Insights For Success

Strategy, Innovation, Leadership and Security

Install iOS Update 10.3.3

General | Edward Kiledjian

As mentioned in my various articles, keeping your operating system and applications updated is a critical component of good overall security.


Apple released iOS 10.3.3 yesterday, and amongst all of the bugs it fixes, there is one nasty security vulnerability that justifies installing it now. Right now. Do it. I'll wait. Come on, we don't have all day.

Put Apple's banal-sounding description aside for a second ("A memory corruption issue was addressed with improved memory handling"). This vulnerability comes from the Broadcom BCM43xx Wi-Fi chipset (CVE-2017-9417) and allows an attacker to execute code on the targeted device with kernel privileges.

To be clear, millions of Android smartphones (e.g. HTC, LG, Nexus and most Samsung devices) are also vulnerable to the BroadPwn vulnerability. 

Google also issued the BroadPwn fix in its July patch bundle (you are receiving the security updates for your phone, right?).

Google hopes Hire gives it a better stronghold in corporations


Google sees the corporate world as an excellent cash cow and has been working hard to secure its place. Most recently we have the fruits of its labour with redesigned G-Suite offerings, the Jamboard and more.

Google is the king of data and has decided it can help HR do a better job with recruitment. Google Hire is a purpose-built solution that promises to make the entire hiring process easier and more efficient (from finding to managing).

The target customer is the small or medium organisation that may not be using any of the larger more expensive and complicated tools. 

  • A 2015 report by Bersin (Deloitte) claimed it took on average 52 days to fill a position (up from 48 in 2011) at the cost of $4,000
  • 48% of small businesses report there are few or no qualified applicants for the positions they are trying to fill (NFIB)
  • 27% of respondents believe lengthy hiring timelines are a major impediment to increasing staff headcount (Recruiter Sentiment Study 2015 2nd Half, MRI Network, December 2015)

So all in all, we can safely assume the hiring process is broken in small to medium size companies, which may equate to a nice chunk of change for Google (if it plays its cards right).

Google Hire leverages the G-Suite platform and integrates with email and calendaring. In addition to winning new business by offering innovative, cost-effective new solutions for the SMB market, it also adds value to G-Suite.

It is conceivable that a long-time Microsoft Office customer may eventually switch to Google's G-Suite if it has enough value-added features.

I have spoken to dozens of medium size start-ups that just don't want or need the big Office 365 offering and are just looking for an excuse to make the jump. It is small but targeted offerings like this that may make the difference.

You can check out the Google Hire website for more details.

Get thousands of dollars of Microsoft ebooks for free



It's Christmas in July for any tech enthusiast that loves getting "something for nothing". The books are presented in a straight text list (without pictures) and organised by category and file format.

There are no limits, conditions or restrictions. You can download one, or you can download them all.

The books will interest hardcore IT administrators or casual Windows users looking to sharpen their skills. You can click on this link to see the massive list.

Some general computing topics include:

  • An employee’s guide to healthy computing
  • 10 essential tips and tools for mobile working
  • How To Recover That Un-Saved Office Document

There are books on Azure. Books for developers. Books on SharePoint, Dynamics CRM, PowerShell, SQL Server and more.

Don't miss this opportunity. Download them now.

 

Review of HideMyAss VPN (HMA)


After writing my first VPN service review a couple of weeks ago, I asked my readers "what other VPN services" I should evaluate. A much-requested one was HideMyAss (HMA), so here is that review.

You can't evaluate VPN service providers without seeing HideMyAss. They have ads everywhere. My first experience with HMA was through a 1-month free offer provided by Anonabox.

Most security blogs and posts on review sites give HideMyAss a poor rating because they have (allegedly) turned over user log information to authorities (without putting up a fight). Others complain that the service is "feature light".

HideMyAss has a massive network of termination points (one of the biggest in the world). 

HideMyAss cost

HideMyAss has increased its prices over the years and has a single-tier plan (i.e. you don't pay for usage volume or number of connected devices).

Your commitment term determines your monthly price. At $6.99 for 12-months, they are competing with the likes of VyprVPN and ProtonVPN. HideMyAss is almost double the price of Internet Private Access (IPA), which is regarded as one of the best from a privacy-guarding perspective. Another much more popular, cheaper alternative is UnlimitedVPN.

Once a season, HideMyAss does run a 50% off promo so....

HideMyAss features

The first major feature is the sheer size of its VPN network. HideMyAss offers 720+ VPN servers in 320+ locations in 190+ countries.

Now we get to the feature-light part of our program. HideMyAss VPN supports two simultaneous connections per subscriber. ProtonVPN supports 2 with its $4 a month basic plan. VyprVPN supports five simultaneous connections with its $6.67 a month plan. VPN Unlimited is offering a $49.99 lifetime plan with five simultaneous connection support.

HideMyAss supports OpenVPN, PPTP and L2TP. 

People who buy HideMyAss aren't power users but people who are looking for a "simple" VPN solution with an extensive termination network. They support terminations in locations like Serbia and Malawi.

Is HideMyAss Secure and Private?

So many security forums and Reddit threads discuss how HideMyAss (allegedly) turns over user data to police with little pushback. The most prominent example of this accusation is a 2011 situation where it is believed HMA turned over user information for Cody Kretsinger. Cody Kretsinger was a member of LulzSec and was arrested by police for hacking Sony Pictures (he was convicted of the crime).

There are dozens of other such claims; just do a quick Google search.

Reading the End User License Agreement, you learn that HideMyAss (Privax) is a UK company and is now owned by Avast (a Czech company). The UK is not known as a haven for privacy (e.g. the Snoopers' Charter). Most UK providers must maintain rich metadata logs.

The HideMyAss privacy statement for their VPN service says "We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service. We collect aggregated statistical (non-personal) data about the usage of our mobile apps and software." HMA claims this information is kept for 2 to 3 months but the UK Investigatory Powers Act requires that this type of information be kept for 12 months.

Does HideMyAss allow Peer2Peer networking? The answer is yes for legal content and no for illegal content. Here is an example of a Reddit thread where a user claims HMA cut off his service for downloading copyrighted content. In this thread, a user called neonovo says "Yes, two dmca notices from the vpn hide my ass, which as they did not hide my ass I did some much-needed research and found btguard."

I do not condone downloading copyrighted material or breaking any laws, but knowing your VPN will (allegedly) roll over quickly is not comforting.

If you want to download torrent-based content (legal of course), you should check out the list of torrent-friendly providers maintained by TorrentFreak.

Is HideMyAss secure?

I emailed HideMyAss support asking for details about its encryption technologies and was directed to this support write-up. This write-up does not answer any of my questions about what ciphers are used and how. I believe some of their protocols (like L2TP) use pre-shared keys (which is a bad thing).

Without any additional information, I have to assume the worst and say "I don't consider HideMyAss secure at this point". My starting position is to assume technology is insecure unless proven otherwise.

I could not find DNS leak protection as an option in the Windows client, but my tests showed that it did not leak DNS information. 

HideMyAss performance

Assuming everything above didn't scare you away, you may be wondering about performance. Any time I perform a VPN test, it is done using a 100MB fibre connection (<10ms ping) with a cleanly installed and patched Windows 10 computer connected directly to the internet connection.

Some HideMyAss connections had excellent performance, and others cut my throughput by more than 50%. Through trial and error, you will be able to find the servers that work best for you, but there is no automated performance cataloguing function.

One item I will add here is the ability to get US Netflix. I test this with every VPN and Netflix never works, except this time it did with one of the US servers I tested. Since it did not work consistently, I am assuming there were a couple of IP addresses Netflix hadn't catalogued as VPN yet.

Conclusion

I don't use a VPN to hide illegal activities. I use a VPN to protect my privacy when I am using untrusted networks or from my ISP [read Your ISP is tracking you]. With everything that I learned during this review, I can't recommend HideMyAss. There are so many better options (in my opinion) that you shouldn't settle for a company that doesn't go the extra mile.

Get 7 months of Microsoft's Groove music service for $10


There's a good chance you never heard about Microsoft's very unpopular Groove music streaming service (a competitor to Apple Music, Google Music, Pandora, Spotify, Deezer, etc.).

Microsoft is determined to change the fate of this little-known offering by enticing you to subscribe with a fantastic deal: when you buy a single month of service for US$9.99, they give you two 3-month vouchers to share or use yourself.

If you are a Microsoft fanboy already paying for this service, then you are out of luck; this applies to new subscribers only.

Here is the fine print:

Offer valid 6:00 PM PT July 10, 2017 until 12:00 AM PT July 12, 2017 or while supplies last for new Groove members only. Current paying subscribers are ineligible to redeem this offer. Valid in the US only. Sign up for a 30-day Groove Music Pass at $9.99 and we will send you two tokens codes within 30 days, each good for an additional 3 months of music at no charge (for a total of 6 months). Credit card required. Upon completion of the promotional period, membership will be automatically billed as specified at signup unless cancelled. Limit 2 token codes per person. Token codes expire September 4, 2017 and must be redeemed before that date. Token codes may be used by original recipient or transferred to another eligible user. Token codes may only be redeemed once. Cannot redeemed for cash or promo code(s). May not be combinable with other offers. Void where prohibited or restricted by law. Microsoft reserves the right to modify or discontinue offers at any time.

This is unfortunately a US-only deal.

You can subscribe here