Business IT Support
With business and technology changing at light speed, don't go it alone, get support that understands both.
Recommendation, installation, backup, and upkeep of servers provided by professionals who care and will take the time to understand your business's needs.
Get the software and hardware your business needs, installed and maintained by those who understand your business's needs.
Spend your time on your business; let us maintain and manage your tech with a regular servicing schedule.
There was a shocking moment in this week’s Senate Commerce Committee hearing on the Stop Enabling Sex Traffickers Act (SESTA). Prof. Eric Goldman had just pointed out that members of Congress should consider how the bill might affect hundreds of small Internet startups, not just giant companies like Google and Facebook. Will every startup have the resources to police its users’ activity with the level of scrutiny that the new law would demand of them? “There is a large number of smaller players who don’t have the same kind of infrastructure. And for them, they have to make the choice: can I afford to do the work that you’re hoping they will do?”
Goldman was right: the greatest innovations in Internet services don’t come from Google and Facebook; they come from small, fast-moving startups. SESTA would necessitate a huge investment in staff to filter users’ activity as a company’s user base grows, something that most startups in their early stages simply can’t afford. That would severely hamper anyone’s ability to launch a competitor to the big Internet players—giving users a lot less choice.
Sen. Richard Blumenthal’s stunning response: “I believe that those outliers—and they are outliers—will be successfully prosecuted, civilly and criminally under this law.”
Blumenthal is one of 30 cosponsors—and one of the loudest champions—of SESTA, a bill that would threaten online speech by forcing web platforms to police their members’ messages more stringently than ever before. Normally, SESTA’s proponents vastly understate the impact that the bill would have on online communities. But in that unusual moment of candor, Sen. Blumenthal seemed to lay bare his opinions about Internet startups—he thinks of them as unimportant outliers and would prefer that the new law put them out of business.
Let’s make something clear: Google will survive SESTA. Much of the SESTA fight’s media coverage has portrayed it as a battle between Google and Congress, which sadly misses the point. Large Internet companies may have the legal budgets to survive the massive increase in litigation and liability that SESTA would bring. They probably also have the budgets to implement a mix of automated filters and staff censors to comply with the law. Small startups are a different story.
Indeed, lawmakers should ask themselves whether SESTA would unintentionally reinforce large incumbent companies’ advantages. Without the strong protections that allowed today’s large Internet players to rise to prominence, startups would have a strong disincentive to grow. As soon as your user base grows beyond what your staff can directly police, your company becomes a huge liability.
But ultimately, the biggest casualty of SESTA won’t be Google or startups; it will be the people pushed offline.
Many of SESTA’s supporters suggest that it would be easy for web platforms of all sizes to implement automated filtering technologies they can trust to separate legitimate voices from criminal ones. But it’s impossible to do that with anywhere near 100% accuracy. Given the extreme penalties for under-filtering, platforms would err in the opposite direction, removing legitimate voices from the Internet. As EFF Executive Director Cindy Cohn put it, “Again and again, when platforms clamp down on their users’ speech, marginalized voices are the first to disappear.”
The sad irony of SESTA is that while its supporters claim that it will fight sex trafficking, trafficking victims are likely to be among the first people it would silence. And that silence could be deadly. According to Freedom Network USA, the largest network of anti-trafficking advocate organizations in the country (PDF), “Internet sites provide a digital footprint that law enforcement can use to investigate trafficking into the sex trade, and to locate trafficking victims.” Congress should think long and hard before passing a bill that would incentivize web platforms to silence those victims.
Internet startups would take a much greater hit from SESTA than large Internet firms would, but ultimately, those most impacted would be users themselves. As online platforms ratcheted up their patrolling of their users’ speech, some voices would begin to disappear from the Internet. Tragically, some of those voices belong to the people most in need of the safety of online communities.
from Deeplinks http://ift.tt/2yxRMWa
via Computer Care Pros
Two-factor authentication (or 2FA) is one of the biggest-bang-for-your-buck ways to improve the security of your online accounts. Luckily, it’s becoming much more common across the web. With often just a few clicks in a given account’s settings, 2FA adds an extra layer of security to your online accounts on top of your password.
In addition to requesting something you know to log in (in this case, your password), an account protected with 2FA will also request information from something you have (usually your phone or a special USB security key). Once you put in your password, you’ll grab a code from a text or app on your phone or plug in your security key before you are allowed to log in. Some platforms call 2FA different things—Multi-Factor Authentication (MFA), Two Step Verification (2SV), or Login Approvals—but no matter the name, the idea is the same: Even if someone gets your password, they won’t be able to access your accounts unless they also have your phone or security key.
There are four main types of 2FA in common use by consumer websites, and it’s useful to know the differences. Some sites offer only one option; other sites offer a few different options. We recommend checking twofactorauth.org to find out which sites support 2FA and how, and turning on 2FA for as many of your online accounts as possible. For more visual learners, this infographic from Access Now offers additional information.
Finally, the extra layer of protection from 2FA doesn’t mean you should use a weak password. Always make unique, strong passwords for each of your accounts, and then put 2FA on top of those for even better log-in security.
When you enable a site’s SMS 2FA option, you’ll often be asked to provide a phone number. Next time you log in with your username and password, you’ll also be asked to enter a short code (typically 5-6 digits) that gets texted to your phone. This is a very popular option for sites to implement, since many people have an SMS-capable phone number and it doesn’t require installing an app. It provides a significant step up in account security relative to just a username and password.
There are some disadvantages, however. Some people may not be comfortable giving their phone number—a piece of potentially identifying information—to a given website or platform. Even worse, some websites, once they have your phone number for 2FA purposes, will use it for other purposes, like targeted advertising, conversion tracking, and password resets. Allowing password resets based on a phone number provided for 2FA is an especially egregious problem, because it means attackers using phone number takeovers could get access to your account without even knowing your password.
Further, you can’t log in with SMS 2FA if your phone is dead or can’t connect to a mobile network. This can especially be a problem when travelling abroad. Also, it’s often possible for an attacker to trick your phone company into assigning your phone number to a different SIM card, allowing them to receive your 2FA codes. Flaws in the SS7 telephony protocol can allow the same thing. Note that both of these attacks only reduce the security of your account to the security of your password.
Another phone-based option for 2FA is to use an application that generates codes locally based on a secret key. Google Authenticator is a very popular application for this; FreeOTP is a free software alternative. The underlying technology for this style of 2FA is called Time-Based One Time Password (TOTP), and is part of the Open Authentication (OATH) architecture (not to be confused with OAuth, the technology behind “Log in with Facebook” and “Log in with Twitter” buttons).
If a site offers this style of 2FA, it will show you a QR code containing the secret key. You can scan that QR code into your application. If you have multiple phones you can scan it multiple times; you can also save the image to a safe place or print it out if you need a backup. Once you’ve scanned such a QR code, your application will produce a new 6-digit code every 30 seconds. Similar to SMS 2FA, you’ll have to enter one of these codes in addition to your username and password in order to log in.
This style of 2FA improves on SMS 2FA because you can use it even when your phone is not connected to a mobile network, and because the secret key is stored physically on your phone. If someone redirects your phone number to their own phone, they still won’t be able to get your 2FA codes. It also has some disadvantages: If your phone dies or gets stolen, and you don’t have printed backup codes or a saved copy of the original QR code, you can lose access to your account. For this reason, many sites will encourage you to enable SMS 2FA as a backup. Also, if you log in frequently on different computers, it can be inconvenient to unlock your phone, open an app, and type in the code each time.
Some systems, like Duo Push and Apple’s Trusted Devices method, can send a prompt to one of your devices during login. This prompt will indicate that someone (possibly you) is trying to log in, and an estimated location for the login attempt. You can then approve or deny the attempt.
This style of 2FA improves on authenticator apps in two ways: Acknowledging the prompt is slightly more convenient than typing in a code, and it is somewhat more resistant to phishing. With SMS and authenticator apps, a phishing site can simply ask for your code in addition to your password, and pass that code along to the legitimate site when logging in as you. Because push-based 2FA generally displays an estimated location based on the IP address from which a login was originated, and most phishing attacks don’t happen to be operated from the same IP address ranges as their victims, you may be able to spot a phishing attack in progress by noticing that the estimated location differs from your actual location. However, this requires that you pay close attention to a subtle security indicator. And since location is only estimated, it’s tempting to ignore any anomalies. So the additional phishing protection provided by push-based 2FA is limited.
Disadvantages of push-based 2FA: It’s not standardized, so you can’t choose from a variety of authenticator apps, and can’t consolidate all your push-based credentials in a single app. Also, it requires a working data connection on your phone, while authenticator apps don’t require any connection, and SMS can work on an SMS-only phone plan (or in poor signal areas).
Universal Second Factor (U2F) is a relatively new style of 2FA, typically using small USB, NFC or Bluetooth Low Energy (BTLE) devices often called “security keys.” To set it up on a site, you register your U2F device. On subsequent logins, the site will prompt you to connect your device and tap it to allow the login.
Like push-based 2FA, this means you don’t have to type any codes. Under the hood, the U2F device recognizes the site you are on and responds with a code (a signed challenge) that is specific to that site. This means that U2F has a very important advantage over the other 2FA methods: It is actually phishing-proof, because the browser includes the site name when talking to the U2F device, and the U2F device won’t respond to sites it hasn’t been registered to. U2F is also well-designed from a privacy perspective: You can use the same U2F device on multiple sites, but you have a different identity with each site, so they can’t use a single unique device identity for tracking.
The main downsides of U2F are browser support, mobile support, and cost. Right now only Chrome supports U2F, though Firefox is working on an implementation. The W3C is working on further standardizing the U2F protocol for the web, which should lead to further adoption. Additionally, mobile support is challenging, because most U2F devices use USB.
There are a handful of U2F devices that work with mobile phones over NFC and BTLE. NFC is supported only on Android. On iOS, Apple does not currently allow apps to interact with the NFC hardware, which prevents effective use of NFC U2F. BTLE is much less desirable because a BTLE U2F device requires a battery, and the pairing experience is less intuitive than tapping an NFC device. However, poor mobile support doesn’t mean that using U2F prevents you from logging in on mobile. Most sites that support U2F also support TOTP and backup codes. You can log in once on your mobile device using one of those options, while using your phishing-proof U2F device for logins on the desktop. This is particularly effective for mobile sites and apps that only require you to log in once, and keep you logged in.
Lastly, most other 2FA methods are free, assuming you already have a smartphone. Most U2F devices cost money. Brad Hill has put together a review of various U2F devices, which generally cost USD $10-$20. GitHub has written a free, software-based U2F authenticator for macOS, but using this as your only U2F device would mean that losing your laptop could result in losing access to your account.
Sites will often give you a set of ten backup codes to print out and use in case your phone is dead or you lose your security key. Hard-copy backup codes are also useful when traveling, or in other situations where your phone may not have signal or reliable charging. No matter which 2FA method you decide is right for you, it’s a good idea to keep these backup codes in a safe place to make sure you don’t get locked out of your account when you need them.
from Deeplinks http://ift.tt/2fgZ7kV
via Computer Care Pros
American companies face a difficult tradeoff when dealing with government requests, but they should just say no to Saudi Arabia, which is using social media companies to do its dirty work in censoring Qatari media. Over the past few weeks, both Medium and Snap have caved to Saudi demands to geoblock journalistic content in the kingdom.
The history of Silicon Valley companies’ compliance with requests from foreign governments is a sad one, and one that has undoubtedly led to more censorship around the world. While groups like EFF have been successful at pushing companies toward more transparency and at pushing back against domestic censorship in the United States, it seems that companies are unwilling or unable to see why protecting freedom of expression on their platforms abroad is important.
After Yahoo’s compliance with a user data request from the Chinese government in the early 2000s resulted in the imprisonment of two Chinese citizens, the digital rights community began to pressure companies to use more scrutiny when dealing with orders from foreign governments. The early work of scholars such as Rebecca MacKinnon led to widespread awareness amongst civil society groups and the eventual creation of the Global Network Initiative, which created standards guiding companies’ compliance with foreign requests. A push from advocacy groups resulted in Google issuing its first transparency report in 2010, with other companies following the Silicon Valley giant’s lead. Today—thanks to tireless advocacy and projects like EFF’s Who Has Your Back report—dozens of companies issue their own reports.
Transparency is vital. It helps users to understand who the censors are, and to make informed decisions about what platforms they use. But, as it turns out, transparency does not necessarily lead to less censorship.
The Kingdom of Saudi Arabia is one of the world’s most prolific censors, attacking everything from advertisements and album covers to journalistic publications. The government—an absolute monarchy—has in recent years implemented far-reaching surveillance, arrested bloggers and dissidents for their online speech, and allegedly deployed an online “army” against Al Jazeera and its supporters. Even before recent events, the country was known as the Arab world’s leader in Internet censorship, aggressively blocking a wide array of content from its citizens. American companies—including Facebook and Google—have at times in the past voluntarily complied with content restriction demands from Saudi Arabia, though we know little about their context.
Now, in the midst of Saudi Arabia’s sustained attack on Al Jazeera (and its host country, Qatar), the government is ramping up its takedown requests. In particular, the government of Saudi Arabia is going after the press, and disappointingly, Silicon Valley companies seem all too eager to comply.
In late June, Medium complied with requests from the government to restrict access to content from two publications: Qatar-backed Al Araby Al Jadeed (“The New Arab”) and The New Khaliji News. In the interest of transparency, the company sent both requests to Lumen.
Medium has faced government censorship before: in 2016, the Malaysian government blocked the popular blogging platform, while Egypt included the site in a long list of banned publications earlier this year. By complying with the orders of the Saudi government, Medium is less likely to face a full ban in the country.
This week, Snap disappointed free expression advocates by joining the list of companies willing to team up with Saudi Arabia against Qatar and its media outlets. The social media giant pulled the Al Jazeera Discover Publisher Channel from Saudi Arabia late last week. A company spokesperson told Reuters: “We make an effort to comply with local laws in the countries where we operate.”
As we’ve argued in the past, companies should limit their compliance with foreign governments which are not democratic and where they do not have employees or other assets on the ground. By censoring at the behest of a government like Saudi Arabia’s, Medium and Snap have chosen to side with the Saudi regime in a dangerous political game—and by censoring the press, they have demonstrated a stunning lack of commitment to freedom of expression. While other companies like Facebook and Twitter may have set the precedent, it’s not one that other companies should be proud to follow.
We urge Medium and Snap to reconsider their decisions, and for other companies to strengthen their commitment to freedom of expression by refusing to bow to demands from authoritarian governments when they’re not legally bound to.
from Deeplinks http://ift.tt/2ho7sDU
via Computer Care Pros
Law enforcement officers in Washington, D.C. violated the Fourth Amendment when they used a cell site simulator to locate a suspect without a warrant, a D.C. appeals court ruled on Thursday. The court thus found that the resulting evidence should have been excluded from trial and overturned the defendant’s convictions.
EFF joined the ACLU in filing an amicus brief, arguing that the use of a cell-site simulator without a warrant constituted an illegal search. We applaud the court’s decision in applying long-established Fourth Amendment principles to the digital age.
Cell-site simulators (also known as “IMSI catchers” and “Stingrays”) are devices that emulate cell towers in order to gain information from a caller’s phone, such as locational information. Police have acted with unusual secrecy regarding this technology, including taking extraordinary steps to ensure that use does not appear in court filings and is not released through public records requests. Concerns over the secrecy and privacy have led to multiple lawsuits and legal challenges, as well as legislation.
The new decision in Prince Jones v. U.S. is the latest to find that police are violating our rights when using this sophisticated spying technology without a warrant.
Jones was accused of sexual assault and burglary. Much of the evidence collected against him was derived from cell-site simulators targeting his phone.
The court determined that the use of a cell-site simulator to track and locate Jones was in fact a “search,” despite claims to the contrary from the prosecution. As the court wrote:
The cell-site simulator employed in this case gave the government a powerful person-locating capability that private actors do not have and that, as explained above, the government itself had previously lacked—a capability only superficially analogous to the visual tracking of a suspect. And the simulator’s operation involved exploitation of a security flaw in a device that most people now feel obligated to carry with them at all times. Allowing the government to deploy such a powerful tool without judicial oversight would surely “shrink the realm of guaranteed privacy” far below that which “existed when the Fourth Amendment was adopted.” … It would also place an individual in the difficult position either of accepting the risk that at any moment his or her cellphone could be converted into tracking device or of forgoing “necessary use of” the cellphone… We thus conclude that under ordinary circumstances, the use of a cell-site simulator to locate a person through his or her cellphone invades the person’s actual, legitimate, and reasonable expectation of privacy in his or her location information and is a search.
The decision should serve as yet another warning to law enforcement that new technologies do not mean investigators can bypass the Constitution. If police want data from our devices, they should come back with a warrant.
from Deeplinks http://ift.tt/2hj8ncf
via Computer Care Pros