Connecting Dots

> Search Results


  • Telcos, with the help of the FCC, are dropping copper and replacing it with nothing

    In August 2022, the FCC handed down Order 19-72, titled “FCC Grants Relief From Outdated, Burdensome Phone Industry Regulations”. Order 19-72 empowers telecommunications companies to discontinue support for and maintenance of their existing copper-based communications networks in favor of broad fiber-based network upgrades. That legacy copper networks would be upgraded to modern fiber networks is a drum telecom giants like AT&T have been beating since the 1990s. In practice, however, these upgrades still haven’t materialized for millions of households, particularly those in rural areas, because of a deeply ingrained anti-competitive spirit within the telecom industry. The Telecommunications Act of 1996, which is in fact an amendment of the Communications Act of 1934, sought a path to force incumbent telecommunications companies to upgrade their networks. However, as is the case with most modern legislation passed in the United States, this particular bill was largely toothless. Lacking the political power or regulatory authority to make incumbent telcos like AT&T do much of anything, the Telecommunications Act went largely ignored. Over the ensuing decades, incumbent telecom companies like AT&T, GTE, Sprint, Verizon, and Bell South have wrung their hands, dragged their feet, litigated, lobbied, and done everything in their power to delay performing this copper-to-fiber network transition. Worse, the same telcos have for years let their existing copper infrastructure languish and decay, citing “prohibitive” maintenance and upkeep costs. In 2015, AT&T reluctantly struck a deal with the federal government to receive $428 million in subsidies to provide a minimum of 10Mbps downstream Internet service to rural areas of the country. AT&T claimed that it shouldn’t have to provide anything better than the FCC’s existing broadband standard of 4Mbps downstream, 1Mbps upstream. 
Considering AT&T has long enjoyed a virtual protected monopoly thanks to ongoing subsidies from the federal government and special regulatory protections from state governments, their intransigence on performing basic network maintenance and upgrades is especially vexing. After the 1982 dissolution of AT&T’s historic “Bell System” and the partitioning of the Bell System into RBOCs (Regional Bell Operating Companies), the so-called “Baby Bell” companies were slowly reabsorbed into large, national telecommunications companies, thereby establishing new monopolies and effectively rendering the original intent of the 1982 Bell breakup completely moot. In a truly absurd show of the U.S. government’s apparent lack of regulatory authority, AT&T itself purchased BellSouth, which it had divested as an RBOC only 24 years earlier, for the sum of $86 billion in 2006. Now, these same legacy telecommunications companies, like AT&T, enjoy the same monopoly privilege that they were forced to divest only about 40 years ago. AT&T abuses its monopoly position in broad daylight, as was evidenced by their paying a $23 million settlement to resolve a federal criminal investigation brought by the Department of Justice. In 2017, AT&T Illinois President Paul La Schiazza conspired with Speaker Michael J. Madigan, a friend of Madigan, and “other parties” to arrange a payment of $22,500 in order to essentially buy votes that AT&T found agreeable with its agenda (in this case, to step away from its copper landline obligations in Illinois). Returning to FCC Order 19-72, we see that the federal government continues to not only fail to pass or enforce effective regulatory measures on historically highly-regulated telecom companies, but that the FCC, under former Chairman Ajit Pai’s stewardship, actually went out of its way to facilitate these telecom companies in achieving their own goals. 
Citing “red tape”, Chairman Ajit Pai trotted out the oft-deployed Republican rhetorical device that regulation is what’s holding companies back from necessary innovation and investment, and that deregulation would solve such broad infrastructure problems as lack of telecom service in rural communities. In spite of ongoing subsidies from the federal government to telecom companies, these upgrades have a mysterious way of never, or rarely, materializing. We need look no further than the failed effort to break up AT&T’s monopoly in 1982 if we want a case study in the almost comical failure of deregulation to achieve the ends its proponents promise. As it stands now, in 2023, the FCC order to allow telcos to walk away from copper is in force, with no real roadmap for replacing copper in low income communities and rural areas, in particular. Of equal importance, there seems to have been little consideration by the FCC of the technical limitations of fiber-based networks as far as landline phone functionality is concerned. Copper-based phone systems carry passive voltage throughout the system, around 48 volts DC when the phone handset is on the hook. This passive voltage allows standard phone handsets, which are not externally powered, to remain online during a power outage. While this may not seem like an issue of major importance in the era of nearly-ubiquitous cell phone ownership, it is an issue which has not been properly addressed by fiber-based Voice-over-IP (VoIP) phone systems. Smartphones rely on batteries for power and on cell tower backup generators for network connectivity, and can’t guarantee reliable 911 or emergency service connectivity during an extended power outage, so placing our faith in smartphones to bridge the gap that telco companies’ neglect has caused is not a very effective solution. 
During a power outage, VoIP systems will go offline unless an appropriate battery backup system has been installed; such a backup must be of sufficient capacity to keep both an Optical Network Terminal (ONT), the fiber modem, router, or gateway, and any VoIP handsets connected during an extended power outage. Power outages in the United States, as it happens, are also becoming more frequent due to an increase in ‘extreme’ weather events and neglected infrastructure. As a consequence, backup battery systems that promise 8 hours of runtime should not be considered appropriate or sufficient. How many excess deaths can we expect thanks to monopolistic telecom companies and their allies in state and federal government allowing them to just walk away from their legal obligation to provide service? In an extended power outage event, the lack of access to a copper phone line can be a matter of life and death; alarm systems and other security devices also rely on copper phone line connectivity, in addition to traditional landline phones. The current patchwork of state-level regulation regarding copper line access only complicates the matter. VoIP service of any description, whether purchased from your Internet service provider or not, relies on effective backup power solutions at every point in the network: your home, the fiber cabinet, and the local fiber hub, depending on how widespread a given power outage is. Telcos, of course, will fight tooth and nail to spend the least money possible on ensuring continuity of service, as they have demonstrated over decades of grift, lobbying, and fighting basic, common-sense legislation, legislation that might just keep people online and alive during an emergency. While we don’t agree with the shifting of monetary burdens onto customers for the failures of telcos, Geek Housecalls can help you implement a phone system that will keep you connected in a power outage or other emergency. 
We have extensive experience in VoIP phone systems and in specifying battery backup systems for installations of any size. Get in touch with us today to discuss your phone system needs.

  • Microsoft mistreats its captive audience

    In the Before Times, the Windows operating system was sold on physical media: first, floppy diskettes, then CDs, then DVDs. When you purchased a physical copy of Windows (which until the mid-2000s was the only way to purchase it), you also purchased a license to use that copy of Windows. This license, while subject to Microsoft’s End User Licensing Agreement, was basically immutable; you bought a physical item and you owned a tangible good. In the years since Windows 7, Microsoft has labored tirelessly to turn Windows from a piece of software you bought every few years into a service that you rent. While Microsoft won’t say as much, the intention is to turn Windows into a subscription, like so many other products in the modern tech sphere. Starting with Windows 11 in 2021, an active Internet connection and Microsoft Account are now mandatory in order to complete Windows setup on a new PC (or on an existing PC being upgraded from Windows 10). While there were methods to bypass this requirement in earlier builds of Windows 11, Microsoft has since focused on eliminating such workarounds. The long and short of it is: Microsoft is dedicated to killing the Local Account, whether you like it or not. Windows 11 Pro, it must be noted, is exempted from this mandate (for now) and offers users an “I don’t have Internet” option during setup. Windows 11 Home users are not so favorably considered. While there remain a couple of ways to fool Windows 11 Home into letting the end user create a Local Account, it’s impossible to know for how much longer those tricks will work. The first way to fool Windows is to disable your Internet connection during setup, which is easy if your PC is plugged into an Ethernet cable (just pull the cable!), but becomes more of a chore if your PC connects strictly over WiFi; some users report pressing Alt+F4 when they reach the “Let’s get you connected” screen works to bypass this requirement, while others report it doesn’t. 
At this point, the use of the Command Prompt usually becomes necessary, requiring users to test various unsavory methods found on Google just to create a Local Account. None of this is to proclaim that Windows users shouldn’t be given the option to use a Microsoft account if they want, but rather that an option should be provided at all. The current paradigm within Big Tech of automatically opting unwitting users into things they don’t want or understand is reflected in Microsoft’s efforts to pretend Local Accounts never existed. And the strangest part of it all is that this behavior from Microsoft is so expected and mundane that the tech media has come to largely stop reporting on it. Rather than collectively hold Microsoft’s feet to the flame for their abuse of a largely captive audience, we’ve instead agreed to just suffer through it. Microsoft, being no stranger to antitrust lawsuits, has to imagine that they are walking on thin ice as they implement more anti-user and anti-competitive features that allow them to abuse their monopoly desktop operating system position. While Microsoft may hope to avoid further antitrust litigation, it has recently made itself a target by bidding to acquire video game giant Activision for an astounding $69 billion. Now, Microsoft’s legal team might, with some success, argue that it no longer has a monopoly in the operating system space. Rivals Apple and Linux-based operating systems do exist, and are suitable replacements to Windows for a minority of current Windows users. Whether Microsoft acknowledges it or not, it has a largely captive audience in its Windows user-base. When one considers that Microsoft Windows and Microsoft Windows Server are staples of the vast majority of corporate and government institutions, it becomes clear that just dumping Windows for Apple’s macOS or a variant of Linux is not only unlikely, it’s absurd. 
While Microsoft’s Windows hegemony has diminished from a lofty 92.02% of the total market in January 2011 to 74.14% in January 2023, it’s obvious that Windows is still king. Decades of backroom deals with other tech giants like Intel and vendor lock-in set Microsoft up for perpetual success, with little incentive to actually improve its products. While Linux might run the world, with the open source kernel powering operating systems that run on 96% of the world’s top one million web servers, Microsoft Windows is still an 800-pound gorilla in both end-user operating systems and corporate IT. Where does this leave users who need Windows because their software doesn’t run on anything else? Stuck. It doesn’t matter if Windows is the best solution, or the most affordable, or the easiest to integrate with an existing tech stack; if your program doesn’t have a Linux or macOS equivalent, you have no recourse. Happily, this forced marriage to Windows has begun to wane with the rise of cloud applications, which run in a web browser and are operating system agnostic. Adobe, once considered a Windows-only developer, now offers its Creative Cloud suite of applications which is available for both Windows and macOS (though, sadly, not Linux-based operating systems like Ubuntu). Microsoft’s own cash-cow productivity suite, Microsoft 365, is also available in web app form, which extends its reach to both macOS and Linux users. Microsoft even now claims to embrace the Linux kernel, having implemented Windows Subsystem for Linux in Windows 10 back in 2016. Such trends would indicate that Microsoft wants to distance itself from its checkered past as a monopolist, an industry bully. Why, then, does Microsoft continue to do its determined best to make Windows more stifling, more restrictive, and less usable with every subsequent release? The answer is perhaps not a surprising one: Microsoft wants an ecosystem. 
Apple, its largest rival in the desktop operating system space, has an ecosystem, and profits handsomely from tightly controlling the hardware, software, and services its users rely on. Having failed miserably in its foray into smartphones and being battered in the developer and server space by open source, Microsoft appears to be relenting and grudgingly embracing open source. Forgive my cynicism when I say “grudgingly”, as it stems from Microsoft’s public and private dismissal of open source software over the last three-and-a-half decades. Under current CEO Satya Nadella’s leadership, the culture at Microsoft does seem to have changed for the better, relative to the ‘bad old days’ under Steve Ballmer’s and Bill Gates’ tutelage. Attitudes toward open source at Microsoft in its Azure, IoT, and services divisions may well have shifted positively, but Windows remains a puzzling contradiction to those pro-open source shifts. We must consider that the Windows NT kernel is a sprawling, complex mess that few Microsoft engineers even understand, and that rewriting the Windows kernel would be a truly Herculean undertaking. Having said that, nothing changes if nothing changes. The momentum Microsoft has accrued in its other divisions must be applied to its Windows product or the operating system is destined to wither, adding to its market share losses since the turn of the century. Ultimately, we must consider Microsoft's new idea for its operating system now: to sell ad space. Microsoft's enduring obsession with injecting ads directly into Windows has miffed more than a few of its users, but it continues to toy with the idea, sometimes boldly, sometimes with more timidity. Application "stubs" for the likes of Instagram, Hulu, ClipChamp, and Disney+ litter the Start menu of a freshly-installed version of Windows 10 or Windows 11 now, thanks to undoubtedly lucrative partnerships that Microsoft has forged with these companies. 
These stubs are easily uninstalled and serve more as an annoyance than a privacy or security issue, since they aren't full applications, but they foretold a more ominous advertising future for Windows: Microsoft's current push to bake non-removable OneDrive and other first-party ads directly into the operating system itself. The sentiment toward these practices may be negative, but most people won't throw out their Windows PC because of it. Perhaps the larger issue at play isn't what Microsoft, Apple, or Google are doing with their products, but rather advertising itself. Technology and advertising have become so interwoven that the only way to keep ads from eating reality itself is effective legislation and regulation. We'll discuss the state of digital advertising, its future, and its unintended consequences in a later post.

  • Why consumer security products are bad

    With LastPass’s implosion and private equity firms buying up the tech sector, what’s to be done? LastPass, McAfee, Twitter, Optus, WhatsApp, Uber, Shein: you may be familiar with some of these companies, many of whom are now trying to shed the ignominy of rather self-inflicted poor reputations. Most recently, LastPass experienced a data breach which, its executive leadership has now admitted, led to the exfiltration of users’ encrypted password files. More egregious than that, LastPass offers no remedy or advice to those affected users. How could a tech company of LastPass’s size get away with such obvious negligence? Private equity. In 2019, LogMeIn, parent company of LastPass, agreed to sell itself to two private equity firms to the tune of $4.3 billion. Understandably, there was concern among tech insiders and LastPass users that the sale would change LastPass’s business model; generally, private equity firms exist solely to purchase assets and maximize the value of those assets for a later sale. In LogMeIn’s case, this was very much the trajectory. Francisco Partners and Elliott Management were the two private equity firms which bought LogMeIn in 2019. Shortly thereafter, in 2020, LastPass announced it was raising prices. If users wanted access to their LastPass-managed passwords on more than one device, they’d have to pony up another $36 a year. This killed the free option previously offered by LastPass, which represented a significant portion of the company’s user base. Of course, this is expected behavior during a private equity takeover: raise prices, increase shareholder value. The downside, predictably, is that the increased costs that you pay are not reinvested in the company. In fact, one could imagine that LastPass took resources away from its security teams in the wake of their sale to private equity interests. That would neatly explain why the platform was hacked multiple times in 2022 alone. 
As we covered previously, the password vaults that were stolen during these data breaches were and hopefully are still encrypted. But that doesn’t matter in the context of LastPass. Would you trust a company that didn’t follow basic security protocols to use the strongest available encryption for your data? Given the priorities of LogMeIn’s buyers, it seems far-fetched to believe that those password vaults won’t at some point be decrypted by the very same enterprising hackers who stole them. Handing a safe and a set of lockpicking tools to a master lockpicker doesn’t mean you won’t lose everything just because he doesn’t have the combination. This trend is a worrying one: the companies who promise to secure your data, monitor your credit, protect your identity, and keep your devices safe are increasingly selling out to the highest bidder, throwing security out the window, and exposing you to risks never before seen. We’ve entered into an age of consumer security chaos. Companies like McAfee preload their obnoxious, resource-intensive, and often ineffectual software onto millions of computers each year. For the record, McAfee, despite being an alleged security-focused company, has not been immune to such security breaches. In 2017, McAfee’s own network sent out malware that directed customers of its ClickProtect software to download a malware-infested Word document. In 2019, popular VPN service provider NordVPN revealed it had been hacked, although the scale and severity of this particular breach were much less significant than in other high-profile incidents over the last several years. Despite the lower profile of NordVPN’s breach, the incident demonstrated a means by which a cloud service provider (CSP) could be compromised on a larger scale. As threats have evolved, consumer security products, such as McAfee’s antivirus platform and other consumer-oriented security services, have not kept up. 
Zero-day threats, or threats which are known to bad actors before they’re known to software and hardware vendors, are often blind spots for these consumer-focused security solutions. In Q4 2021, 66% of malware attacks exploited zero-day vulnerabilities. These so-called zero-day vulnerabilities by definition can’t be detected by antimalware engines because definitions for them don’t exist until after the vulnerabilities are exploited. Therefore, security products use heuristics and machine learning models to detect such exploits as quickly as possible. While software teams are patching code and releasing antivirus signature updates, these heuristically-driven antimalware engines can, in theory, protect critical systems from zero-day attacks. In practice, however, 80 zero-day vulnerabilities were exploited in 2021, the highest number since monitoring of zero-days began. It must be noted that the majority of zero-day attacks originate from state-sponsored hacking groups, with the remainder largely from financially-motivated hackers. Zero-days are not trivial and are rarely carried out by lone actors. Consequently, the targets of zero-day attacks are usually governments, large corporations, or other valuable assets, rather than individual people. Individuals are still affected by zero-days nonetheless: in 2020, Citrix saw remote access vulnerability attacks increase by an astonishing 2066%. As threats grow ever more sophisticated, protecting yourself from them requires a more sophisticated defense. Installing antivirus software just isn’t enough anymore, in spite of what big antivirus vendors like McAfee, Norton, Kaspersky, and Avast would have you believe. These companies spend hundreds of millions of dollars per year, combined, to convince you that you need their ‘ultimate security’ package, which could cost you hundreds of dollars per year, at dubious benefit to your actual security. 
Security researchers increasingly think that antivirus software is redundant and unnecessary, considering that modern threats have shifted away from software viruses to ransomware, phishing, and complex social engineering attacks. Naturally, the companies who make antivirus software are incensed at the notion that you don’t need them anymore. To make up for this inevitable loss in revenue, security software vendors have taken to including mostly-worthless features like VPNs, identity theft monitoring, and other baubles as “value adds” in their security software. To their credit, it has been effective, as the average computer user doesn’t know why they don’t need these things, and fear-based marketing has always been a powerful tool in the tech space. The bottom line for customers, both individuals and businesses, is that their security solution must involve a multi-pronged approach: an antimalware service (e.g., Windows Defender), an effective ransomware protection and remediation strategy (e.g., offsite data backups), a password manager that is audited and has been shown to be secure (e.g., BitWarden), logical network segregation (e.g., isolating less secure devices onto their own networks), and device patching (e.g., keeping all of your software and firmware up to date). Don’t go it alone: Geek Housecalls and Geeks for Business are here to help you navigate the ever-changing security landscape.

  • Smart-device company Eufy admits major camera security breach

    Another day, another breach; which companies can you trust? As 2022 came to a close, yet another security breach was disclosed (albeit only partially) by a large smart device manufacturer. On November 23, 2022, a security researcher and YouTuber named Paul Moore uploaded a video claiming that Eufy devices were sending photos and videos to the cloud, despite Eufy’s insistence that all photo and video analysis was performed by the devices themselves, rather than in the cloud. Moore’s research alleged that user images and facial recognition data were (and still are) being uploaded to an AWS server either maintained by Anker (parent company of Eufy) or Eufy themselves. Since late November, Moore has updated his initial findings, telling us that some of these security issues have been patched, although with no way to verify Anker’s and Eufy’s claims that previously-stored cloud data are actually being deleted. As the saga unfolded, The Verge uncovered that unencrypted camera streams from Eufy cameras could be accessed by video playback software such as VLC. The Verge questioned an Anker representative about this security vulnerability, to which Brett White, a senior PR manager at Anker, responded that it was not possible to initiate an unencrypted stream to a Eufy camera from a third-party video client like VLC. The Verge tested this claim and found that Anker lied: “But The Verge can now confirm that’s not true. This week, we repeatedly watched live footage from two of our own Eufy cameras using that very same VLC media player, from across the United States — proving that Anker has a way to bypass encryption and access these supposedly secure cameras through the cloud.” The Verge continues that, in spite of this disturbing revelation, there is no evidence that the vulnerability has been exploited in the wild. 
However, the method for connecting to cameras over the Internet involves simply knowing the cameras’ serial numbers, which are 16-digit codes encoded in Base64; decoding these addresses with freely available online calculators is trivial. This “unique” address also consists of a Unix timestamp, which is easily created by an attacker, as well as some sort of identity token which Eufy’s servers don’t appear to actually validate. Finally, a four-digit random hex code is needed to complete this process; such codes can also be easily brute-forced, as only 65,536 possible combinations of four-digit hex exist. Anker’s responses to these findings and allegations have varied from half-hearted admissions, to flat denials (even when faced with very damning evidence), to mere radio silence. Paul Moore, who initially broke the story, has initiated a lawsuit against Eufy and parent company Anker, as he alleges their security policies have violated GDPR regulations in Europe (Moore lives in the United Kingdom). But it gets worse. A few weeks after the initial story broke, The Verge wrote a follow-up article to their original investigative piece. They claim that Eufy has not answered any of their questions about these vulnerabilities, instead opting to remove the ten so-called “privacy promises” from their website that had been publicly visible on Eufy’s site until December 8th, 2022. The ten bullet points in Eufy’s now-defunct “privacy promise” follow:

      • “To start, we’re taking every step imaginable to ensure your data remains private, with you.”
      • “[Y]our recorded footage will be kept private. Stored locally. With military-grade encryption. And transmitted to you, and only you.”
      • “Here at eufy, we’re not just all talk and no action.”
      • “With secure local storage, your private data never leaves the safety of your home, and is accessible by you alone.”
      • “All recorded footage is encrypted on-device and sent straight to your phone—and only you have the key to decrypt and watch the footage. Data during transmission is encrypted.”
      • “There is no online link available to any video.”
      • “You need to use Eufy software and your account to decrypt the clips for viewing. No one else can access or read this data.”
      • “For Your Eyes Only”
      • “Peeking Prohibited”
      • “Everything In-House”

    It doesn’t seem surprising, then, that Eufy memory-holed these items from its website, given the potential legal ramifications of leaving them up, especially assuming that Eufy is already undergoing investigation from government regulators in other countries. But it does speak to the casual attitude that so many companies take toward data security and user privacy. Many of Eufy’s sins in this case come down to failure to implement basic information security best practices. These things are well-understood, well-documented, and increasingly given to regulatory scrutiny if not implemented properly. So what should you do? If you own any Eufy products, get rid of them. Anker and Eufy have amply demonstrated how they feel about their users’ security, given their responses to the very fair questions the media and security consultants have asked them. But this is not an isolated problem. Eufy is not the first smart device maker to have an unflattering spotlight shined on their information security practices. Wyze has been similarly implicated in failing to address security vulnerabilities in their security camera platform. Wyze also suffered a large data breach in 2019 when it failed to secure customer databases stored in the cloud. This leaves prospective customers with something of a dilemma: do I buy nothing or buy the least-bad option? When you use a device maker’s cloud services you’re agreeing to a certain amount of risk. A cloud server is just someone else’s computer, after all. 
    When you buy an Internet-connected camera and pay for cloud video storage, AI recognition, and streaming, you’re implicitly trusting that device manufacturer to do the right thing and to be rigorous in their security policies. The only way to reduce this risk is to keep your smart devices off the Internet, which rather reduces their effectiveness, especially in the case of security cameras. Your best path forward consists of a multi-part strategy which I encourage everyone who has an interest in (or owns) smart devices to employ:

      • Vet your suppliers: research the companies you’re buying your products from. Have they had data breaches or other security incidents? How did they respond to them? Has there been more than one such incident?
      • Segregate your network traffic: don’t put smart devices on the same network your computers use. VLANs (virtual networks) suit this purpose perfectly. By creating a special network just for your smart devices, you ensure that they cannot communicate with sensitive data on your main home network. A compromised IoT device can wreak havoc, but the damage will be minimized if that device can’t talk to the rest of your network.
      • Don’t rely solely on cloud solutions: companies like Eufy and Wyze want you to buy their cloud subscription services for things like video storage, as these are their cash cows, offsetting the often low price you pay for their hardware. These cloud storage and authentication solutions, as we’ve seen so many times before, are often breached, leak your data, or are otherwise compromised due to poor security practices and unpatched software and firmware vulnerabilities. Look for cameras that support local video recording by way of a microSD card or other local storage device.
      • Use your firewall: create rules to prevent your cameras and other IoT devices from “phoning home” to remote servers that you don’t recognize, or that these devices needn’t otherwise communicate with. When performing a traffic analysis of these devices, you’ll often find they routinely ping a number of cloud servers (often Amazon Web Services servers). In the case of cloud-connected devices which need access to remote servers in order to upload photos and videos, this is expected and necessary behavior, but what about if you have no cloud subscriptions? What if the server it’s trying to access isn’t a legitimate server? When you consider the Chinese government’s hostility toward Western countries like ours, and that most of these devices are made in China with China-backed servers, these are important questions to ask. Retain a network engineer, if necessary, to perform an actual traffic analysis for you, to ensure that your devices aren’t actually making your home less secure.

    Finally, there is always the option of building a local-only security solution that doesn’t connect to the Internet at all. In this way, you’ll find your options in terms of hardware and software are numerous compared to the closed ecosystems that most IoT and smart device companies are selling you. Again, though, an offline security solution isn’t much use to a customer who wants to check in on their home, pets, or loved ones when they’re out of town, at work, or on an errand. However, you still have options to convert an offline system to a more secure online system by using our favorite smart device aggregation platform, HomeAssistant. HomeAssistant requires considerably more manual configuration and setup than any plug-and-play smart device, but it rewards users with greater security and emphasizes local control rather than handing your information to unknown, possibly malicious, third parties. Geek Housecalls has experience in installing and configuring HomeAssistant for home users, as well as businesses, with security foremost in mind. Contact us today for a free consultation!
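    The VLAN-segregation and firewall advice above amounts to an egress policy per device, and the "traffic analysis" it recommends is checking logged connections against that policy. The following is an added example (not code from the original post or from any vendor) that does exactly that over a constructed firewall log: it flags IoT devices talking to the home LAN, devices phoning home to servers outside their allowlist, and unlisted devices on the IoT VLAN. The log format, device names, and address ranges are all made up; adapt the regex and the policy table to your own firewall.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Network layout assumed for this example (constructed, not from the post).
IOT_VLAN = ip_network("192.168.50.0/24")   # where the cameras live
HOME_LAN = ip_network("192.168.1.0/24")    # computers, NAS, phones

# Shared infrastructure every IoT device may reach: a local DNS/NTP server.
INFRA_ALLOW = {("192.168.1.10", 53, "udp"), ("192.168.1.10", 123, "udp")}

# Per-device egress allowlist: (network, dport, proto) triples. The cloud
# range is a documentation placeholder, not a real vendor's address space.
DEVICE_POLICY = {
    "192.168.50.21": {"name": "driveway-cam (cloud plan)",
                      "allow": [("203.0.113.0/24", 443, "tcp")]},
    "192.168.50.22": {"name": "doorbell (local recording only)",
                      "allow": []},
}

# Constructed sample: one line per new outbound connection seen by the
# firewall between the IoT VLAN and everything else.
SAMPLE_LOG = """\
2023-01-14T02:11:03Z iot-fw NEW src=192.168.50.21 dst=192.168.1.10 dport=53 proto=udp
2023-01-14T02:11:04Z iot-fw NEW src=192.168.50.21 dst=203.0.113.5 dport=443 proto=tcp
2023-01-14T02:11:09Z iot-fw NEW src=192.168.50.21 dst=192.168.1.10 dport=123 proto=udp
2023-01-14T02:12:40Z iot-fw NEW src=192.168.50.21 dst=192.168.1.50 dport=445 proto=tcp
2023-01-14T02:13:02Z iot-fw NEW src=192.168.50.22 dst=198.51.100.77 dport=8443 proto=tcp
2023-01-14T02:13:05Z iot-fw NEW src=192.168.50.22 dst=198.51.100.77 dport=8443 proto=tcp
2023-01-14T02:13:30Z iot-fw NEW src=192.168.50.22 dst=192.0.2.44 dport=32100 proto=udp
2023-01-14T02:14:11Z iot-fw NEW src=192.168.50.23 dst=192.168.1.10 dport=53 proto=udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ NEW src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["dport"] = int(conn["dport"])
    return conn


def classify(conn):
    """Label one outbound connection, or return None when it matches policy."""
    src, dst = ip_address(conn["src"]), ip_address(conn["dst"])
    port, proto = conn["dport"], conn["proto"]
    if src not in IOT_VLAN:
        return None                      # not an IoT device; out of scope here
    policy = DEVICE_POLICY.get(conn["src"])
    if policy is None:
        return "unknown-device"          # something on the IoT VLAN we never inventoried
    if (conn["dst"], port, proto) in INFRA_ALLOW:
        return None
    if dst in HOME_LAN:
        return "lateral-to-home-lan"     # the VLAN isolation is not doing its job
    for net, allowed_port, allowed_proto in policy["allow"]:
        if dst in ip_network(net) and port == allowed_port and proto == allowed_proto:
            return None
    return "unexpected-egress"           # phoning home somewhere we did not approve


def audit(log_text):
    """Count findings keyed by (src, dst, dport, proto, label)."""
    findings = Counter()
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is None:
            continue
        label = classify(conn)
        if label:
            findings[(conn["src"], conn["dst"], conn["dport"], conn["proto"], label)] += 1
    return findings


def report(findings):
    """Render findings as one human-readable line each, sorted for stable output."""
    lines = []
    for (src, dst, port, proto, label), n in sorted(findings.items()):
        name = DEVICE_POLICY.get(src, {}).get("name", "UNLISTED")
        lines.append(f"{label:20} {src} ({name}) -> {dst}:{port}/{proto} x{n}")
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_LOG)):
        print(line)
```

    On the sample log this reports four distinct findings: the cloud-plan camera reaching an SMB port on the home LAN, the local-only doorbell contacting two external servers, and an uninventoried device on the IoT VLAN; the camera's DNS, NTP and allowlisted cloud connections are silent.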

  • LastPass Admits Data Breach Is Much Worse than Initially Revealed

    The last password manager you’d ever want to use
In August 2022, popular password manager developer LastPass disclosed a security incident in which an “unknown threat actor” compromised a developer account and gained access to portions of LastPass’s development environment, taking source code and technical information. LastPass later disclosed that the actor used information stolen in that intrusion to obtain credentials and decryption keys for a third-party cloud storage service that LastPass uses for backups. LastPass has not said which provider that was. It’s tempting to assume an Amazon Web Services S3 data “bucket”, and so-called “leaky buckets” have been front-and-center in a number of high-profile data breaches over the last several years; in those cases, while it’s convenient to blame AWS for hosting the storage, the fault lies squarely with the companies that fail to configure their storage properly. In LastPass’s case, though, the disclosed path was stolen keys, not an open bucket. Either way, the original event in August 2022 turned out to be much worse than LastPass initially revealed. On December 22nd, 2022, LastPass published a new blog post admitting that the threat actor had copied backups of customer vault data. Those backups contain unencrypted fields, such as the website URLs in each vault, alongside encrypted fields (usernames, passwords, secure notes) protected with a key derived from each user’s master password. LastPass does not hold the master password itself, so what the attacker has is not the master password but everything needed to guess it offline: the encrypted vault, the salt, and the PBKDF2 iteration count for that account. A weak or reused master password, or an old account still set to a low iteration count, falls to a dictionary attack, and once it falls the attacker has every password the user saved in LastPass. This is a big deal. It’s nearly a worst-case scenario from LastPass’s perspective, but they won’t say as much because the optics are already terrible for the embattled company. In 2015, LastPass was acquired by LogMeIn, a popular developer of remote access software. In December 2021, LogMeIn announced it would spin LastPass off as an independent company, still under the ownership of the private equity firms that had acquired LogMeIn. During all of this buyout and spinoff drama, LastPass significantly altered the terms of its free product tier in early 2021, leading to a substantial shedding of its customer base. Password managers are high-profile targets for hackers and many contain security vulnerabilities, unfortunately.
As these programs are essentially just storehouses for every password a customer regularly uses, threat actors prioritize gaining access to them. In 2020, researchers from the University of York published security vulnerabilities they had found in the popular password managers Dashlane, LastPass, Keeper, 1Password, and RoboForm. In LastPass’s case, the vulnerabilities had apparently not been fixed at the time the study was published. These types of attacks are also distinct from, and potentially more damaging than, the more common phishing attacks that affect millions of people every year. So what should you do? If you were a LastPass user in 2022, you have to assume that the threat actor has a copy of your encrypted vault and the ability to crack your master password, particularly if that password was short, reused anywhere else, or chosen years ago when LastPass’s default iteration count was far lower than it is today. At this point, LastPass’s word is essentially worthless. With that said, and painful as it may be, your best course of action is to change every password you stored in your LastPass vault (starting with e-mail, banking, and any account that can reset the others), turn on two-factor authentication wherever those accounts offer it, and close your LastPass account. Which password manager should you use? We recommend Bitwarden. So far, Bitwarden’s security posture has led the pack in the field of password managers: its clients and server are open source and have been independently audited. Bitwarden offers a free online password manager as well as paid tiers with additional features, and you can self-host your own Bitwarden instance (or have a technical service provider like Geek Housecalls do it for you!). This is especially critical in business and enterprise environments. In a 2020 report by Rapid7, researchers found effective password management and two-factor authentication were both badly underutilized in corporate IT environments. Failure to implement appropriate credential management and two-factor authentication has led to billions of dollars in lost productivity as well as in funds paid to ransomware hackers and to outside security companies. If you’re struggling with password management at home or credential security at work, give Geek Housecalls a call or email today.
Our business division, Geeks for Business, is ready to help you secure your enterprise environment. Our home division, Geek Housecalls, can help you migrate away from LastPass and we’ll perform a full security audit to ensure that your online passwords are as secure as possible.
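To make concrete why “assume they can decrypt it” is the right posture after a vault backup is stolen, here is an added example, not LastPass’s code and not from the original post, of the offline attack the thief can run. The vault container is a simplified stand-in (salt, iteration count, a key-check value and ciphertext); real products differ in layout, and LastPass’s actual parameters are not reproduced here. The stream cipher is a toy standing in for the AES a real vault uses; the wordlist, e-mail address, passwords and iteration counts are constructed. What the code shows is that each guess costs exactly `iterations` PBKDF2 rounds, that nothing stops the guessing once the backup is in hand, and that the iteration count and the master password’s entropy are the only two things that make the attack expensive.

```python
"""
Offline attack model against a stolen, encrypted password-vault backup.
Added example, not LastPass's code and not from the original post. The container
layout and all inputs are constructed; the HMAC "cipher" stands in for AES.
"""
import hashlib
import hmac

KEY_LEN = 32
LEGACY_ITERATIONS = 5_000     # a low count, as old accounts on several products carried
STRONG_ITERATIONS = 600_000   # OWASP's current minimum for PBKDF2-HMAC-SHA256

# Constructed attacker wordlist; a real one has billions of entries.
WORDLIST = ["password", "123456", "letmein", "Summer2022!", "qwerty", "iloveyou"]


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, salt, iterations)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for the AES a
    real vault uses. XOR makes encryption and decryption the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def make_backup(master_password: str, account_email: str, iterations: int,
                vault_plaintext: bytes) -> dict:
    """Everything the thief of a vault backup gets. The salt is the account e-mail,
    a public value: salting defeats precomputed tables, not guessing."""
    salt = account_email.lower().encode("utf-8")
    key = derive_vault_key(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        # Key-check value: lets a client confirm the right key before decrypting,
        # and hands an attacker an instant yes/no oracle for every guess.
        "kcv": hmac.new(key, b"vault-key-check", "sha256").digest(),
        "ciphertext": keystream_xor(key, vault_plaintext),
    }


def crack(backup: dict, wordlist) -> tuple:
    """Offline dictionary attack. Returns (recovered password or None, guesses tried).
    No network, no rate limit, no lockout: only the KDF cost slows this loop."""
    for tried, guess in enumerate(wordlist, start=1):
        key = derive_vault_key(guess, backup["salt"], backup["iterations"])
        kcv = hmac.new(key, b"vault-key-check", "sha256").digest()
        if hmac.compare_digest(kcv, backup["kcv"]):
            return guess, tried
    return None, len(wordlist)


def decrypt_vault(backup: dict, master_password: str) -> bytes:
    """With the master password recovered, the whole vault opens."""
    key = derive_vault_key(master_password, backup["salt"], backup["iterations"])
    return keystream_xor(key, backup["ciphertext"])


def pbkdf2_work(backup: dict, guesses: int) -> int:
    """Total PBKDF2 rounds the attacker spent: linear in the iteration count, which
    is why raising it (and choosing an unguessable master password) matters."""
    return backup["iterations"] * guesses


if __name__ == "__main__":
    vault = b"bank.example: alice / hunter2\nmail.example: alice / hunter3"
    weak = make_backup("Summer2022!", "Alice@Example.com", LEGACY_ITERATIONS, vault)
    pw, n = crack(weak, WORDLIST)
    print(f"weak vault: recovered {pw!r} after {n} guesses, {pbkdf2_work(weak, n):,} PBKDF2 rounds")
    print(decrypt_vault(weak, pw).decode())
    strong = make_backup("tundra-velvet-ember-quartz-91", "Alice@Example.com", STRONG_ITERATIONS, vault)
    pw, n = crack(strong, WORDLIST)
    print(f"strong vault: recovered {pw!r} after {n} guesses, {pbkdf2_work(strong, n):,} PBKDF2 rounds")
```

The weak vault falls on the fourth guess; the strong one survives the same wordlist, and every failed guess against it costs 120 times the PBKDF2 work of a guess against the legacy count. Neither fact depends on LastPass being online or honest, which is exactly why rotating the stored passwords, rather than waiting for the vendor, is the advice above.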

  • A Word on Tech Hype

    The Internet changed marketing and advertising forever. Nearly unlimited reach combined with advanced audience metrics have made online marketing the advertiser’s sine qua non. Not so coincidentally, the Internet has also enabled some of the greatest scams and swindles of our time. More germane to the tech service domain, though, are breathless promises of breakthrough cybersecurity products, IoT devices that’ll change your life, and a litany of other products and services that tend to overpromise and under-deliver (usually with “AI-powered” somewhere in the ad copy). We cover a concept known as ‘zero trust’ on our website, and it isn’t really one thing; it’s not a device, a service, or a piece of software. Zero trust is an architectural approach to security: no user, device, or application is trusted simply because of where it sits on the network, every request for a resource is authenticated and authorized on its own merits (who is asking, from what device, in what state), and users and apps get only the permissions they need to do the job at hand. Many MSPs (managed IT service providers) and TSPs (technical service providers) now claim to “offer” zero trust, as if it were a product. This kind of marketing betrays an acute misunderstanding of how the technologies these TSPs claim to implement actually work. Be wary of it. Even mildly technically inclined marketers and unscrupulous IT professionals will talk over the average customer’s head, knowing that the customer probably won’t call them out if they’re wrong. The amount of grift, hype, and overpromising within the IT sphere is vast. IT pros mislead other IT pros, sometimes without even knowing it. The amount of knowledge a modern systems administrator has to have in order to do the job well is enormous, and grift exists because bad information exists: the signal-to-noise ratio in technical marketing is so poor that skilled IT people simply don’t have the time or bandwidth to separate the proverbial wheat from the chaff.
You rely on IT pros to know how the sausage is made and to give you the bullet-points of a new technology, a systems migration, or even a new device. It’s troubling to think even a lot of the people who work in the industry are confused and overwhelmed by the sheer amount of conflicting and low quality information there is now. The Internet serves to democratize access to knowledge, but at the same time amplifies junk. Tech people tend to gather with other tech people and they’re usually not especially aware of the average person’s tech experience. Knowledge siloing is a problem among experts in any trade, wherein small communities form within a discipline and a relative few people end up knowing about one crucial element of a certain technology, while a few others know about another element. This is something that tech professionals and tech enthusiasts deal with on a daily basis. Tech marketers straddle a gulf that exists between engineers and garden variety marketers, tending to lean more toward the marketing side than the engineering. This isn’t a bug, it’s a feature: for all their skill, engineers tend not to be very good at translating spec sheets into easily digestible language for the general public. As a result, an ad for a new cybersecurity product that proclaims it’s the only security product your company will ever need is not telling you the truth. Security concepts like zero trust are important, but they are not ends unto themselves; as with all aspects of IT, cybersecurity is ever-evolving and demands multiple working pieces. An integrated, set-and-forget security system for your computers will never exist. If a company promises you a box that can sit in your server rack and protect your network from every threat, all without paying a security professional to manage it, they’re more interested in selling you something than they are in securing your corporate network. It is true, though, that cybersecurity is much different than it was 20 years ago. 
We have smartphone-enabled multifactor authentication, automation and orchestration tools, machine learning, artificial intelligence, and other things that make life for security professionals and customers easier. What we don’t have, however, is a single device or “killer app” that can mitigate your company’s risk from things like ransomware or denial-of-service attacks. Cybersecurity still requires that your employees be engaged and aware of their own security practices. It requires training and people won’t like it because good digital hygiene takes effort and is sometimes frustrating. But the payoff is that, by doing the right things, we at Geek Housecalls, you, and your employees can minimize your company’s downtime and reduce your risk of a costly security breach. Get in touch with us today to see how we can give you the best security solution, rather than the easiest one.

  • The Price of Paywalls

    In SMB (small-to-medium business) and enterprise IT, locking hardware and software features behind paywalls is a common practice. This is a great model from the perspective of hardware and software vendors, but not so much for smaller clients whose IT budgets generally aren’t as vast. Feature paywalling increases recurring revenue for vendors and, when done right, creates a segmented product or feature stack that never gives customers more than they paid for. At Geek Housecalls, we see this mostly in business/enterprise IT, but the practice is becoming more common in consumer IT as well. Consider Internet-connected security cameras from the likes of Ring, Wyze, and Nest: you can use the cameras without paying for a subscription, but the manufacturers know you probably want to unlock those exciting paid features. In fact, most people who buy these smart devices do opt for paid subscriptions in order to realize the utility of their device. In the case of Wyze, which sells a variety of smart devices, including network cameras, smart locks, and doorbells, the hardware is enticingly inexpensive while the subscriptions are where Wyze sees bigger profit margins. A Wyze Cam v3 starts at $29.99, while its Cam Plus Pro subscription runs $3.33 per month when billed annually. The service may seem to come in at a radically low price, but when you consider that a home might use four or more Wyze cameras for outdoor security, the subscription spending adds up quickly. Meanwhile, in the enterprise, consider Fortinet, known for its hardware firewall appliances, intrusion prevention systems, and cybersecurity services. A five-year license for its FortiGate 100F firewall appliance runs a staggering $21,896. This license includes FortiGuard 360 Protection and ASE FortiCare, which are a security-services subscription bundle and a premium support contract, respectively, rather than standalone software.
Broken down by year, that’s $4,379.20, which may be well worth the expenditure in a larger organization, but then again a larger organization may find that the FortiGate 100F hardware itself isn’t appropriate for its size. Pricing models like these, which are easily digested by larger organizations, tend to alienate medium-sized organizations which need the hardware’s capabilities but can’t necessarily afford the service subscriptions that the hardware all but requires. Smaller organizations can get away with using consumer or prosumer networking hardware, but as your employee count grows, so do your IT demands. $4,400 a year in software licensing for one piece of hardware could be a big hit to a medium-sized business’s bottom line; we understand why managers and executives of these businesses are so reluctant to buy into enterprise hardware. My own belief about this practice of locking away software features behind considerable paywalls is that it’s often a predatory business practice. Does it make sense in larger enterprise environments where service-level agreements and high uptime are absolutely critical? Yes. But most businesses in the United States are small businesses. According to the United States Small Business Administration, as of 2020 there were 31.7 million small businesses in the country, comprising 99.9% of all businesses. These businesses also account for 40.3% of private-sector payroll. In addition, only 35% of small businesses survive for 10 or more years. Even in good times, keeping a small business growing and in good financial standing is tough, but when externalities like high inflation and decreasing access to capital are factored in, running a small business becomes a Herculean task (ask me how I know). Geek Housecalls doesn’t serve the large enterprise; they have their own massive IT departments and budgets that would make the average person’s eyes water.
We work exclusively with small and medium-sized businesses. We understand that making payroll and reinvesting in the business is a higher priority than spending on IT. That notion might seem to run counter to our business model of selling IT services to businesses, but we believe that enabling clients to spend less time thinking about their technology problems is the real value here. Our hourly rates aren’t the lowest or the highest in the area–we believe demonstrated value more than justifies the rates we charge. We also believe that giving clients the hardware they bought, full stop, is the best practice for our clients and for us. If we installed a complete network solution for a client and then told them, “sorry, you’ll need to pay us another $4000 a year to unlock WiFi security”, the client would rightly be reluctant to ever work with us again. Practices like these alienate clients, which might be an acceptable outcome for the big IT players like Cisco who enjoy something of a monopoly in their industry, but it’s not acceptable to us. When we write a project proposal, the quote you receive includes the full functionality of the hardware you buy. If a vendor we purchase from wants to sell us hardware lockouts and ‘premium’ features, we look elsewhere. If your IT budget is spiraling out of control and you feel like you’re not getting the value you deserve, get in touch with Geek Housecalls today and let’s work together to install the right solution for your business.

  • The Right to Repair and Shocking Amounts of Waste

    The consumer electronics industry is, and has always been, built on the need to manufacture demand for more stuff. Why do you need an iPhone 14 when you bought the iPhone 13 a year ago? Because Apple needs more money, and the billions electronics manufacturers spend on advertising every year speak to this. But what of your old iPhone? Apple, Best Buy, Staples, and others advertise electronic waste drop-off services at their stores, or by mail, with the promise that your discarded electronics will be responsibly dismantled and safely disposed of or reused, as appropriate. The reality of e-waste recycling, however, is not much different from the reality of our plastics recycling programs: mostly, our crap is shipped to a poor country and there's very little "responsibility" anywhere in the process. As The Verge describes in its coverage of Total Reclaim, a large Pacific Northwest e-waste company, e-waste handed off to domestic recyclers often ends up shipped across the ocean, where it is destructively dismantled and few, if any, of a device's components or raw materials are reused. In the cases where raw material is reprocessed from an old device, it is often extracted by burning. Burning circuit boards (PCBs), electrolytic capacitors, integrated circuits and other components releases lead, cadmium and mercury, along with dioxins, hydrocarbons and other heavy metals, into the air, soil, and groundwater. Such burning is also extremely detrimental to human and animal health: routine exposure to heavy-metal particulates alone is known to cause cardiovascular and pulmonary disease, in addition to neurodegenerative disorders and other central nervous system damage. The Global South, increasingly, is where the developed world sends its e-waste.
These developing countries' governments, desperate for the monetary opportunity that processing e-waste provides, are all too eager to accept these agreements with Western nations. Recycling companies in these same developing countries are not known for strict safety measures (if they abide by any at all), and the workers at these recycling plants bear the true cost of the electronics industry's need for growth. As an article by the University of Toronto describes, exposure to polybrominated diphenyl ethers (PBDEs) in particular causes extremely serious negative outcomes for the human thyroid, as well as neurodevelopmental deficits and various cancers. They write, "PBDE emissions are highest in areas of China, India, Bangladesh and Western Africa, the researchers say. Emissions take place mostly while these products are being recycled, often done in small backyard workshops with minimal safety standards. Wania says some emissions happen during the manufacture and use of consumer goods, but the vast majority occur at the end of a product's life cycle. Emissions in China from 2000 to 2020 were approximately 300 tonnes, with about half of that linked to imported e-waste. By comparison, PBDE emissions in Europe during that time were only about 5.5 tonnes, with more than 100 tonnes offloaded to other parts of the world. Studies show that exposure to PBDEs are likely to cause serious negative health consequences in animals and humans. While there’s a global restriction on new products containing the chemicals, existing consumer products will be used and recycled over decades." Such export of e-waste from developed nations, which should have the facilities and resources to process that waste responsibly, constitutes further exploitation of the Global South.
In countries like Ghana, children are tasked with extracting gold and other precious metals from electronic devices; exposure to the particulate form of heavy metals, as well as to volatile aromatic compounds like toluene and benzene, is especially harmful to the developing nervous system. This is where Right to Repair comes in. The Right to Repair is a philosophical and legislative push to make repair parts, manuals and diagnostic tools for everything from laptops to farm tractors available to end users, so that they can fix their own devices. Right to Repair has gained more traction, ironically, in private industry than it has in our state and federal legislatures. In fact, a Right to Repair bill introduced in North Carolina in 2017 stalled in the House, with no progress made on ensuring customers have schematics and parts available to them to fix, rather than throw away, their electronics. In May 2022, a similar bill concerning farmers' right to repair their farm equipment was killed in the North Carolina Senate, thanks to corporate interests' lobbying to have 'right to repair' language removed from the bill. State Sen. Brent Jackson (Republican) of Sampson County argued that more study was necessary to determine whether farmers actually needed the right to repair their own equipment and said, “That way we can go to the farmers where they live and breathe and work and see what they can do. And at the end of the day, we might change something or we might do nothing.” Senator Jackson's "wait and see" approach is made stranger when you consider that he is a farmer. According to his campaign website: Brent Jackson is Founder, President, and CEO of Jackson Farming Company, Inc. in Autryville, North Carolina. Under his leadership, the company maintains thousands of acres of farmland and the wide distribution of its produce to a variety of retailers.
Jackson has used his agriculture experience to protect North Carolina’s top industry as chair of the Senate Agriculture, Environment and Natural Resources Committee, and now as chair of the Senate Appropriations Committee. As a farmer with longstanding roots in agriculture and in state government, Sen. Jackson has a powerful conduit to those in positions of power for the advancement of Right to Repair. Unhappily, some Republicans stand in the way of Right to Repair legislation because they have received generous donations from corporations like Deere & Co., producer of the stalwart John Deere line of tractors and heavy farm equipment, which has adamantly opposed empowering customers to fix their own equipment. These high-ranking Republicans have disguised their wariness of Right to Repair as fear of intellectual property theft, an argument which is flimsy at best. The Federal Trade Commission notes, in its 2021 report to Congress on repair restrictions, "Nixing the Fix", that “the assertion of IP rights does not appear to be a significant impediment to independent repair" and “considerations supporting repair . . . can nevertheless be accounted for, and woven into, intellectual property law and policymaking in a manner that preserves a space for a right to repair.” Thanks to John Deere's intransigence on the issue, the company has been hit with multiple class-action lawsuits. Deere & Co. argues that Right to Repair is incompatible with the company's computer-controlled safety features, claiming that an end user repairing their own equipment constitutes a significant risk to that user's safety while operating it. Of course, closer examination reveals that Deere's argument is mostly hogwash, designed to protect Deere's closed software-hardware ecosystem and to keep profits going up by locking farmers out of certain features via software kill switches.
Deere, through its industry and dealer associations, had even pledged to make manuals, diagnostic tools and parts available to farmers by January 1st, 2021, in order to stave off Right to Repair legislation. In the nearly two years since, no federal Right to Repair bill has been signed into law and Deere has reneged on its promises. As a consequence, farmers have looked for ways to "jailbreak" their tractors' software, much as iPhone users once installed third-party software to unlock additional features within iOS. Some have resorted to cracked Deere firmware traded online, much of it originating in Ukraine; the latest development, demonstrated in August 2022, provides root-level access to the Linux-based computer that runs the tractor's display and controls. Having root access on a Linux or UNIX-based system means the user can modify that system as they wish, with no restrictions imposed locally by the vendor (though a part that needs the vendor's servers to authorize it still needs that authorization). This may all sound absurd: that paying customers (in Deere's case, very well-paying customers) have to resort to running third-party code from Ukraine in order to fix equipment they paid for. It is absurd, and it is a direct result of the sort of legislative atrophy that pervades the American political system at every level. When all is said and done, Right to Repair affects all of us. Your car, your laptop, your phone, your thermostat, your iPad, your lawnmower are all just e-waste if corporations get their way and manage to block further legislative attempts to codify Right to Repair into law. Remember this when you write your Congressmen, and when you go to the polls. The future of ownership depends on it.

  • Can 3D Printing Democratize Manufacturing?

    3D printing, which includes the subdisciplines of FDM (fused deposition modeling), SLA (stereolithography, or resin printing), and SLS (selective laser sintering), has seen rapid evolution in the consumer and industrial spaces over the last ten years. While the technology, especially in the consumer space, is still nascent, technological advances are giving rise to faster, more full-featured, and more reliable 3D printers. What can the average person get out of this technology? As it turns out, 3D printing synergizes with many other industries, from small-scale, single-printer environments to mass-production 3D printer farms. Hobbyist woodworkers can leverage 3D printing to rapidly prototype hardware for furniture, shelving, and other functional wooden designs. Hobbyist gardeners, farmers, and botanists may find that 3D printing allows them to rapidly create and print specialized plastic fittings and adapters for hydroponic systems, or to spin up a design for a seed-starting kit and sell it for a profit. Doctors and dentists have already used industrial 3D printing technology to decrease the cost and time-to-manufacture of prosthetic devices and dental implants. The technology behind FDM printing is now even used to “print” houses, using the same basic principle that makes additive manufacturing possible. Of course, 3D printing has its limitations: plastic parts, no matter how strong, are still plastic parts. For certain applications, especially those that demand high temperature resistance or flame retardance, even exotic, so-called “engineering” or “technical” plastics are not tough enough. Enter SLM, or selective laser melting, more generally known as “metal 3D printing”, even though SLM is not the only metal 3D printing technology available today. SLM is one form of laser powder bed fusion (LPBF), in which a laser fully melts metal powder layer by layer, allowing the rapid creation of fully metal parts.
Binder jetting is a more recent development in the world of metal 3D printing, and seems poised to replace LPBF as the favored method of creating metal parts. Binder jetting is less expensive than LPBF and allows for larger production quantities, more quickly. While binder jetting may be faster than LPBF, the metal parts produced still generally require post-processing, such as depowdering, sintering, and annealing; these post-processing demands add time and complexity to 3D-printing metal, but still allow for rapid design and manufacture of parts ready to be installed in demanding environments. The average person has no need (or budget) for a metal 3D printer, but consumer-grade plastic 3D printers have reached a point at which they can be run for long periods of time, fairly reliably, without deep technical knowledge of the process being a requirement. A low-end consumer-grade FDM printer costs around $300 currently, but printers in this price range are not printers we recommend, as they aren’t reliable enough for “set it and forget it” operation, and actually tend to require that the operator have a fair degree of technical knowledge to keep the machine running.
(A timeline of 3D printing technology, source: https://infomineo.com/additive-manufacturing-africa-middle-east/)
As mentioned at the beginning of this article, 3D printing is still very much a nascent technology. While it has been around since the 1980s, 3D printing wasn’t available to the general public until the late 2000s, thanks to an English engineer and mathematician named Adrian Bowyer. Bowyer created the RepRap (replicating rapid prototyper) project with Vik Olliver at the University of Bath in 2005. The RepRap Project was monumental in opening up 3D printing to the public.
The intent behind RepRap was to create a printer that could self-replicate, to the extent that each printer could reproduce all of the printable parts needed to build another RepRap printer. Between 2005 and 2012 the RepRap Project produced 3D printer designs of different sizes and different motion systems, all pushing 3D printing closer to the public consciousness. Thanks to Bowyer’s work and the open source nature of the RepRap Project, we have what Bowyer himself envisioned when he came up with the idea for RepRap: a democratized, desktop manufacturing and rapid prototyping system that can cheaply create many of the items we need and use in everyday life. Now, 3D printing is available to many more people than ever before, with a massively lower barrier to entry than other manufacturing technologies, like injection molding. This lowered barrier to entry, combined with the relatively low cost of replacement parts and raw printing materials, is especially desirable in impoverished areas and other low-resource environments, such as Sub-Saharan Africa. Owing to the portable nature and relatively low energy requirements of a desktop 3D printer, solar power is a viable option for running a small 3D printer farm. In a medical setting, such a printer farm could produce splints, face shield hardware, and even anatomically correct models of human organs to help doctors treat patients in the field more quickly, without access to a modern medical facility or reliable electricity. There are hurdles to be overcome for the desktop/consumer 3D printing sector, chief among them printer reliability. In 2022, what the average person would consider a truly “reliable” desktop 3D printer, such as the Ultimaker S5, may cost upwards of $7,000 and require additional spending on a support contract. That same average person would likely balk at the cost, and rightly so, but at the same time would not be excited at the prospect of constantly maintaining and repairing a $300 printer.
Advances in technology and in the generally accepted design of FDM printers will bridge this gap, as has happened in other sectors. Even now, companies like Bambu Lab are integrating professional features into consumer 3D printers at attractive prices, but this is only the beginning. In ten years, the state of desktop 3D printing will no doubt be drastically different; it’s entirely possible that, before long, the 3D printer will be as common as the paper printer is today. While the technology may still sound incredibly aspirational to many, consider Adrian Bowyer’s vision in the early 2000s: democratization of manufacturing. When that part in your refrigerator breaks and the company no longer sells it, 3D printing lets you design or download and print a replacement in a couple of hours. Obscure and commodity parts alike are often substantially marked up by their manufacturers, or made intentionally scarce or difficult to find; FDM printing takes this power away from corporations and gives the user a much-needed alternative. Geek Housecalls has relied on 3D printing for two years now to design and print parts that have been in short supply because of the pandemic and supply chain failures. In spite of the frustrations caused by 3D printers breaking down and needing to be serviced, I see great potential in the technology and in the philosophy behind giving everyone access to repair and make their own stuff. This topic dovetails well with the Right to Repair Movement, which we’ll cover at a later date.

  • Why we're leaving Yelp (and you should, too)

    In another era, Yelp was an important brand in online advertising and marketing, especially for small businesses. Founded in 2004, Yelp was around before Google had fully realized its juggernaut AdWords and AdSense platforms, giving it a first-mover advantage in the crowdsourced review and digital marketing spaces. However, as time passed and more competitors entered the space, including Google with its tight integration of search, reviews and ad placement, Yelp became less and less relevant. Rather than improve its product to compete with the likes of Google, Microsoft, and latecomer Facebook, Yelp instead raised prices, instituted punitive new measures against the small businesses that used its platform, and engaged in some very unsavory business practices. To wit, in 2019 Vice reported on a then-new practice by Yelp in New York City that involved inserting a third party into phone calls between customers and local restaurants. This middleman was none other than Grubhub, the well-known food ordering and delivery platform with which Yelp had completed an important 'market integration' the year before, in 2018. Yelp's tactic involved routing customer calls to NYC restaurants through Grubhub-provided phone numbers, which then connected the customer to the restaurant while a fee was assessed for each call, whether or not that call resulted in a sale for the restaurant. Vice reported that Grubhub charged a 15-20% "referral" fee per order. New York City later banned the practice of charging fees for phone calls that don't result in orders, as of May 2020. As is now obvious, this practice resulted in restaurants essentially competing with Yelp and Grubhub for their own customers. When you consider that the same restaurants were also paying Yelp for PPC (pay-per-click) ad placement on its site, this practice looks like a conflict of interest at best and nakedly criminal at worst. But this is Yelp's new modus operandi.
Their heyday has passed, their revenues are declining, and their proverbial lunch is being eaten by search behemoths like Google and Microsoft. Rather than reformulate their approach to indexing local businesses online and connecting them to customers, Yelp's solution was to instead attack their own lifeblood: the small business owners themselves. First in 2012, then again in 2015, the CBC reported on Yelp allegedly burying positive reviews on various business's Yelp profiles and then approaching the owners of those businesses to buy ad space on the site. You may already be familiar with this approach to business, as it is historically one that organized crime has employed for centuries--it's known as a protection racket. According to the CBC's investigation, restauranteurs in Canada had complained of negative Yelp reviews being featured prominently on their Yelp pages while legitimate positive reviews were hidden and marked as "not currently recommended". Coincidentally, Yelp did the same thing to our company, Geek Housecalls. If you take a look at our Yelp page here and scroll down just past the last visible review, you'll see "13 other reviews that are not currently recommended". If you click that link, you'll find 13 reviews which are all positive. What was Yelp's rationale for this? They claim that because the reviews were left in too-short a time period, Yelp questions their authenticity, despite this being a pretty easy thing to verify. Yelp further justifies this scummy behavior in a short missive on the hidden reviews page, thusly: The software does something no human can—regularly analyze billions of data points from all reviews, reviewers and businesses to evaluate the usefulness and reliability of each review. It’s engineered to provide a level playing field for all businesses on Yelp. Having a great reputation on Yelp shouldn't be about who has the time and resources to ask the most people to write reviews. 
Great Yelp reviews and ratings should come from consumers who had a great experience that they’re inspired to tell others about. Yelp freely admits that these determinations are made by software, not reviewed by actual humans and they claim with a great sense of ego that this deeply flawed system "provides a level playing field for all businesses on Yelp". Does it? Yelp then goes on to admonish business owners who send out review reminders for past clients, as if this is accepted as a forbidden practice in the world of online reviews. Let's see what Google, master of search engine optimization and digital ad placement, has to say on the matter of businesses reminding customers to leave honest reviews: Remind customers to leave reviews: Let them know it’s quick and easy to leave reviews. Business owners shouldn't offer incentives to customers to leave reviews. You can also get customers to leave reviews if you create and share a link. Reply to reviews to build customer trust: Your customers will notice your business values their input if you read and reply to their reviews. Value all reviews: Reviews are useful for potential customers when they’re honest and objective. Customers find a mix of positive and negative reviews more trustworthy. You can always respond to a review to show the customers that you care and provide additional context. If the review doesn't follow our posting guidelines, you can request its removal. - source: https://support.google.com/business/answer/3474122?hl=en So, Google's position on the matter is that reminding customers to leave honest feedback is a best practice for businesses with an online presence. Yelp, on the other hand, does not support this school of thought, probably because it cuts into their ability to push good reviews into a digital black hole and feature the few negative ones in a bid to extort ad money from local businesses. 
This is why Geek Housecalls is leaving Yelp and moving our advertising presence to Google, Bing, and Facebook. You may have recently received an email reminding you to leave your honest review of Geek Housecalls, which is exactly what we want: honesty. Yelp could take a lesson from that.

  • Do you trust your smart home?

    Much has been written on the subject of IoT (Internet of Things) security, or rather the lack thereof. According to research by Trend Micro, as of 2020 the average U.S. household had access to 10 connected (IoT) devices. When we talk about the Internet of Things, we mean devices in the following categories:

- Smart devices, such as WiFi-connected thermostats, refrigerators, and LED fixtures or light bulbs: generally, any Internet-connected device that collects, stores, or sends data to the Internet. These devices are collections of sensors and radios and may consist of many discrete components, such as 802.11 WiFi radios, temperature and humidity sensors, air pollution sensors, sound meters, and so on.

- IoT gateways, which serve as intermediaries between individual IoT endpoint devices and the Internet. Think of a gateway as a data broker: it connects to smaller, less complex wireless devices and aggregates their data in order to forward it to a cloud service. An IoT gateway may have multiple wireless radios, such as 802.11 (2.4/5GHz) WiFi and the 433MHz radios many household IoT devices use to communicate with one another.

- Cloud or on-premises servers, which are typically bigger and more powerful, consume more energy, and perform more tasks than single-function IoT devices.

There are broadly accepted best practices for securing Windows and Linux servers and client PCs, because both ecosystems are mature and established. That isn't to say Windows and Linux systems administration is easy; to the contrary, since most of the world runs on Windows and Linux, these two platforms are constantly targeted by malware. But what about the Internet of Things?
The Internet of Things consists of many thousands of different devices, produced by different manufacturers, with different security standards, different (often proprietary) software, and firmware that may contain actively exploited bugs or other functional issues the manufacturer may never fix. Consider the following common security issues with IoT devices:

- Poor out-of-box security and improperly configured access control: many IoT devices ship with the same default username and password across every unit manufactured, such as 'admin'/'admin' or 'user'/'password'. The manufacturer may assume the end user will change these default credentials, but let's face it, the average person isn't going to do that. Any would-be attacker with a modicum of computer savvy can discover these poorly secured devices on a user's wireless network, log in with the published defaults, and use the device to reach other, more sensitive segments of that network.

- Root privileges out of the box: another common issue with IoT devices is a single level of account privilege, which grants essentially root-level access to whoever sets up the device, alongside services that themselves run as root. With no separation of privilege, a bug in any exposed service hands an attacker full control of the device, from which they can run arbitrary (probably malicious) code and attack other devices on the host network.

- Large attack surface: many IoT devices expose multiple services, such as an unencrypted web server on port 80, an encrypted web server on port 443, an SSH server on port 22, and so on, and some open those ports to the Internet automatically through UPnP on the home router. The more services a device exposes, the more vectors an attacker can use to compromise the device or the host network.

- Outdated software, with no further software or firmware updates: inexpensive IoT devices aren't known for long software support cycles. Once a device is manufactured, the manufacturer is probably working on its next piece of hardware rather than dedicating the resources needed to update the software and firmware of existing devices. This lack of timely updates contributes immensely to a device's susceptibility to attack; both white-hat and black-hat hackers continually probe these devices and the software and firmware that runs them for exploitable bugs. If a bug isn't patched and an exploit spreads in the wild, devices can and will become compromised, ending up in botnets or serving as the entry point for ransomware on the host network.

- Zero encryption: IoT devices are notorious for storing sensitive information, credentials included, on the devices themselves in plaintext, that is, without encryption. IoT devices communicating with one another or with an IoT gateway may also send information in plaintext, which makes a Man-in-the-Middle (MitM) attack trivial to execute. Weak encryption is better than none, but weak or home-grown algorithms and short keys can be broken, exposing the credentials and data they were meant to protect and giving an attacker a way onto the device and from there onto the host network. Robust, standard encryption is a requirement for a modern IoT device.

- Application exploits: applications running on IoT devices can also become attack vectors. IoT devices are typically just general-purpose computers, using off-the-shelf ARM systems-on-chip (SoCs) or low-power x86 processors made by Intel or AMD. As such, they can run a wide array of software, and the problem is worsened by a lack of code-signing enforcement or a trusted execution environment on the device itself. In addition to the vulnerabilities that may exist in the device's firmware and operating system, more vulnerabilities likely exist in the applications that run on the device, creating a system with many possible points of entry for an attacker.

- Poor privacy controls: IoT devices such as security cameras store and process sensitive video and audio recordings of users' homes and businesses. It's incumbent upon the device manufacturer to ensure the user understands which data is stored locally, which data is sent to the Internet, how the user can control that data, what the manufacturer will do in the event of a security breach, and how the user can opt in or out of the cloud services and information sharing the manufacturer provides. Is this usually the case? No. Privacy controls on modern IoT devices are still a nightmare.

- No intrusion detection or alerting: if an unauthorized user accesses an IoT device, many devices will never alert the owner. At that point, the attacker could be accessing sensitive information on the user's network and the user would be none the wiser. This ties into the access control issue discussed above and is a crucial component of IoT security.

So what do we do with this information? The first thing you, as the consumer, must do is avail yourself of online resources and vet the companies that make the devices you intend to buy. If you can't get answers to the points outlined above, you shouldn't buy that company's hardware. If the manufacturer can't demonstrate a history of regularly updating its devices' software and firmware, you shouldn't buy from that company. This may limit your choice of devices, but you'll also find reputable manufacturers who do take security seriously, like Cradlepoint and Fortinet (Geek Housecalls is not affiliated with any company mentioned in this article). Additionally, setting up your own home network correctly is crucial to IoT security. When deploying IoT devices, best practice is to partition them from the rest of your network. How do we accomplish this? With VLANs (virtual local area networks).
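Before deciding what to partition, it helps to know what each device actually exposes. The following is an added example, not code from the original post: it parses the grepable output of an nmap scan of an IoT segment and flags, per device, the checklist items above that are visible from the network: plaintext management and telemetry services, exposed remote shells, and the size of the attack surface. The scan output is constructed for illustration and the addresses and hostnames are assumptions; running `nmap -sV -oG iot.gnmap 192.168.20.0/24` against your own IoT segment produces real input of the same shape.

```python
"""Triage an nmap grepable (-oG) scan of an IoT network segment.

Added example, not code from the original post. Parses the one-line-per-host
grepable format, then maps each open service onto the checklist items that can
be observed from the network: plaintext services, remote shells, attack surface.
"""
import re
from dataclasses import dataclass, field

# Constructed sample output (hostnames and addresses are assumptions), as
# produced by: nmap -sV -oG iot.gnmap 192.168.20.0/24
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG iot.gnmap 192.168.20.0/24\n"
    "Host: 192.168.20.11 (doorbell.lan)\tStatus: Up\n"
    "Host: 192.168.20.11 (doorbell.lan)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http//lighttpd 1.4.35/, 554/open/tcp//rtsp///\t"
    "Ignored State: closed (997)\n"
    "Host: 192.168.20.12 (thermostat.lan)\tStatus: Up\n"
    "Host: 192.168.20.12 (thermostat.lan)\tPorts: 443/open/tcp//ssl|https//nginx/, "
    "8883/open/tcp//ssl|mqtt///\tIgnored State: closed (998)\n"
    "Host: 192.168.20.13 (fridge.lan)\tStatus: Up\n"
    "Host: 192.168.20.13 (fridge.lan)\tPorts: 22/open/tcp//ssh//Dropbear sshd 2012.55/, "
    "80/open/tcp//http///, 1883/open/tcp//mqtt///\tIgnored State: closed (997)\n"
)

# Services whose protocol carries credentials or content in the clear.
PLAINTEXT_RISK = {
    "telnet": "plaintext remote shell",
    "http": "plaintext web interface",
    "rtsp": "plaintext video stream",
    "mqtt": "plaintext telemetry",
    "ftp": "plaintext file transfer",
}
# Services that hand out a shell; the first place to check for default credentials.
SHELL_SERVICES = {"ssh", "telnet"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    name: str      # nmap service name; TLS-wrapped services appear as "ssl|<name>"
    version: str

    @property
    def base_name(self) -> str:
        return self.name.split("|")[-1]

    @property
    def encrypted(self) -> bool:
        return "ssl" in self.name.split("|") or self.base_name in {"https", "ssh"}


@dataclass
class Host:
    addr: str
    name: str
    services: list = field(default_factory=list)


def parse_gnmap(text: str) -> dict:
    """Return {address: Host} for every host nmap reported."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else nmap emits
        addr, name, rest = m.groups()
        host = hosts.setdefault(addr, Host(addr, name))
        for column in rest.split("\t"):
            if not column.startswith("Ports: "):
                continue
            for entry in column[len("Ports: "):].split(", "):
                # Fields: port/state/protocol/owner/service/rpc info/version
                port, state, proto, _owner, svc, _rpc, version = entry.split("/")[:7]
                if state == "open":
                    host.services.append(Service(int(port), proto, svc, version))
    return hosts


def triage(host: Host) -> list:
    """Map a host's open services onto the checklist items visible from the network."""
    findings = []
    for s in sorted(host.services, key=lambda s: s.port):
        if not s.encrypted and s.base_name in PLAINTEXT_RISK:
            findings.append(f"{s.port}/{s.proto} {s.base_name}: {PLAINTEXT_RISK[s.base_name]}")
        if s.base_name in SHELL_SERVICES:
            banner = s.version or "no banner"
            findings.append(f"{s.port}/{s.proto} {s.base_name}: remote shell exposed "
                            f"({banner}); verify default credentials were changed")
    findings.append(f"{len(host.services)} open ports")
    return findings


def report(hosts: dict) -> dict:
    """Return {address: findings} for every scanned host."""
    return {addr: triage(h) for addr, h in hosts.items()}


if __name__ == "__main__":
    for addr, findings in report(parse_gnmap(SAMPLE_GNMAP)).items():
        print(addr)
        for f in findings:
            print("  -", f)
```

In the constructed sample, the thermostat comes out clean (TLS on both its services), while the doorbell exposes telnet, an unencrypted web interface and an unencrypted video stream, and the fridge exposes SSH with a 2012-era banner plus plaintext MQTT. The version banners nmap collects with `-sV` are the quickest way to spot the "no further updates" problem from the outside.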
Some consumer-grade wireless routers support VLANs out of the box, but this tends to be a business- or enterprise-oriented feature. It is very much worth spending the extra money on a business-grade router that supports this functionality (and, for wireless devices, an access point that can map a separate SSID to the IoT VLAN). By giving your IoT devices, like your smart thermostat and Internet-connected refrigerator, their own virtual network within your home network, you prevent those devices from being used to attack the rest of your network should they be compromised. For example, an attacker who compromises your WiFi-connected doorbell would fail to discover your MacBook or network storage server, since they sit on a different VLAN. One caveat: a VLAN by itself is only a separate broadcast domain. The isolation holds only if the router's firewall blocks traffic from the IoT VLAN into the trusted VLAN while still allowing replies to connections the trusted side initiates; many routers route freely between VLANs by default, so check the inter-VLAN rules rather than assuming them. Devices within the IoT VLAN can also still reach one another, so a compromised doorbell can still attack the thermostat. Even so, this is much less bad than the alternative of an attacker using your IoT device as a 'jump box' to the rest of your home network, wreaking havoc in the process.

Staying on top of security updates is also critical, no matter which IoT devices you use. Manufacturers often provide an 'automatically install updates' option in the device's user interface, and it should always be enabled; you may encounter a bug here and there by installing updates as soon as they become available, but that is vastly preferable to delaying updates and being hit with an IoT exploit. Firmware updates matter just as much. On a PC, firmware controls how the hardware interacts with the operating system, for example how a temperature sensor or Bluetooth radio is driven; on most IoT devices the firmware image is the operating system and every application on it, so the firmware update is the security update. Keeping firmware current ensures that bugs affecting both the hardware and the software stack are addressed in a timely fashion. Of course, managing the ever-growing number of things on our networks can become cumbersome, especially in business environments.
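To make the caveat concrete, here is an added example (not code or configuration from the original post) that models a router's inter-VLAN forwarding policy the way nftables or iptables evaluate it: the first matching rule wins, reply traffic of an accepted connection is allowed by connection tracking, and anything unmatched falls through to the chain's default. It runs the same set of flows through a flat "route everything" configuration and through a segmented one. Interface and VLAN names, subnets and addresses are assumptions, and the connection-tracking model is deliberately simplified to source/destination pairs.

```python
"""Model of an inter-VLAN forwarding policy for an IoT segment.

Added example, not code or configuration from the original post. Mirrors the
first-match, stateful semantics of a router firewall's forward chain
(nftables/iptables). Segment names, subnets and addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed layout: trusted LAN on vlan10, IoT on vlan20, upstream on wan0.
SEGMENTS = {
    "vlan10": ipaddress.ip_network("192.168.10.0/24"),  # laptops, NAS
    "vlan20": ipaddress.ip_network("192.168.20.0/24"),  # doorbell, thermostat
}


def interface_for(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "wan0"  # anything not in a local segment is reached via the uplink


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    iif: Optional[str] = None    # ingress interface, None matches any
    oif: Optional[str] = None    # egress interface, None matches any
    established: bool = False    # only match reply traffic of an accepted flow

    def matches(self, iif: str, oif: str, is_reply: bool) -> bool:
        if self.established and not is_reply:
            return False
        return self.iif in (None, iif) and self.oif in (None, oif)


class ForwardPolicy:
    def __init__(self, rules, default="drop"):
        self.rules = rules
        self.default = default
        self.conntrack = set()  # (src, dst) of accepted flows; real conntrack keys on 5-tuples

    def verdict(self, src: str, dst: str) -> str:
        iif, oif = interface_for(src), interface_for(dst)
        if iif == oif:
            # Traffic within one VLAN is switched, never routed, so the router's
            # forward chain never sees it: IoT devices can still attack each other.
            return "accept (same segment, not filtered by the router)"
        is_reply = (dst, src) in self.conntrack
        for rule in self.rules:
            if rule.matches(iif, oif, is_reply):
                action = rule.action
                break
        else:
            action = self.default
        if action == "accept" and not is_reply:
            self.conntrack.add((src, dst))
        return action


# What many consumer routers do out of the box: route freely between VLANs.
FLAT = ForwardPolicy(rules=[], default="accept")

# Segmented policy, equivalent to an nftables forward chain with "policy drop":
#   ct state established,related accept
#   iifname "vlan10" oifname "vlan20" accept    trusted devices may manage IoT
#   iifname "vlan20" oifname "wan0" accept      IoT may reach its cloud service
SEGMENTED = ForwardPolicy(
    rules=[
        Rule("accept", established=True),
        Rule("accept", iif="vlan10", oif="vlan20"),
        Rule("accept", iif="vlan20", oif="wan0"),
    ],
    default="drop",
)

DOORBELL, THERMOSTAT = "192.168.20.11", "192.168.20.12"
LAPTOP, NAS = "192.168.10.5", "192.168.10.20"
CLOUD = "203.0.113.10"  # documentation-range address standing in for the vendor's cloud


def isolation_check(policy: ForwardPolicy) -> dict:
    """Verdicts for the flows that matter once the doorbell is compromised."""
    policy.conntrack.clear()
    return {
        "laptop -> doorbell (manage it)": policy.verdict(LAPTOP, DOORBELL),
        "doorbell -> laptop (reply to the above)": policy.verdict(DOORBELL, LAPTOP),
        "doorbell -> nas (pivot)": policy.verdict(DOORBELL, NAS),
        "doorbell -> cloud (its own service)": policy.verdict(DOORBELL, CLOUD),
        "doorbell -> thermostat (lateral, same VLAN)": policy.verdict(DOORBELL, THERMOSTAT),
    }


if __name__ == "__main__":
    for label, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(label)
        for flow, result in isolation_check(policy).items():
            print(f"  {flow}: {result}")
```

Under the flat policy every flow is accepted, including the doorbell reaching the NAS. Under the segmented policy the laptop can still open the doorbell's web interface and receive its replies, the doorbell can still reach its cloud service, and the pivot to the NAS is dropped. The last row shows the limit of the approach: doorbell-to-thermostat traffic never crosses the router, so segmenting IoT from the trusted network does nothing for IoT-to-IoT attacks.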
That's why Geek Housecalls offers a full suite of IoT security tools and managed network services to ensure your own Internet of Things doesn't run amok. Get in touch today to find out how we can secure your devices, your networks, and give you some much-needed peace of mind.

  • Never have a single point of failure

    In our increasingly connected world, it's getting harder to avoid Internet-connected devices. The Internet of Things is here to stay. As a consequence, businesses and home users alike need to consider both how to secure these devices and how to keep them reliably connected to their local networks. For businesses, the challenges presented by the growing complexity of networking are real. When you rely on your security system, point-of-sale terminals, cordless phones, and store computers being constantly connected to the Internet, essentially any downtime becomes a nightmare. Twenty years ago, we still had landline phones and manual credit card processing as failsafes if the Internet went down; today, few businesses are equipped to handle a network outage, whether the outage is local or on the Internet provider's end. In many cases these small businesses either don't have the budget for additional hardware or simply haven't reviewed their IT infrastructure in a while.

More often than not, when a small business loses network or Internet access, the reason is a single point of failure somewhere in its IT systems: a device or link with no backup, whose failure takes everything behind it offline. Consider a small business with a wireless access point/router/modem combo unit supplied by its Internet service provider. It might have an Ethernet switch connected to this device, which in turn connects to everything else in the business: desk phones, wireless access points, printers, barcode scanners, and so on. If the single Ethernet cable connecting the switch to the modem fails, everything in the shop goes offline. If the switch itself fails, everything goes offline. If the ISP has an outage, everything goes offline. Worse yet, smaller businesses tend to rely on ISP-supplied hardware alone, which is rarely robust enough to handle guest WiFi networks and the demands of many connected devices. These cheap, consumer-grade devices rarely support VLANs (virtual local area networks) and the more advanced security features that businesses need.

Redundancy is key in many aspects of life, but especially when it comes to the devices and services on which your livelihood depends. I've never been an advocate of overspending on hardware, though many IT service providers will try to convince you that throwing money at a technical problem is the best solution. At Geek Housecalls, I advocate strategic IT spending: getting the most bang for your buck. Of course, I could make more money by selling $80,000 Cisco switches to medium-sized companies that don't need them, but in my opinion that's a great way to lose clients. Often, a relatively small investment of a few hundred to a few thousand dollars can net big improvements in your business's network redundancy, so you aren't left hanging if one switch goes offline, one cable fails, or even if your primary Internet service provider experiences an outage.

By combining a landline Internet connection with a cellular (4G/5G) connection through an affordable dual-WAN (wide area network) router, you'll be able to keep your business running even if your main Internet connection goes down. Two details make or break this setup: the router's health check must probe something beyond the ISP's own gateway (the gateway usually still answers when the ISP's upstream is down), and it must wait for several consecutive failures before switching and several consecutive successes before switching back, or a flapping line will bounce your traffic between links all day. Likewise, by installing two less expensive Ethernet switches rather than one expensive switch, and giving each its own uplink to the router, you've improved your local network's resiliency: a switch failure takes down half the floor rather than all of it, and important resources stay available to you and your employees. When budgeting for this kind of redundancy in your business or home IT systems, consider that a redundant Internet connection can often be had for as little as an additional $40 a month, or less if your bandwidth needs are lower. This is the kind of strategic spending I'm referring to when I say "don't overspend on IT". What's most important, more so than agonizing over hardware choices, is having a reliable IT partner that's available when you need them.
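The failover behavior described above, as an added example that is not code from the original post or from any router vendor: a small health-check controller that fails over to the cellular link after three consecutive missed probes and fails back only after ten consecutive good ones. Interface names are assumptions, and the probe results are a constructed sequence so the example runs offline; on a real router each probe would be an ICMP or HTTP check of an external host sent out the primary interface, and each transition would replace the default route.

```python
"""Dual-WAN failover controller with hysteresis.

Added example, not code from the original post or any router vendor. Models
the health-check logic of a dual-WAN router: fail over to the cellular link
after several consecutive missed probes, fail back only after a longer run of
good probes so a flapping line does not bounce traffic between uplinks.
Interface names are assumptions; probe results are injected so it runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class FailoverController:
    primary: str = "wan0"        # landline uplink (assumed interface name)
    backup: str = "wwan0"        # cellular uplink (assumed interface name)
    fail_threshold: int = 3      # consecutive misses before failing over
    recover_threshold: int = 10  # consecutive successes before failing back
    active: str = field(default="", init=False)
    transitions: list = field(default_factory=list, init=False)
    _fails: int = field(default=0, init=False)
    _oks: int = field(default=0, init=False)

    def __post_init__(self):
        self.active = self.primary

    def observe(self, tick: int, primary_reachable: bool) -> str:
        """Record one probe of the primary link and return the uplink now in use.

        The probe must target a host beyond the ISP (an ICMP or HTTP check to a
        public address, sent out the primary interface); the ISP's own gateway
        usually still answers while its upstream is down.
        """
        if primary_reachable:
            self._oks += 1
            self._fails = 0
        else:
            self._fails += 1
            self._oks = 0

        if self.active == self.primary and self._fails >= self.fail_threshold:
            self._switch(tick, self.backup)
        elif self.active == self.backup and self._oks >= self.recover_threshold:
            self._switch(tick, self.primary)
        return self.active

    def _switch(self, tick: int, uplink: str) -> None:
        # On a real router this is where the default route is replaced
        # (for example "ip route replace default dev <uplink>"); here we log it.
        self.active = uplink
        self.transitions.append((tick, uplink))


# Constructed probe history, one entry per health-check interval.
PROBES = (
    [True] * 5 + [False] + [True] * 4   # a single lost probe: a blip, not an outage
    + [False] * 6                       # a real outage: fail over on the third miss
    + [True] * 4 + [False] * 2          # the line flaps while recovering: stay on cellular
    + [True] * 12                       # ten good probes in a row: fail back
)


def simulate(probes, **kwargs):
    """Run the controller over a probe history; return it with the per-tick uplink."""
    ctl = FailoverController(**kwargs)
    timeline = [ctl.observe(tick, ok) for tick, ok in enumerate(probes)]
    return ctl, timeline


if __name__ == "__main__":
    ctl, timeline = simulate(PROBES)
    print("transitions:", ctl.transitions)
    print("intervals on cellular:", timeline.count(ctl.backup))
```

With the constructed history the controller switches exactly twice: to cellular at the third consecutive miss and back to the landline only once ten good probes have accumulated, so the single lost probe and the flap during recovery cause no extra transitions. The asymmetry between the two thresholds is deliberate: failing over late costs a few seconds of outage, while failing back too eagerly onto a line that is still unstable costs every open connection on the cellular link.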
I routinely hear stories from our current clients about month-plus lead times just to get Internet installed at a new home, and these long waits come from multibillion-dollar corporations that should have the manpower at their disposal to get things done quickly. I consider that unacceptable. Tech companies seem to be getting worse at earning their customers' business, and are instead taking it as a given. This is not the way. Get in touch with Geek Housecalls today for a free analysis of your home or business's IT needs and let us give you the information you need to make the right choices rather than the expensive ones.
