Tales From the Orchard: Apple Just Made Safari the Good Privacy Browser

By Lily Hay Newman of Wired.com

Apple announced a slew of new software features at its Worldwide Developers Conference on Monday, including an augmented reality upgrade and animojis that can stick out their tongues when you do. But the company’s latest desktop and mobile operating systems contain a more subtle, yet more radical, innovation. The newest version of Apple’s Safari browser will push back hard against the ad-tracking methods and device fingerprinting techniques that marketers and data brokers use to monitor web users as they browse. Starting with Facebook.

The next version of Safari will explicitly prompt you when a website tries to access your cookies or other data, and let you decide whether to allow it, a welcome step toward explicit choices about online tracking. Safari will also make a dent in defeating the so-called “fingerprinting” approach, in which marketers use publicly accessible information about devices—like the way they’re configured, the fonts they have installed, and the plug-ins they run—to assign them an individual, trackable ID. In macOS Mojave and iOS 12, Safari will scrub much of this data, exposing only generic configuration information and default fonts. The browser will also stop supporting legacy plugins. The idea is to make your Mac indistinguishable from millions of others, muting the fingerprinting effect.

“Data companies are clever and relentless,” Craig Federighi, Apple’s senior vice president of software engineering, said on Monday, explaining why Apple pushed to add these features. The company calls the set of tools “Intelligent Tracking Prevention 2.0,” and they feature WebKit changes, like eliminating a 24-hour grace period that gave trackers a day of cookie access.

The new version of Safari will also help improve password hygiene by offering to generate, autofill, and store strong passwords. It’s a well-intentioned approach, although one that can be problematic depending on how it’s deployed. The browser will now also audit password reuse to try to discourage people from using the same password for multiple services—a crucial way consumers can reduce their risk of being impacted by data breaches.

The antitracking features continue Apple’s assault on ad tech; last year’s Safari update prevented video and audio from autoplaying, and the then-nascent Intelligent Tracking Prevention WebKit tool worked to identify and block tracking cookies. This year’s updates, though, take things a step further by significantly expanding the tracking techniques Safari can block or warn users about.

Apple’s not the only company to toughen up its browser against privacy and security menaces. As with Chrome’s Do Not Track mechanism, Apple seems to have based some of the new Safari protections on research from Mozilla, which offers its own protections in the Firefox browser. In February, Chrome also started offering native ad-blocking measures to bring more comprehensive protections to users based on standards from the Coalition for Better Ads. There are also browser plugins like Ghostery, Privacy Badger, and Adblock Plus to help stymie various tracking techniques. But Apple’s efforts in Mojave and iOS 12 appear to be the most prominent and comprehensive yet.

Though the new privacy mechanisms will potentially hinder all sorts of tracking, Apple specifically called out Facebook’s massive ad network—which is known for employing an array of user tracking strategies, like its ubiquitous “Like” buttons. In one of the slides depicting an example of how Intelligent Tracking Prevention 2.0 will work, Apple’s Federighi showed a Safari page open to Facebook with a popup notification reading “Do you want to allow ‘facebook.com’ to use cookies and website data while browsing ‘blabbermouth.net’? This will allow ‘facebook.com’ to track your activity.”

Facebook did not immediately respond to a request from WIRED for comment, and the platform is certainly not the only large ad network incorporating these techniques. But it’s a prominent player that has received extensive criticism for letting a variety of user data tracking tools run rampant. The company’s chief information security officer Alex Stamos noted on Twitter that it doesn’t seem like the new Safari will block tracking pixels or JavaScript components, which are notorious for being exploitable as trackers or by bad actors for malicious activity.

Stamos seemed more focused on blasting Apple’s attempt to single Facebook out, but it’s true that this generation of Intelligent Tracking Prevention will inevitably have limitations. It’s difficult to fully block online tracking methods without also eroding website usability, and different privacy initiatives have approached dealing with this conflict in different ways.

“The consent popups will be a big deal to people. It’s more visual so you know that they are attempting to track you versus it just happening in the background silently,” says Will Strafach, an iOS security researcher and the president of Sudo Security Group. “I guess the real test will be how well these measures work and how advertisers and trackers will react.”

Google and Firefox already offer plenty of solid ad-blocking and antitracking mechanisms, and offer a host of other features that may make them more desirable than Apple’s browser. But if privacy matters most to you, it might be time to give Safari a try.

What’s your preferred browser or method for protecting your privacy online? Sound off in the comments below!

Weekly Round Up 3/30/18

Facebook can’t have all the fun…
It’s Amazon’s Turn in the Tech Hot Seat

It should be for any business that handles people’s data.
Backlash against tech companies is a wake-up call

Edward Snowden said it best, “Voluntary surveillance.”
Why do people hand over so much data to tech companies? It’s not easy to say ‘no’

As I was watching a clip of this, I got the feeling Uncle Timmy might be running for office one day soon…
Recode Daily: Tim Cook talks Facebook, data privacy, domestic manufacturing and tech in education

This is super creepy and cool all at the same time.
A Prediction About Future Tech From The 1990s Has Gone Viral Because It’s Spookily Accurate

They never seem to get any better…
Women and Minorities tech; By the Numbers.

I don’t need Alexa cooking any meals for me, thanks.
To Invade Homes, Tech is Trying to Get Your Kitchen

I’m telling you, that tech episode of the X-Files scared the crap out of a lot of people.
How Tech Can Make Retirement Harder For Couples

App of the Week: Malwarebytes

By Neil J. Rubenking of PCMag

There’s something strange ‘neath your PC’s hood. Antivirus failed, and it don’t look good. Who ya gonna call? Malwarebytes! For many years, Malwarebytes has been the go-to solution when other antivirus products drop the ball. It’s been a few years since the program’s last update. During that time, the company has focused a lot of its energy on preventing PCs from getting infested with malware in the first place, but Malwarebytes 3.0 Free is still available to clean up malware’s messes. It’s still an excellent tool, although it didn’t perform as well as the last version in my testing.

The main reason version 3.0 took so long was a total makeover of Malwarebytes 3.0 Premium. That product now includes all the various scanning and detection technologies that previously represented separate products. Ransomware protection is built in. Exploit protection is no longer a separate product. Real-time protection watches for known malware and for malicious behaviors, and Web protection steers you away from dangerous sites. With all these layers of protection, Malwarebytes now promotes the premium edition as a suitable replacement for your existing antivirus, though it’s also designed to work alongside other products. I’ll review the premium edition shortly.

The main window of the free software looks quite a bit different from that of the previous version. A simple menu runs down the left side, and a right-hand panel reports protection status. All of the premium features are listed, but disabled and marked “Premium Only.” The dashboard tab reports your security status, with a big button to launch a scan. The layout is still simple and straightforward. Most days, you’ll just load it up and click the Scan button.

Little to Learn From Lab Results

According to my contact at the company, Malwarebytes is designed to whip malware, not to pass tests. For example, if a particular sample has zero recent sightings among the horde of Malwarebytes users, the company may remove its signature, to keep the product nimble. A test that uses that dated sample will make the product look bad. Malwarebytes deliberately doesn’t participate in testing by most of the labs that I follow for that reason.

In addition, the tests available when a new product comes out are almost invariably based on the previous version of the product. That’s not so bad for products undergoing slow evolution, but the big changes in the latest version mean that the paltry results we do have may not be meaningful.

West Coast Labs awarded checkmark certification to the previous version of Malwarebytes Premium. Note that this lab works with vendors who don’t pass certification, so that they eventually succeed. It’s a different model from the labs that assign ratings to products based on their success rate.

MRG-Effitas takes a tough stance with its all-types malware test. A product that completely prevents every single sample from installing on the test system earns Level 1 certification. A product that lets some samples install, but remediates almost all of them within 24 hours gets Level 2 certification. All others fail, and there’s no distinction between missing all samples and missing just a couple. Cleanup-only products don’t have the opportunity to block installation, but if the on-demand scan completely remediates the malware, they earn Level 1 certification.

Along with three less well-known products, Kaspersky took Level 1 certification. Five other products managed Level 2. Almost half of the products failed to reach even Level 2 certification, Malwarebytes among them. Digging in to the test data behind the certification, I found that while the other three cleanup-only products received Level 1 certification, Malwarebytes failed to remove 40 percent of the samples.

That doesn’t sound great, but there’s just not enough information to assign an aggregate lab score to Malwarebytes. Even if I had more data, with the major update in version 3 I couldn’t swear the result would still be valid.

Four of the five labs I follow include Kaspersky Anti-Virus in their testing, and its aggregate lab score is an impressive 10 of 10 possible points. Norton earned 9.7 points, based on tests by three labs. And Bitdefender Antivirus Plus 2017, tested by all five labs, averaged 9.3 points.

Diminished Malware Protection

The free edition of Malwarebytes is a cleanup-only product, with no real-time malware protection. My usual malware blocking test is no use for such a product. And yet, with no real help from the independent labs, I had to do something to see the product in action. To that end, I launched the samples in batches, gave each batch time to finish installing, and then launched Malwarebytes to clean up the mess.

Giving the samples time to run proved a bit problematic. One ransomware sample had time to do its dirty deeds before the scan removed it. There’s nothing a cleanup-only product could do to prevent that. Unfortunately, it encrypted the data file used by my program that checks for known traces of my set of samples. That’s awkward, but of course I had a backup.

After each batch of malware samples, I ran my hand-coded detection tool to verify that the malware traces were present. Then I ran a standard Threat Scan with Malwarebytes. On my test system, this scan routinely finished in two minutes or less. In almost every case, it requested a reboot after the scan, to complete the cleanup process. After reboot, I ran my detection tool again to see what the cleanup did.

The results were disappointing. F-Secure and Webroot SecureAnywhere AntiVirus detected 100 percent of these samples in my malware-blocking test, and Webroot completely eliminated all of them, scoring a perfect 10.

Malwarebytes didn’t even recognize 33 percent of the samples. My contact at Malwarebytes pointed out that if the samples are old and no longer in the wild, Malwarebytes won’t necessarily catch them. I obtained all of the samples from live malware-hosting URLs earlier this year, but looking at the details I did find that some of them had originated several years ago.

On the plus side, Malwarebytes completely wiped all traces for 44 percent of the samples. For another 13 percent, it detected and removed some of the traces, but left behind some executable files. The samples in the remaining 10 percent are the ones that bother me the most. In these cases, I found executable files in the quarantine list that were still present in their original form. I pored over the logs, verifying that Malwarebytes thought it removed them. My company contact couldn’t immediately explain this behavior.

Mitigating Factors

Like the lab tests disdained by Malwarebytes, my hands-on test doesn’t precisely simulate the product’s actual use-case. Normally you’d bring in Malwarebytes to handle an infestation that got past your existing antivirus, or that prevented installation of a more traditional antivirus. The aggressive behaviors and technologies that such an infestation requires should be a red flag for Malwarebytes. A less-dangerous sample that’s manually loaded on a test system doesn’t raise the same concerns.

Even so, the product has fared better in the past. Several years ago, I ran a test that challenged Malwarebytes and other products to remove entrenched malware from a dozen badly-infested systems. At that time, Malwarebytes outscored all competing products, with an overall detection rate of 89 percent. I hope that the current version proves effective against such real-world threats. But I can’t demonstrate that as a fact.

Keep It in Your Toolbox

All things considered, Malwarebytes 3.0 Free remains a very useful tool, despite the issues I uncovered in testing. If you carry a thumb drive full of tools, it should definitely be one of them. But remember, use it along with Bitdefender, Kaspersky, McAfee AntiVirus Plus, or another antivirus that provides real-time protection. Bring it out when the going gets tough for your regular antivirus, or consider going for the full-scale protection of the premium edition.

In this modern world of ransomware and data-stealing Trojans, a cleanup-only antivirus can never be your first line of defense. You need layers and layers of protection, like what you get with the premium edition of Malwarebytes. I’m no longer declaring an Editors’ Choice award for cleanup-only antivirus, though Malwarebytes remains my first choice.

Malwarebytes is available for Windows, Android and Mac OS.

What malware protection do you use on your device(s)? Sound off in the comments below!

App of the Week: Trello

By Jill Duffy of PCMag.com

Online tools for collaboration and communication come in a wide variety. Some, such as Jira, are popular among software developers, who might use an agile or just-in-time style of working. Trello takes a different approach and instead uses a kanban-style work methodology, which is highly visual. Trello is an online, collaborative workspace used to manage work of all kinds, whether they’re business projects or personal chores. It works fairly simply, with drag-and-drop capabilities and an intuitive interface. If you’re thinking of using it for true project management, however, consider that it lacks such project management basics as Gantt charts, time-tracking components, and reporting tools. You can add those functions through app integrations and plug-ins, but they aren’t included by default when you sign up for Trello or pay for a premium account. Trello is eye-catching and fun, and it’s a very good collaboration solution for certain types of work and teams. Figuring out if it’s right for your team may take some trial and error, however.

Price and Plans

Trello offers four levels of service: a free account, plus three versions of paid accounts called Gold, Business Class, and Enterprise.

The free account gives you a lot to try without too many restrictions. You can create and manage as many boards, lists, and cards as you want and attach files up to 10MB in size. There are no limits on the number of people who can join your account either. The limitations are that you only get one Power-Up, or integration, per board. Power-Ups include Salesforce, Join.me (for video conferencing), Slack, Zendesk, Github, and so forth. The full list of Trello Power-Ups is online.

In addition to that one integration, you can connect to three different cloud storage services: Google Drive, Box, and Dropbox. With a free account, you only get basic functionality with those storage services, meaning you can add links to files in your Trello cards. If you choose to make one of those storage services your Power-Up, then you get some additional functionality. In the case of Google Drive, you can preview files right from Trello and even create new documents right from the Trello app.

For $5 per month or $45 per year, you can upgrade your free Trello account to a Gold account. There are two serious advantages to having a Gold account. First, the maximum file size for attachments increases to 250MB. Second, you get three Power-Ups (integrations) per board instead of just one. The other benefits, such as custom emoji and more stickers, feel more like in-app purchases for video games than productivity enhancers.

The Business Class and Enterprise accounts are a different story. The major difference between them and the free and Gold accounts is that the top tiers come with admin controls.

Trello Business Class costs $119.88 per user per year, which works out to be $9.99 per person per month. That’s double what it used to be. With this level of account, you get unlimited Power-Ups, a maximum file size attachment of 250MB, and plenty of customization options. The administrator of a Business Class account can specify which users can create boards, with what permission levels—everything from public boards to private boards to boards that are only visible to those inside the organization. Trello Business Class also gives you the ability to invite people to have read-only access to your boards, letting you safely share pertinent information with outside collaborators. You can deactivate accounts of people who have left the organization without wiping out all their historical data, too. Business accounts can integrate with Google Apps, as well.

Trello Enterprise, which uses custom pricing, is meant for organizations with more than 100 people. The Enterprise account comes with everything in the Business Class account, but with phone support, a dedicated contact at Trello, and simplified billing. See Trello’s Enterprise page for more details.

Trello used to be fairly inexpensive, especially for teams smaller than 15 people or so, but as I mentioned, the price has doubled since 2015. Now Trello’s cost is more in line with other business productivity apps, including dedicated project management apps, which offer a bit more. Of course, kanban-style collaboration tools like Trello and true project management apps aren’t the same thing, so it’s not an apples-to-apples comparison.

Nevertheless, it’s good to know how much software that’s in the same general category costs to get a sense of what’s a good deal and what isn’t. PCMag’s two favorite project management platforms, Zoho Projects and Teamwork Projects, have exceptionally attractive pricing. Teamwork Projects charges $49 per month (flat fee) for unlimited users, and that plan supports up to 40 projects with 20GB of storage space. It also includes interactive (drag-and-drop compatible) Gantt charts and tools for tracking milestones—all the stuff you’d expect from a rigorous project management application. A similar package from Zoho Projects costs a flat $50 per month for 50 projects and 100GB storage space.

Many other project management apps charge per user per month. LiquidPlanner, for example, starts at a much higher $29 per user per month fee (and has a ten user minimum), but it has extensive reporting and billing tools. Comindware Project, a traditional project management service with slightly more modest capabilities, works out to be the same price as Trello Business Class: $9.99 per user per month.

Getting Started With Trello

Trello and other kanban apps use boards, lists, and cards instead of the timeline-based structure seen in project management apps, which look at projects, tasks, and milestones. Project management is designed for projects that have a concrete end date and a deliverable, whereas kanban boards are designed to help teams manage different kinds of work, and not necessarily finite projects.

It helps to have an example, and I’ll provide a very basic one. Imagine that you have a kanban board for a family to-do list. You can imagine it as a poster board with sticky notes. There are three columns (Trello calls them lists) labeled To Do, Doing, and Done. In the first To-Do column, family members put cards with a task that needs to be done. Let’s say, too, that the family has decided that each person is responsible for no more than three tasks at a time. (That’s a typical kanban-style rule—it helps users focus.) As family members choose tasks that they will do or are assigned to them, they write their name on the appropriate cards and move them into the Doing column. When a task is completed, the person responsible moves it into the Done column.

From the example, you can glean two major benefits of kanban. One is that the design and rules of engagement limit how much work people can have on their plates at a time, so that they don’t get overwhelmed. The second is that everyone has visibility into the state of the work that the organization (in this case, the family) needs to do. This allows for both accountability and the possibility of helping other team members who are falling behind.

Cards in Trello can have a lot of detail on them. In addition to holding a task and the name of the assignee, a card can have a list of subtasks, due date, a detailed description, hyperlinks, attachments, and more.

Interactivity

Trello is an interactive Web app, with very good drag-and-drop capabilities. For example, if you want to upload images or attach PDFs to a card, you can select them from your computer and drag them right onto the card. They upload in just a few seconds. You can also upload from Google Drive, Box, Dropbox, or a URL. I like that Trello takes any visual assets you upload and adds one of them as a cover image to your card, so that you can easily identify the task whenever you look at the board.

While you can assign someone to a card and set a due date, you won’t find more advanced project management features, such as estimating best- and worst-case scenarios for how long a task might take to complete. It’s also strange to me that cards can’t be checked off as done, even though they can have a due date, but maybe I’m trying to pigeonhole them into being tasks when they’re not. You can archive cards when you’re finished with them, however.

Trello lets you add color-coded labels to cards, but, despite high hopes, I found them to be a letdown. Each label must be color-coded, which means you run out of easily identifiable colors after maybe 10 or 12. I would also rather just see the keywords I chose to use as labels or tags and have reliable tools for searching and filtering information based on them.

As I’ve mentioned, Trello doesn’t have any of its own time-tracking tools, Gantt charts, or progress reports, but you can add some of these features through third-party Google Chrome extensions. I tinkered around with one called Plus for Trello that adds time tracking, reports, and scrum features (scrum is a style of working that focuses on iteration, popular among software developers). They aren’t bad, but they also aren’t nearly as powerful as the native reporting and time estimation features found in LiquidPlanner, for example. LiquidPlanner can do things like reconfigure an entire timeline of tasks that are dependent on one another if even one person misses a deadline.

You can connect Trello to other business apps beyond just what’s in the Chrome Extension store. Time-reporting tools Toggl and Harvest both offer integration with Trello. That’s fine if you’re interested in cobbling together a unique suite of tools for your team to use. Many teams will prefer a single package that offers all the features they need out of the box, but there’s nothing wrong with taking the DIY approach, if you have the resources to do it.

One of Trello’s strengths is that there’s more than one way to use it. It’s flexible enough to bend to your will, and you can get rather creative. For example, I created a board in Trello for keeping track of travel ideas. My lists are for different travel regions, and the cards are for specific trips. Inside the cards I have notes about when festivals are happening in those areas, local friends I should contact before arriving, and pictures of the location. I also have a checklist of subtasks, like checking whether I need a visa, booking a flight, booking accommodations, and so forth.

Trello’s flexibility may seem like an asset, but it can also be a burden in that you have to figure out how to best use the service. I have long felt the same way about Asana, a wonderful task-management tool that has so few rules for how to use it that it can be daunting to new users as they try to figure out how it might work for them. Both Trello and Asana can be excellent tools, but it takes a strong, tight-knit team to put up with some trial and error when first adopting the tool and deciding how to use it.

Apps and Extras

Trello does well with mobile apps. The service offers Trello for Android phones and tablets, as well as iPhones and iPads. There’s also a Trello app for Slack. The mobile apps are nearly identical to the website. On the one hand, that means it’s easy to move from the Web app to the mobile apps. On the other hand, the mobile apps don’t have the same screen real estate, and I find it very hard to use them as standalone products without the Web app serving as the primary interface. In other words, Trello’s mobile apps work best as companion apps to the Web app, not as your main way to interact with the service.

In addition to the many Chrome Extensions and compatible apps you can add to Trello, it’s supported by Zapier and IFTTT. Zapier and IFTTT are services that let you connect online apps and tools that aren’t natively interoperable, and the key is that you don’t need to know how to code to get them to talk to each other. For example, you could connect Trello and GitHub so that every time a new issue is created in a chosen GitHub repository, a Trello card is automatically created on a specified board with the issue details.

Flexible, Visual, and Light

Trello provides a flexible app for managing work collaboratively. Because it’s flexible, however, it may require some experimentation to figure out how to best use it for your team and the workload you manage. It’s a reasonably lightweight, flexible, and focused alternative to heavy-duty Editors’ Choice collaboration tools like Asana, which require far more time to set up, and which can, if not implemented correctly, actually draw your focus away from work. If what you really want is traditional project management software, you might find Trello light on features, as it lacks built-in reporting tools, time tracking applets, and even traditional tasks as you might know them.

Trello is available for Mac, iOS, and Android.

What’s your favorite project management app? Sound off in the comments below!

WIT: Apple Included This One Feature Every Woman Should Know About

By LANI SEELINGER of Bustle.com

The new iPhone update is officially out, and say what you will about the new aesthetic features, there’s one feature that could potentially save lives. With the iOS 11, you can place an emergency SOS call from a locked iPhone, and really, this trick is something every woman should know about the new update.

In previous iPhone operating systems, you could call emergency services from a locked screen or by giving Siri the command “charge my phone 100 percent.” While those were effective ways to get yourself out of trouble in most cases, the former wouldn’t always work if the phone’s screen was broken, and the latter wasn’t very discreet.

Now, Apple has fixed both of those problems with this new update. Hopefully you’ll never need to use this feature, but if you should ever be in a tight spot when even speaking to your phone or bringing it out to look at would be dangerous, now you can just quickly press the sleep/wake button five times, and then it will automatically get you in touch with emergency services. If you’ve set an emergency contact in the phone, it will also alert that person that you’re in trouble and give them your location.

And just as an emergency feature should be, it’s incredibly easy to enable.

If you do want it to make a phone call automatically after you’ve pressed the sleep/wake button five times, you have to enable “Auto Call” in your settings. The automatic setting also comes with a protection against just accidentally calling 911 — pressing the button five times starts a three-second countdown, which comes with a countdown noise so you have a chance to cancel the call if you’ve triggered it accidentally. You can turn that countdown sound off in the settings, though. You might want that if you were in a circumstance where an iPhone sound could alert a potential criminal to your location — which, again, is hopefully a situation that you will never find yourself in.

There are a couple of limitations to the feature; for example, it only works in certain countries. If you’re not in the U.S., Australia, Belgium, Brazil, Canada, China, France, Hong Kong, India, Italy, Japan, Russia, Spain or the UK, then you’ll have to wait for a future update to take advantage of it. All things considered — including the large percentage of the world’s population in those countries — it’s not bad for a start.

While this update will make every iPhone user who has access to it just a little bit safer, it’s especially key for women, who are in many ways much more in danger of being targeted in their everyday lives than men. This could be an effective way to help women who find themselves facing intimate partner violence, a situation in which it’s easy to imagine that even the simple act of making a phone call could put the woman in far greater danger than if she were able to make the call more discreetly.

From a woman’s perspective, this is a big improvement over the days when Apple found itself in hot water for not including a menstrual cycle tracker in its health app update back in 2014. They did manage to fix that little bug back in 2015, and this is another signal that Apple is really making a commitment to keeping women safe and healthy. Really the only thing you have to worry about here is activating the call without knowing it — but are you really in the habit of pressing the sleep/wake button five times without paying attention to it? This is a case where it’s definitely better safe than sorry.

Tell us your thoughts on this new personal safety feature in the comments below!
