Wednesday, October 14, 2015

Did Facebook just save me from being Pwned?


An interesting thing happened recently.  I'm a member of a website called Patreon.  If you haven't heard of Patreon, it allows you to support content creators with their projects by donating money to them.  I use Patreon to contribute to the Daily Tech News Show podcast.  Obviously this means Patreon have my details stored in their databases, including some personal details and my payment method.
Patreon recently had a security breach that involved user details being posted online, mine included.  When I got notification* that my details had been posted to the internet, I was somewhat concerned.  The website claimed that their passwords were stored with non-reversible encryption, which was reassuring, but all the same they recommended that everyone change their passwords.  Given that my financial information was safe with Paypal, my main concern was my password, and I didn't want to take any chances with it.  What if I'd used that password somewhere else?  What if someone was able to use it through Patreon to send money to themselves?

The recent security breach at Patreon has led me to like using my Facebook account for things outside Facebook just a little bit more.

So I got along to the Patreon login page, which presented me with two options - Patreon login, or Facebook login.  It was then that I remembered I'd used my Facebook account to log in.  What did that mean?  Did it mean I was safe, or that my Facebook account was vulnerable?  So after a quick look around the web I came across this notice from Patreon's CEO, Jack Conte, and in particular the last paragraph, which stated:

"If you signed up through Facebook, you do not have a Patreon password and no action is necessary"


That was great for me: I didn't have to do anything, because my password was with Facebook, not Patreon.  More importantly though, it highlighted one thing.  I create passwords at a lot of sites for a lot of things; we all do.  I have no idea how some of them store my password and my personal details, or how much they care about security.  Certainly, some have even been caught storing passwords in clear text (including some that really should've known better)!
What I can be fairly confident of though, is that Facebook, the site storing the passwords of a billion users, is going to have better hardened security than <insert random internet startup here> does.  This time, Facebook has kept my password safe from being published to the internet, and I dare say it's likely to do so again, as would logging in with a Google or Microsoft account if that were an option (note to Patreon - that should really be an option).

This has caused a bit of an about-face for me on this federated login thing (logging in with your social accounts).  I used to think it was a play for Facebook and Google etc. to net yet more of your personal data.  Frankly, it probably is, but I'm much happier to let them know I use "Dave's Cheese Shop" website now.  Trading basic and useless personal details like that for better security in an age where website security breaches are a regular occurrence seems like a good way to pay for some peace of mind.

* On a side note, you might be wondering how I got notification of my details being posted to the internet.  No, Patreon didn't tell me.  They did tell me about the security breach, but they didn't tell me when the details of that breach turned up online.  That particular honour goes to the aptly named Have I been pwned? website, into which you can enter your email address to see if it's been part of a website security breach where the data has been posted to the internet, and sign up for notification of that exact occurrence in the future.  I signed up earlier in the year, and they told me about the Patreon breach almost immediately after it happened.  So with that in mind it might be worth checking your own email addresses using this site, you never know!

Thursday, September 17, 2015

Why You Should Get Windows 10

If you've been offered it by the Microsoft "Get Windows" application you should very seriously consider signing up and letting Windows do the upgrade to the newly released version 10, and here's why.

Take it from someone who's been testing Win 10 since the public beta program started last October.  What you're being offered is possibly the best Windows release ever, and if not that, it's certainly the best Windows for the price.  Which is $0.

Think of this upgrade like you do your mobile phone, where you just let upgrades happen as a matter of course.  Microsoft want you to do the same with Windows, and here are 10 reasons why I think you should:


The "Get Windows 10" app, offering you ~$150 worth of software for free.


Reason #1 - It's Free

Never a good reason in itself, being free is certainly compelling, but sometimes you get what you pay for.  But this is one of the rare cases where the thing that's being offered to you at no cost is actually pretty good.  I was very surprised to note that many people didn't understand that Windows 10 is free to anyone running legal copies of Windows 7, 8 or 8.1 for 12 months starting from its release in July 2015.  After that you'll have to pay for it, so it's worth taking note of the other reasons below to help understand why free Windows is a good thing.


Reason #2 - It's Faster

I loved hearing Gabe Aul (Corporate Vice President - Engineering Systems at Microsoft) talk about this when he was speaking on the Windows Weekly podcast, where he said that the development teams working on Windows will sit in meetings and argue about how to reduce a 100ms delay somewhere in Windows.  His argument was (to paraphrase) that if they can save even .1 of a second, that puts something like a thousand days' worth of time back into the world, when you account for the billion or so Windows devices out there.  That attitude is obvious in Windows 10, with faster load times and snappier responses in most areas.  It's particularly noticeable going from Windows 7 to 10, as 7 was quite slow even compared to Windows 8.

Reason #3 - The Upgrade is Easy

Most people are finding the upgrade process goes smoothly for them, and although in some cases it can take a while, it's amazing that Microsoft are able to run an automated upgrade process from 3 different OSes (Windows 7, 8 and 8.1) to Windows 10 on the myriad of different hardware platforms out there, and maintain a largely consistent experience.  Sure, if you're a technical person, or know someone who is, starting fresh with a clean installation is better, but the upgrades I've done have been very straightforward, so why not give it a try?  Just open that little Windows icon in the system tray and get going.  If you're running Windows 8.x you won't want to go back, that much is for sure.

Reason #4 - Virtual Desktops

Do you know anyone who uses Linux?  No?  Well of course you don't, you're normal!  But if you did they'd tell you that Linux has had this for years.  But that's okay, the Commodore Amiga had this in 1985, so they can get off their high horse anyway.  Virtual desktops are like having multiple screens, but on the one screen; it reduces the clutter on your main screen, allowing you to easily flip between these screens, or desktops.  Imagine having Word and Excel open on one desktop, then pressing Windows Key + ► and the whole screen slides to the right to reveal another desktop where you have your web browser and its various tabs open.  This is a brilliant productivity tool, and the only problem with it is that it's taken so long!

Also, Microsoft have built in a new task switching interface, accessible from the task bar that you can use to easily move applications from one virtual desktop to another.  It's very slick and easy to use, certainly much more friendly than any implementation I've seen on Linux.

Reason #5 - The Start Menu is Back

Oh, calm down, it was never that brilliant anyway!  That said, the Start Screen in Windows 8.x was half-baked, and many (including me at times) found it very annoying.  The problem is that the live tiles on the start screen were an improvement over plain static icons like you'd see in Windows 7 or MacOS.  So Microsoft have reinvented the Start Menu to be a mix between the Start Menu and the Start Screen.  Rest assured, you still click in the bottom-left and see all your programs like you used to.  The main differences are that the icons are capable of showing extra information, and the start menu can become a start screen if you're using a Windows tablet.

Reason #6 - Edge

You can invoke a visible shudder from people just by saying the words "Internet Explorer" to them.  That mangled and sluggish web browser is easily the worst you could use on Windows, and it's the default!  What's more, it's regularly targeted by malware.  A lot of people just use it because it's there, making their web browsing experience horrible, and potentially exposing them to malicious software.  The solution was for Microsoft to get rid of it in Windows 10, replacing it with a new browser called Microsoft Edge.  Edge still bears some parts in common with Internet Explorer, but they ripped out all the problematic code, basically stripping it bare and starting almost from scratch.  It's standards compliant, so that means websites are more likely to display correctly, and it's fast.  Sure, it doesn't support extensions yet, but they're coming soon.  Give me Edge over Internet Explorer any day.  Once they've added a bit more polish to Edge, it should be a genuine competitor for Chrome and Firefox, with the former becoming increasingly problematic in recent times.

Reason #7 - Action Center

Notifications, just like on your mobile phone.  All contained in the one place to make them manageable and understandable.
When they originally released this feature to the preview program, long before Windows 10 was released, it wasn't my favourite feature.  It was clunky and unpredictable, and what's more, I didn't care for the interface design.  But sometime before Windows 10 went to the public they redesigned it, and now I do quite like it.  As software makers begin to use it more you should see alerts and notifications end up in the Action Center, rather than bugging you so much with popup windows while you're trying to work, or filling up the system tray with icons.


Reason #8 - Continuum

Continuum is the name for the feature Windows 8 should've had right from the start.  But of course, Windows 8 would've needed a Start Menu option for desktops and laptops for that to work, and it didn't.

In a nutshell, Continuum manages the way 2-in-1 devices like the Microsoft Surface or the Lenovo Yoga work when you change them from a laptop to a tablet.  It expands the start menu to a full-screen touch-friendly experience when in tablet mode, and back to the traditional start menu when in laptop mode.  It will also do the same for "modern" apps, like the Mail app.  This way, you don't have to try and work in a tablet interface on your laptop, or a desktop interface on your tablet.  Having the best of both worlds pushes us closer to that ideal of having one device that does it all.

On a side note, Continuum also exists for Windows Phone, where you should be able to drop your phone into a special dock that turns it into a desktop or laptop computer.  If it works as advertised (and I ask you, when has anything from Microsoft not?), being able to store your life on your phone as most of us do, and have it work as your computer as well, is a very compelling thought.  If it works. Which I'm sure it will! ;)

Reason #9 - The Future of Windows is Guided by Us

Part of the problem with Windows 8.x was the top-down approach taken by the team then led by Steven Sinofsky, which implied that they knew what we wanted better than we did. But they didn't, and we let them know. So the new Windows team created the Windows Insider Program and the means to provide feedback during the development of Windows 10, and into the future. Windows 10 is not the product of design-by-committee, or the result of one man's vision that turned out to be a hallucination. It's the result of their ideas, our ideas, and our feedback on those ideas. I'd much prefer this to the old Windows way (which was based on the Apple way). The value of seeking feedback like this is proven by how much better Windows 10 is than Windows 8.

Reason #10 - It's Not Windows 8

Last, but certainly not least, we can move on from Windows 8, the Windows we had to have, but didn't want. It's quite possible that Windows 8 was a necessary step toward a Windows that was relevant in the modern touch-centric world. It was an ugly step in a transition to the much more thoughtful Windows 10 we have today. It's possible that's the case, and it just sucked to have to go through that interim step. Whatever the case, I feel like the free upgrade to Windows 10 is something of an apology to us all for that ugly transitional phase.

Many people have Windows 8 computers out there that aren't up to the job. Without touchscreens and tablet functionality they're a bad experience running Windows 8 or 8.1. So now you can upgrade to Windows 10 and get back the control and features you need to use a traditional computer with a keyboard and mouse. Plus, if you have a tablet or convertible, Continuum gives you that "two sides of the same coin" freedom you didn't have before.

Caveats And Conclusions

There are always exceptions to prove the rule, and one of the biggest is if you own a Mac.  If you have a Mac, sure you could run Windows 10 on it, but the best operating system for you is MacOS.  Driver support for Windows on your Mac is provided by Apple, and they don't do a very good job of it, and I can't blame them; they make their own perfectly good operating system.  So if you run Windows on your Mac, don't expect the best performance, because Apple's drivers aren't up to it, particularly for battery life.
Another point to make here is that if you run a computer in a business environment and use software made by a third-party company for your core business functions, be very careful.  Always check with the people who make your software to see if it's compatible with a new Windows version before upgrading.

I'm writing this article from one of my three Windows 10 computers, and I'm very happy with all of them.  There's a reason why Windows 10 has seen the best uptake of any Windows yet, and why it's seen more copies installed in two months than all Macs in existence. It's because it's very good, and one of the exceptional occasions where there is actually such a thing as a free lunch.

Saturday, May 16, 2015

Fake Invoice Scams, How do They Work?

A quite common scam in the United States has come to Australia this year, already fleecing some unwitting businesses for over half a million dollars.  The scam, listed here on the government's ScamWatch site involves businesses receiving very realistic looking fake invoices from scammers, usually stating a change of bank details and directing payment to a different bank account.  This highlights the importance of taking due care when paying invoices, and having appropriate verification processes in place.

"Scammers hack into vendor and/or supplier email accounts and obtain information such as customer lists, bank details and previous invoices"


The scam has been reported extensively, particularly in non-tech news media, but it was a little light on the detail for me, so I've done some further digging.  The reports I'd seen had referred to the scammers sending very realistic invoices to their targets by 'hacking' the email accounts of suppliers and vendors; others used words like 'intercepted email', but gave no further detail.  On asking the question of a few colleagues, some told me of first-hand experience with a version of the scam, dubbed a BEC (Business Email Compromise) scam.  They'd seen the simplest implementation, which involved creating free email accounts to send the fake invoices, and matching the account name as closely as possible to the actual supplier account.  But that's pretty simple, and most businesses would be quite suspicious if email that was coming from accounts@davescatering.com started coming from accounts_davescatering@yahoo.com.  Admittedly, they might not pick it up if the real business was using a free email account in the first place, but although that happens, it doesn't seem to represent enough businesses for this scam to be so successful.

Then I stumbled across this page from the IC3 (Internet Crime Complaint Center), that sheds some more light on the situation.  It details three methods of attack, the first being very much the method described above.  The other two methods are far more serious and actually do involve email accounts being hacked.  In both these cases, accounts (or the PCs of account holders) are compromised and invoices issued from them.  In the cases where the hacked account is a senior company executive, no invoice is sent; rather, a request for a funds transfer is made to other staff within the company (who presumably dutifully process it because the request comes from their boss).
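The "appropriate verification processes" mentioned at the top of this post and the three methods just described can be turned into a few mechanical checks an accounts-payable system can run before a payment goes out. The following is an added example, not code from the original post or from ScamWatch/IC3: it screens an incoming invoice against a supplier register, flagging the lookalike free-mail sender of method one (the accounts_davescatering@yahoo.com pattern), and, because a hacked real account (methods two and three) passes every sender check, also flagging any change in bank details from those on record. The supplier register, the bank codes and the sample invoices are all constructed for the example.

```python
"""Invoice screening checks for Business Email Compromise (added example).

The supplier register, bank details and invoices below are constructed
sample data; nothing here is taken from a real business.
"""
from dataclasses import dataclass
from typing import Dict, List

# Free webmail providers (constructed list). A supplier that normally mails
# from its own domain suddenly mailing from one of these deserves a phone call.
FREE_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}


@dataclass(frozen=True)
class Supplier:
    name: str
    email_domain: str      # domain the supplier normally sends from
    bsb: str               # bank branch code on record (constructed)
    account_number: str    # account number on record (constructed)


@dataclass(frozen=True)
class Invoice:
    supplier_name: str
    sender: str            # From: address of the invoice e-mail
    bsb: str
    account_number: str
    reply_to: str = ""     # Reply-To header, if the mail carried one


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def screen_invoice(invoice: Invoice, supplier: Supplier) -> List[str]:
    """Return the reasons an invoice should be verified out-of-band (by phone,
    using a number already on file rather than one printed on the invoice)
    before payment. An empty list means no automated check fired."""
    flags: List[str] = []
    sender_domain = email_domain(invoice.sender)
    registered = supplier.email_domain.lower()
    local_part = invoice.sender.rsplit("@", 1)[0].lower()

    # Method one: free account whose name mimics the real supplier.
    if sender_domain != registered:
        flags.append(f"sender domain {sender_domain!r} is not the registered {registered!r}")
        if registered.split(".")[0] in local_part:
            flags.append("supplier name embedded in the mailbox name of another domain (lookalike)")
    if sender_domain in FREE_MAIL_DOMAINS:
        flags.append("sender uses a free webmail provider")
    if invoice.reply_to and email_domain(invoice.reply_to) != sender_domain:
        flags.append("Reply-To points at a different domain than the sender")

    # Methods two and three: a genuinely compromised account passes every
    # sender check, so the only thing left to catch is the payment destination.
    if (invoice.bsb, invoice.account_number) != (supplier.bsb, supplier.account_number):
        flags.append("bank details differ from those on record; confirm by phone before paying")
    return flags


# Constructed supplier register keyed by supplier name.
SUPPLIERS: Dict[str, Supplier] = {
    "Dave's Catering": Supplier("Dave's Catering", "davescatering.com", "062-000", "12345678"),
}

# Constructed sample invoices: one genuine, one lookalike free-mail sender,
# one sent from the real (compromised) mailbox with changed bank details.
SAMPLE_INVOICES = [
    Invoice("Dave's Catering", "accounts@davescatering.com", "062-000", "12345678"),
    Invoice("Dave's Catering", "accounts_davescatering@yahoo.com", "062-000", "98765432"),
    Invoice("Dave's Catering", "accounts@davescatering.com", "033-000", "55555555",
            reply_to="accounts@davescatering.com"),
]


def screen_all(invoices: List[Invoice]) -> Dict[str, List[str]]:
    """Screen each invoice against the register; key is 'sender|account'."""
    results = {}
    for inv in invoices:
        supplier = SUPPLIERS[inv.supplier_name]
        results[f"{inv.sender}|{inv.account_number}"] = screen_invoice(inv, supplier)
    return results


if __name__ == "__main__":
    for key, flags in screen_all(SAMPLE_INVOICES).items():
        status = "OK to pay" if not flags else "HOLD for verification"
        print(f"{key}: {status}")
        for f in flags:
            print(f"    - {f}")
```

The point of the last check is the one the IC3 page makes implicit: once the supplier's real mailbox is in someone else's hands, nothing about the e-mail looks wrong, so the control has to sit on the bank details, not on the sender.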

So that confirms that the media reports about 'hacking' weren't the usual poor reporting (like the iCloud 'hacking' scandal).  I assume the reports of 'intercepted emails' were similarly reliable.  It's certainly plausible enough to assume that by using hacked accounts, compromised PCs or servers, hackers could have emails surreptitiously forwarded to another party, or 'intercepted' from the server.

I was still curious about the method used to compromise these accounts though.  I had assumed they were the result of some successful phishing expeditions - and some were - but further reading suggested at least some were genuine system compromises, particularly this from the article linked above - "Businesses and personnel using open source e-mail are most targeted".  What does that mean exactly?  Properly secured OSS email shouldn't be more vulnerable than any other system.  But that's where the trail I was following ended.  The internet doesn't seem to have any more information about this, and in particular what the role of Open Source systems would or could be.  Even the venerable Steve Gibson of GRC and Security Now didn't have any idea why OSS would matter in this case, telling me that he couldn't see why OSS would be implicated.




So that just leaves my theories, and the theories I've seen in forums and in comments around the interwebs, which is that some poorly maintained servers running Open Source mail software were compromised, or simply used as an open relay.  Not exactly conclusive, but better than what I started with, and we certainly know of other cases where hackers have taken control of systems and used them to do their bidding.

One final note is that the lack of actual published information on this is a cause for concern.  I should be able to find out how these attacks have occurred and the mechanisms used.  How can we in the IT community protect ourselves and our users against criminal activity if we don't actually know how it's perpetrated?  If anyone has any more information on this, please post it in the comments, I'd appreciate it.

Monday, May 11, 2015

Google Says Google's Stats Show What Google Want Them to Show.


Last week at a digital advertising conference, Google announced that most searches are now coming from mobile devices.  Or at least they are in 10 regional markets, two of which are the US and Japan; the other 8 Google won't identify.  That rather weak headline was picked up by all the major tech news sites, and a number of non-tech outlets.  But it seems a little weak to me.  Google didn't disclose the figures, sources, methodologies for collection or even the other 8 markets they referred to, which are apparently 'key' markets, but that's very much open to interpretation.

Interestingly, it comes on the back of Google trying to force people to make their websites mobile ready, by changing the relevant search algorithms.


So, what's going on here?  Well, my theory, in short, is that Google's abusing its search monopoly.  Trying to force people to make their sites mobile ready sounds really forward-thinking and just acknowledging the way of the world nowadays, and I don't disagree that more searching is happening on mobile.  But Google is the only major player here, telling us what we have to do with our websites, and telling us they have statistics to back it up; we just can't see them.  So we've got no choice but to believe what they say.  What are we going to do, ask Bing for a second opinion?  Design our sites for desktop and feel safe in the knowledge they'll still be listed at the top of Duck-Duck-Go searches?  We have no choice.

You're probably still wondering how this is abusing a monopoly?  As far as I'm aware it's illegal in a number of countries to use a monopoly position to influence other markets, and it just so happens that Google have virtually no presence in desktop and laptop PCs.  Chromebooks are a thing, but accounted for 1% of worldwide PC sales last year in Q2 (.95 million).  Meanwhile in the same period Android accounted for 250 million units shipped.
So, it's CLEARLY in Google's interest to ensure they push us toward the thinking that most web activity is on mobile platforms; then we design our websites for mobile, then we put more advertising on mobile, then Google make more money.  Because after all, Google sell advertising, that's what they do, and they need you on the platforms they control to make more money from it.  So in this case, Google are using search as a way to drive us further toward mobile and mobile advertising - two non-search markets.

Can we all say "anti-trust investigation"?  I hope not, that was so very painful last time around.

Sunday, May 10, 2015

Time for a Change

Well, this blog has gotten stale, hasn't it? In the words of this 90's commercial for an alternative cola nobody wanted, it's time for a change.  This blog was about technology in the education sector, but I'm broadening it to cover science and technology in the everything sector.  Why not?  It's time for a change and the change is me writing about what I'm interested in, so here goes!



UPDATE: - Come to think of it, how about a site redesign?  It's time for a new look as well.  Just a facelift (maybe some botox and collagen, nothing huge). Stay tuned!