553 Million Facebook Users Compromised

Hackers managed to grab names, account details, and telephone numbers from 553 million Facebook users, and now they’ve published all that data on the web. Yikes. I'm shocked at the scope but not the source.

If you have a Facebook account, now is the time to be on alert for scammy phone calls from people who will try and social engineer their way into your credit card numbers and bank accounts. There is already a scam where they call and claim to be the IRS and need “immediate payment to avoid criminal prosecution”. I'm sure they'll come up with even more dreadful ways to abuse this treasure trove of data.

Solar Eufy Charger

I continue to dig my Eufy security cameras. However, one issue I have is the camera that looks down at my driveway and the front of my house. It's a battery camera, and I have to get out a ladder to pull it down and charge every so often.

It was getting just tedious enough for me to consider running a dedicated electric line through the garage when I saw that Eufy now makes a solar charger for their cameras. I ordered one, and it has been running for six weeks. The camera is now always fully charged, and my ladder has not moved.

Face Mask Unlock in iOS 14.5

We're getting closer to the release of iOS 14.5, and it's adding a feature that Apple Watch owners are going to dig. Specifically, if you are wearing a face mask and an Apple Watch, you'll still be able to unlock your iPhone without using a passcode.

Once you turn the feature on, the iPhone has some new unlock logic:

  1. Is the user wearing a face mask?
    No – Go to the usual Face ID unlock.
    Yes – Go to step 2.

  2. Does the user have a connected, unlocked Apple Watch very close to the phone?
    Yes – Unlock.
    No – Go to the passcode unlock.

So, if you are wearing a face mask and you have an unlocked Apple Watch in very close proximity (less than 1 meter) to your phone, you get an unlock. In that event, you also get a prompt on your wrist letting you lock the phone back up. Interestingly, that step 1 looks for any person with a face mask. It doesn't try to figure out if it is specifically you wearing a face mask. John Gruber did all the research on the beta build and reports in further detail.

I plan on turning this feature on once the update ships. I am so tired of tapping in my passcode when using my phone while masked.

Mac Malware is Getting Smarter

I still bump into people that think their Macs are somehow immune from Malware. That just isn't the case. Mac users are just as able to download malicious code as Windows users are. Historically, however, we've had some advantages on the Mac:

A Smaller Target
There just are not as many Macs in the world as there are Windows computers. Moreover, often the targets of malware (business and financial institutions) don't run Macs.

Apple's Increasing Emphasis on Security
Apple has been putting the screws down on macOS for years now. They've steered users toward the App Store, where they have more control over the apps you install on your Mac. They've rebuilt the plugin systems for Apple Mail and Safari so they are much more secure. They've implemented a notarization system for apps and they've even created a way to disable binaries from Apple Servers.

These two factors have combined to give Mac users a false sense of security. All that said, if you install an app from an untrusted source (or if one of your trusted sources that was unknowingly compromised, which happens), users are fully capable of installing malware on their systems.

That happened over the past few months with a malicious payload known as Silver Sparrow. (Red Canary did an excellent job documenting it.). It looks like this one was caught before it did any real damage (and Apple has now disabled the binary), but the advantage of catching this unexploded bomb was that it gave security researchers an opportunity to study it in detail. Silver Sparrow was designed to launch additional software that would do who knows what. It was also designed to cover its own tracks. It was very sophisticated software designed to run on both Intel and Apple Silicon Macs. Malware is increasingly targeting the Mac at a time when malware is getting increasingly advanced.

You shouldn't be paranoid, but you also shouldn't assume you are safe just because you are on a Mac. Don't install software from unknown developers. Be careful around unknown download links and email attachments. In short, keep your head screwed on.

Whenever this question comes up, I get asked if I'm running virus software on my Mac. Currently, I am not. In my experience, virus software too often comes with its own set of headaches. However, reading about Silver Sparrow has me considering it again.

Additional Considerations for Home Security Cameras

Over the past few years, home security cameras have got better and cheaper. That’s good. Now anyone can set up a home security camera and keep an eye on the front door or the dog. The problem, however, is that all of these cameras are not created equal. There are two issues you need to consider when purchasing a camera that manufacturers don’t often mention: commerce and security.

Commerce

A lot of the camera racket has turned into a razor and blades style business. You get the cameras but then you end up spending around $100/year to have their cloud storage. That may be worth it to you, assuming the vendor knows what they’re doing and they have a good security model. I have trust issues with all of these vendors. How much of a stake do they really have in protecting your privacy? How much effort are they putting into keeping all that video from your house safe?

Security

It’s called a security camera but is it actually secure? This is particularly a concern if you do use the vendor’s cloud storage. Do you want anyone in the world able to look at your front door or your dog? Vendors are slowly coming around on this. Ring just announced that you can add end-to-end encryption to your video on their servers but it is (currently) off by default.

I continue to be happy with my Eufy cameras. They didn’t break the bank. They’re holding up fine and they work with Apple’s HomeKit Secure Video service that gets me encrypted online storage as part of my iCloud account (that I’m already paying for).

eufy Wireless Cameras and HomeKit

Anker has a home security subsidy, eufy, that has jumped into the home camera business with both feet. I like and trust Anker. I have been buying their stuff for years, so I was interested in their eufy camera offerings from the beginning.

For several years, I have been using the Canary camera system. I was a paying subscriber and generally happy when I first started using Canary products. But over the past few years, my love has waned. The cameras have begun failing me regularly for no explicable reason. When I would check them, they would be offline. If I power-cycled them, they would start back up and sometimes reconnect, but not always. Had the Canary company been willing to embrace HomeKit, I may have looked into upgrading the cameras instead of moving on. But alas, beyond some early broken promises, Canary has shown no interest in HomeKit, and I was ready to move on.

eufy was very much of interest to me. At this point, eufy does not have a subscription service where you pay them to store security video online for you. Instead, they have integrated storage in their hardware so you can keep your security footage locally. Because they are not motivated to sign you up for their subscription service, they have also embraced Apple’s own HomeKit Secure Video service with a growing list of their cameras.

I bought a few of eufy’s battery-powered cameras including the eufyCam 2C and the eufyCam 2 Pro. Both are battery-powered wireless cameras that connect to eufy’s hub, which contains 16GB of internal storage. The cameras stream to the hub, and you can monitor the hub from the eufy app. The internal storage holds the streams until it runs out of memory, and then it starts deleting older footage to make room for new footage. It all works fine, although I wish they made the storage via replaceable SD card.

Moreover, the eufy hub can connect with HomeKit and turn footage from these cameras over to HomeKit. For a reasonable price, you can have wireless cameras feeding straight into your HomeKit, which you can also connect to HomeKit Secure Video.

This whole system is far better than my Canary system, and it has been a great upgrade. Comparing the 2C vs. Pro cameras, there are a few items of distinction:

Recording Fidelity The 2C records at 1080p. The Pro records at 2K. I can’t tell much of a difference between the two.

Battery Life eufy, like most hardware manufacturers, must not be testing these cameras under normal conditions. They claim the 2C battery should last six months. I get about a month out of one, and I get about two weeks out of another. (The second one is near a place of high activity, so it goes off much more often.) They are easy enough to plug in and recharge, but it is a thing, and it has me thinking about bringing in an electrician to hardwire a few spots around my house. The eufyCam2 Pro has been getting better than double that in battery life for me.

Cost There is a significant jump. You can get two 2C cameras plus a base station for $220. The same rig with two eufyCam2 Pro cameras goes for $350.

Either way, this was a significant upgrade in my home security system, and the rest of my family loves that they can now see the cameras in the Home app. I am taking full advantage of HomeKit Secure Video. I have also gone further down the Eufy rabbit hole as I have added some more of their wired cameras, which I will be covering over the coming weeks.

The Very Slow Roll Out of HomeKit Secure Video

Screen Shot 2020-06-02 at 12.04.59 PM.png

A year ago, Apple announced a new HomeKit feature, dubbed Secure Video, where Apple would agree to store your security camera video on its servers for you without an additional fee. I like this idea. Not only do I not want to pay someone to store this data, I also don’t necessarily trust third parties with home camera footage either. Apple’s a big company. They are not going to get acquired and they have a stated interest in protecting user privacy. The whole idea of HomeKit Secure Video makes sense.

I left WWDC last year thinking it wouldn’t be long before I had HomeKit Secure Video working in my home. Well, that was over a year ago, and there has been very little progress. Logitech released a HomeKit update for their nearly $200 Circle 2 camera. I bought one as an experiment and it has never worked satisfactorily. The camera is often unavailable with no explanation of why, and it feels like Logitech dropped the ball on this one. Moreover, the price is prohibitive if you want to put several of them in your home. There are almost no other vendors supporting HomeKit Secure Video.

Things are getting better, though. Eufy, a subsidiary of Anker, recently announced that their home line of Eufy cameras is going to get full HomeKit Secure Video Support (9to5 Mac has all the details). It sounds like they’re going through an approval process right now. I have a few Eufy exterior cameras, and I’m much happier with them than my prior Canary cameras. The Eufy cameras stay connected, have an option for local storage, and seem way more reliable than anything else I’ve ever used. Best of all, their indoor cameras start at $40. There may be hope yet for HomeKit Secure Video, but it sure has taken a long time. 

Instagram Password SNAFU Affects “Millions" of Users

A while back, Facebook disclosed that thousands of Instagram users’ usernames and passwords were stored in plain text on Facebook servers and exposed to thousands of employees. Last week, coincidentally the same day as the release of the Mueller Report, Facebook updated the post and admitted the problem was more significant than they initially thought. (Kudos to TechCrunch for catching the update.) With this latest update, Facebook states the security lapse affected “millions” of users.

I know these posts are starting to sound like a broken record, but I cannot emphasize enough how important it is that you manage your own passwords. You have to be extra vigilant because the people you trust on those websites are not necessarily worthy of that trust.

Get yourself a good password manager. (My favorite continues to be Mac Power Users’ sponsor 1Password.) Change your most important passwords frequently. Be careful out there.

Email Breach


Wired recently published an article about the discovery of a database containing 809 million total records exposed online. The MongoDB (freely available to hackers for some time now) contains 150 gigabytes of plain-text marketing data, including 763 unique email addresses.

These days it seems I get nearly as much phishing email as regular email. Setting aside the discussion of email being unproductive, at what point does the medium fail just because we stop believing any email we receive is legitimate? I'm already getting that way with nearly all of my vendors.

Rubbish Passwords

Every year, Splash Data reveals its list of the year's most commonly used passwords. This year the usual suspects, like "123456" and "password", are, again at the top of the list. I had to grin that "starwars" has made its way to the list this year at #16. Funny. I would have that guessed that #diejarjardie would rate higher.

If you're reading this blog, I'm guessing you already have a good password system and are not using any of these rubish passwords. Your family and friends, however, are most likely using lots of them. If you are spending time with some of the damned over the holidays, send them the Splash Data list and try to get through to them just how dangerous these common passwords are. I've been using 1Password since it launched and that's a good recommendation (use this link for 20% off) but regardless of what system you put them on, put them on something. 

Time for an iCloud Security Tuneup

Depending on who you believe, hackers have either compromised 600 million iCloud accounts or they have just a few and are trying shake Apple down for $150,000. Sometimes, humans are the worst. 

Either way, either today (or this weekend) would be a great time to:

  1. Reset your iCloud password. You can do that at appleid.apple.com.
  2. Turn on Apple’s two-factor authentication. 
  3. Have a cookie. You’ve earned it.

All of this will take you 10 minutes and make you a lot less vulnerable to terrible people.

Wikileaks and CIA iOS Exploits

Yesterday Wikileaks barfed up another pile of alleged confidential data, this time from the CIA. Setting aside the separate conversation about exactly who Wikileaks works for these days, I do believe the CIA, NSA, and intelligence agencies of every other country in the world has an interest in hacking iOS devices. Both hackers and governments have significant motivations to read private data. The question is what our hardware and software vendors are doing to protect us.

Apple released a statement on this point yesterday:

Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.
— Apple on alleged CIA iOS hacks

The battle to retain our privacy will never end. Apple will continue to build walls and governments and hackers will continue to batter them. I do believe Apple is committed to this fight but the continued protection of our private data is by no means a certainty at this point.

Yahoo Hacked Again for Another 1,000,000,000 Accounts

I'm a little late with this story but thought it worth sharing anyway. Yahoo announced last week that they had another security breach (in addition to the 500 million hacked accounts earlier this year). This newly disclosed breach, which happened in 2013, involved 1 Billion Yahoo accounts. As seen in the title, that's a lot of zeros.

It appears Yahoo's user data has been compromised multiple times in recent years. If you've used Yahoo in the past and cancelled your account, please make sure you didn't use the password you had at Yahoo anywhere else. If you have a Yahoo account, why are you still reading this? Go cancel it .... now.

Knocking and Unlocking

In a recent episode of the Mac Power Users I made an offhand remark how I thought it would be clever to use the Apple Watch to unlock my Mac. I received multiple emails from listeners telling me that this functionality effectively exists already with the application called Knock. I’ve been using Knock (iTunes) (website) now for a few weeks and am happy to report that those listeners were correct.

Knock is an iPhone application. It costs four dollars and once you install it, your iPhone becomes aware of when it gets near your Mac, even when it is locked. (You also need to download and install a utility app on your Mac found on their website.) Once you’ve got the system in place, when you get near your Mac, you will see a message on the lock screen that invites you to unlock by knocking twice on your phone. You can do this right in your pocket. For added fun, do this while pointing a toy sonic screwdriver at your Mac. The developer has a clever video that shows off this feature on their website.

After two weeks I’m convinced that this is more than a cute demo. I love unlocking my Mac simply by walking up to it and knocking on my pocket. I still think the Apple Watch could make this even easier but for now, you should check out Knock.

Weekend Project: Heartbleed Recovery Kit

There has been plenty of news about the Heartbleed bug this week. TidBITS did a great job summing it up. It appears something we all took for granted as really secure (Open SSL) really wasn't. As users that means we've potentially been compromised at a lot of websites. I say "potentially" because there is really no way to log incursions due to the nature of this bug. That's a little terrifying. So what should you be doing this weekend?

First take a look at this handy list from Mashable. If any of your vendors and online accounts show up as compromised AND fixed (that second part is important), log in and reset your password. If the site is compromised but not fixed yet, don't log in. In that case, don't touch it until it is fixed.

You all know how I'll be updating my passwords, with 1Password, which was not compromised. As an aside, someone at Macworld/iWorld asked me why I always change my major passwords (banking, iTunes, Amazon, Dropbox, Paypal) twice a year. Things like this are why (although in fairness this bug is so bad that wouldn't have saved me either).

Secure a Network for Some Turkey

If you are going to be on the road this Thanksgiving visiting your muggle relatives, that would be an excellent time to do them a favor and enable OpenDNS. It is ridiculously easy and I’d bet your hosts will be really thankful if you can ban porn from their homes, especially if there are kids. We talked about OpenDNS on the Mac Power Users ages ago but it is all still relevant. Also, my pal Katie Floyd made this handy screencast. 

In this Mac Power Users Screencast, Katie walks you through configuring OpenDNS to filter web traffic on your network, block certain categories of unwanted sites and enable basic security settings. Note from Katie: This is my first attempt at a screencast. I learned a lot during this process and have many tweaks and changes planned for future episodes.

Hacking The Onion

I found this article about the Syrian Electronic Army hacking The Onion fascinating. They pulled it off with phishing. In particular, they embedded malicious links in friendly sounding email. Once they got a few people to bite, they used those compromised email accounts to double down and phish more employees using their friends' emails. This really makes me question the use of embedded links in email. They are so convenient but also so easy to abuse.

There are some tools in Apple mail to expose a link before opening it. Regardless, be careful out there. (Link found via John Gruber).

Screen Shot 2013-05-14 at 11.47.45 AM.png

Going on Offense with OpenDNS

My 8-year-old niece slept over our house over the weekend. As I was watching her sit behind the family iMac, I saw her search for "My Little Pony". Her first hit was an OpenDNS blocked porn site. You see, searching "My Little Pony" does not always return the results you would expect. However, instead of being exposed to something that 8 year olds should never see, she got the OpenDNS block screen and moved on. I have to admit I was shocked (though I probably shouldn't have been). My niece didn't even realize what had happened. In a few minutes, she had found the site she was looking for and was very pleased with Pinky Pie. My takeaway is that now, more than ever, perfectly innocent kids can find all sorts of things they shouldn't see without trying. In short, I believe in OpenDNS now more than ever.

If you're not familiar with it, OpenDNS is a free service that offers to replace your local Internet service provider's domain name server (DNS). (DNS is, essentially, the address book of the Internet connecting words like "macsparky.com" with the ones and zeroes behind the Internet.) A lot of ISP's have pretty crummy DNS services and OpenDNS is usually faster at getting you between where you are and where you want to go.

OpenDNS does more than just DNS service though. It also does tracking and, if you please, filtering. I've got the "moderate" filter turned on preventing any computer, iPad, iPhone or other iThingy in my house from connecting to porn sites or other red-flagged security threats. It is really easy to set this up. My pal Katie Floyd even made a video showing you how (below). They also have video tutorials and walkthoughs for every major brand of router. This isn't rocket science.

The only downside that I've ever heard is that some people report streaming content through iTunes (like movies) is sometimes slower when using OpenDNS than when using your local ISP. One clever friend explained this is because Apple will pick the streaming server based on your location and OpenDNS doesn't give them that. I've not noticed a difference between OpenDNS and my local cable company for streaming iTunes so it is not an issue for me.

Not only do I think anyone that has kids on their network should enable OpenDNS, I also think us alpha nerds should be pushing this out to our family, friends, and loved ones. I've decided I'm going on offense with this and am going to start setting it up for friends and family on their home routers. Kids should be able to search "My Little Pony" without finding something that would give me nightmares.