Why you should delay iOS upgrades

Today is September 9th, 2017 and iOS 11 was released! Yay! This version has several new features that Apple fanboys are going gaga over. It’s exciting, it’s new, and in about a month you should install it on your device. For years I have advocated that major iOS upgrades should be delayed at least 3 weeks. Why? Math.

This simple timeline demonstrates Apple’s history with patches for iOS upgrades:

1.0.1 was released 32 days after 1.0.0. It was a security update.
1.1.1 was released 13 days after 1.1.0. It was a major stability update.
2.0.1 was released 14 days after 2.0.0. It was a major stability update.
2.1.1 was released 3 days after 2.1.0. It was a security update.
3.0.1 was released 44 days after 3.0.0. It was a security update.
3.1.1 was released the same day as 3.1.0. It was a security update.
3.1.2 was released 29 days after 3.1.1. It was a major stability update.
4.0.1 was released 24 days after 4.0.0. It was a major stability update.
4.3.1 was released 16 days after 4.3.0. It was a security update.
5.0.1 was released 29 days after 5.0.0. It was a security update.
5.1.1 was released 61 days after 5.1.0. It was a security update.
6.0.1 was released 61 days after 6.0.0. It was a security update.
6.1.1 was released 9 days after 6.1.0. It was a major stability update.
7.0.1 was released 1 day after 7.0.0. It was a security update.
7.0.2 was released 7 days after 7.0.1. It was a security update.
7.1.1 was released 43 days after 7.1.0. It was a major stability update.
8.0.1 was released 7 days after 8.0.0. It was a security update – and was so bad they pulled it.
8.0.2 was released 1 day after 8.0.1. It was a major stability update.
8.1.1 was released 28 days after 8.1.0. It was a security update.
8.4.1 was released 44 days after 8.4.0. It was a security update.
9.0.2 was released 14 days after 9.0.0. It was a security update.
9.2.1 was released 133 days after 9.2.0. It was a security update.
9.3.1 was released 10 days after 9.3.0. It was a major stability update.
10.0.2 was released 10 days after 10.0.0. It was a stability update.
10.1.1 was released 7 days after 10.1.0. It was a security update.
10.2.1 was released 42 days after 10.2.0. It was a security update.
10.3.1 was released 7 days after 10.3.0. It was a security update.

11.0.0 was released today. How long do you think it will be before they release their mandatory security update?

With history as our guide, we can safely assume it’s going to be roughly 26 days before they release whatever security update is required of the first major release of iOS 11.

Looking at the numbers we can also see that fixes for major updates are released on average 21 days after the initial major version (n.0.x), where minor version fixes average closer to 30 days after the release of the minor version (n.n.x). If we remove the outlier (9.2.1) because it’s over 4 months and double any other period, the averages become 20 days for serious patches to major updates and 22 days for serious patches to minor updates. Again: 21 days – three weeks – becomes the minimum average for your safety.

That means you should expect a security update for iOS 11 around October 10th, 2017. Be patient. The privacy you save will be your own.


Shawn K. Hall

Another Reason Why You Need a Password Manager

This Wordfence article is a great demonstration of why using a password manager is so important.

The message the author is pushing is “these browsers suffer because it’s easy to phish them” when the reality is that the specific “vulnerability” is actually the way the Internet is designed. The weakest link for all phishing is always PEBCAK – aka, “Problem Exists Between Chair and Keyboard”. Phishing is not your typical security problem, because it’s not the computer the attacker needs to convince, it’s the person.

Don’t get me wrong, I’m not saying that there should not be some visual and functional indication for IDN domains, but the user is still going to be the weakest link. Any indicator would go unnoticed or misunderstood by most people anyway.

A better solution is to use a password manager such as RoboForm. RoboForm bypasses this issue by preventing you from authentication to the forged domains. RoboForm (and most other password managers) authenticate only to trusted domains, so even though the IDN domain may visually appear to be the same, it will not be treated as the real domain within the password manager.

See how RoboForm addresses this problem. In the first image you can see the emboldened stored credentials which will only appear if the domain is a match for the stored login.

Demonstration of RoboForm Domain Match

RoboForm Domain Match

Here we have the punycode IDN variation, which, since it is actually a different domain, has no match in RoboForm.

Demonstration of RoboForm Domain Mismatch

RoboForm Domain Mismatch

While the specific issue at hand is phishing for ways to trick the user into authenticating to a domain that appears to be the real thing using a specific cosmetic effect, there are many other ways that domains can be made to look like the real thing, and each of them still works well after this particular issue is addressed.

Using a password manager is the best and easiest way to ensure that you’re visiting the real site. It also provides strong authentication and far better passwords than you can create on your own.

Okay, now go get RoboForm.

That’s all for now folks. Keep it clean out there. 😉


Shawn K. Hall

Creating a Facebook App ID


Some plugins and content management systems require a Facebook App ID to be created in order to provide various functionality. This simple guide helps you understand the process of adding a new app with the funky website/app domains functionality that Facebook make more difficult than it probably should be.

  • The first step is to login to Facebook and visit this page.
  • Click Add a New App


  • Enter the app Display Name, Contact Email and Category. Click Create App ID


  • Click Settings, Basic


  • Click Add Platform


  • Click Website


  • Enter your Site URL


  • Click Save Changes


  • Enter your website domain(s) in App Domains


  • Click Save Changes


You’re done.

At this point the plugin or content management system you’re using will need the App ID and App Secret (which you can get by clicking “Show”)


Windows 10 Upgrade: T-minus-10

Time is running out!

Microsoft’s free upgrade offer for Windows 10 ends on the 29th. That’s only 10 days away.

If you want to install Windows 10 you need to get on the ball. I can either do it for you (recommended) which will ensure that all the security and privacy settings are set the way I recommend, or I can provide you with the installation media to install the upgrade yourself, which will make it possible to upgrade on a slower connection. If you opt to install it yourself, be aware that there will be roughly 1.5gb of updates necessary to install after the Windows 10 installation completes.

I only charge for the media ($5/dvd or $12/usb) if you plan to do it yourself, or you can bring your computer to me and I can extract the installer onto your computer at no charge.

I’m having a special right now for Windows 10 Upgrades. For $50 I’ll perform an abbreviated system diagnostics, install the Windows 10 upgrade, install Windows updates and all other necessary software updates (even for software other than Windows itself). I then tune Windows for privacy and security to reduce unnecessary exposure, improve your security and minimize bandwidth consumption (very important for slow connections). If I discover other issues (such as malware, failing hardware or licensing problems) then those could incur additional costs. I will, of course, contact you before doing anything that would incur additional costs.

This offer requires you to bring the computer to me for the upgrade. I have a very fast Internet connection, which makes the upgrade process very smooth, but it still takes between 4-6 hours for most computers. In order to perform an effective diagnostic, I prefer to have the computer overnight. If you’d rather I skip diagnostics, I can usually have it finished the same day.

Come see me at The Farmory in Columbia, or call me at 209-565-1273, anytime.

Catphishing on the Rise

In the last week I’ve had three separate Facebook friends re-friend me using new accounts. A few months ago I even had a cousin re-friend me “after Facebook sent him a million dollars and he could finally afford to create a new account!” His words, not mine. He was, of course, not actually my cousin but an impostor trying to get me to click through a third party link to infect my computer. It was kinda cute. 🙂

Clients have reported that online friends they’ve known for years are now re-friending them and asking for money to bail them out of strange situations — everything from jail to “beta testing” to solar investment loans. In all cases, contacting the person directly with their (previously known) offline contact methods (phone, text, IRL) results in first surprise, then horror, as the person realizes what has been done in their name.

And that’s the real issue here. It’s not like you’re witnessing your friends falling for a scam from an anonymous Nigerian Prince. No, they’re friending you and you (in their mind) are responsible for anything that happens to them. From that moment forward, even long after they learn it was not really you, they’ll always associate you with this event. Some won’t talk to you anymore out of embarrassment. Some will blame you as though there were some way you could have prevented their folly. In any case, you’re both harmed by a total stranger using your name.

This phenomena is called catphishing: The process of creating a fake online persona based on someone else and using it to take advantage of the target’s friends. Impersonation through, quite literally, duplicity.

Here’s the problem

She was astonished to see how her grandmother looked.

She was astonished to see how her grandmother looked.

Online service providers, such as Facebook, Google, Yahoo, Microsoft and so on, don’t exactly perform DNA testing to ensure that the guy claiming to be your neighbor really is your neighbor. If they did, nobody would use their services. Since they don’t, it’s up to you to be able to identify whether it really is your neighbor.

They don’t make it easy.

These intelligent scammers will use just about any means possible to replicate the identity of the person they’re posing as. They’ll re-use the same or similar image as their personal photo. They might crop it differently than the original that they’ve harvested from the real person’s page, but it’ll be “real”. They’ll also migrate some content, mostly copied directly from the original account, onto the new catphishing page. They’ll also copy personal details, such as dates, employment or social history, possibly even replicating the victim’s relationships with additional accounts. All it really takes, when the information is already available only a click away, is the time to copy and paste.

These types of phishing accounts are usually short-lived. Within only a few days they’ll be identified by the targets friends as a phish, though in that time dozens or even hundreds of people may be victimized. This means the attacker will have to act fast. Once they’ve created the account they’ll quickly send out many friend requests to the targets existing friends. They’ll then add or contact many, and the few that answer quickly will then be social engineered.

First a little small talk, then mentioning some great event – like being mailed a million dollars by Mark Zuckerberg, or how they just saved a bunch of money by doing something different like taking advantage of a government program or loan gimmick. They won’t waste much time getting to the pitch, though they might not be able to respond to everyone all at once so it might be a day or two before they push. When you feign interest they’ll have a link at the ready to help you “research” their pitch. It might even be a personal page on a popular site or a typo-squatted version of a popular domain. They’ll seed the idea then send you a link to infect yourself or enable you to self-hijack by posting your account information at an untrustworthy site.

While you’re giving up your information, your real friend is completely oblivious to what is happening.

So how do you protect yourself?

First and foremost, don’t just friend everyone that asks. A very effective means of security (in most things) is to let other people be the guinea pig. This means you don’t respond to friend requests or new contacts immediately. Just wait. At least a couple days, but a week or more is ideal. By this time, there’s a good chance other people would have suffered at their hands if it’s a phish, and thus the account may have either been locked or shut down by the time you are prepared to accept the friend request. Patience really is it’s own reward.

Of course, if you suspect an account isn’t legitimate, report it. Most popular websites have tools to report various contacts and requests, and these are the tools you should be using. This allows the website owner (such as Facebook) to aggregate information about these attacks to block specific types of attacks or shut down entire networks of attackers all at once, and possibly prevent some of them in the future. It’s up to you to report it properly and fully, however. Simply blocking a user will not have any effect other than eliminating their unwelcome messages to you. If you want to stop it you have to be specific in how you report it.

On Facebook you can go to the fake user account page, click the account action button (…), select Report, Report this profile, then select “They’re pretending to be me or someone I know.” Then follow the prompts.

fb-report fb-report-profilefp-report-catphish

Don’t forget to tell the person they’re claiming to be, preferably through a previously known offline contact method.

What if they’re posing as me?!

Same thing. Report them quickly and warn your friends that may have succumbed to your fake friendship.

But wait, there’s more! In most states there are laws against phishing. Here in California the law is really written only to protect businesses, but you, as a victim, can sue an impostor for a half million dollars if they pose as your business.

It doesn’t hurt to regularly search social media for your own name, too. Not your account, mind you, just your name. This will return other accounts that are using your name so you can investigate them. Even a few minutes of effort once a month can save you and your friends from a lot of hurt down the road.

Another trick is to add a Google Alert to your name for social media. This bypasses your own social account (if configured correctly) and emails you whenever your name appears on a site. First go to Google Advanced Search and fill out the form to use a search phrase such as this:

“john t example” site:facebook.com -“johntexample”

This searches for his exact name, on Facebook, but excludes his Facebook slug/username. Now go to the Google Alerts page and search for the formula you composed above. “Show options” then set the alert to contact you once per day. It’s not a perfect solution, but it might catch a phish.

Good luck, and keep it clean out there,

Shawn K. Hall