Friday, July 04, 2008

Dan's Data reviews IDrive online backup, and mentions Mozy too

I suspect the "paid review" model will eventually produce the same results as PC Magazine of old, but it will take a while to corrupt Dan's Data. A recent review is very thorough and appropriately technical:
Review: IDrive online backup service

... The reason why I find IDrive particularly interesting, though, is that they're paying me via ReviewMe.com to write this review.

ReviewMe isn't one of those scummy services that allow payment to be conditional upon a favourable review, though. Whether I say IDrive is humankind's finest creation, or that it took both of my legs off at the knee, I get paid the same....
Dan's review of IDrive is pretty positive, though he only does XP stuff.

I've been looking for a good online backup solution for a while, to supplement my current Retrospect Pro USB disk solution. Apple's MobileMe might produce something, but it will be costly. I've about given up on Google -- they could deliver a service next week or next century.

DD says both IDrive and Mozy support XP and OS X. IDrive is set up for multiple accounts sharing the same space, which would work for me.

Incidentally, the primary reason to have offsite backup in Saint Paul MN is not fire, flood and quake, it's theft. True, smart thieves won't bother to steal hard drives, but most thieves are stone stupid. Elsewhere, fire and flood are right up there.

I wouldn't use these services as my primary backup solution, but as a supplementary solution they do interest me.

Update 4/11/09: Great comment below. At least some services (iDrive) don't back up OS X shortcuts/favorites -- which breaks some app data stores including some iPhoto and Aperture configurations. It's a good reminder to check how well security attributes are managed.

Blogger gets some real updates and Google moves away from Data Lock

There's still no update to the extremely antiquated BlogThis! blogger bookmarklet, but Google is, at long, long last, putting some energy into Blogger.

To see the new environment you need to be using FF 3 or Safari 3 (some versions of IE too) and running Blogger in draft. Today Safari 3 is showing the old editor, so things will be fluid.

The current big news is that Safari 3 is supposed to have full support -- which means it's a more viable browser for my use. The big future feature is promised FTP file upload and enclosures. Uploaded images are stored only in Picasa web albums.

I've run into these bugs and lost capabilities so far:
  1. Items authored in the BlogThis! window are formatted incorrectly when edited in the new editor.
  2. Items authored using ScribeFire for FF are formatted incorrectly in the new editor and cannot be fixed easily. (SF has just been updated, so this may change.)
  3. Lists don't work fully. So if you save an item and try to add to a list, it inserts the row without a list tag. (known issue)
  4. The Save Now button closes the draft, so you have to reopen it (known issue)
  5. No formatting buttons in HTML mode (they will return soon)
Some highlights on the editor:
  1. The new post editor: Dynamic image resize, drag and drop location. Changes to the HTML editor that seem of unclear value to me (solving a non-existent problem?). Full Safari 3 support? (But today 3.1.2 gave me the old editor, so they may be tweaking something).
  2. How to report HTML bugs with the new post editor: Add a comment to this blog post? Seems that won't scale.
There are also some very nice big new features; the backup and the ability to effectively merge blogs seem awfully big to me (note that this particular page has links to pages that are "saved in draft" and thus don't appear as regular post pages -- a curious choice):
  1. Star ratings. Readers only, personally I'd like to be able to rate my own posts too -- differentiate the ones I think are more interesting.
  2. Import / export of blogs. Back up all of your posts and comments to one Atom XML file on your computer, and import your posts from one blog to another.
  3. Embedded comment form. By incredibly popular demand, we’ve brought the comment form to your blog’s post pages, with support for Google Account and OpenID authentication.
  4. New post editor. We’ve completely revised the post editor, bringing in drag-and-drop image placement and better HTML handling.
Safari 3 support in the new editor is great, but for me the really big deal is import/export. Per blogger:
  1. Merge two or more blogs into one. Take the exported posts and comments from one blog and import them into another one.
  2. Move individual posts from blog to blog. After importing, select just a set of posts to publish and publish them with one click.
  3. Back up your blog to your own storage. You can keep your words safe and under your control in case anything happens to your blog, or us, or if you want to remove them from the Internet.
  4. Move your blog somewhere else. Our export format is standard Atom XML. We hope to see other blogging providers extend their Atom support to include import and export. And, if you decide to come back to Blogger, importing your export file will get you back up and running in seconds.
The last is big. Google claimed over a year ago that they were going to make user data portable (see also). I've been very skeptical, and it's taken them a heck of a long time to do anything real. Now I'm willing to give them some time to show genuine commitment -- such as the ability to move Picasa albums to other services.

Altogether this is the best Blogger news since it became a somewhat reliable service about a year ago. Maybe Google can do product commitment after all.

Now if Google would only fix BlogThis!

Thursday, July 03, 2008

iPhone 2.0 is MUCH more expensive than iPhone 1.0 for current AT&T customers

I think Apple is still boasting of how affordable the new iPhone is.

This marketing swill is so evil.

For a current AT&T customer the cost has not fallen, it's gone UP a lot -- an additional $360 over two years. The increase is so large because the previous iPhone pricing was a great deal for a current AT&T customer. Current AT&T customers could buy an iPhone for the same cost as a new AT&T customer, and that's unheard of in the US mobile marketplace.

AT&T has now moved iPhone pricing in line with other "smartphone" pricing (which must make BlackBerry happier).

I've updated a prior post, here are some key excerpts ...

The Cost of the iPhone: More Per Month for Data - Bits - Technology - New York Times Blog

... According to a press release from AT&T, the carrier will no longer give a portion of monthly usage fees to Apple. Instead carriers will pay Apple a subsidy for each phone sold, in order to bring the price from $399 down to $199 for the 8 Gigabyte model. The company did not specify the amount of the subsidy. Subsidies of $200 to $300 are common in the industry.

What is more, consumers will now pay $30 a month for unlimited data service from AT&T, compared to $20 under the plan introduced last year. So even though the phone will now cost $200, consumers will be out more cash at the end of a two-year contract compared to the previous deal.

Tidbits: $160 more expensive ...

...SMS messages are no longer included in the data plan either, so you'll have to pay extra for them. Previously, the data plan included 200 SMS messages per month. AT&T's Messaging 200 plan, which includes 200 SMS messages, costs $5 per month, so it would seem likely that the iPhone 3G's SMS plan would be similar...

Ok, so for a new AT&T customer buying an iPhone the price has gone up by $160 over two years. Things are worse, however, for a current AT&T customer.

Current AT&T customers don't get the $200 discount on new phones. So for a current AT&T customer, the two year cost of a 16GB iPhone hasn't increased by $160, it's increased by $360.

A $360 increase over a two year ownership period is a substantial increase.

I spit in the general direction of Apple marketing.

The frailty of wireless encryption

WEP I knew was almost worthless. This is the most concise description of WPA limitations I’ve seen …
Coding Horror: Open Wireless and the Illusion of Security

… here are a few guidelines.
  1. WEP = Worthless Encryption Protocol
    WEP, the original encryption protocol for wireless networks, is so fundamentally flawed and so deeply compromised it should arguably be removed from the firmware of every wireless router in the world. It's possible to crack WEP in under a minute on any vaguely modern laptop. If you choose WEP, you have effectively chosen to run an open wireless network. There's no difference.
  2. WPA requires a very strong password
    The common "personal" (PSK) variant of WPA is quite vulnerable to brute force dictionary attacks. It only takes a trivial amount of wireless sniffing to obtain enough data to attack your WPA password offline -- which means an unlimited amount of computing power could potentially be marshaled against your password. While brute force attacks are still for dummies, most people are, statistically speaking, dummies. They rarely pick good passwords. If ever there was a time to take my advice on using long passphrases, this is it. Experts recommend you shoot for a 33 character passphrase.
In the end, perhaps wireless security is more of a deterrent than anything else, another element of defense in depth. It's important to consider the underlying message Bruce was sending: if you've enabled WEP, or WPA with anything less than a truly random passphrase of 33 characters, you don't have security.

You have the illusion of security.

The implication is that other versions of WPA (WPA-2?) are less vulnerable. In practice, as Schneier would probably say, it comes down to the value of what you’re trying to protect vs. the cost of the attack. Security is not a binary thing, it’s a spectrum. Relative, not absolute.

I suspect a good 20 character random password would suffice for most of us.

Update: A comment includes a nice link to a web site that helps create memorable passphrases.
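The quoted advice (a 33-character passphrase) and my own guess (20 random characters) are really statements about entropy: WPA-PSK lets an attacker test guesses offline, so the only thing that matters is how many guesses a passphrase forces. The following is an added example, not code from the post or from Coding Horror; it sizes a passphrase for a target entropy, generates one with the `secrets` CSPRNG, and estimates how long an offline search would take at an attacker guess rate that you supply (the rate is an assumption, not a measured figure). The 8-to-63-character bound is the WPA-PSK passphrase limit from IEEE 802.11i.

```python
import math
import secrets
import string

# Candidate alphabets a passphrase might be drawn from (chosen for illustration).
ALPHABETS = {
    "lowercase": string.ascii_lowercase,                                   # 26 symbols
    "alnum": string.ascii_letters + string.digits,                         # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

WPA_MIN_LEN, WPA_MAX_LEN = 8, 63   # WPA-PSK passphrase length limits (IEEE 802.11i)


def entropy_bits(length, alphabet_size):
    """Entropy, in bits, of `length` symbols drawn uniformly from an alphabet of
    `alphabet_size` symbols. This is the model an offline attack has to search
    when the symbols really are random."""
    return length * math.log2(alphabet_size)


def dictionary_word_entropy(word_count, dictionary_size):
    """Same calculation for a passphrase built from `word_count` words picked
    uniformly from a `dictionary_size`-word list: the attacker searches words,
    not characters, so the character count is irrelevant."""
    return word_count * math.log2(dictionary_size)


def length_for_bits(target_bits, alphabet_size):
    """Smallest passphrase length that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_attack_years(bits, guesses_per_second):
    """Expected wall-clock time for an offline search that, on average, tries
    half the keyspace before hitting the passphrase. `guesses_per_second` is an
    assumption about the attacker's hardware, not a fact about WPA."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def random_passphrase(length, alphabet=ALPHABETS["printable"]):
    """Generate a WPA-PSK passphrase of `length` characters with a CSPRNG."""
    if not WPA_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        n = length_for_bits(128, len(alphabet))
        print(f"{name:10s}: {n} random characters give "
              f"{entropy_bits(n, len(alphabet)):.1f} bits")
    # A short lowercase password, searched at an assumed 1000 guesses/second.
    print(f"8 lowercase chars: ~{expected_attack_years(entropy_bits(8, 26), 1e3):.1f} years")
    print("sample:", random_passphrase(20))
```

Running it shows why the two numbers on this page agree: 20 characters from the full printable set and 28 from lowercase only both clear 128 bits, while a 33-character lowercase passphrase is about 155 bits. The attack-time function makes the other point explicit, that a short or dictionary-based passphrase falls to a modest guess rate no matter how the radio side is configured.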

Tuesday, July 01, 2008

Best review of the OS X ARDA root escalation vulnerability

I might follow the advice outlined here, though I may simply avoid installing software until Apple provides a fix. It is a bigger problem than I'd assumed when I first saw the Slashdot story:
TidBITS Safe Computing: How to Protect Yourself from the New Mac OS X Trojans

... Simply running the AppleScript command

osascript -e 'tell app "ARDAgent" to do shell script "reallybadstuff"'

runs "reallybadstuff" as root, without asking you for your password....

... the attacker exploits a vulnerability that gives them access to your user account, then he uses privilege escalation to take over your system as root, often installing additional malicious software. These combined attacks are common, although we don't see them often on Macs (in fact, I've never seen one on Mac OS X). The attacker will use something like a Web browser vulnerability to get his foot in the door, followed by the privilege escalation...

... The first major Trojan to leverage the ARDAgent vulnerability is called "PokerStealer" (identified by antivirus vendor Intego). Rather than using some sort of attack to get on your system, it pretends to be a poker game. When it's run, it uses the ARDAgent vulnerability to escalate its rights (without asking for your password) and installs malicious software like a keystroke capture program.

A more serious problem is that, as reported by Brian Krebs at the Washington Post, some bad guys developed a tool to bundle a package of malicious software into any downloadable Mac application. It uses the ARDAgent vulnerability to run these pieces without your interaction, like PokerStealer. The program needs to run only once, then it embeds itself in your system. Interestingly enough, Krebs reports that this tool was in development since May 2008. We can expect the bad guys to use all sorts of social engineering tricks (like writing little games) to get us to run their software on our systems.

To protect yourself, if you don't use (or plan on using) Apple Remote Desktop (which is different from Screen Sharing), you can go to /System/Library/CoreServices/RemoteManagement/ in the Finder, copy ARDAgent.app to your Desktop, right-click and compress it, and move the file someplace like your Documents folder. Then delete the original file. That way you just need to unzip and reinstall the file if you ever need ARDAgent down the road...
Following these preventive measures may mess up future Apple updates however.

The most important security measure for most OS X users is not to run as an admin user -- save the admin account for admin tasks. This security defect bypasses that protection.
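The reason the `osascript` one-liner above runs as root is that the ARDAgent executable was installed setuid root, so whoever talks to it via AppleScript gets root's privileges. A defender's first question is therefore whether that binary is still present and still setuid root on a given Mac, which tells you whether the TidBITS workaround (or a later Apple update) has actually taken effect. The following is an added example, not code from TidBITS or Apple; it assumes the standard bundle layout (`Contents/MacOS/ARDAgent` inside the `ARDAgent.app` path named in the quote) and includes a generic walker for finding other setuid-root files, plus a constructed sample tree so it can be exercised on any Unix.

```python
import os
import stat
import tempfile

# Path assumed from the post plus the standard application-bundle layout.
ARDAGENT_BINARY = (
    "/System/Library/CoreServices/RemoteManagement/"
    "ARDAgent.app/Contents/MacOS/ARDAgent"
)


def setuid_root_status(path):
    """Classify a file as 'absent', 'setuid-root' (it runs with root's
    privileges no matter who launches it, the property the escalation relied
    on), or 'present' (there, but not setuid root)."""
    try:
        st = os.stat(path)          # follow symlinks: we care about the real executable
    except FileNotFoundError:
        return "absent"
    if st.st_mode & stat.S_ISUID and st.st_uid == 0:
        return "setuid-root"
    return "present"


def find_setuid_root(root_dir):
    """Walk `root_dir` and return every file that is setuid and owned by root.
    The same check as above, applied to a whole tree for a broader audit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if setuid_root_status(path) == "setuid-root":
                hits.append(path)
    return sorted(hits)


def audit_ardagent(path=ARDAGENT_BINARY):
    """Return (status, advice) for the agent binary."""
    status = setuid_root_status(path)
    advice = {
        "absent": "ARDAgent is not installed; the workaround above (or an Apple update) has removed it.",
        "setuid-root": "ARDAgent is still setuid root; apply the workaround above or Apple's fix.",
        "present": "ARDAgent is present but not setuid root; the escalation path no longer applies.",
    }[status]
    return status, advice


def make_sample_tree():
    """Constructed sample input: a temp directory holding one plain file and
    one file with the setuid bit. Both are owned by the current user, so the
    setuid one only classifies as 'setuid-root' when this runs as root."""
    base = tempfile.mkdtemp(prefix="setuid-audit-")
    plain = os.path.join(base, "plain")
    suid = os.path.join(base, "suid")
    for p in (plain, suid):
        with open(p, "w") as fh:
            fh.write("x")
    os.chmod(suid, 0o4755)
    return base, plain, suid


if __name__ == "__main__":
    status, advice = audit_ardagent()
    print(f"{status}: {advice}")
```

On a Mac of that era the interesting output is `setuid-root`; after the workaround it is `absent`, and after a vendor fix that simply drops the bit it is `present`. Checking the bit rather than the file's existence is what distinguishes the two remediations.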

Monday, June 30, 2008

Why Blackberry deserves to die

Tolkien wrote: "Many that live deserve death. Some that die deserve life."

So I'm not saying that the Blackberry will die, just that it doesn't deserve to live.

It's not just the inexcusable memory capacity limitations. It's not even the astounding lack of imagination in the software environment. No, the ultimate offense is this:
Passwords are masked on entry. Even on the Blackberry Pearl -- with its predictive text matching.
I realize very few products are as smart as OS X, which allows users to optionally unmask passwords. I could forgive Blackberry for omitting this feature if the Pearl had a conventional keyboard. It doesn't of course, and, speaking only for myself, text prediction does not work on my passwords.

The brief single character display (not available for numeric entry) is not enough.

This is one of the stupidest things I've come across. I've had plenty of time to investigate my wife's Pearl while traveling cross-country flat on my back, and my relatively positive initial impressions have dissolved. It really deserves to perish. If the iPhone 2.0 is half-decent I'll be selling a Pearl cheap as soon as ePocrates will run on the iPhone.

Saturday, June 28, 2008

Open DNS saves my day

OpenDNS has some issues:

[Gruber] I linked to OpenDNS last week, praising their service after Comcast’s own DNS servers had failed me for the last time. It ends up though that OpenDNS is a polarizing service — they’re both praised and scorned. One of the reasons they’re scorned is that they redirect requests to www.google.com to their own internal server before forwarding the request along to Google’s www.l.google.com. They also do wildcard matching for unregistered domain names, a move most DNS experts consider a no-no. They’re open about these “features” (e.g. here’s their explanation for the Google redirection), but I tend to take the side that any sort of “DNS+” service is worse than just plain DNS.

I think it’s worth keeping OpenDNS on deck for use in a pinch if your regular DNS server conks out, but I can’t recommend them for primary use.

On the other hand, OpenDNS saved me today. The resort we're staying at has very marginal net access, and today I could reach Google and Microsoft but not much else. I figured their DNS was down. From a Google Cache page I retrieved the OpenDNS addresses:
OpenDNS > Get Started > Enable OpenDNS

Our nameservers are 208.67.222.222 and 208.67.220.220.
Bingo, that worked. Now everyone on the resort is switching.

I may start using OpenDNS - especially when traveling. The filtering options are appealing for our home use too, so I may well sign up and pay them. More on that after I review Gruber's comments in context.
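The "wildcard matching for unregistered domain names" Gruber objects to is observable: an honest resolver answers a query for a name that does not exist with RCODE 3 (NXDOMAIN), while a resolver that synthesizes results returns RCODE 0 and an A record pointing at its own server. The following is an added example, not code from OpenDNS or from Gruber; it builds a raw DNS query for a random label under a base domain (`example.com` by default, an assumption you can change), classifies the reply, and pulls out any addresses the resolver substituted. The two sample responses at the bottom are constructed by hand, not captured from any real resolver, so the classifier can be checked offline.

```python
import os
import socket
import struct

RCODE_NXDOMAIN = 3


def build_query(name, txid, qtype=1):
    """Encode a one-question DNS query (type A by default) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def analyze(response):
    """Classify a response to a query for a name that must not exist."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        offset = skip_name(response, offset) + 4       # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        offset = skip_name(response, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:                   # A record
            addresses.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlen
    if rcode == RCODE_NXDOMAIN:
        verdict = "honest NXDOMAIN"
    elif rcode == 0 and an > 0:
        verdict = "synthesized answer"     # the resolver invented a result
    else:
        verdict = "inconclusive"
    return {"txid": txid, "rcode": rcode, "answers": an,
            "addresses": addresses, "verdict": verdict}


def probe_resolver(resolver_ip, base_domain="example.com", timeout=3.0):
    """Network call: ask `resolver_ip` for a random nonexistent name."""
    txid = int.from_bytes(os.urandom(2), "big")
    name = "nx-" + os.urandom(6).hex() + "." + base_domain
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _peer = s.recvfrom(4096)
    result = analyze(data)
    if result["txid"] != txid:          # reply does not match our question
        result["verdict"] = "mismatched transaction id"
    return result


# Constructed sample responses for offline use (not captured from a resolver).
_QUESTION = build_query("nx-deadbeef.example.com", 0x1234)[12:]


def sample_nxdomain_response():
    # QR=1, RD=1, RA=1, RCODE=3; one question, no answers.
    return struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION


def sample_synthesized_response():
    # QR=1, RD=1, RA=1, RCODE=0; one A record (name pointer to the question)
    # sending the nonexistent name to 192.0.2.1, a documentation address.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + answer


if __name__ == "__main__":
    print(analyze(sample_nxdomain_response())["verdict"])
    print(analyze(sample_synthesized_response()))
    # To test a live resolver, e.g. one of the addresses quoted above:
    # print(probe_resolver("208.67.222.222"))
```

Run `probe_resolver` against your ISP's resolver and against a "DNS+" one and compare the verdicts; the `addresses` field tells you where a synthesized answer lands, which is the detail to look for when a typo'd hostname unexpectedly loads a page. The transaction-id check is there because a reply that does not match the question asked should never be trusted, whatever its RCODE.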