Best and Worst Tech Gifts for 2017

The holiday season is upon us, and that means people will be scrambling to find the best presents for their friends, family and loved ones. Geeky gadgets are always popular, but not just for the recipients! The Internet of Things (IoT) has been a major boon for hackers and marketers, as well. So let me help you identify the best and worst tech gifts for this season…

Worst Gift: DNA Analysis Kit

DNA analysis kits have gotten very popular: send away a little swab of your mouth and get back a detailed analysis of your heritage. Some tests even claim to provide you with health information. I’m not here to judge those aspects, however (for that, you can check this article). I’m here to explain why these services could present a privacy nightmare. First of all, there may be relatives out there that you don’t want to know about – or have them know about you. I’ve personally heard a horror story about a paternity secret that was kept for decades – and would have remained a secret had this test not been run. (The analysis kit was given as a gift, by the way).

But beyond that, you also have to realize how much deeply personal information is contained in your DNA – and we’ve seen how even the most secure organizations have failed to keep their secrets safe. It’s well worth nothing that the privacy policies for companies like Ancestry.com and 23andme.com are pretty creepy. We’re just beginning to discover how to read our gene sequences and these services can continue to analyze that data forever. The privacy policies seem to allow them to share your data with others, as well. Even if they claim to share your data anonymously, it’s your DNA… it is you. I wouldn’t count on it remaining anonymous. Maybe some day these companies will manage to offer a truly secure and private service, but right now I would take a pass on this.

Don’t Skimp on IoT Devices

The Internet of Things is the new frontier of techie gadgets – taking something that used to just sit there and happily do its job, and connecting it to the Internet so your smartphone can talk it from anywhere on the planet. Thermostats, light bulbs, refrigerators, outlet switches, web cams, even toasters. Unfortunately, these devices (like most tech devices) need to be as cheap as possible. And one of the easiest places to save some money is on security. Most consumers are clueless, so why bother? My main advice here is to avoid no-name brands or super-cheap products from overseas. Bigger, established companies with reputations to protect are more likely to go the extra mile on security. If they screw up (and every company will at some point), more expensive products from established brands are more likely to fix or replace their products.

Avoid Antivirus Subscription Services

If you’re giving someone a computer, I would not bother to buy them a subscription to an antivirus service. I wrote about it extensively here, but in summary, these products tend to be overly aggressive and can actually do more harm than good. Windows computers come with Defender, which is free and plenty good for most people. For Macs, try the free home versions from Sophos or Avira. But your best protection is just safe surfing habits.

Protecting Your Network

The main gate to your home network castle is your WiFi router. Many Internet Service Providers (ISP’s) now provide you with a combination modem and WiFi router, but I would forego their box and buy your own. Buy a brand name router like DLink, TPLink, Netgear or ASUS. I’m not saying these brands are 100% secure – nothing is 100% secure – but they’re likely to fix their bugs in a timely manner. Be sure to register your device so that you will get emails when critical fixes are available. Here are some quick tips to make sure your WiFi router is secured:

  • Set a password for WiFi access – this means turning on WPA2 encryption. Make sure the password is not easy to guess. Write it down somewhere safe.
  • Enable the guest network. All modern routers should offer this option. It lets you keep your home computers, tablets and smartphones separate from less secure devices. Put your IoT devices on the guest network and have all your visitors use this network, as well (their devices could be infected without their knowledge).
  • Change the router’s admin password! It comes with a default password that is well known.
  • Set your router’s DNS to use Quad9 (see this article for more info).

This article has several other tips for locking down your IoT devices, including your router.

Protect Your Precious Data with Redundancy

Everyone should be backing up their files – certainly anything they can’t replace like family photos, home videos, historical documents, etc. For these special digital files, we should all be following the 3-2-1 rule: three copies of every file – the original plus two backups, one of which should be offsite. So ideally, you would have a cloud backup service and a little USB external hard drive for local backups. I personally like Backblaze for most people – it’s dead simple to use and the cost is very reasonable.

Power in the Darkness

I would recommend that everyone with a desktop computer have it hooked up to a good Uninterruptible Power Supply, or UPS. This is basically a big battery that will keep your computer running for a short time when you lose power. It’s not really about being able to use the computer when the lights are out, it’s about giving your computer time to shut down gracefully. Yanking the power from a running computer is really harsh and it could even corrupt your hard drive. Make sure to also connect your computer to the UPS via the included USB cable. This allows the UPS to tell your computer “hey, power is going away soon, shut down now!”

It’s also very handy to have for your Internet modem and WiFi router – allowing you to use the Internet even when the power is off (using battery-operated devices like smartphones, tablets and laptops). You can find some great recommendations on UPS’s here.

Give the Gift of Privacy

Our level of privacy is quickly eroding, and much of this is done willingly these days by using “free” web services that support themselves by capturing and selling your personal info. Besides choosing the best web browser and plugins, there are two services everyone should strongly considering using: end-to-end encrypted email and a virtual private network.

Truly Private Email

Most of us use one of the prominent free email services. And why not? The service is excellent and it costs nothing… except your privacy. Google is not giving away gmail altruistically. They’re collecting vast amounts of information on you and using that info to target you with advertising. What could I find out about you by scanning all your emails? Probably quite a bit. And even if they say they will never abuse your data, that doesn’t mean hackers won’t just steal it. If you’re ready to put a stop to this rampant data mining, then you’re going to have to pony up and pay for your email. There are several secure email services out there now, including Tutanota, Hushmail, Mailfence, and others – but I personally like ProtonMail. It’s easy to use, reasonable priced and they’re expanding their services all the time. You can try their free tier first to see if you like it.

Blinders for Prying Eyes

Virtual Private Networks allow you to shield your Internet traffic from prying eyes – whether it be everyone else in the coffee shop or airport, or your Internet Service Provider (who now has no restrictions on snarfing up your data for profit). Choosing a VPN service can be tricky, however. I would avoid free services and find a reputable, long-lived company that focuses on privacy. TunnelBear is a great choice for most people, but ProtonMail now includes a VPN service that you can use if you pay for their email already. EncryptMe and VyperVPN are also good.

Give the Gift of Knowledge

Last but certainly not least, I personally like to read books when I want to learn about something. Forewarned is forearmed! Here are some great stocking stuffer ideas:

  • Data and Goliath by Bruce Schneier. Bruce is a world-renowned security expert, but he’s also a very good writer. This book does a very good job at explaining why data privacy is so important and how our corporations and governments are holding way too much power of us. (Full review here.)
  • Little Brother by Cory Doctorow. This book is short and entertaining fiction, but it’s also a treatise on the importance of security and privacy in the digital age. This book is even free, if you want to download the PDF.
  • Firewalls Don’t Stop Dragons by me! The entire purpose of my book is to help people protect themselves. The book covers all the tips above, and over 100 other tips, complete with easy step-by-step instructions and pictures, covering Mac, PC, iOS and Android.  If you’re giving someone a new computer, tablet or smartphone, it’s a great companion gift.

 

Fixing the Apple Root Bug (Permanently)

It’s been a pretty bad week for Apple software, both for their macOS computer software and their iOS smartphone and tablet software. But today I’m going to focus on a truly horrendous software bug that somehow slipped through Apple’s normally stellar quality control process. This one screw up could allow someone to quickly and easily take over your Macintosh computer – potentially even remotely. It’s like leaving the master key to a building on the front doormat. Not under the doormat, mind you – on top of it, with a label saying “master key”. So without further ado, let’s tell you how to fix the Apple root bug, for good.

What is the Apple Root Bug?

Apple’s macOS software – the operating system for its Macintosh computers – is based on the Unix operating system. Unix and its various Linux variants all come with a standard administrator account called “root”. This account can do absolutely anything. It has the highest possible level of permissions and privileges – it’s the “superuser”. This account is extremely powerful and Apple normally disables this by default.

But a recent update to Apple’s latest OS (High Sierra, or 10.13) somehow allowed access to this super user account with no password whatsoever. That’s right. You could successfully log into a Mac with user ID “root” and leave the password field empty. There was basically zero security on the most powerful user account on the system. In most cases, this would require physical access to an unlocked Mac, if you have remote access enabled, then you could log in remotely, as well. That’s about as bad as it gets, folks.

It’s Fixed. No Wait, It’s Broken Again.

To Apple’s credit, they released an emergency fix for this bug within about 24 hours (Security Update 2017-001). If you had your auto-update enabled, this fix was even  installed for you. That’s great. All software companies will have bugs from time to time,  so what really counts is how they respond. Apple responded quickly with a fix. Yay!

This fix was obviously rushed out because in addition to fixing the root bug, it broke Apple’s file sharing feature. While that’s bad, it’s still a good trade off. But it gets worse. A day or two later, Apple released a new full update to macOS (10.13.1) that reintroduced the same root bug! I’ve seen some reports that say if you just reboot your Mac, the root bug will be fixed again… but that’s silly. There’s a real fix that will be permanent…

Fixing the Root Bug Permanently

The underlying issue here is that the root account apparently has no password or somehow a fail-safe mechanism was broken that allowed failed logins to succeed… I’m not sure. But if you just explicitly set the root user’s password, the problem goes away. So how do you do that?

First of all, be sure that a) you generate a strong password for this account and b) you store this password away somewhere. It’s okay to write this on a piece of paper, as long as you put that paper somewhere safe. (Consider using a password manager to both generate and store the password.)

You can set the root password in at least two ways. The official way, according to Apple, is to do the following (using the instructions here):

  1. Enable the root account
  2. Change the root account password
  3. Disable the root account

However, I find that too cumbersome. There’s a simpler way and it feels a lot cooler: use the Terminal application.

  1. Launch the Terminal application from your Applications > Utilities folder. You will get a text-based window with a little “$” prompt.
  2. In the terminal, you will need to switch to “superuser”. Type “sudo su” and hit Return. Then enter the password for your current account (you have one, right?):
    • $ sudo su
    • Password: (your password)
  3. Now you should be logged in under the root account, and you’ll have a new prompt. To change the root password, type “passwd” and enter the new password (twice).
    • # passwd
    • Changing password for root.
    • New password: (enter something you’ll remember)
    • Retype new: (type it again)

This should fix the problem once and for all. Again, make sure you keep that password somewhere safe!