shark attacks are rare, but traumatic and dramatic. They always attract a lot of emotion, but as with all aspects of public policy, action should be taken based on fact, not emotion.