> Search Results

The last password manager you’d ever want to use In August 2022, popular password manager developer LastPass experienced a data breach from an “unknown threat actor” who gained access to an unsecured third-party cloud storage instance. We can pretty safely assume this “third-party storage instance” was an unsecured Amazon Web Services S3 data “bucket”. These so-called “leaky buckets” have been front-and-center in a number of high profile data breaches over the last several years. While it’s convenient to place the blame on AWS for these breaches, since AWS is hosting the S3 storage objects, the fault lies squarely with the companies who use S3 and fail to secure their S3 instances properly. In the case of LastPass, the original event in August 2022 turned out to be much worse than LastPass initially revealed. On December 21st, 2022, LastPass published a new blog post admitting that this unknown threat actor obtained access to sensitive customer data, including encrypted master passwords. Master passwords are used, in password manager parlance, to unlock a user’s password vault, giving a hacker access to every password a user has saved in LastPass, if the hacker manages to decrypt the master password. This is a big deal. It’s almost a worse-case scenario from the perspective of LastPass, but they won’t say as much because the optics are already terrible for the embattled company. In 2015, LastPass was acquired by LogMeIn, a popular developer of remote access software. In 2021, LastPass was spun off from LogMeIn, but remained under the ownership of the private equity firms that acquired former parent company, LogMeIn. During all of this buyout and spinoff drama, LastPass significantly altered the terms of its free product tier in early 2021, leading to a substantial shedding of its customer base. Password managers are high-profile targets for hackers and many contain security vulnerabilities, unfortunately. As these programs are essentially just storehouses for every password a customer regularly uses, threat actors prioritize gaining access to them. In 2020, researchers from the University of York discovered security vulnerabilities in popular password managers Dashlane, LastPass, Keeper, 1Password, and RoboForm. In LastPass’s case, the vulnerabilities were apparently not rectified at the time the study was published. These types of attacks are also distinct from, and potentially more damaging than, the more common phishing attacks that affect millions of people every year. So what should you do? If you’re a LastPass user in 2022, you have to assume that the threat actor has access to your encrypted master password and that they have the ability to decrypt it. At this point, LastPass’s word is essentially worthless. With that said, and painful as it may be, your best course of action is to change every password you stored in your LastPass vault and close your LastPass account. Which password manager should you use? We recommend BitWarden. So far, BitWarden’s security posture has led the pack in the field of password managers. BitWarden offers a free online password manager option, as well as paid versions with additional features, such as the ability to self-host your BitWarden instance (or have a technical service provider like Geek Housecalls do it for you!) This is especially critical in business and enterprise environments. In a 2020 report by Rapid7, researchers found effective password management and two-factor authentication were both very underutilized in corporate IT environments. Such failure to implement appropriate credential management and two-factor authentication has led to billions of dollars in lost productivity as well as in funds paid to ransomware hackers and to outside security companies. If you’re struggling with password management at home or credential security at work, give Geek Housecalls a call or email today. Our business division, Geeks for Business, is ready to help you secure your enterprise environment. Our home division, Geek Housecalls, can help you migrate away from LastPass and we’ll perform a full security audit to ensure that your online passwords are as secure as possible.

The Internet changed marketing and advertising forever. Nearly unlimited reach combined with advanced audience metrics have made online marketing the advertiser’s sine qua non. Not so coincidentally, the Internet has also enabled some of the greatest scams and swindles of our time. More germane to the tech service domain, though, are breathless promises of breakthrough cybersecurity products, IoT devices that’ll change your life, and a litany of other products and services that tend to overpromise and under-deliver (usually with “AI-powered” somewhere in the product’s ad copy). We cover a concept known as ‘zero trust’ on our website, which isn’t really one thing; it’s not a device, a service, or software. Zero trust describes a holistic approach to securing networks, no matter where users use their devices, by limiting user and app permissions to just the permissions they need to do the job at hand. Many MSPs (managed IT service providers) and TSPs (technical service providers) now claim to “offer” zero trust, as if it were a product. This kind of marketing belies an acute misunderstanding of how the technologies that these TSPs claim to implement actually work. Be wary of this kind of marketing. Even mildly technically inclined marketers and unscrupulous IT professionals will talk over the average customer’s head, knowing that the customer probably won’t call them out if they’re wrong. The amount of grift, hype, and overpromising within the IT sphere is vast. IT pros lie to other IT pros, sometimes without even knowing it; the amount of knowledge a modern systems administrator has to have in order to do his job well is enormous; grift exists because bad information exists and the signal-to-noise ratio in technical marketing is so out of proportion that skilled IT people just don’t have the time or bandwidth to separate the proverbial wheat from the chaff. You rely on IT pros to know how the sausage is made and to give you the bullet-points of a new technology, a systems migration, or even a new device. It’s troubling to think even a lot of the people who work in the industry are confused and overwhelmed by the sheer amount of conflicting and low quality information there is now. The Internet serves to democratize access to knowledge, but at the same time amplifies junk. Tech people tend to gather with other tech people and they’re usually not especially aware of the average person’s tech experience. Knowledge siloing is a problem among experts in any trade, wherein small communities form within a discipline and a relative few people end up knowing about one crucial element of a certain technology, while a few others know about another element. This is something that tech professionals and tech enthusiasts deal with on a daily basis. Tech marketers straddle a gulf that exists between engineers and garden variety marketers, tending to lean more toward the marketing side than the engineering. This isn’t a bug, it’s a feature: for all their skill, engineers tend not to be very good at translating spec sheets into easily digestible language for the general public. As a result, an ad for a new cybersecurity product that proclaims it’s the only security product your company will ever need is not telling you the truth. Security concepts like zero trust are important, but they are not ends unto themselves; as with all aspects of IT, cybersecurity is ever-evolving and demands multiple working pieces. An integrated, set-and-forget security system for your computers will never exist. If a company promises you a box that can sit in your server rack and protect your network from every threat, all without paying a security professional to manage it, they’re more interested in selling you something than they are in securing your corporate network. It is true, though, that cybersecurity is much different than it was 20 years ago. We have smartphone-enabled multifactor authentication, automation and orchestration tools, machine learning, artificial intelligence, and other things that make life for security professionals and customers easier. What we don’t have, however, is a single device or “killer app” that can mitigate your company’s risk from things like ransomware or denial-of-service attacks. Cybersecurity still requires that your employees be engaged and aware of their own security practices. It requires training and people won’t like it because good digital hygiene takes effort and is sometimes frustrating. But the payoff is that, by doing the right things, we at Geek Housecalls, you, and your employees can minimize your company’s downtime and reduce your risk of a costly security breach. Get in touch with us today to see how we can give you the best security solution, rather than the easiest one.

In SMB (small-to-medium) and enterprise IT, locking hardware and software features behind paywalls is a common practice. This is a great model from the perspective of the hardware and software vendors, but not so much for smaller clients whose IT budgets generally aren’t as vast. Feature paywalling increases recurring revenues for vendors and, when done right, creates a segmented product or feature stack that never gives customers more than they paid for. At Geek Housecalls, we see this mostly in business/enterprise IT, but the practice is becoming more common in consumer IT, as well. Consider devices like Internet-connected security cameras from the likes of Ring, Wyze, and Nest: you can use the cameras without paying for a service subscription, but the manufacturers know you probably want to unlock those exciting paid features. In fact, most people who buy these smart devices do opt for paid subscriptions in order to realize the utility of their device. In the case of Wyze, which sells a variety of smart devices, including network cameras, smart locks, and doorbells, the hardware is enticingly inexpensive while the subscriptions are where Wyze sees bigger profit margins. A Wyze Cam v3 starts at $29.99, while its Cam Plus Pro subscription runs $3.33 per month when billed annually. The service may seem to come in at a radically low price, but when you consider a home might use 4 or more Wyze cameras for outdoor security, the subscription spending adds up quickly. Meanwhile, in the enterprise, let’s consider Fortinet, known for its hardware firewall devices, intrusion prevention systems, and cybersecurity services. A five-year license for its Fortigate 100F firewall appliance runs a staggering $21,896. This license includes FortiGuard 360 protection and ASE FortiCare, which are two of Fortinet’s comprehensive SaaS (software as a service) solutions. Broken down by year, that’s $4379.20, which may be well worth the expenditure in a larger organization, but then again a larger organization may find that the Fortigate 100F may find that the hardware itself isn’t appropriate for their size. Pricing models like these, which are easily digested by larger organizations, tend to alienate medium-sized organizations which need the hardware prowess but can’t necessarily afford the various service subscriptions that the hardware all but requires. Smaller organizations can get away with using consumer or prosumer networking hardware, but as your employee count grows, so do your IT demands. $4400 a year for software licensing for one piece of hardware could be a big hit to a medium-sized business’s bottom line; we can understand why managers and executives of these businesses are so reticent about buying into enterprise hardware. My own belief about this practice of locking away software features behind considerable paywalls is that it’s often a predatory business practice. Does it make sense in larger enterprise environments where service-level agreements and high uptime are absolutely critical? Yes. But most businesses in the United States are small businesses. According to the United States Small Business Administration, as of 2020, there are 31.7 million small businesses in the country, comprising 99.9% of all businesses. These businesses also account for 40.3% of private sector payroll. In addition, only 35% of small businesses survive for 10 or more years. Even in good times, keeping a small business growing and in good financial standing is tough, but when externalities like high inflation and decreasing access to capital are factored in, running a small business becomes a Herculean task (ask me how I know). Geek Housecalls doesn’t serve the large enterprise–they have their own massive IT departments and budgets that would make the average person’s eyes water. We work exclusively with small and medium-sized businesses. We understand that making payroll and reinvesting in the business is a higher priority than spending on IT. That notion might seem to run counter to our business model of selling IT services to businesses, but we believe that enabling clients to spend less time thinking about their technology problems is the real value here. Our hourly rates aren’t the lowest or the highest in the area–we believe demonstrated value more than justifies the rates we charge. We also believe that giving clients the hardware they bought, full stop, is the best practice for our clients and for us. If we installed a complete network solution for a client and then told them, “sorry, you’ll need to pay us another $4000 a year to unlock WiFi security”, the client would rightly be reluctant to ever work with us again. Practices like these alienate clients, which might be an acceptable outcome for the big IT players like Cisco who enjoy something of a monopoly in their industry, but it’s not acceptable to us. When we write a project proposal, the quote you receive includes the full functionality of the hardware you buy. If a vendor we purchase from wants to sell us hardware lockouts and ‘premium’ features, we look elsewhere. If your IT budget is spiraling out of control and you feel like you’re not getting the value you deserve, get in touch with Geek Housecalls today and let’s work together to install the right solution for your business.

The consumer electronics industry is, and has always been, perched on the need to manufacture demand for more stuff. Why do you need an iPhone 14 when you just bought the iPhone 13 a year ago? Because Apple needs more money, and the billions electronics manufacturers spend on advertising every year speaks to this. But what of your old iPhone? Apple, Best Buy, Staples, and others advertise electronic waste dropoff services at their stores, or by mail, with the promise that your discarded electronics will be responsibly dismantled and safely disposed of or reused, as appropriate. The reality of e-waste recycling, however, is not that much different than the reality of our plastics recycling programs: mostly, our crap is just shipped to a poor country and there's very little "responsibility" anywhere in the process. As The Verge describes in their coverage of a large Northwestern e-waste company, Total Reclaim, e-waste handed off to domestic e-waste recyclers usually ends up being shipped across the ocean where it is destructively dismantled and few, if any, of a device's components or raw materials are reused. In the cases where raw material is reprocessed from an old device, that material is often extracted by burning. Burning electronic substrates (PCBs), electrolytic capacitors, integrated circuits and other silicon-containing items releases dangerous chemicals into the air, soil, and groundwater, such as lead, cadmium, mercury, as well as other dioxins, hydrocarbons, and heavy metals. Such burning is also extremely detrimental to human and animal health. The routine exposure to heavy metal particulates alone is known to cause cardiovascular and pulmonary disease, in addition to neurodegenerative disorders and other central nervous system damage. The Global South, increasingly, is where the developed world ends up sending its e-waste. These developing countries' governments, desperate for the monetary opportunity that processing e-waste provides, are too eager to accept these agreements with Western nations. Recycling companies in these same developing countries are not known for their strict safety measures (if they abide by any at all) and the workers at these recycling plants bear the true cost of the electronics industry's need for growth. As an article by the University of Toronto describes, exposure to polybrominated diphenyl ethers in particular causes extremely serious negative outcomes for the human thyroid, as well as causing neurodevelopmental deficits, and various cancers. They write, "PBDE emissions are highest in areas of China, India, Bangladesh and Western Africa, the researchers say. Emissions take place mostly while these products are being recycled, often done in small backyard workshops with minimal safety standards. Wania says some emissions happen during the manufacture and use of consumer goods, but the vast majority occur at the end of a product's life cycle. Emissions in China from 2000 to 2020 were approximately 300 tonnes, with about half of that linked to imported e-waste. By comparison, PBDE emissions in Europe during that time were only about 5.5 tonnes, with more than 100 tonnes offloaded to other parts of the world. Studies show that exposure to PBDEs are likely to cause serious negative health consequences in animals and humans. While there’s a global restriction on new products containing the chemicals, existing consumer products will be used and recycled over decades." Such export of e-waste from developed nations, which should have the facilities and resources to process that waste responsibly constitutes further exploitation of the Global South. In countries like Ghana, children are tasked with extracting gold and other precious metals from electronic devices; exposure to the particulate form of heavy metals, as well as exposure to volatile aromatic compounds like toluene and benzene, are especially harmful to the developing nervous system. This is where Right to Repair comes in. The Right to Repair is a philosophical and legislative push to make repair parts for everything from laptops to farm tractors available to end users, in order to fix their devices. Right to Repair has gained more traction, ironically, in private industry than it has in our state and federal legislatures. In fact, a Right to Repair bill introduced in North Carolina in 2017 stalled in the House, with no progress made on ensuring customers have schematics and parts available to them to fix, rather than throw away, their electronics. In May 2022, a similar bill concerning farmers' right to repair their farm equipment, was killed in the North Carolina Senate, thanks to corporate interests' lobbying to have 'right to repair' language removed from the bill. State Sen. Brent Jackson (Republican) of Sampson County argued that more study was necessary to determine whether farmers actually needed the right to repair their own equipment and said, “That way we can go to the farmers where they live and breathe and work and see what they can do. And at the end of the day, we might change something or we might do nothing.” Senator Jackson's "wait and see" approach is made stranger when you consider he is a farmer. According to his campaign website: Brent Jackson is Founder, President, and CEO of Jackson Farming Company, Inc. in Autryville, North Carolina. Under his leadership, the company maintains thousands of acres of farmland and the wide distribution of its produce to a variety of retailers. Jackson has used his agriculture experience to protect North Carolina’s top industry as chair of the Senate Agriculture, Environment and Natural Resources Committee, and now as chair of the Senate Appropriations Committee. As a farmer with longstanding roots in agriculture and in state government, Sen. Jackson has a powerful conduit to those in positions of power for the advancement of Right to Repair. Unhappily, some Republicans stand in the way of Right to Repair legislation because they have received generous donations from corporations like Deere & Co., producer of the stalwart John Deere line of tractors and heavy farm equipment, which have adamantly opposed empowering customers to fix their own equipment. These high-ranking Republicans have disguised their wariness of Right to Repair under fears of intellectual property theft, an argument which is flimsy at best. The Federal Trade Commission notes, in its Report to Congress on Repair Restrictions, that “the assertion of IP rights does not appear to be a significant impediment to independent repair" and “considerations supporting repair . . . can nevertheless be accounted for, and woven into, intellectual property law and policymaking in a manner that preserves a space for a right to repair.” Thanks to John Deere's intransigence on the issue, the company has been hit with multiple class-action lawsuits. Deere & Co alleges that Right to Repair is incompatible with the company's computer-controlled safety features, arguing that an end user repairing their own equipment constitutes a significant risk to that user's safety while operating the equipment. Of course, closer examination reveals that Deere's argument is mostly hogwash, designed to protect Deere's closed software-hardware ecosystem and to keep profits going up, by locking farmers out of certain features via software kill switches. Deere even promised, on January 1st, 2021, that it would make schematics and parts available to farmers in order to stave off possible Right to Repair legislation being passed. In the nearly two years since, no federal Right to Repair bills have been signed into law and Deere has reneged on all of its promises. As a consequence, farmers have begun to look for methods to "jailbreak" their tractors' operating systems, much in the same way that iPhone users downloaded and installed third-party software to unlock additional features within iOS. The latest jailbreak, from August 2022, provides root-level access to the software that runs the tractors' computers. Having root access in a Linux or UNIX-based operating system means that the user can modify the operating system as they wish, with no restrictions from higher up (in this case, Deere & Co.'s servers). This may all sound absurd--that paying customers (in Deere's case, very well paying customers) have to resort to running third-party code from Ukraine in order to fix the equipment that they paid for. It is absurd, and it is a direct result of the sort of legislative atrophy that pervades the American political system at every level. When all is said and done, Right to Repair affects all of us. Your car, your laptop, your phone, your thermostat, your iPad, your lawnmower are all just e-waste if corporations get their way and manage to block further legislative attempts to codify Right to Repair into law. Remember this when you write your Congressmen, and when you go to the polls. The future of ownership depends on it.

3D printing, which includes the subdisciplines of FDM (fused deposition modeling), SLA (stereolithography, or resin printing), and SLS (selective laser sintering), has seen rapid evolution in the consumer and industrial spaces over the last ten years. While the technology, especially in the consumer space, is still nascent, technological advances are giving rise to faster, more full-featured, and more reliable 3D printers. What can the average person extract from this technology? As it turns out, 3D printing tech synergizes with many other industries, from small-scale, single printer environments, to mass-production 3D printer farms. Hobbyist woodworkers can leverage 3D printing to rapidly prototype hardware for furniture, shelving, and other functional wooden designs. Hobbyist gardeners, farmers, and botanists may find that 3D printing allows them to rapidly create and print specialized plastic fittings and adapters for hydroponic systems, or to spin up a design for a seed-starting kit and sell it for a profit. Doctors and dentists have already used industrial 3D printing technology to decrease the cost and time-to-manufacture of prosthetic devices and dental implants. The technology behind FDM printing is now even used to “print” houses, using the same basic theory that makes additive manufacturing possible. Of course, 3D printing has its limitations: plastic parts, no matter how strong, are still plastic parts. For certain applications, especially those that demand high temperature resistance or flame retardance, even exotic, so-called “engineering” or “technical” plastics are not tough enough. Enter SLM, or selective laser melting, more generally known as “metal 3D printing”, even though SLM is not the only metal 3D printing technology available today. SLM allows the rapid creation of fully metal parts, most often using a technology called laser powder bed fusion (LPBF). Binder jetting is a more recent development in the world of metal 3D printing, and seems poised to replace LPBF as the favored method of creating metal parts. Binder jetting is less expensive than LPBF and allows for larger production quantities, more quickly. While binder jetting may be faster than LPBF, the metal parts produced still generally require post-processing, such as removal of support structures, sintering, depowdering, and annealing; these post-processing demands add additional time and complexity to 3D print metal, but still allow for rapid design and manufacture of parts ready to be installed in demanding environments. The average person has no need (or the budget) for a metal 3D printer, but consumer-grade plastic 3D printers have reached a point at which such printers can be run for long periods of time, fairly reliably, without deep technical knowledge of the process being a requirement. A low-end consumer-grade FDM printer costs around $300 currently, but printers in this price range are not printers we recommend, as they aren’t reliable enough for “set it and forget it” operation, and actually tend to require the printer operator’s having a fair degree of technical knowledge to keep the machine running. (A timeline of 3D printing technology, source: https://infomineo.com/additive-manufacturing-africa-middle-east/) As mentioned at the beginning of this article, 3D printing is still very much a nascent technology. While it has been around since the 1980s, 3D printing wasn’t available to the general public until the late 2000s, thanks to an English engineer and mathematician named Adrian Bowyer. Bowyer created the RepRap (replicating rapid prototyper) project with Vik Olliver at the University of Bath in 2005. The RepRap Project was monumental in opening up 3D printing to the public. The intent behind RepRap was to create a printer that could self-replicate, to the extent that each printer could reproduce all of the printable parts needed to build another RepRap printer. Between 2005 and 2012 the RepRap Project produced 3D printer designs of different sizes and different motion systems, all pushing 3D printing closer to the public consciousness. Thanks to Bowyer’s work and the open source nature of the RepRap Project, we have what Bowyer himself envisioned when he came up with the idea for RepRap: a democratized, desktop manufacturing and rapid prototyping system that can cheaply create many of the items we need and use in everyday life. Now, 3D printing is available to many more people than ever before, with a massively lower barrier to entry than other manufacturing technologies, like injection molding. This lowered barrier to entry, combined with the relatively low cost of replacement parts and raw printing materials, are especially desirable in impoverished areas and other low-resource environments, such as Sub-Saharan Africa. Owing to the portable nature and relatively low energy requirements of a desktop 3D printer, solar power is a viable option for running a small 3D printer farm. In a medical setting, such a printer farm could produce splints, face shield hardware, and even anatomically correct models of human organs to help doctors treat patients in the field more quickly, without access to a modern medical facility or reliable electricity. There are hurdles to be overcome for the desktop/consumer 3D printing sector, chief among them being printer reliability. In 2022, what the average person would consider a truly “reliable” desktop 3D printer, such as the Ultimaker S5, may cost upwards of $7000 and require additional spending on a support contract. That same average person would likely balk at the cost, and rightly so, but at the same time would not be excited at the prospect of constantly maintaining and repairing a $300 printer. Advances in technology and the generally accepted design of FDM printers will bridge this gap, as we see in other sectors. Even now, companies like Bambu Labs are integrating professional features into consumer 3D printers at attractive prices, but this is only the beginning. In ten years, the state of desktop 3D printing will no doubt be drastically different–it’s entirely possible that, before long, the 3D printer will be as common as paper printers are today. While the technology may still sound incredibly aspirational to many, consider Adrian Bowyer’s vision in the early 2000s: democratization of manufacturing. When that part in your refrigerator breaks and the company no longer sells it, 3D printing lets you design or download and print a replacement in a couple of hours. Obscure and commodity parts alike are often substantially marked up by their manufacturers, or made intentionally scarce or difficult to find; FDM printing takes away this power from corporations and gives the user a much-needed alternative. Geek Housecalls has relied on 3D printing for two years now to design and print parts that have been in short supply because of the pandemic and supply chain failures. In spite of the frustrations caused by 3D printers breaking down and needing to be serviced, I see great potential in the technology and in the philosophy behind giving everyone access to repair and make their own stuff. This topic dovetails well with the Right to Repair Movement, which we’ll cover at a later date.

In another era, Yelp was an important brand in online advertising and marketing, especially for small businesses. Founded in 2004, they were around before Google had fully realized its juggernaut AdWords and AdSense platforms, giving Yelp the first-mover advantage in the crowdsourced review and digital marketing spaces. However, as time passed and more competitors entered the space, including Google with its tight search integration with reviews and ad placement, Yelp became less and less relevant. Rather than improve their product to compete with the likes of Google, Microsoft, and latecomer Facebook, Yelp instead raised prices, instituted punitive new measures against small businesses who used their platform, and engaged in some very unsavory business practices. To wit, in 2019 Vice reported on a then-new practice by Yelp in New York City that involved inserting a third-party into phone calls between customers and local restaurants. This middleman was none other than Grubhub, well-known food ordering and delivery platform, whom Yelp completed an important 'market integration' the year before, in 2018. Yelp's tactic involved proxying customer calls to NYC restaurants through a Grubhub agent, which then connected the customer to the restaurant, while taking a transaction fee for each call, whether a particular call resulted in a sale for the restaurant or not. Vice reported that Grubhub assessed a 15-20% "referral" fee for each order. The State of New York later banned the practice of charging fees for phone calls that don't result in sales, as of May 2020. As is now obvious, this practice resulted in restaurants essentially competing with Yelp and Grubhub for their own customers. When you consider the restaurants who are also paying Yelp for PPC (pay-per-click) ad placement on their site, this practice seems like a conflict of interest at best and nakedly criminal at worst. But this is Yelp's new modus operandi. Their heyday has passed, their revenues are declining, and their proverbial lunch is being eaten by search behemoths like Google and Microsoft. Rather than reformulate their approach to indexing local businesses online and connecting them to customers, Yelp's solution was to instead attack their own lifeblood: the small business owners themselves. First in 2012, then again in 2015, the CBC reported on Yelp allegedly burying positive reviews on various business's Yelp profiles and then approaching the owners of those businesses to buy ad space on the site. You may already be familiar with this approach to business, as it is historically one that organized crime has employed for centuries--it's known as a protection racket. According to the CBC's investigation, restauranteurs in Canada had complained of negative Yelp reviews being featured prominently on their Yelp pages while legitimate positive reviews were hidden and marked as "not currently recommended". Coincidentally, Yelp did the same thing to our company, Geek Housecalls. If you take a look at our Yelp page here and scroll down just past the last visible review, you'll see "13 other reviews that are not currently recommended". If you click that link, you'll find 13 reviews which are all positive. What was Yelp's rationale for this? They claim that because the reviews were left in too-short a time period, Yelp questions their authenticity, despite this being a pretty easy thing to verify. Yelp further justifies this scummy behavior in a short missive on the hidden reviews page, thusly: The software does something no human can—regularly analyze billions of data points from all reviews, reviewers and businesses to evaluate the usefulness and reliability of each review. It’s engineered to provide a level playing field for all businesses on Yelp. Having a great reputation on Yelp shouldn't be about who has the time and resources to ask the most people to write reviews. Great Yelp reviews and ratings should come from consumers who had a great experience that they’re inspired to tell others about. Yelp freely admits that these determinations are made by software, not reviewed by actual humans and they claim with a great sense of ego that this deeply flawed system "provides a level playing field for all businesses on Yelp". Does it? Yelp then goes on to admonish business owners who send out review reminders for past clients, as if this is accepted as a forbidden practice in the world of online reviews. Let's see what Google, master of search engine optimization and digital ad placement, has to say on the matter of businesses reminding customers to leave honest reviews: Remind customers to leave reviews: Let them know it’s quick and easy to leave reviews. Business owners shouldn't offer incentives to customers to leave reviews. You can also get customers to leave reviews if you create and share a link. Reply to reviews to build customer trust: Your customers will notice your business values their input if you read and reply to their reviews. Value all reviews: Reviews are useful for potential customers when they’re honest and objective. Customers find a mix of positive and negative reviews more trustworthy. You can always respond to a review to show the customers that you care and provide additional context. If the review doesn't follow our posting guidelines, you can request its removal. - source: https://support.google.com/business/answer/3474122?hl=en So, Google's position on the matter is that reminding customers to leave honest feedback is a best practice for businesses with an online presence. Yelp, on the other hand, does not support this school of thought, probably because it cuts into their ability to push good reviews into a digital black hole and feature the few negative ones in a bid to extort ad money from local businesses. This is why Geek Housecalls is leaving Yelp and moving our advertising presence to Google, Bing, and Facebook. You may have recently received an email reminding you to leave your honest review of Geek Housecalls, which is exactly what we want: honesty. Yelp could take a lesson from that.

Much has been written on the subject of IoT (Internet of Things) security, or rather, the lack thereof. According to research by TrendMicro, as of 2020, the average U.S. household has access to 10 connected (IoT) devices. When we talk about the Internet of Things, we refer to devices in the following categories: Smart devices, such as WiFi-connected thermostats, refrigerators, LED fixtures/light bulbs, and generally any Internet-connected device that collects, stores, or sends data to the Internet. These devices are collections of sensors and radios, and may consist of many discrete, individual components, such as 802.11 WiFi radios, temperature and humidity sensors, air pollution sensors, sound meters, and so on. IoT gateways, which serve as intermediary devices between individual IoT endpoint devices and the Internet. Think of a gateway as a data broker, connecting to smaller, less complex wireless devices and aggregating their data in order to forward it to a cloud service. An IoT gateway may have multiple wireless radios, such as 802.11 (2.4/5GHz) WiFi and 433MHz radios which many household IoT devices use to communicate with one another. Cloud/on-premise servers, which typically are bigger, more powerful, consume more energy and perform more tasks than single-function IoT devices. There are broadly accepted 'best practices' with respect to securing Windows and Linux servers and client PCs, as both the Windows and Linux ecosystems are mature and established. That isn't to say Windows and Linux systems administration is less daunting because of these best practices--to the contrary, since most of the world runs on Windows and Linux, these two platforms are constantly targeted by malware. But what about the Internet of Things? The Internet of Things consists of many thousands of different devices, produced by different manufacturers, with different security standards, different (often proprietary) software, and firmware which may contain actively exploited bugs or other functional issues which may never be fixed by the manufacturer. Let's consider the following common security issues with IoT devices: Poor out-of-box security/improperly configured access control: many IoT devices are shipped with the same default user name and password, across every single manufactured device, such as 'admin'/'admin', or 'user'/'password'. The manufacturer may assume that the end user will update these default login credentials, but let's face it, the average person isn't going to do that. Thus, any would-be hacker with a modicum of computer savvy can discover these poorly-secured devices on a user's wireless network and exploit them to gain access to other, sensitive segments of that network. Root privileges out of the box: another common issue with IoT devices is the single level of account privilege, which grants essentially root-level access to the user who initially sets up the device. This single privilege level is extremely dangerous as it allows an attacker to arbitrarily execute (probably malicious) code and potentially take over other devices on the host network. Large attack surface: many IoT devices expose multiple services to the Internet, such as an unencrypted web server on port 80, an encrypted web server on port 443, an SSH server on port 22, and so on. The more services a device exposes to the Internet, the more vectors an attacker can utilize to compromise the device or the host network. Outdated software; potential for no further software/firmware updates: inexpensive IoT devices aren't known for their long software support cycle. Once the device is manufactured, the manufacturer is probably working on their next piece of hardware rather than dedicating necessary resources to updating the software and firmware of their existing devices. This lack of timely software updates contributes immensely to a device's susceptibility to attack; both white and black hat hackers continually probe these devices and the software and firmware that runs them for exploits. If an exploit isn't patched and spreads in the wild, devices can and will become compromised, potentially ending up in botnets or infecting networks with ransomware. Zero encryption: IoT devices are notorious for storing sensitive information on the devices themselves in plaintext--that is, without encryption. IoT devices communicating with one another or with an IoT gateway may also send information in plaintext, which makes a Man-in-the-Middle (MitM) attack trivial to execute. Weak encryption is better than no encryption, but in the case of weak encryption, the encryption algorithm itself can potentially be cracked, leading to a brute-force attack on the device and its host network. Robust encryption is a requirement for a modern IoT device. Application exploits: applications running on IoT devices can also become vectors for attack. IoT devices are typically just general purpose computers, using off-the-shelf ARM systems-on-chip (SoCs), or low-powered x86 processors made by Intel or AMD. As such, these devices can run a wide array of software, which is worsened by a lack of code-signing enforcement or a trusted execution environment on the device itself. In addition to the vulnerabilities which may exist in the device's firmware and operating system, more vulnerabilities likely exist within the applications that run on the device, creating a system with many possible points of entry for an attacker. Poor privacy controls: IoT devices, such as security cameras, store and process sensitive video and audio recordings of users' homes and businesses. It's incumbent upon the device manufacturer to ensure the user understands which data is being stored locally, which data is sent to the Internet, how the user can control that data, what the manufacturer will do in the event of an external security breach, and how the user can opt in or out of various cloud services and information sharing the manufacturer may provide. Is this usually the case? No. Privacy controls on modern IoT devices are still a nightmare. Intrusion detection and alert: if an unauthorized user accesses an IoT device, many devices will fail to alert the user of this intrusion. At this point, the attacker could be accessing sensitive information on the user's network and the user would be none the wiser. This ties into the access control issue we discussed above, and is a crucial component to IoT security. So what do we do with this information? The first thing you, as the consumer, must do is avail yourself of online resources and vet the companies that make the devices you intend to buy. If you can't get answers to the points outlined above, you shouldn't buy that company's hardware. If the manufacturer can't demonstrate a history of regularly updating their devices' software and firmware, you shouldn't buy from that company. This may limit your choice in devices, but you'll also find reputable manufacturers who do take security seriously, like Cradlepoint and Fortinet (Geek Housecalls is not affiliated with any company mentioned in this article). Additionally, ensuring your own home network is set up correctly is crucial to IoT security. When deploying IoT devices, best practice is to partition your IoT devices from the rest of your network. How do we accomplish this? By using VLANs (virtual local area networks). Some consumer-grade wireless routers support VLANs out of the box, but this tends to be a more business or enterprise-oriented feature. However, it is very much worth spending the extra money on a business-grade router that supports VLAN functionality. By giving your IoT devices, like your smart thermostat and Internet-connected refrigerator, their own virtual network within your home network, you functionally prevent those devices from being used to attack the rest of your network, should they become compromised by an attacker. For example, using VLANs, an attacker could compromise your WiFi-connected doorbell but he would fail to discover your MacBook or network storage server since they would be connected to a different VLAN. While this is still bad, it's much less bad than the alternative of an attacker using your IoT device as a 'jump box' to the rest of your home network, wreaking havoc in the process. Staying on top of security updates is also critical, no matter which IoT devices you use. Manufacturers often provide an 'automatically install updates' option within the user interface of their IoT devices, and this should always be enabled; you may encounter a bug here and there by installing updates as soon as they become available, but this is vastly preferably to delaying updates and potentially being hit with an IoT exploit. Firmware updates are also important. A device's firmware controls how its hardware interacts with its operating system--for example, controlling how a temperature sensor or Bluetooth radio interacts with its built-in software. These low-level functions are critical to the device's proper functioning and staying up to date on firmware ensures any bugs that may affect hardware performance are addressed in a timely fashion. Of course, managing the ever-growing number of things on our networks can become cumbersome, especially in business environments. That's why Geek Housecalls offers a full suite of IoT security tools and managed network services to ensure your own Internet of Things doesn't run amok. Get in touch today to find out how we can secure your devices, your networks, and give you some much-needed peace of mind.

In our increasingly connected world, it's getting harder to avoid Internet-connected devices. The Internet-of-Things is here to stay. As a consequence, businesses and home users alike need to take into account how to both secure these devices and keep them reliably connected to their local networks. For businesses, the challenges presented by the growing complexity of networking are real. When you rely on your security system, point-of-sale terminals, cordless phones, and store computers to be constantly connected to the Internet, essentially any downtime becomes a nightmare. Twenty years ago, we still had landline phones and manual credit card processing options as failsafes if the Internet went down; today, few businesses are equipped to handle a network outage, whether the outage is local or on the Internet provider's end. In many cases, these small businesses just either don't have the budget to throw at additional hardware or they simply haven't reviewed their IT infrastructure in a while. More often than not, when a small business loses network or Internet access, the reason is that they have single points of failure within their IT systems. In this instance, a single point of failure is a link between two devices that has no backup or redundancy. Consider a small business with a wireless access point/router/modem combo unit supplied by their Internet service provider. They might have an Ethernet switch connected to this device, which is then connected to everything else in their business, including deskphones, wireless access points, printers, barcode scanners, and so on. If the single Ethernet cable connecting the switch to the modem fails, everything in the shop goes offline. Similarly, if the switch itself fails, everything goes offline. Worse yet, smaller businesses tend to rely on ISP-supplied hardware alone, which is rarely robust enough to handle guest WiFi networks and the demands of many connected devices. These cheap, consumer-grade devices rarely support VLANs (virtual local area networks) and the more advanced security features that businesses need. Redundancy is key in many aspects of life, but especially when it comes to the devices and services on which your livelihood depends. I've never been an advocate of overspending on hardware, though many IT service providers will try to convince you that throwing money at a technical problem is the best solution. At Geek Housecalls, I advocate for strategic IT spending, getting the most bang for your buck. Of course, I could make more money by selling $80,000 Cisco switches to medium-sized companies that don't need them, but in my opinion, that's a great way to lose clients. Often, a relatively small investment of a few hundred to a few thousand dollars can net big improvements in your business's network redundancy, so you aren't left hanging if one switch goes offline, one cable fails, or even if your primary Internet service provider experiences an outage. By combining a landline Internet connection with a cellular (4G/5G) connection through an affordable dual WAN (wide area network) router, you'll be able to keep your business running even if your main Internet connection goes down. Likewise, by installing two less expensive Ethernet switches, rather than one expensive switch, you've improved your local network's resiliency and kept important resources available to yourself and your employees in the event of a hardware failure. When budgeting for adding this kind of redundancy to your business or home IT systems, consider that a redundant Internet connection can often be had for as little as an additional $40 a month, or less if your bandwidth needs are lower. This is the kind of strategic spending I'm referring to when I say "don't overspend on IT". What's most important, moreso than agonizing over hardware choices, is having a reliable IT partner that's available when you need them. I routinely hear stories from our current clients about month-plus lead times just to get Internet installed at a new home--and these long wait times are from multibillion dollar corporations who should have the manpower at their disposal to get things done quickly. I consider that unacceptable. Tech companies seem to be getting worse at earning their customers' business, and are instead taking it as a given. This is not the way. Get in touch with Geek Housecalls today for a free analysis of your home or business's IT needs and let us give you the information you need to make the right choices rather than the expensive ones.

A report published by Barracuda Networks in 2021 found that almost 40% of Internet activity, globally, is produced by malicious bots and bot networks; these include web scrapers, advanced persistent threats, and attack scripts, among others. Bot activity generally makes up about 64% of all web traffic, Barracuda found. Key findings from the report include: most bot traffic originates in the two largest public clouds: Microsoft Azure and Amazon Web Services (AWS). e-commerce applications and login portals are the biggest targets for advanced persistent threats North America accounts for 67% of bad bot traffic bad bots follow a standard workday, to avoid raising suspicions of victim organizations Unpacking the last point a bit more: bad bots are designed to follow a standard workday to blend in with other legitimate traffic. In doing so, the developers of these bots avoid raising human suspicion while they perform attacks against online resources, such as impersonating legitimate security vulnerability scanners. Another example of malicious bot activity during the workday: bots accessing the login page of a medical service provider by altering browser header strings. By posing as a standard installation of Internet Explorer (which is now deprecated by Microsoft) on Windows 10 and appending seemingly random UTM parameters to the end of the URL. The bot used a brute force technique with stolen login credentials in an attempt to access wider company resources. Finally, a malicious bot was found doing large scale scraping of a business-to-business e-commerce site in the UK. In this instance, browser header information appeared normal but Barracuda's network detected the client using Web SDK, typically used for automation (such as web scraping, which has plenty of legitimate uses). Additional red flags were raised in this instance since the site was being accessed from a residential IP address, which would be very rarely seen in a B2B website's network logs. In most of these malicious bot scenarios, things like browser header manipulation and unusual traffic patterns give away the bot's true intent, but only if businesses have an IDS/IPS (intrusion detection/intrusion prevention) system in place. As web-based attacks grow more sophisticated and particularly costly and damaging variants like ransomware-based attacks grow in number, your organization needs a coherent web security system in place, with access control and credentialing policies to minimize your attack surface. The good news is that, along with the increase in sophistication of malicious bot activity on the Internet, defenses have also grown appreciably more sophisticated, to boot. AI and machine learning have allowed threat detection and prevention platforms to evolve rapidly over the past decade, from comparatively crude programs relying on simpler heuristics to detect zero-day and advanced threats, to agile systems that can detect and stop threats that haven't been previously seen. Is your business at risk? Get in touch with Geek Housecalls today for a free security assessment and let us help you protect your critical online resources.

Netflix's latest effort in stanching its hemorrhaging user base has proved unpopular but, perhaps, ultimately necessary. The stalwart streaming giant has recently announced plans to crack down on users who share password (which, ironically, Netflix encouraged during the early 2010s). Set to go into effect on August 22nd, the new policy creates 'homes', which are physical locations (like your home--thanks for the clarification, Netflix) that are tied to your Netflix account. By default, each plan includes one home, and more can be added for an additional cost. See all the gory details below: This seems to be Netflix's ham-handed attempt at dealing with a problem it has historically had very little control over: password sharing. These aren't good optics for Netflix, but the decision is probably good and necessary, from Netflix's point of view, in light of declining customer numbers, an increasingly threadbare catalogue of shows, and Netflix's own poor spending decisions. Will this drive away more customers? No doubt. But the bean counters have no doubt done their calculus that the increase in revenue will offset the losses from alienated watchers. Why all the focus on Netflix? Because Netflix is a bellwether. They've been around for a long time and they have the video-as-a-service thing down to a cold science. When it comes to password sharing, no streaming platform is excepted; the Hulus and Amazons of the world are probably tangling with the same problem, and if they aren't now, they will be, soon. What does this have to do with you, the subscriber? You were used to your cable bill going up at least once a year--and being the most expensive utility you pay for--right? So who cares if Netflix charges another $3 a month so you can watch stuff in more than one 'home'? Philosophically, maybe some readers out there don't care about being nickel-and-dimed during a historic cost of living crisis, but I imagine many of you do care. What can be done? We're probably all feeling a bit wistful for the days of DVD collections, as it stands. Price increases in digital services, coupled with onerous digital rights management and constantly shifting availability of digital catalogues, are indicative of a much more troubling problem in our digitized economy: you don't really own much of anything, anymore. We've reached a point in the evolution of capitalism where even heated seats have become a service, not a tangible product you bought when you bought the car they were attached to. There are plenty of status quo'ers who will defend the right of publicly traded companies to maximize profits for their shareholders, no matter how bad things get. Good for them--I'm sure the companies they've invested in will be there for them when they fall on hard times. As for the rest of us, it's time to reconsider ownership in the digital age. Streaming video platforms have become the new cable TV, as was predicted by some, years ago, at the genesis of the 'cord-cutting' phenomenon and the rise of streaming services like Netflix. If you're spending $70 a month on streaming stuff and renting movies, are you doing much better than a basic cable package, in terms of value? It should come as a shock to no one that streaming services and the companies that own them are largely the same players from the cable television age of yore: Comcast owns Xfinity, Walt Disney owns Hulu, Dish Network owns Sling, and so on. The names and faces may have changed, but the song remains the same. And what happens when these media monoliths decide to sell the rights to a movie or a TV series, or to simply memory-hole it and pretend it never existed on their platform? Too bad for you--you can simply enjoy a mediocre selection from their rotating catalogue of garbage! It's a bit dystopian, isn't it? "You will own nothing and be happy", to paraphrase Ida Auken, Dutch MP, in her essay to the World Economic Forum in 2016. At least, as far as digital video goes, you do have another option: host your own content. We used to warehouse VHS, DVD, and Blu-Ray collections in our homes, which no one really seemed to mind until the siren call of on-demand video hit the scene in the early-to-mid aughts. What I propose is even simpler: purchase two large capacity hard drives, configure them in a RAID-1 array, build up a modest home server around that array, and put all your music, movies, and TV shows on it. Easier said than done, right? The fact is you still can own your own content. You can buy movies on discs and rip them to a digital format that can then be streamed, with an assist from an app like Plex, to your smart TV, computer, tablet, or smartphone. In the case of Plex, there still may be a monthly fee involved (although they sell pay-once 'lifetime' subscriptions), but that alternative is much more palatable to me than handing my money and my dignity to a panoply of streaming video giants who couldn't give a damn about my time, my privacy, my security, or my interests. Geek Housecalls would like to help you cut the cord from cutting the cord. 'Everything-as-a-service' has become perverse; in this simple way, you, the customer, can democratize the shows and movies you love and tell the likes of Netflix that you're not going to pay for something you never really owned anyway.

On June 24th, 2022, the United States Supreme Court issued a ruling that overturned Roe v. Wade. Roe v. Wade was a landmark case decided by the Supreme Court in 1973. The Supreme Court ruled 7-2 in favor of one 'Jane Roe' (Norma McCorvey) that it was unconstitutional for states to make access to abortion unduly restrictive or illegal. The basis for this ruling was that denying access to abortions violated the Fourteenth Amendment, specifically, the Amendment's due process clause. Though Roe later became enshrined in subsequent case law and upheld for nearly fifty years through other judicial challenges, it is no more. As a consequence, women must now consider data that tech companies are collecting from health apps, such as menstrual cycle tracking apps. In fact, women, their families, and loved ones must now think of the way they use technology for accessing certain medical services in a new light, thanks to the Supreme Court's reversal of Roe. Hostile governments have historically engaged in dragnet surveillance, wire-tapping phones of political enemies, and hacking the computers and digital services of both foreign adversaries and allies. Tech companies serve as convenient data brokers in this surveillance state. It's no secret your smartphone is a trove of data both for corporate third-parties as well as state and federal governments. When women are in need of a critical medical service, such as abortion care, they must now consider their anonymity when searching for and accessing those services, as well as when communicating with medical professionals. Call it paranoid, but in an age where the Supreme Court can disembowel judicial precedent for basic human rights on a whim, we must take more extraordinary measures in order to protect our online privacy. So what can you do? Vet your apps, both on your phone and on your computer. Read the Terms of Service, and if the Terms of Service aren't readily available, demand that the app developer make them available to you. Examine what data are being sent to the app developer as well as to third-party data brokers. Assume that some or all of the data produced by your app may at some point be accessed by state or federal government. Uninstall apps you don't trust, especially those which contain sensitive medical or personally-identifying information. Use a VPN (virtual private network) when on public WiFi. Assume that unsecured, public wireless networks are being monitored, potentially by law enforcement or the state. If your traffic is encrypted, your data is much more difficult to analyze or to connect to an individual person. Use anonymous browsing mode in your web browser of choice. Deny all trackers, cookies, and do your best to disable browser fingerprinting Use an ad blocker extension for your browser, such as uBlock Origin. Advertisements have been known to bundle in malicious content, such as malware, cryptocurrency mining programs, and ransomware. Advertisements also collect information from your browser when they're allowed to load. Consider using the Tor Browser for additional anonymity online, such as when researching medical services. The Tor Browser is developed by the Tor Project, a nonprofit group dedicated to preserving people's right to digital anonymity. This is a tech blog, first and foremost. I don't really relish the thought of mixing in politics; however, this issue goes beyond 'politics' as it concerns human rights. Technology, as you can imagine, regularly intersects with, and runs afoul of, those rights. I also make no reservations in considering this decision by the Supreme Court to be another step toward transforming our country into a dystopian theocracy. During times like these, it is imperative we do everything we can to fight against the state weaponizing technology to achieve its goal. Hopefully, the tips above help in that cause.

In the information tech service industry, things break, constantly. As an IT manager, yours is a Sisyphaen task; during any given day, you’re responsible for keeping many plates spinning. From a customer’s perspective, it probably looks like you’re not doing anything until something breaks. When it breaks, you’re not working fast enough to fix it. This reality has been made more complex as the business world adopts the “everything-as-a-service” model for its IT needs. With an unseen litany of interlocking pieces that must work together day in and day out, it’s not surprising that when things go wrong within your infrastructure or across the broader internetworked world, the solutions may not be fast, cheap, or easy. In the early days of the Internet, there was no cloud–not in the sense that we understand it today, at least. The mainframe/dumb terminal paradigm was still in force (having since been rebranded as the server/thin-client paradigm) and resources were highly localized: when something broke, you had an on-site IT staff to deal with it. Businesses still leverage on-site engineers and technicians to keep their infrastructure running, but it’s no secret that the amount of stuff they have to manage at a physical location has dwindled over the last two decades, in particular. Does this then spell the end of on-site sysadmins and network engineers? Hardly. If anything, while the venues have shifted, the workload of the typical IT employee hasn’t dwindled. With technologies in the networking world such as SD-WAN (software-defined wide area networking), IT providers are more able to do their work without being on-site. As you might imagine, reducing the number of IT people who need to be on-site at any given time reduces your costs as a business owner. As cloud management capabilities continue to grow in scope and performance, the idea of on-site anything seems at first glance outdated and rather technologically quaint. This is true, to some extent. A small business owner doesn’t need a 42U rack of servers and routers roaring away in their back office. A florist doesn’t need a dual-socket workstation with loads of memory to do their daily business. The fact is most businesses have become more reliant on technology and the Internet to process transactions, order from suppliers, reach clients, monitor inventory and so on. This has pointedly emphasized the need for competent IT service providers. If you think you can’t budget for managed IT services, or if you consider your current spending on IT services too large already, we at Geek Housecalls would love a half hour or so of your day to change your thinking and reduce both your IT costs and complexity. IT audits generally reveal that the average small business owner is paying for redundant cloud services, software licenses they don’t need, hardware that’s totally out of spec for what their employees do. As more of what we do and rely on moves to the cloud, our data counterintuitively becomes harder to manage. Our digital footprints grow and become harder to secure. Technologies like password-based authentication have fallen out of favor as security threats grow more sophisticated and ransomware poses a serious risk to businesses of all sizes. An entire industry has grown up around information security alone, and for good reason: the average cost of recovering from a ransomware attack reached nearly $2 million in 2021, according to research done by Sophos. These numbers are potentially debilitating for a small business. The landscape has changed, for better and for worse. By all metrics, information security should be top of mind for individuals and business owners. A single security incident could bring about disastrous results; the implications become more grim when sensitive or personally-identifying information is lost, such as HIPAA-protected medical records, payroll, or tax records. In partnership with Sophos and other leading security solutions providers, Geek Housecalls is here to help you run your business with the peace of mind you deserve.