Laptop bans in class seem to be topic of the week:
Why I’m Not a Fan of Laptop Bans | Confessions of a Community College Dean — Naturally, I’m not a fan either. Neither can I concede the point about not shining a light on accessibility users. I can’t see a way in which a ban that included an exception for only a few users with different abilities wouldn’t be a floodlight that says ‘this person is not the same’. Here’s an idea: make your class interesting enough for students to pay attention and you won’t have as many on Facebook. Sure, that’s not easy, but banning technology won’t make your material worth absorbing.
Lecture, Attention, Recall … It’s Complicated | Just Visiting – I’ve been thinking a lot about attention lately, and very little about teaching. Then again, I have plenty of thoughts on teaching to turn to. One recurring thought is triggered when I hear this nonsense about banning devices in lectures. I know I’m repeating myself. But, when I come across such a proposal, it recalls the overwhelming sense one gets that universities, and their most institutionalised educators, are so often of the mind that there is something wrong with the student. The student must be fixed. Indeed, they must be saved from attention-grabbing technology. I call bullshit, which is why I was so pleased to read this paragraph:
If we’re going to lecture, aren’t we better striving for triggering a mind-blowing experience and not worry so much about recall. Let the mind-blowing experience that sends the student into a vortex of thought and reflection so deep they can’t pay attention to whatever else is happening be our goal.
By now you have probably heard this happened. This is a shocking leak, and exactly the kind of thing that proves the point I was making about facial recognition data. There were objections to the headline of the Washington Post article about ‘Apple sharing face data with apps’. Objections along the lines that it’s actually you who shares the data. As ever, the truth is in the middle. Decisions are made at the source to make such things possible, but yes, you can opt to not use third-party apps that need private data to operate. There are indeed warnings on the box, as there were in this case.
It made me think of Smile Software’s borderline flippant help article about the scary keyboard warning for allowing full access to keyboards. Ultimately, that article explains the need for the warning, although I’m not sure they do themselves any favours with the headline. This keyboard app is a case study that makes the point with an exclamation mark. It is a fuck-up of the highest order,
the app’s database server was left online without any form of authentication. This meant anyone could access the company’s treasure-trove of personal information, which totals more than 577 gigabytes of data, without needing a password.
Yes, you read that right. It gets worse,
Some information is worryingly personal. It contains the precise location of the user, their phone number and cell provider, and according to Whittaker, the user’s IP address and ISP, if they use the keyboard while connected to Wi-Fi.
For reasons unclear, it also uploaded a list of each app installed on the phone, allowing the makers to, in theory, determine what banking and dating apps were being used.
Ai.type effectively enumerated the device it was being used on. It also uploaded hundreds of millions of phone numbers and e-mail addresses, suggesting that the keyboard was accessing the users’ contact information.
Apparently this affected mostly free users, which should serve as a good illustration of the adage that if you’re not paying for a product, you are the product.
Here is some more detail. Please — for the love of god — read those permission messages and think about the access an app has to what, and why. Stay safe.
New security update fixes macOS root bug | Ars Technica – If you came across this in the past 24 hours, or earlier even, you will be relieved to learn it has been patched. It is hard to recall a more shockingly simple bug with such brutal implications. If you ever wondered about so-called ‘zero-day’ vulnerabilities, here is a case in point.
Get on to that update…
Yesterday we learned that Apple had made a serious security error in macOS—a bug that, under certain conditions, allowed anyone to log in as a system administrator on a Mac running High Sierra by simply typing in “root” as the username and leaving the password field blank. Apple says that vulnerability has now been fixed with a security update that became available for download this morning on the Mac App Store. Further, the update will automatically be applied to Macs running High Sierra 10.13.1 later today.
Something is wrong on the internet | James Bridle – Medium — You don’t need to be a parent to find this deeply disturbing. Being a parent makes it doubly so. Buzzfeed reported this week that ‘YouTube Is Addressing Its Massive Child Exploitation Problem’, but this smacks of PR to me. Experience tells us they will do the minimum amount necessary to hush the growing noise.
Last Thoughts on Modifier Keys | All This – The doctor continues his philosophical dive on shortcuts and modifier keys. Like I said, the detail is delightfully nerdy. However, there is something a little obvious I want to point out. I suspect the modifiers are represented as an analogue of their physical location. The Command key is closest to the letter keys, and so on. Not that I care to enter a holy war on programmatic symbolism; it’s more that some things don’t actually have any real deep meaning. They simply are as they appear to be.
Two Major Cydia Hosts Shut Down as Jailbreaking Fades in Popularity – Mac Rumors – I can understand why interest is waning in jailbreaking. The restrictions in iOS are no longer as severe as they once were, and with tools like Workflow it is becoming less and less worth trading off your security for unrestricted access to the file system. Improvements to Android probably have something to do with this too. Android has the ugly but ridiculously powerful Tasker system for automation, for those who really want to go nuts.
This is a decent digital, security hygiene guide. If you’re listening to geek gift guides, and trying to convince your rightfully sceptical significant others that the idea of hooking your house into the matrix is what keeps you going, maybe start here.
The Holidays, it’s the most wonderful time of the year. Unless you buy a gift that spies on your kid or gets your friend hacked. Wish lists this year will have more connected devices than ever. How do you know if that gift comes with privacy included? We did the research to help you decide. Because Santa should be the only one watching you this holiday season.
While we are on this particular train: AgileBits have done a lot for user security, and with the release of their new browser-based app, they are doing more. The 1Password X browser app will also allow Linux and Chrome OS users to get in on the act. It’s not something that I need personally, but I can see how this will be useful. They write:
“Wouldn’t it be cool if 1Password could do X?” is a question we often ask ourselves. The values for X are always changing, but some ideas come up again and again. Wouldn’t it be cool if…
• When you log in to a site, 1Password is right there on the page ready to fill?
• You could use 1Password without downloading the app?
• Linux users and Chrome OS users could join in on the fun?
Now 1Password can do all these and more. We call it 1Password X, and it’s our brand new, full-featured experience that runs entirely in your browser. It’s super easy to set up, deploy, and use. It works everywhere Chrome works, including Linux and Chrome OS. And it’s a re-imagination of how 1Password works on the web.
I have been slowly adding more security and privacy content to this site recently. I believe you can do a lot to protect yourself with a little bit of knowledge. Security guides like this from Motherboard are a good place to start. As they put it:
There are lots of things you can do to make it much more difficult for hackers or would-be surveillers to access your devices and accounts, and the aim of this guide is to give you clear, easy-to-follow steps to improve your digital security. There are, broadly speaking, two types of hacks: Those that are unpreventable by users, and those you can generally prevent. We want to help you mitigate the damage of the first and prevent the second from happening.
If you are looking into these things, the best place to start to my mind is with a password manager. My favourite is 1Password. If you want to go further, start looking at a VPN. I have also posted recently on data security and cloud storage.
More than 15% of Internet users have reported experiencing the takeover of an email or social networking account. However, despite its familiarity, there is a dearth of research about the root causes of hijacking.
How to Draft a Dissertation in a Year | GradHacker — I don’t necessarily agree with the methods, and others are just plain obvious. What works for some will not for others. Nonetheless, I have no doubt there are people breezing through here looking for shortcuts. If nothing else, take from this the idea that you need a plan.
What Else Floats on Water
Command-E | All This — A knowledge base document has been doing the rounds, highlighting the depth of keyboard shortcuts available on the Mac. Dr Drang offers a way into it with one shortcut in particular. There is something oddly delightful about this site; these unique meditations on detail will not be for everyone, but I couldn’t tell you how much I pick up from them. If you just want the support document for the full list of shortcuts, look here.
K Machine on the App Store — I can’t help stumbling across interesting music apps. I decided I will add a music app of the week to this collection of links. This is a mixed media app. A sampler, sequencer, and beat maker. If you have problems with inertia, or you were traumatised in the nineties by psychedelic screen savers, this app isn’t for you. If you had the opposite experience, check it out.
How Facebook Figures Out Everyone You’ve Ever Met – The lengths to which Facebook go have become so creepy that people are convinced they are listening to everything we say. Recently the hosts of Reply All spent an entire episode trying to convince people they aren’t literally listening. The point is they don’t need to; with so much self-surveillance happening, Facebook has all the context it needs to know what you are talking about.
Idle At Work
Fuck Twitter | Macdrifter – I like decisiveness. There has been a lot written about Twitter lately; this piece is unique. I am unequivocally awful at Twitter, I have never made an effort. In fact, I didn’t have an account of my own until this year. And, I don’t give any compelling reason to follow me. It used to be because I thought there was a clue in the name. Now people are telling me it’s worse.
Social networks, though, have since colonized the web for television’s values. From Facebook to Instagram, the medium refocuses our attention on videos and images, rewarding emotional appeals—‘like’ buttons—over rational ones. Instead of a quest for knowledge, it engages us in an endless zest for instant approval from an audience, for which we are constantly but unconsciously performing. (It’s telling that, while Google began life as a PhD thesis, Facebook started as a tool to judge classmates’ appearances.) It reduces our curiosity by showing us exactly what we already want and think, based on our profiles and preferences. Enlightenment’s motto of ‘Dare to know’ has become ‘Dare not to care to know.’
Using iPhone X TrueDepth Camera to Find Your Ideal Specs | Mac Rumors – This illustrates, excuse the pun, the divergence of use cases for this tech. One fork includes usefulness, the other concern. Where they will ultimately come together is through manipulation. Our economic and political system, not to mention our social milieu mean that it is inevitable that this technology will be used to track people for one reason or another. On the other hand, your new glasses will look better on your face.
Apple’s ten years of iPhone mocked by Samsung – In case you missed it. An antidote is in order when you can’t seem to get away from the noise. The iPhone fetish is in overdrive at the moment. Some of the stuff I have read has been ridiculous. I’m not going to call them out here, but I read one article that suggested the iPhone 7 was ‘garbage’ now that the iPhone X is out. If that is not losing perspective, I don’t know what is.
Take a look around this site and it won’t take long to recognise my preoccupation with security and privacy. I’m no expert, but I will advocate where I can. 1 I have a stake in these ideas for my own reasons, but I believe they should be a concern for everyone. When privacy and security are not conflated, we are told that there is a need to trade one for the other. I don’t agree. I’m not the only one. You also hear that usability and security are a trade-off. That is only true by quirks of history and convenience; it doesn’t have to be that way. One of the most ubiquitous trade-offs people make today involves cloud storage. With this in mind, something I get asked about often is: how secure is Dropbox? My answer often leads to the question, what are the best Dropbox alternatives?
This post is really about personal data security. I might slip on occasion and use the word privacy. Although not interchangeable, in this context they are inherently related. One leads to the other. Without security, privacy is inevitably compromised. 2
The Need for Encryption
Spurious claims about encryption are nothing new, but they are popular political currency at the moment. They come from the same trade-off argument. It doesn’t take a genius to work out the vested interests at play. But if you’re looking for a legitimate use case, look no further than academic users. Academic researchers have good reasons for needing encryption. Whether for protecting one’s own ideas, or keeping serious promises. For one thing, data security is critical in human participant research, for ethical and legal reasons. Many academics also have to deal with non-disclosure agreements, and data management is becoming a default aspect of funding applications. Never mind shameless threats to academic freedom, or protecting legitimate research of contentious issues. Or even guarding oneself against the so-called academic dark arts. I could go on.
This is not only a concern for tenured professors. Students working at all levels operate within the same networks, under the same conditions. Graduate students should be particularly vigilant. Trusting your data to university servers is something students ought to be wary of. Colleges are always big targets for data hackers. Data is constantly under threat. It pays to not only understand this, but to set good habits for how you protect yourself, and your work. Call this an amateur case study, as most of it applies much further afield.
The Problem with Dropbox
Most questions I get in this area relate almost exclusively to Dropbox. Now, I still use Dropbox. It would be taking it too far to say I have no choice in the matter. As a heavy iOS user, I have apps and workflows that still rely on the service. Despite the relative advances of iCloud in the past couple of years, apps like Scrivener will only sync with Dropbox. 3 These apps are becoming fewer and farther between, though. I could choose not to use the remaining few that use Dropbox for syncing. At this point I have whittled it down to the remains of my free storage allocation. 4
These apps give me pause, though. If I could sync them any other way, I would. Their reliance on Dropbox makes me consider carefully what work I am willing to store with them. But, there is an obvious caveat here. While syncing exclusively with iCloud certainly provides more convenience, in a sense I would just be moving security issues from one place to another. I will come back to iCloud.
Unfortunately, every now and then something happens with Dropbox that reminds me of the sketchy feelings they give me. From questionable characters joining the board, to the fact that the service has been seriously hacked. Yet, it’s the mechanics that bother me most. Just last year, Dropbox was outed for considering itself above the permission protocols of ordinary macOS software. They might have addressed these concerns, but the fact remains they went out of their way to ignore them in the first place. It’s not the first time an issue had been raised. Dropbox addressed this after being chased down by users, remember; the information was not volunteered. Worse, the company thereafter admitted in their own support article that disabling the permissions would only work until the machine was rebooted. After which the accessibility hack would be back in place.
Cue the line about balancing security with usability. The key here is getting the balance right. In other words, usability is not an excuse for taking shortcuts or engaging in unscrupulous practice. It seems to me that rather than a trade-off, there is more of a divergence. I wouldn’t call it radical, but there has been some movement towards more secure practice. Dropbox, however, seems to be betting the future on the opposite gamble. There was a lot of noise last year around the Dropbox Infinite project for requiring kernel access. May as well give them the keys to your house. Alarmist? Maybe. But, when you consider the vague language used to address these concerns, it doesn’t fill you with confidence.
After careful design and consideration, we concluded that this kernel extension is the smallest and therefore most secure surface through which we can deliver Project Infinite. By focusing exclusively on Dropbox file actions in the kernel, we can ensure the best combination of privacy and usability.
We understand the concerns around this type of implementation, and our solution takes into consideration the security and stability of our users’ experience, while providing what we believe will be a really useful feature.
Ultimately that project was rebranded as Smart Sync and launched to business users this year. What was smart about it was getting the furore out of the way. The noise has died down. The kernel access remains. It’s business as usual. Much smarter people than me suggest the kernel is the computational sweet spot for hackers. The real crux is that Dropbox don’t open source their code, they want access to users systems, but users can’t audit theirs. Again, I’m no expert. But neither do I feel soothed. While this only affects business users at present, it offers a pretty good indication of how Dropbox operates.
It is true that a lot of people still want this feature. It is also true they are happy to trust Dropbox with their data, and have no problem with the so-called trade-off. I’m not one of those people.
How to Secure Dropbox yourself
A Novel Solution
As I said, I still use Dropbox. For the moment. I simply don’t store anything there I would mind dropping on the ground. 5 More than that, I try to only use it with apps that include their own strong end-to-end encryption. DEVONthink, for instance, has first class encryption. Neither do I object to syncing 1Password with Dropbox, the way we all used to. For everyday files, steps can be taken if further security is needed for Dropbox itself.
I mentioned DEVONthink. If you are already a user on macOS, adding DEVONthink To Go to your workflow is straightforward. 6 The database itself is encrypted, and the app supports pretty much any file type you can throw at it. DEVONtechnologies are one of the oldest Apple software developers around. So it is no surprise to see them embracing the new Files app. This means DEVONthink To Go can be used as a file provider. So you can store your files safely, and edit them in place using third-party apps. In my opinion, this is a pretty sound option. In many cases, it could be enough. If it is, managing files through DEVONthink will avoid the need for a Dropbox alternative.
Yet Another Layer
If you want to go further, you could use something like Boxcryptor. Boxcryptor is a zero-knowledge platform that adds a layer of encryption on a file-by-file basis. This is a pretty useful tool. In fact, support for the new features in iOS 11 means Boxcryptor can even extend functionality to cloud services that don’t have that new compatibility. Although, the way the service works means it cannot solve the problem of apps that sync data insecurely. Not yet, anyway. There are other limitations, and depending on your use case it can add a further recurring cost.
There are similar solutions available. Such as Cryptomator, which is a little more rough around the edges, but has a pay-what-you-want system. Or Sookasa, which is more enterprise focused, but doesn’t have any free tier. Given the ubiquity of Dropbox, I can understand where the demand comes from for these services. 7 As I see it, the main problem with doing it this way is this: while these services are not difficult to set up, they ultimately add complexity. If you need them, they are available. But, unless you have absolutely no choice but to use services that make them necessary, I feel there are better ways to address this problem.
Rolling your own
This is probably a little outside the scope of this article, but I will mention these briefly with the best intention of returning to them. Most people will find the prospect of rolling their own more trouble than it is worth. It is also worth noting that setting up a self-hosted solution might allow you to gain some control over the situation, but it doesn’t necessarily solve the data security problem in and of itself. If you go this route you will need to choose wisely, and/or add a further layer of encryption. This is by no means an exhaustive list.
OwnCloud — Possibly the best known of these solutions. Once set up, the end product is relatively comprehensive. Setting it up and maintaining it can be a nuisance. You can use something like Bitnami to mitigate the first part. I wouldn’t recommend it these days.
NextCloud — is a fork of OwnCloud. It is made by a bunch of developers who ditched OwnCloud, including the ‘inventor’ of both solutions. By all accounts, NextCloud is a superior solution to OwnCloud in every conceivable way. More user friendly, and, I can now happily report, much more secure. The developers did the right thing on behalf of their community of users, and that is always a good start.
Cozy — This one is unique. I was a beta tester for these guys for a time. Although in this context, I find it difficult to recommend. On the one hand, it is very user friendly. On the other hand, it doesn’t offer the same level of security as others on this list. The transfer is secure, but in their own words ‘data stored in Cozy is not encrypted, as this would negatively affect the overall user experience’. Quite how that holds I have no idea, considering the major shortcomings of the platform are a lack of file sharing and a single-user model. The UI is cute. I guess.
SeaFile — This is an interesting option. The developers even told PayPal to sod off when they tried to pry into the activities of their users. Open source, extremely secure. You will need some technical chops to set it up though. Now that NextCloud has client-side encryption sorted out I would recommend that first. But if for any reason you would prefer an alternative, take a look at SeaFile.
The advantage gained from Dropbox’s role as the once de facto file system of iOS still lingers a little. But with iOS 11 the tide has started to turn. As apps embrace the new FileProvider API, users will find genuine alternatives for syncing to iOS. This is another way that iOS is catching up as a first-choice platform for productivity.
As with my VPN spirit quest, I spent a fair amount of time cycling through alternatives to Dropbox. By now everybody is aware of the big names. If you are looking for a Dropbox alternative, chances are you have already considered Google Drive, OneDrive, or Box. If you’re anything like me you’re probably fatigued by the endless articles comparing those same big providers. Seeking Dropbox alternatives probably means you want to know what other options are available, besides the usual suspects.
There exists a roll call of services you have probably never heard of. Many of them are just as they sound, either too good to be true, or just plain dodgy. Others are lacking in functionality, or have questionable usability. But there are also some interesting ones out there. I quite like the Norwegian service, Jottacloud. If your only issue is a little paranoia about services from the US, Jottacloud has a simple business model for unlimited storage, and nice usable apps. If you have more serious needs, then you are looking for a solution with end-to-end, client-side encryption.
SpiderOak is probably the best known of these so-called zero-knowledge services, since Edward Snowden endorsed it. I wouldn’t necessarily do the same. SpiderOak is not particularly user friendly, and they show no signs of open sourcing their code for audit. That continues to look like a strange decision, as they open source their other apps. I wouldn’t necessarily worry about the service; it is far more secure than your average cloud service. It’s still a mixed bag.
Swiss-based service Tresorit is a serious option. They have a good comparison against SpiderOak on their site. Their security is excellent, but I still have a couple of reservations. One, Tresorit has what I would consider a design flaw when it comes to file recovery. In other words, you cannot ‘undelete’ a file. Most academic researchers, writers, and students would find that unsettling. Work of that kind includes a lot of drafts, and many versions of files. They offer versioning, without the redundancy for mistakes. Being able to recover files is non-negotiable. The second reservation: you pay Swiss prices for a Swiss service. Tresorit is expensive.
What about iCloud?
I’m not going to address iCloud in detail here, it requires a more specific effort in itself. Most of the publicly known breaches of iCloud have involved some kind of phishing, or crude social engineering. But they have included brute force attacks too. Apple is notoriously secretive, it often takes forensic kremlinology to really understand the details. By all accounts Apple has taken a left turn in this area, to the point where privacy has become a unique selling point. Indeed, it is one of the reasons I’m on the Apple train. But here’s the rub, while the data on your devices themselves has become very secure, that doesn’t mean the same is true of iCloud.
Improvements to iCloud mean that — provided you use a strong password, and two-factor authentication — you are much less likely to suffer the fate of Mat Honan these days. I use iCloud for all kinds of things, mostly for the convenience. I would much prefer to sync app data with iCloud than Dropbox. But the same rule applies with sensitive documents, or anything else that I am compelled to be responsible with. I wouldn’t keep any of that in iCloud Drive. If your motivation for seeking a Dropbox alternative is data security, iCloud is not the drive you are looking for.
My Recommendation – Sync.com
Until I found Sync.com, I hadn’t tried a secure Dropbox alternative that had a comparable feature set. Not without one trade-off too many, or some kind of showstopper. Even if it came close, like Tresorit, something significant was missing. Sync is not perfect, but it does everything I need without being an eyesore, or being difficult to use. It has all the collaboration and sharing utility that is such a vital part of using Dropbox. It won’t suit everybody that the service is based in Canada. But, given the mechanics of the service, that doesn’t bother me. 8
For the kind of privacy and security I am talking about, it doesn’t get much easier. Anything you can do with Dropbox, you can do with Sync — and then some. They provide Zero-knowledge, end-to-end encryption. 9 Secure file sharing, shared folders. They even provide granular security for shared links, and a means for non-sync users to upload files. It goes on. If you want to go all-in, Sync will even handle your photos with the same kind of automatic uploading that Dropbox does.
Sync’s encryption technology is open source, and open to audit. If you want to get into the weeds a little, you can read the Sync privacy white paper. Written in plain English, it includes relevant details on what access the bigger services have to your data:
Google Drive — ‘The Google terms of service gives their automated systems permission to access the data stored on their servers for the purpose of monetization through advertising.’
Box — ‘The Box terms of service gives Box permission to view the files stored on their servers, to ensure users are in compliance with the Box terms of service. ‘
Dropbox — ‘The Dropbox terms of service gives Dropbox employees and trusted “third-parties” permission to access, view and share the files stored on their servers at any time.’
Microsoft OneDrive — ‘The Microsoft terms of service gives Microsoft employees permission to view the files stored on their servers, to ensure users are in compliance with the Microsoft terms of service.’
A lot of academic users will find conflicts between these terms and their own obligations for data security. Many others, including students, will consider it smart to implement a more secure system. As you can see, there are a lot of different options for that. To my mind, Sync.com is the best of those options.
Sync offers 5GB free to anyone, which is not only vital for collaboration, but may be all you need if you are only storing text files. But if you need more, or you want to take advantage of the impressive backup features, the service is comparatively inexpensive. It costs $8 a month for a 2TB plan, or half that if you only want 500GB. The same feature set from Dropbox will cost you twice that, and you will only have 1TB of storage.
I’m surprised I don’t hear more about Sync.com. Admittedly it is a relatively new player, having been established in 2011. But don’t let that put you off. The only reservation I ever really had was about their iOS app. Communication with their helpful and responsive developers addressed the issue immediately. The suite of apps is user friendly, and constantly improving.
Regarding your Password
There is one thing to be very aware of if you set up a zero-knowledge service like Sync.com. By design, your private key, and therefore your password, are never stored on the Sync servers. That means it cannot be reset if you forget it. You can change it yourself, if you ever need to, of course. But you cannot just have Sync send you an email to reset your password if you forget it. If you are serious about your security, you should be using a password manager anyway. When you set up Sync, make sure you have that base covered.
It shouldn’t be controversial to suggest privacy and security for cloud storage are easier than you think. If you want to take a look at Sync.com, I suggest you start with the free 5GB plan. You can bump that free space up too, with the usual referral and walkthrough bonuses. As ever, let me know if you have any questions.
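To make concrete what the zero-knowledge, end-to-end encryption described above actually buys you, and why a forgotten password cannot be reset for you, here is a small added example. It is not code from Sync.com or any other service mentioned in this post; the account layout (a salt, a password-wrapped file key, and per-file ciphertext blobs) is an assumed, generic design, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) used only so the example runs without third-party packages; a real client would use an AEAD such as AES-GCM. All names and sample data are constructed.

```python
"""Toy zero-knowledge file store. The provider keeps ciphertext, a salt and a
password-wrapped file key, but never the password or any key that decrypts
anything. Added illustration, not any vendor's code; the cipher is a stand-in."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # assumed PBKDF2 work factor; real clients tune this


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key. Runs only on the client; the server never sees it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    """Separate keys for keystream and MAC so the two HMAC uses cannot collide."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF (stand-in for a real stream/block cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag authenticates nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; a wrong key fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Everything the provider stores, per account. Note what is absent: no password, no KEK.
SERVER: dict = {}


def register(user: str, password: str) -> None:
    """Client generates a random file key and wraps it under the password-derived KEK."""
    salt, file_key = os.urandom(16), os.urandom(32)
    SERVER[user] = {"salt": salt, "wrapped_key": encrypt(derive_kek(password, salt), file_key),
                    "files": {}}


def _file_key(user: str, password: str) -> bytes:
    acct = SERVER[user]
    return decrypt(derive_kek(password, acct["salt"]), acct["wrapped_key"])


def upload(user: str, password: str, name: str, data: bytes) -> None:
    SERVER[user]["files"][name] = encrypt(_file_key(user, password), data)


def download(user: str, password: str, name: str) -> bytes:
    return decrypt(_file_key(user, password), SERVER[user]["files"][name])


def change_password(user: str, old: str, new: str) -> None:
    """The user can do this: unwrap with the old password, rewrap under the new one.
    The server cannot do it for a forgotten password, because it cannot unwrap."""
    file_key = _file_key(user, old)
    salt = os.urandom(16)
    SERVER[user]["salt"] = salt
    SERVER[user]["wrapped_key"] = encrypt(derive_kek(new, salt), file_key)


def wrong_password_rejected(user: str, bad_password: str, name: str) -> bool:
    """True if a wrong password cannot recover the file (the expected outcome)."""
    try:
        download(user, bad_password, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    register("ann", "correct horse battery staple")
    upload("ann", "correct horse battery staple", "draft.txt", b"thesis chapter 3")
    print(download("ann", "correct horse battery staple", "draft.txt"))
    print("server holds plaintext:", b"thesis" in SERVER["ann"]["files"]["draft.txt"])
```

The point to take from `SERVER` is what is not in it: the salt and the wrapped key are useless without the password, so a support desk working from that data alone has nothing to "reset". Losing the password means losing the file key, which is exactly why the post tells you to keep it in a password manager.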
Besides, claiming expertise in this area is an open invite for a flood of ‘well, actually’ messages. ↩
I’m talking about security with a capital S, but the implication is hard to avoid. Especially as that kind of security is used to justify the denial of this one. ↩
The Scrivener site claims that syncing is not possible with iCloud. For my money that is a little disingenuous. The Omni Group, for example, have run with the improvements to iCloud to fix the notoriously difficult to sync OmniOutliner. ↩
I was in early enough with Dropbox to have a decent amount of free storage. These days you won’t get much from referring all your friends who already have it! ↩