Friday, August 24, 2012

Windows 8 RTM Part I - Initial Impressions

[Article first published as Windows 8 RTM Part I - Initial Impressions on Blogcritics.]


I started playing around with Windows 8 when I got my hands on the Developer Preview a while back.  At the time poking around in there showed me a lot of things that looked very promising.  I saw an OS that was setting itself up to be a decent touch-based platform for mobile devices that retained some (some) of the old school "Start Button" love from previous Windows iterations.  Today I started working on Windows 8 Pro (the actual retail version).  It'll be available to the general public in October, but my tech pro ilk and I are kind of special, and those of us that are TechNet / MSDN users are pulling it down to play with it now.  So I got a chance to see what's up.  Keep in mind that I installed this on a laptop though, so I don't have the ability to review any of the touch features here.

What I noticed wasn't really wholly different from the Consumer Preview that was released a couple of months ago.  It still has the same look and feel, but the user is offered a few additional options for personalizing their start screen and user profile designs.  It's quite a bit more colorful and bright than users of XP of Windows 7 are probably used to.  And sure, it does look nice.  So for those of you that put a premium value on colors and look and feel, there you go. But if you haven't seen anything on Windows 8 yet then you're probably more interested in function.  In the words of King Arthur in Monty Python and the Holy Grail when asking about the holy hand grenade -

"So, uh... how does it work?"

After logging in with your Microsoft ID (or an unlinked local account if you choose), Windows 8 operates in 2 modes - the first is what you start off in, which I'll be calling "8 Mode" for lack of a better term. Call it whatever you want, really, as long as you don't call it "Metro."  They kind of frown upon that one now.  8 Mode made my laptop feel like a huge phone, with apps and live tiles for basic settings and social media.  8 mode is also what triggers when the user clicks the Start button.  Then there's Desktop mode, or what I call 7.5 - it's reminiscent of Windows 7, only minus the traditional start button and minus aero glass.  It's where users can still get to regular things like "My Computer" and document/picture libraries.

"8 Mode"

As you can see from the screenshot at the top of the page, 8 Mode looks like a big cell phone interface.  Imagine swiping left and right on that screen to get to a number of tiled apps, just like you do on your Android or iDevice.  It runs on live tiles and apps as opposed to full applications that users are accustomed to.  Instead of opening and closing programs like we did in XP and 7, the apps stay on and running all of the time (again, like mobile), letting the user switch between them with Alt-Tab or other mouse driven means.  While the apps aren't active, Windows drops their resources down to run in the background so it doesn't hog up system memory.  The design from the Developer Preview and the Consumer Preview has been altered slightly, and the newer scheme really reminds me of the tile system for what currently runs on Windows Phone 7 devices.  The advantage of this interface is really geared for mobile devices - something akin to what we can expect from the ARM Windows RT powered Surface tablets to be released later this year.  There's also an option to show more tiles, covering quick access to common functions like the control panel and other system settings.

I can at least say that there more apps on the Microsoft Store than I remember there being while playing with the Consumer Preview.  8 Mode comes stock with a "Games" app, linking up with a user's Microsoft / Xbox Live ID, as well as built-in "all in one place" social apps.  Another default app is for mail, which handles both Microsoft and third party email accounts.  A number of other apps exist for sports, news and travel, which basically act as RSS feeds that look a lot brighter and more colorful than what you're used to on your basic feed reader.  See? A big phone.  But there's one thing that gives me pause so far, and that's the Microsoft Store. Like its competitors, Microsoft lets users broaden their experience by downloading apps for multiple things, but the problem is that it still needs some development.

If you look Microsoft's future competition in Android and iOS devices, there's a large gap that has yet to be covered.  Those mobile platforms rely very heavily on the Android Market and App Store to provide a vastly expandable and richer mobile experience to users.  This "8 Mode" interface, which in my opinion would in fact work great with a touchscreen and is posed to compete in its own right, is only going to be able to deliver an experience to rival the other heavy hitters in the mobile space if they can expand what's available in the Microsoft Store.  Microsoft's also trying to cash in on the cloud trend with their new SkyDrive initiative for those who love to share and/or overshare on the run, but the whole package is going to need a little more substance.

7.5 (Desktop mode)

From 8 Mode users can click the desktop tile (or Alt-Tab) over to Desktop mode.  Navigation here runs a little bit differently than it did in Windows 7.  Instead of a single start button that's the kickoff point for the programs a user would want to open, it runs on a basic premise of corners.  Moving your cursor to the upper right corner opens up a sidebar and the Windows 8 version of the Start menu, which puts you into Metro mode.  A cursor to the upper left acts as a quick alternative to Alt-Tab to switch between apps that are currently running.  Moving the cursor to the lower left does open a "Start" icon, but it only takes the user back to 8 Mode.  What I did notice about this iteration of the desktop is that things loaded and reacted a little bit quicker then they did on Windows 7 using the same hardware.  Maybe it's because aero's not taking up as much from the resource pool?  That's my theory, but either way in addition to that my battery seemed to drain just a little bit slower.  At least that's what it seemed like.

Basic compatibility so far

I've tested general usability using a limited test run of programs that I routinely run in Windows XP and 7 and haven't experienced any problems. All of my hardware picked up with no incident, but that doesn't mean that it's going to be the same for everyone. Of course there were no problems with Microsoft software like Office programs and basic stuff like antivirus.  Next I tried something a little more important, namely World of Warcraft.  It ran pretty smoothly without any performance drop from Windows 7.  It doesn't look like basic users are going to have any issues.  Power users will be glad to know that virtual desktop does exist like it did in Windows 7 should any compatibility issues come up.

Unfortunately I don't have a stack of laptops and machines laying around to run exhaustive compatibility tests, but I will have more in depth stuff after I do some extended testing for you next week.

Initial Impressions

While I had no issues testing the system on this limited run, my experience was on a laptop.  So while sitting here with a fully functional keyboard and a 1080p screen, I never felt any need for the "8 Mode" layer on this OS in a laptop or desktop scenario.  I don't need "apps" - I have the full internet for pretty much anything I need.  Where this operating system is really going to make sense is on mobile.  The 8 Mode UI would be great for touchscreens with the option to switch over to desktop mode should the need arise.  But personally, I'll be sticking with Windows 7 so far for my desktop and laptop work and play.

I also see potential usability problems with the 8 Mode interface for users that aren't up on their keyboard shortcuts.  There were a number of times where I was forced to back out of an app using the Alt-F4 "kill" keyboard shortcut because I simply didn't see a clean exit outside of using the windows key on my keyboard to switch out to the desktop.  If you're running a shop where users had a hard time adjusting from Windows XP to 7, then I fear for you if you choose to deploy this.

This by no means says that this is a bad operating system, just one that would provide a better experience on a phone or tablet. And like I said, that mobile experience is going to rely on the fate of the Microsoft Store.  We'll see how things go with the scaled-down Windows RT on the Surface tablets in a couple of months, and I'll have more for you soon.

Coming up in Part II: the Enterprise edition's Windows to Go, Windows 8 file history mode, media codecs, and whatever else I can find

Friday, August 10, 2012

Why Your Computer Just Made You the Fool [tf charts]


If you've ever worked anywhere with a computer (actually any tech for that matter) you've probably experienced this.  You have a computer problem, and call the IT department.  They start making their way over, but when you try to replicate the problem for them, it magically corrects itself!

Don't you worry, it happens to everyone, and we have a couple of theories on that.  The first is that the computers in the building technically report to IT, so they don't want to look bad in front of the boss. Maybe they're not so different from us after all.

The second, and really better theory is that a lot of IT bosses are secretly digital green lanterns, and just hide the rings in public.  Just the aura of our digital will possibly creates a pocket universe around us where everything works perfectly fine.  Well, everything that's not ours anyway, because computers love to play tricks on IT too.

so when you "swear it was just doing it!"  We believe you.

Most of the time.

Wednesday, August 8, 2012

The "Epic Hack" of Wired's Mat Honan - Social Engineering at Work


[Article first published as The "Epic Hack" of Wired's Mat Honan - Social Engineering at Work on Blogcritics.]

I spend a lot of time and effort attempting to keep people safe in the digital age.  Whether it's on a professional level at my job or through my writing or social media, to me it's important that everyone is as safe as they can be, knowing that nothing is 100% foolproof.  Part of what I do professionally is keeping computer systems safe, and even I have had to go through the pains of wiping everything from my computer and starting from scratch more than a couple times.  It happens. Even to the nerd elite.

So when someone brings me their machine or reports some sort of issue, I know it's going to be one of a few things - (1) a virus, (2) malware/scareware or (3) phishing scams.  But these are all software methods with the aim of destruction or data theft.  Sometimes, especially with scareware, someone's looking for the user to give up a credit card number, a user name or password, account numbers of any kind, hell, even social security numbers.  The reason is that any combination of these things can be pieced together enough for someone to pass themselves off as you.  And once that happens, your digital life can be reduced to ruins. Accounts or credit cards can be opened in your name, and you can wave bye-bye to your credit, your money, or even your good name.  There are a lot of snippets of code or scripts or SQL injections (and blah blah the list goes on) that can do this to you.  But in my experience, knowing what I know and having had to help people protect against it, I've found that there's one tool that works better than all of the above combined, and that's social engineering. Low tech compared to software hacks, but highly efficient.  I wrote a bit a while ago on the topic concerning RSA if you want some details, but I'll nutshell the concept for you - social engineering means hacking people, not machines.


It's a fancy way of saying "tricking people into giving up information." And attempts have been made on all of you, whether you know it or not.

So why am I going all into this topic today?  Unfortunately the way things work in this world is that something has to happen to someone with some clout for an issue to be addressed. What I just described happened recently to Wired Magazine's Mat Honan.  A bit of social engineering with some security holes at both Amazon and Apple led to what Honan addresses as an "epic hacking."  He outlined his experiences for all to read yesterday, and it is 100% worth the read if you have a couple of minutes to do so.  He details everything to the what and the how all the way to actual talking to the hacker that broke into his life and the conversation they had.  I'll go over a little of it here.

Mr. Honan realized there was a problem on Friday - while he was trying to restore his iPhone, he was getting messages on his MacBook that his saved account information was wrong, asking him for a 4-digit PIN number.  The problem was, he didn't have a 4-digit PIN number.
His timeline that follows should scare the living hell out of you. Especially those of you that entrust all of your accounts to an AppleID.


Upon calling AppleCare for help, it was confirmed that they handed over temporary .me e-mail credentials to someone claiming to be him, and he watched over the next hour as that person reset credentials on his twitter, then his Gmail, then wiped his iPad, and permanently reset his AppleID. But that was only the start - next was outright deletion of his Google account, followed by a remote "Find My" data wipe of his MacBook.  Now not only were all of his accounts effectively locked out to him, but anything on any of his devices that wasn't backed up was gone forever.  Maybe not such a big deal on his iPhone or iPad, but on a MacBook, his primary machine, that's a big deal.  He lost pictures of his kids, all of his email, and other data from the laptop that he'd never see again.  The hacker posted a new status on his now hacked twitter account - " Clan Vv3 and Phobia hacked this twitter."


What the hell happened? On his extensive talk with AppleCare, he realized that all that was needed to get a temporary .me password reset were the last 4 digits of your credit card number and a billing address.  And how did they get that information? Afterwards the hacker (Phobia) contacted Honan.  In Honan's words:

"After coming across my account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.

Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot."

Two-factor authentication being turned on probably would have been the end of this story.

But it went on.  Phobia indicated that any email address associated with an Apple account is pretty easy to get, and Amazon was the next target.  The same kind of trickery was used to fool Amazon into believing that Phobia was a legitimate Amazon user that couldn't access their account - changing the associated email, getting a password reset sent to that email, and logging in.  And what's on file on an Amazon account?  You guessed it, the last 4 digits of the user's stored credit card numbers.

And that's how it all comes together.  Like I said at the top of the post - Low tech, high efficiency.

Mr. Honan asked Phobia why they did this to him. Phobia's response was that they like to publicize security exploits so that all users can see what happens and be able to defend themselves from hackers.  It sounds like the so-called "hacktivism" we've seen over the last two years with stories like Sony's PSN fiasco.  But I'm really not sure how destroying a private user's irrecoverable data was needed to make their point.  If you want to do this thing for the public good, it is well within your power to do it without hurting any of the public involved.

But I digress.  Admittedly Mr. Honan made a lot of mistakes on how he had his personal security set up that led to his digital demise.  I don't mean stuff like strong passwords for people trying to hack their way in through brute force.  I mean other things people can do specifically to reduce their risk of low-tech hacks.  And I'm going to walk you through some of them to help you all stay a little safer at home.
Right off the bat he broke one of the cardinal rules of keeping your stuff safe - routine backups of important information.  Personally about once a month, or when I do something important or official, I back up one or more file sets.  It's the single best way of adding a layer of redundancy to your data in case something should go wrong.  You can use external USB drives, a cloud solution (if you're into that), CD's or DVD's, or a number of other forms of media.  Apple operating systems as well as Microsoft's Windows OS's come with native tools to back up your data.

Secondly, he used a common prefix for all of his accounts. if you have multiple email accounts, try not to use the same prefix for all of them - as in abc@hotmail.com, abc@yahoo.com, abc@me.com, etc.  If someone knows one of your addresses it becomes that much easier to guess what your other accounts could be called.

For Google accounts and increasing in popularity in a lot of things is two-factor authentication.  For those of you that play any Blizzard games, this is the equivalent of your Authenticator.  It means that even if someone has your password, they can't alter your user info without that second piece of information.  Google and others use an "alternate email" or even phone numbers for extra verification.

Next is something that's Mac-specific, and that's the Find My Mac feature.  This is a great feature for the iPhone, because people lose their phones pretty frequently, and need to have some sort of tool to wipe that data.  For a laptop it could be useful, but be real, how apt are you to lose your laptop like you could lose your phone?  And as Honan notes, there's some problems with implementing the service that has been part of their system starting with the Lion OS. Reversing a remote hard drive wipe is easy - but only if you're the one that did it.  If someone remotely wipes your machine, you don't have the PIN number you need to make that happen.  So until they improve it, my suggestion for most of you is to turn Find My Mac off.

In addition to these things that were relevant in what happened in this case, you need to make sure you know who you're giving information to and what you're entering information into. Let me give you an example - if I get a call claiming that there's an issue with my credit card, I don't engage it.  I will call my bank myself using a number that I know is real so I minimize any chances of someone getting my information.  It's little things like this that will help you minimize your risk of becoming a victim of social engineering.  And with all of the forms of social media, email and other types of accounts, there's more information out there to be got than ever before.

Since this event occurred, Apple has suspended over-the-phone AppleID password resets and Amazon has tightened up their security as well. Unfortunately Mr. Honan had to get hacked for them to take a closer look at their practices.

If you have any questions, of course you know by now that I'm here for you America. You can find me at helpdesk@tusharnene.com if you need some pointers.  Of course I can't do the fixes for you (I do have a day job) but I can try and point you in the right direction.