I am a cynical, grizzled veteran of the technology wars. I implemented my first payment system in 1995, and just a few weeks ago was programming in PHP to handle refunds through the online payment processor Stripe's excellent interface.
Glenn Fleishman | 07 Mar | Read more
In our last episode of Private I, I explained the basics of public-key (PK) cryptography, a way to scramble messages in a way that only someone possessing a particular key can decrypt, without that key ever having to be publicly disclosed or shared. It's an effective system that has no known theoretical exploits, and currently deployed implementations are considered robust.
Glenn Fleishman | 02 Mar | Read more
The gold standard for password vaults on the Mac is 1Password. Now in its fifth major release, 1Password has matured along with its userbase. One of its most stalwart longtime competitors, LastPass, has had an iOS version, but OS X customers have had to work through browser plug-ins or its website, putting it at a disadvantage.
Glenn Fleishman | 27 Feb | Read more
In recent weeks, I've written about protecting data stored locally on a hard drive, against both people with physical access and potential remote attacks. But your data is much more vulnerable in transit, as it passes between end points or via servers.
Glenn Fleishman | 19 Feb | Read more
In last week's column, I explained the use and benefit (and some of the drawbacks) of turning on full-disk encryption (FDE) with Apple's built-in FileVault 2.
Glenn Fleishman | 13 Feb | Read more
Apple's first pass at built-in encryption was, frankly, terrible. The original FileVault, introduced with 10.3 Panther in 2003, only encrypted a user's home directory, and had a number of functional and implementation problems. FileVault 2 appeared in 2011 with 10.7 Lion, and had almost nothing to do with the original except the name.
Glenn Fleishman | 06 Feb | Read more
An update to 1Password brings time-based one-time passwords (TOTP for short) to its iOS app. A one-time password is typically used as a second element in two-factor authentication (2FA), a subject I've written about many times in this column. But, as noted in a sensible and honest post by AgileBits, 1Password's developer, a second factor isn't always a second factor.
Glenn Fleishman | 30 Jan | Read more
In previous columns, I've explained the chain of trust and the weak links in various methods of security. But reader Duane asked a few days ago, regarding my column on using VPNs to protect coffeeshop and other last-mile vulnerable connections, "How do you know the VPN operator isn't stealing your info?"
Glenn Fleishman | 23 Jan | Read more
You've likely read about iDict, a very publicly released cracking tool designed to compromise iCloud accounts using brute-force techniques--techniques that try a series of passwords in quick succession in the hope of finding the correct one. According to reports, the vulnerability was patched by Apple within a few days. (Apple has declined to comment, however.)
Glenn Fleishman | 09 Jan | Read more
Many of us travel during the holidays to visit family, have them visit us, or at least touch base with those we haven't talked to in a while. One of the kindest gifts you can give beyond your own company and a new blender is to help relatives sort out online password and security problems that they may not even know they have.
Glenn Fleishman | 30 Dec | Read more
No Mac is an island, and every iPad is part of the main. But Apple has, for many years, had trouble with letting a group of allied people--let's call them a "family"--make best used of shared devices and shared digital purchases. Family Sharing is the latest attempt by Apple to facilitate families' sharing (if not caring).
Glenn Fleishman | 19 Dec | Read more
Every password you create should be unique: every site, service, or system needs its own. Also, they should be long, not contain any words found in dictionaries, and contain punctuation, a clearly expressed thought, and your grandmother's famous corn-pudding recipe.
Glenn Fleishman | 05 Dec | Read more
I've written a few times about two-factor authentication (2FA), where a password (something you know) is paired with a second item, like a device-generated token or one-time code sent via SMS (something you have). A password can be stolen or sometimes extracted, so a second factor makes it substantially more difficult for someone who lacks physical access to you or your stuff to break into one of your accounts. This restricts attackers from accomplishing wholesale attacks across thousands or millions of accounts, unless 2FA is badly implemented or attackers find an exploit.
Glenn Fleishman | 29 Nov | Read more
If we've learned anything from the last few years, it's that given the opportunity to snoop on or scarf up our data or our metadata, criminals, business, and governments have a lot in common. They may have different ends that drive why they want to look at our email and transactions, listen in to phone calls, track with whom we communicate, and follow our location, but it all involves a lack of consent.
Glenn Fleishman | 21 Nov | Read more
Two recent security incidents, WireLurker and Masque Attack, highlight both the ease and difficulty of slipping malware onto iOS. But they also show the way in which Apple may have infantilized its audience into not knowing the right choice to make when presented with a genuine security flaw.
Glenn Fleishman | 14 Nov | Read more