How to Lock Down Your iPad or iPhone For Kids
iPads and iPhones give you control over how your kids can use your devices. You can quickly lock your device to a certain app before handing it over or lock down an entire device with comprehensive parental controls.
These features are named Guided Access and Restrictions, respectively. Guided Access is ideal for temporarily handing your iPad or iPhone to a kid, while Restrictions are ideal for locking down a device your kids use all the time.
Guided Access allows you to lock your device to a single app. For example, you could lock your device to only run a specific educational app or game and then hand it to your kid. They’d only be able to use that specific app. When they’re done, you can unlock the device with a PIN you set, allowing you to use it normally.
To set up Guided Access, open the Settings app and navigate to General > Accessibility > Guided Access. From here, you can ensure guided access is enabled and set a passcode.
To enable Guided Access, open the app you want to lock the device to — for example, whatever educational app or game you want your kid to use. Quickly press the Home button three times and the Guided Access screen will appear.
From here, you can further lock down the app. For example, you could disable touch events completely, disable touch in certain areas of the app, disable motion, or disable hardware buttons.
You don’t have to configure any of these settings, however. To start a Guided Access session, just tap the Start option at the top-right corner of the screen.
If you try to tap the Home button to leave the app, you’ll see a “Guided Access is enabled” message at the top of the screen. Press the Home button three times again and you’ll see a PIN prompt. Enter the PIN you provided earlier to leave Guided Access mode.
That’s it — whenever you want to enable Guided Access, just open the app you want to lock the device to and “triple-click” the Home button.
To set up Restrictions, open the Settings app and navigate to General > Restrictions. Enable Restrictions and you’ll be prompted to create a PIN that you’ll need whenever you change your Restrictions settings.
From here, you can scroll down through the list and customize the types of apps, content, and settings you want your kids to have access to.
For example, to enforce content ratings, scroll down to the Allowed Content section. Tap the Apps section and you can choose which types of apps your kids can install. For example, you could prevent them from installing apps with the “17+” age rating.
Tap the Websites option and you’ll be able to block the Safari browser from loading certain types of websites. You can limit access to certain types of adult content or choose to only allow access to specific websites. You can customize which exact websites are and are not allowed, too.
If you wanted to block access to the web entirely, you could disable access to the Safari browser and disable the Installing Apps feature, which would prevent your kids from using the installed Safari browser or installing any other browsers.
Other settings allow you to lock certain privacy and system settings, preventing them from being changed. For example, you could prevent your kids from changing the Mail and Calendar accounts on the device. Near the bottom, you’ll also find options for Game Center — you can prevent your kids from playing multiplayer games or adding friends in Apple’s Game Center app.
The settings you choose will always be enforced until you enter the Restrictions screen in the settings, tap the Disable Restrictions option, and provide the PIN you created.
iOS still doesn’t provide multiple user accounts, but these features go a long way to letting you control what your kids can do on an iPad, whether the iPad is primarily yours or primarily theirs.
Guided Access and Restrictions will work on an iPod Touch, too. If you purchased an iPod Touch for your kid, you can lock it down in the same way.
Image Credit: Brad Flickinger on Flickr
How to Prevent Your Kids From Spending Thousands of Dollars on In-App Purchases
More than $5000. That’s how much one man’s child ran up on his credit card by playing “free” games on his iPad. Many games may be advertised as free, but they actually try to push expensive “in-app purchases.”
Some children – particularly younger ones – may not realize that the “buy more stuff” option in a free game actually adds charges to the credit card you have saved on your tablet or smartphone.
What’s an In-App Purchase?
Operating systems with app stores like iOS, Android, and Windows Phone allow apps you’ve installed from the store to use in-app purchases. For example, you could theoretically install a video store app, search for a video in the app, and then rent it. The app could use an in-app purchase to charge your credit card for the video so you could quickly pay without leaving the app. This is the concept behind in-app purchases.
Many games are shifting away from paid models, where you pay a few dollars to buy the game, to “freemium” models, where the game is available for free but requires or encourages payments to continue playing the game. This could be in the form of paying a dollar for a few more levels, but it’s usually something much worse and more expensive. Many freemium games have extremely cynical business models and push players towards spending tens or even hundreds of dollars on in-game items that may not even last very long, making these “free” games more expensive than many paid games.
Some freemium games use in-app purchases in responsible ways, but some – particularly ones targeted at children – use very unethical business models. Tap Fish, a mobile game that was once exposed by The Daily Show, is a virtual aquarium where fish die if you don’t feed them. But don’t worry – if your beloved virtual fish do die, you can resurrect them at the cost of real money. It’s not hard to see why games with in-app purchases designed for children can be extremely unethical.
iPhone & iPad
Apple’s iOS allows you to enable Restrictions for in-app purchases. You can create a passcode that you’ll need whenever someone tries to perform an in-app purchase.
- Open the Settings app and tap the General category.
- Tap Restrictions on the General screen.
- Enable Restrictions and create a password. Choose one that only you, and not your kids, will know.
- Scroll down to Allowed Content, and set In-App Purchases to Off. Your device will ask for your password every time an in-app purchase is attempted.
- Set Require Password to Immediately. This ensures that you’ll be asked to confirm each in-app purchase. The default 15 minute setting allows in-app purchases to be performed without a password in the 15 minute period after you enter your password.
Google’s Play Store allows you to create a PIN, which you’ll need to enter each time you purchase an app from the store or use in-app purchases.
- Open the Google Play store app.
- Tap the menu button and select Settings.
- Under User Controls, tap Set or change PIN and create a PIN. Choose one that your kids won’t know or be able to guess.
- Check the Use PIN for purchases option.
The Amazon Appstore on the Kindle Fire allows you to restrict in-app purchases and even disable them entirely.
- Open the Store app, press the menu button, and tap Settings.
- Tap Parental Controls.
- Tap the Enable Parental Controls checkbox. You’ll now need to enter your Amazon.com password every time you make a purchase. You can also tap Use PIN to create a PIN for purchases.
You could also tap In-App Purchasing on the settings screen and disable In-App Purchases entirely. However, they could also be re-enabled from here if you don’t enable parental controls.
Restricting in-app purchases is important if you have young children using your device. It sure beats having to explain your story to the local newspaper in the hopes that you can pressure Apple into reversing thousands of dollars in credit card charges.
Image Credit: 401(K) 2013 on Flickr
Reduce Eye Strain and Get Better Sleep by Using f.lux on Your Computer
f.lux changes the color temperature of your computer’s display depending on the time of day. Everything’s normal during the day, but f.lux users warmer colors after sunset to match your indoor lighting.
This free tool is available for Windows, Mac, and Linux, and it’s most often used on laptops and desktops. However, f.lux can also be used on iPhones and iPads if you jailbreak, and there are similar utilities available for Android.
The Theory Behind f.lux
But our computers didn’t get the message. The theory is that staring at these bright, sun-like screens — late into the night or morning, as many of us do — strains our eyes and inhibits melatonin production. Yes, some computers have brightness sensors and will adjust the screen brightness depending on how bright it is around you, but the color temperature doesn’t change.
f.lux will use warmer colors at night than during the day, making white colors appear a bit more reddish. The theory is that looking at a warmer display at night will help reduce eye strain, and — because you’re not staring at a bright, sunlight-like screen — cause your brain to secrete more melatonin and help you get to sleep earlier and sleep better.
Just look at the blue glow you see coming from a screen at night, and then compare it to the warmer, redder glow coming from a typical light bulb. f.lux aims to make that blue glow more of a reddish glow. Here’s a good illustration of the Kelvin color temperature scale, which is used to quantify color temperature.
Does It Actually Work?
We just covered the promise of f.lux, anyway. Some people just use f.lux because it makes their screens easier on the eyes, some use it because they think it helps them sleep better, and some use it for both reasons. But, obviously, we can’t just trust these claims without looking at the science behind them.
Unfortunately, there have been no scientific studies of f.lux itself. However, a variety of studies have found that being exposed to bright blue light can affect your sleep schedule. Subjectively, many of us have realized that staying on the computer staring at a bright screen late at night keeps us awake, while stepping away from that screen helps make us more tired.
f.lux’s website has information about research in the area. While we can’t say f.lux’s claims have been scientifically proven, we can certainly say they seem plausible.
How to Get Started With f.lux
f.lux is free to download and use, so you can try it out for yourself if you’re curious.
- Windows, Mac, and Linux: Grab f.lux from the official website and install it.
- iPhone and iPad: You’ll have to jailbreak your iOS device and get this software from Cydia if you desperately want it. Apple’s restrictions prevent software from doing this.
- Android: No official f.lux software is available for Android, although they say they’re working on an Android version. Similar apps like Twilight are available.
f.lux isn’t the kind of program you constantly fiddle with. Instead, you’ll want to set it up once and then mostly forget about it.
It will try to automatically detect your location, but it doesn’t work all that well. You’ll want to go into the Settings screen to enter a more precise location. You can also adjust the desired light temperatures and choose a slow transition speed, so the colors on your screen will gradually change over 60 minutes instead of 20 seconds. Remember, you won’t see any change until after sunset — or up to an hour before sunset, if you choose the Slow transition speed.
f.lux also has various extra features. For example, it can automatically adjust the colors of Phillips Hue lights in your house, as well. The Mac version can even automatically enable OS X Yosemite’s dark theme at night.
When You Might Not Want to Use f.lux
To help with this, f.lux provides an easy option that allows you to quickly disable it for an hour or for an entire night. There’s also a “Movie Mode” option that lasts two and a half hours after you enable it. As the official FAQ puts it: “We designed Movie Mode to preserve sky colors and shadow detail, while still providing a warmer color tone. It’s not perfect on either count, but it strikes a balance.”
f.lux doesn’t make any permanent changes — after you disable it, it will go back to the same color calibration your monitor was set to use.
f.lux may seem very pink at first, so be sure to stick with it for a while if you decide to give it a try. As the official FAQ puts it: “On first use, it can take a while to adjust to the halogen settings. Try adjusting the color temperature sliders under Settings until you find one you like. Start with fluorescent or halogen and change it when your eyes adjust.”
This certainly matched my experience — at first, f.lux looked very pink. After fifteen minutes, it started to look normal. And, after disabling f.lux, everything looked very blue.
HTG Explains: How Antivirus Software Works
Antivirus programs are powerful pieces of software that are essential on Windows computers. If you’ve ever wondered how antivirus programs detect viruses, what they’re doing on your computer, and whether you need to perform regular system scans yourself, read on.
An antivirus program is an essential part of a multi-layered security strategy – even if you’re a smart computer user, the constant stream of vulnerabilities for browsers, plug-ins, and the Windows operating system itself make antivirus protection important.
Antivirus software runs in the background on your computer, checking every file you open. This is generally known as on-access scanning, background scanning, resident scanning, real-time protection, or something else, depending on your antivirus program.
When you double-click an EXE file, it may seem like the program launches immediately – but it doesn’t. Your antivirus software checks the program first, comparing it to known viruses, worms, and other types of malware. Your antivirus software also does “heuristic” checking, checking programs for types of bad behavior that may indicate a new, unknown virus.
Antivirus programs also scan other types of files that can contain viruses. For example, a .zip archive file may contain compressed viruses, or a Word document can contain a malicious macro. Files are scanned whenever they’re used – for example, if you download an EXE file, it will be scanned immediately, before you even open it.
It’s possible to use an antivirus without on-access scanning, but this generally isn’t a good idea – viruses that exploit security holes in programs wouldn’t be caught by the scanner. After a virus has infected your system, it’s much harder to remove. (It’s also hard to be sure that the malware has ever been completely removed.)
Full System Scans
Because of the on-access scanning, it isn’t usually necessary to run full-system scans. If you download a virus to your computer, your antivirus program will notice immediately – you don’t have to manually initiate a scan first.
Full-system scans can be useful for some things, however. A full system scan is helpful when you’ve just installed an antivirus program – it ensures there are no viruses lying dormant on your computer. Most antivirus programs set up scheduled full system scans, often once a week. This ensures that the latest virus definition files are used to scan your system for dormant viruses.
These full disk scans can also be helpful when repairing a computer. If you want to repair an already-infected computer, inserting its hard drive in another computer and performing a full-system scan for viruses (if not doing a complete reinstall of Windows) is useful. However, you don’t usually have to run full system scans yourself when an antivirus program is already protecting you – it’s always scanning in the background and doing its own, regular, full-system scans.
Your antivirus software relies on virus definitions to detect malware. That’s why it automatically downloads new, updated definition files – once a day or even more often. The definition files contain signatures for viruses and other malware that have been encountered in the wild. When an antivirus program scans a file and notices that the file matches a known piece of malware, the antivirus program stops the file from running, putting it into “quarantine.” Depending on your antivirus program’s settings, the antivirus program may automatically delete the file or you may be able to allow the file to run anyway, if you’re confident that it’s a false-positive.
Antivirus companies have to continually keep up-to-date with the latest pieces of malware, releasing definition updates that ensure the malware is caught by their programs. Antivirus labs use a variety of tools to disassemble viruses, run them in sandboxes, and release timely updates that ensure users are protected from the new piece of malware.
Antivirus programs also employ heuristics. Heuristics allow an antivirus program to identify new or modified types of malware, even without virus definition files. For example, if an antivirus program notices that a program running on your system is trying to open every EXE file on your system, infecting it by writing a copy of the original program into it, the antivirus program can detect this program as a new, unknown type of virus.
No antivirus program is perfect. Heuristics can’t be too aggressive or they’ll flag legitimate software as viruses.
Because of the large amount of software out there, it’s possible that antivirus programs may occasionally say a file is a virus when it’s actually a completely safe file. This is known as a “false positive.” Occasionally, antivirus companies even make mistakes such as identifying Windows system files, popular third-party programs, or their own antivirus program files as viruses. These false positives can damage users’ systems – such mistakes generally end up in the news, as when Microsoft Security Essentials identified Google Chrome as a virus, AVG damaged 64-bit versions of Windows 7, or Sophos identified itself as malware.
Heuristics can also increase the rate of false positives. An antivirus may notice that a program is behaving similarly to a malicious program and identify it as a virus.
Despite this, false positives are fairly rare in normal use. If your antivirus says a file is malicious, you should generally believe it. If you’re not sure whether a file is actually a virus, you can try uploading it to VirusTotal (which is now owned by Google). VirusTotal scans the file with a variety of different antivirus products and tells you what each one says about it.
Different antivirus programs have different detection rates, which both virus definitions and heuristics are involved in. Some antivirus companies may have more effective heuristics and release more virus definitions than their competitors, resulting in a higher detection rate.
Some organizations do regular tests of antivirus programs in comparison to each other, comparing their detection rates in real-world use. AV-Comparitives regularly releases studies that compare the current state of antivirus detection rates. The detection rates tend to fluctuate over time – there’s no one best product that’s consistently on top. If you’re really looking to see just how effective an antivirus program is and which are the best out there, detection rate studies are the place to look.
Testing an Antivirus Program
If you ever want to test whether an antivirus program is working properly, you can use theEICAR test file. The EICAR file is a standard way to test antivirus programs – it isn’t actually dangerous, but antivirus programs behave as if it’s dangerous, identifying it as a virus. This allows you to test antivirus program responses without using a live virus.
Antivirus programs are complicated pieces of software, and thick books could be written about this subject – but hopefully this article brought you up to speed with the basics.
How to Test Your Antivirus, Firewall, Browser, and Software Security
So you have an antivirus guarding your system, your firewall is up, your browser plug-ins are all up-to-date, and you’re not missing any security patches. But how can be sure your defenses are actually working as well as you think they are?
These tools can also be particularly useful if you’re trying to quickly determine how secure someone else’s PC is. They can show you just how much vulnerable software the PC has installed.
Test Your Antivirus
No, we’re not going to recommend downloading a virus to test your antivirus program – that’s a recipe for disaster. If you ever want to test your antivirus software, you can use the EICAR test file. The EICAR test file isn’t an actual virus – it’s just a text file containing a string of harmless code that prints the text “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!” if you run it in DOS. However, antivirus programs are all trained to recognize the EICAR file as a virus and respond to it just as they would respond to an actual virus.
You can use the EICAR file to test your real-time antivirus scanner and ensure it’s going to catch new viruses, but it can also be used to test other types of antivirus protection. For example, if you’re running antivirus software on a Linux mail server and you want to test that it’s working properly, you can email the EICAR file through the mail server and ensure it’s caught and quarantined.
Note: it’s important to test and make sure all your defenses are correctly configured and working properly, but this can’t guarantee your anti-virus will catch every new virus. Since there are new viruses every day, it pays to still be vigilant about what you download.
You can download an EICAR test file from the EICAR website. However, you could also create your own EICAR test file by opening a text editor (such as Notepad), copy-pasting the following text into the file, and then saving it:
Your antivirus program should react as though you had just created an actual virus.
Port Scan Your Firewall
If you’re behind a router, the router’s network address translation (NAT) feature effectively acts as a firewall, preventing other computers on the Internet from connecting to your computer. To ensure that your computer’s software is sheltered from the Internet – either with a NAT router or through a software firewall if your computer is connected directly to the Internet – you can use the ShieldsUP! test website. It will perform a port scan of your IP address, determining whether ports are open or closed at your address. You want ports to be closed to protect potentially vulnerable services from the wild west environment of the open Internet.
Check Browser Plug-ins
Browser plug-ins are now the most common attack vector – that’s software like like Java, Flash, and Adobe’s PDF reader. You should ensure that you always have the latest, most up-to-date versions of all your browser plug-ins if you want to stay safe online.
Mozilla’s Plugin Check website is particularly good for this. It’s made by Mozilla, but it doesn’t just work in Firefox. It also works in Chrome, Safari, Opera, and Internet Explorer.
If you have any out-of-date plug-ins, you should update them to the latest, secure versions. If you have Java installed at all, you should just uninstall it now – or at least disable its browser plug-in. Java is subject to a constant flood of zero-day vulnerabilities and seems to spend most of its time vulnerable to attack.
Scan For Vulnerable Software
On operating systems with central software repositories (like Linux) or app stores (like iOS, Android, and Windows 8’s Modern environment), it’s easy to tell that all your applications are up-to-date with the latest released security patches. It’s all handled through a single tool that updates them automatically. The Windows desktop doesn’t have this luxury.
Secunia, an IT security company, develops a free application named Secunia Personal Software Inspector to help with this. When installed, Secunia PSI scans the software installed on your computer and identifies any out-of-date, potentially vulnerable programs on your computer. It doesn’t know about every piece of software ever created for Windows, but it does help identify software you should update.
Of course, this doesn’t cover everything. There’s no way to ensure your antivirus will catch every virus ever created — it won’t because no antivirus is perfect. There’s no way to ensure you won’t fall prey to phishing or another social-engineering attack. But these tools will help you test some of your most important defenses and ensure they’re ready for an assault.
Image Credit: David Stanley on Flickr
Who is Making All This Malware — and Why?
We’ve come a long way since the days of infected floppy disks moving between DOS computers. Malware isn’t about messing with you, joking around, or just causing damage — it’s all about profit.
To understand why all this malware is out there and why people are making it, all you have to keep in mind is the profit motive. Criminals make malware and other nasty software to make money.
If you used computers in the 90s, you remember the first mainstream computer viruses. They were often practical jokes of just proofs of concepts, created to mess with your computer and cause damage by people with too much time on their hands. Getting infected by a piece of malware meant that your desktop might be taken over by a pop-up proudly proclaiming that you’ve been infected. Your computer’s performance might deteriorate as a worm tried to send as many copies of itself out onto the Internet as possible. A particularly vicious piece of malware might try to delete everything from your hard drive and make your computer unbootable until you reinstalled Windows.
For example, the Happy99 worm, considered the first virus to spread itself via email, existed only to spread itself. It emailed itself to other computers, caused errors on your computer while doing so, and displayed a “Happy New Year 1999 !!” window with fireworks. This worm didn’t do anything beyond spreading itself.
Keyloggers and Trojans
Malware creators are almost purely motivated by profit these days. Malware doesn’t want to inform you that you’ve been compromised, degrade your system performance, or damage your system. Why would a piece of malware want to destroy your software and force you to reinstall Windows? That would only be inconveniencing you and the malware’s creator would have one less infected computer.
Instead, the malware wants to infect your system and hide quietly in the background. Often, malware will function as a keyloggerand intercept your credit card numbers, online banking passwords, and other sensitive personal data when you type it into your computer. The malware will send this data back to its creator. The malware’s creator may not even use these stolen credit card numbers and other personal information. Instead, they may sell it cheaply on a virtual black market to someone else who will take the risk of using the stolen data.
Malware may also function as a Trojan, connecting to a remote server and waiting for instructions. The Trojan will then download whatever other malware the creator wants it to. This allows a malware’s creator to keep using those infected computers for other purposes and update them with new versions of malware.
Botnets and Ransomware
Many types of malware also create a “botnet.” In effect, the malware turns your computer into a remotely-controlled “bot” that joins with other bots in a large network. The malware’s creator can then use this botnet for whatever purpose it likes — or, more likely, the botnet’s creator may rent access to the botnet to other criminal enterprises. For example, a botnet could be used to perform a distributed denial-of-service (DDoS) attack on a website, bombarding it with traffic from a huge amount of computers and causing the servers to become unresponsive under the load. Someone could pay for access to a botnet to perform a DDoS attack, perhaps of a competitor’s website.
A botnet could also be used to load web pages in the background and click on advertising links on a huge number of different PCs. Many websites make money each time a page loads or an advertising link is clicked, so these page loads and advertising link clicks — designed to look like real traffic from many different computers — can make the website money. This is known as “click fraud.”
Ransomware like CryptoLocker is an extreme example of this trend taken to its logical extreme. When it infects you, CryptoLocker will encrypt the personal files it finds on your computer with a secret encryption key and delete the originals. It will then pop up a polite, professional wizard asking you to spend money to get your files back. If you don’t pay, you’ll lose your files — but, don’t worry, they’ll accept several different methods of payment to make it convenient for you. You apparently will get your files back when you pay them — of course, because otherwise word would spread and no one would pay them. Performing regular backups can defeat CryptoLocker and we don’t recommend paying criminals their ransom, but this is a clear example of malware being for-profit. They want to cause just enough trouble for you that you’ll pay up to get them to go away.
Phishing and Social Engineering Attacks
Online threats aren’t just about malware, either. Phishing and other social-engineering attacksare now also a huge threat. For example, you might get an email claiming to be from your bank that might take you to an imposter website designed to look like your bank’s. If you enter your banking information, the attacker will be able to gain access to your bank account on your bank’s website.
These attacks are profit-driven in the same way malware is. The attacker isn’t performing a phishing attack just to mess with you — they’re doing it to gain access to your sensitive financial information so they can make a profit.
This lens can also help you understand other obnoxious types of software, like adware that displays advertisements on your computer and spyware that spies on your browsing information and sends it over the Internet. These obnoxious types of software are made for the same reason — profit. Their creators make money by serving you advertisements and tailoring them to you.
How to Avoid Installing Junk Programs When Downloading Free Software
The web is littered with traps for novice users when downloading software, from fake “Download” buttons that are actually advertisements to installers full of bundled toolbars and other junk software. Learning how to avoid the junk is an important skill.
As geeks, we know how to dodge all the junk when downloading free software for our Windows PCs. But not everyone knows how. People must be falling for these tricks or they wouldn’t still be in such wide use.
Fake Download Links
When downloading free software, the first trap you’ll encounter may be a fake download link — or multiple fake download links — on the software’s web page. You’ll often find large, brightly colored buttons with text like “Free Download” or “Download Now.” These are often just advertisement banners designed to mimic real download links, tricking you into clicking them and installing different software.
Be aware that such advertisments are trying to trick you — that’s the first step. To identify fake download links, you can generally hover your mouse cursor over the link and look at where it leads.
In the below example, the fake download link leads to a page at “googleadservices.com” — a clear advertising link. If we moused over the real download link, we’d see that it leads to elsewhere on “winaero.com”, the current website we’re on.
Additional Software Bundled on Web Pages
Even legitimate, popular software providers want to trick you into installing additional software you probably don’t want.
For example, when trying to download the Flash Player from Adobe’s official download page, you’ll find McAfee Security Scan Plus is checked by default. Users who accept the default option or don’t read it will end up with this additional software on their computers. McAfee is clearly paying Adobe for this inclusion.
To avoid this sort of thing, be careful on download pages — uncheck any additional software you don’t want to install before downloading the intended installer.
Junk Selected By Default in Installers
Software installers often bundle browser toolbars and other junk software. The developer distributes their software for free and makes some money by including this junk. Some installers may even try to change your browser’s home page and default search engine to a different home page or search engine — almost always a clearly inferior one with a worse user experience.
Don’t be fooled — the installer may say the developer “recommends” the software, but the only reason they recommend is it because they’re paid to do so. The bundled software is probably fairly bad — if it were good, you would seek it out and install it on your own.
When installing software, always be careful to uncheck any toolbars, junk software, or home page and search engine changes. It’s usually possible to disable this stuff during the installation process. Read carefully — sometimes you may have to check a box saying you don’t want to install the software or click a Decline button instead. Developers are hoping you’ll quickly click through the installation wizard and install the junk — so be careful when you install new software.
Uninstalling the Junk and Reverting Your System Settings
If you slip up and accidentally install some of this stuff, you’ll have to remove it later. While you can generally turn down the additional software by unchecking it during the software installation process, it’s often harder to remove it afterwards.
For example, the terrible Ask toolbar bundled with Oracle’s Java and other software is sneaky. After you install the software, it lies in wait for ten minutes before installing itself. If you accidentally leave it checked during the installation process and try to uninstall it right afterwards, you won’t find it there. It will only appear in your list of installed software ten minutes later.
To remove the bad software, you’ll generally just need to hunt it down in the list of installed programs in the control panel and uninstall it. A particularly bad installer might pull in multiple junk programs that you’ll have to remove. You may also have to install the toolbar or other browser extensions from within your browser. If you’re having trouble removing something, perform a Google search for it — you may need a specialized removal tool or instructions.
If an installer changed your browser’s home page and default search engine, you’ll have to change those back manually. These changes won’t be reversed, even if you uninstall the unwelcome software. Use your browser’s settings to change your home page and search engine back to your preferred choices.
If you have an infestation of particularly bad junk software, you may need to use an antivirus or antispyware program to remove it from your system.
Sadly, we probably won’t see the situation improve any time soon. Bundling unwanted software with installers has become widely accepted in the Windows software ecosystem, with companies as big as Adobe and Oracle bundling junk software along with their free downloads. Oracle even bundles the terrible Ask toolbar and other junk software along with Java security updates.
Secure Your Wireless Router: 8 Things You Can Do Right Now
A security researcher recently discovered a backdoor in many D-Link routers, allowing anyone to access the router without knowing the username or password. This isn’t the first router security issue and won’t be the last.
To protect yourself, you should ensure that your router is configured securely. This is about more than just enabling Wi-Fi encryption and not hosting an open Wi-Fi network.
Disable Remote Access
Routers offer a web interface, allowing you to configure them through a browser. The router runs a web server and makes this web page available when you’re on the router’s local network.
However, most routers offer a “remote access” feature that allows you to access this web interface from anywhere in the world. Even if you set a username and password, if you have a D-Link router affected by this vulnerability, anyone would be able to log in without any credentials. If you have remote access disabled, you’d be safe from people remotely accessing your router and tampering with it.
To do this, open your router’s web interface and look for the “Remote Access,” “Remote Administration,” or “Remote Management” feature. Ensure it’s disabled — it should be disabled by default on most routers, but it’s good to check.
Update the Firmware
Like our operating systems, web browsers, and every other piece of software we use, router software isn’t perfect. The router’s firmware — essentially the software running on the router — may have security flaws. Router manufacturers may release firmware updates that fix such security holes, although they quickly discontinue support for most routers and move on to the next models.
Unfortunately, most routers don’t have an auto-update feature like Windows and our web browsers do — you have to check your router manufacturer’s website for a firmware update and install it manually via the router’s web interface. Check to be sure your router has the latest available firmware installed.
Change Default Login Credentials
Many routers have default login credentials that are fairly obvious, such as the password “admin”. If someone gained access to your router’s web interface through some sort of vulnerability or just by logging onto your Wi-Fi network, it would be easy to log in and tamper with the router’s settings.
To avoid this, change the router’s password to a non-default password that an attacker couldn’t easily guess. Some routers even allow you to change the username you use to log into your router.
Lock Down Wi-Fi Access
To prevent this, ensure your router’s Wi-Fi is secure. This is pretty simple: Set it to use WPA2 encryption and use a reasonably secure passphrase. Don’t use the weaker WEP encryption or set an obvious passphrase like “password”.
To avoid UPnP-based problems, disable UPnP on your router via its web interface. If you use software that needs ports forwarded — such as a BitTorrent client, game server, or communications program — you’ll have to forward ports on your router without relying on UPnP.
Log Out of the Router’s Web Interface When You’re Done Configuring It
Cross site scripting (XSS) flaws have been found in some routers. A router with such an XSS flaw could be controlled by a malicious web page, allowing the web page to configure settings while you’re logged in. If your router is using its default username and password, it would be easy for the malicious web page to gain access.
Even if you changed your router’s password, it would be theoretically possible for a website to use your logged-in session to access your router and modify its settings.
To prevent this, just log out of your router when you’re done configuring it — if you can’t do that, you may want to clear your browser cookies. This isn’t something to be too paranoid about, but logging out of your router when you’re done using it is a quick and easy thing to do.
Change the Router’s Local IP Address
If you’re really paranoid, you may be able to change your router’s local IP address. For example, if its default address is 192.168.0.1, you could change it to 192.168.0.150. If the router itself were vulnerable and some sort of malicious script in your web browser attempted to exploit a cross site scripting vulnerability, accessing known-vulnerable routers at their local IP address and tampering with them, the attack would fail.
This step isn’t completely necessary, especially since it wouldn’t protect against local attackers — if someone were on your network or software was running on your PC, they’d be able to determine your router’s IP address and connect to it.
Install Third-Party Firmwares
Consumer routers are shaping up to be a perfect storm of security problems — they’re not automatically updated with new security patches, they’re connected directly to the Internet, manufacturers quickly stop supporting them, and many consumer routers seem to be full of bad code that leads to UPnP exploits and easy-to-exploit backdoors. It’s smart to take some basic precautions.
Image Credit: Nuscreen on Flickr
But Java isn’t just used for traditional applications. Back in the 90’s, Sun developed a browser plug-in that allowed you to run Java programs –or “Java applets” — inside web browsers. The Java plug-in isn’t widely used anymore, and it’s been a source of endless security problems. You do not want to run Java applets inside your browser if possible. The Java plug-in — and Java content in web browsers — has proven insecure and bad.
There’s just one Java plug-in, and it’s created by Oracle and bundled along with the Java runtime. If there’s a problem with it, you have to wait for Oracle to fix it. There’s no competition to improve it.
We’ve moved away from Java content in the browser over the years. While Java is still widely used, it’s become a dirty name when associated with web browsers. Java has also become an increasingly disliked piece of consumer software known for bundling junkware with security updates.
On the other hand, the Java browser plug-in is used on very, very few websites. If you disable the Java browser plug-in, the web will continue working normally. You’ll probably never notice you don’t have it.
Google’s Location History is Still Recording Your Every Move
The culprit is a largely ignored feature in Android called Google Location history. The actual location service isn’t unusual. It uses information like Cell IDs and Wi-Fi routers to locate and place your device. Other companies such as Apple and Microsoft use similar services for their devices.
The existence of Google’s Location history is nothing new, in fact other sources have reported it previously, but it’s still surprising how few people know or realize what it is and how it works. What isn’t surprising are the reactions to it, which usually range from “creepy” to “scary” and a few others between.
The thing about the Google Location service is that while the standard Android setup routine asks you if you want to enable it, it doesn’t inform you of the Location history option, let alone any way to opt-out of it. To be clear, the Location service is useful, and unless you’re extremely privacy sensitive, you should enable it.
Unfortunately, Google Location history is another matter altogether. Here’s what it entails, how to disable and delete it, as well as a few ideas as to how Google can better implement it into Android.
New Phone? Take a Deep Breath and Choose Wisely
Here’s the scenario: you finally take the plunge and buy yourself that shiny new Android phone, which is wonderful. It’s sleek and fast, and you just can’t wait to use it, but there’s a few things you have to do when setting it up before you can finally get to your home screen.
Pay close attention to what Google says below the Location options:
“Google’s location service uses Wi-Fi and other signal to determine location more precisely and quickly, often with lower power usage than GPS. Some data may be stored on your device. Data may be collected even when apps are running.”
GPS helps provide your device with a precise location so you can use it for stuff like routing and turn-by-turn navigation. But, it consumes a ton of battery life. The only time you ever really want to have GPS running on your mobile device is when you need it.
The Location service circumvents this problem by using signals that your device is usually using in the first place. It hones in on cell sites and Wi-Fi signals to locate your device, often very accurately. If you check out the second Location option on the setup screen, you see that it can even scan Wi-Fi signals when Wi-Fi is off, and it can do this with a minimal hit to your battery.
The problem though are the words “anonymous” and “collected.” As you will see, it is not really anonymous because it is tied to your account, and that it is collected, means that your movements are being recorded.
Cue Google Maps and Location History
To illustrate how your location data is being collected, and why you might want to be concerned, let’s look at an example. The following map is from our own Google Location history on January 7, 2014 when How-To Geek visited Las Vegas for the Consumer Electronics Show.
You see we departed from San Antonio bright and early, with a quick stop in Dallas just before noon, as indicated on the timeline below the map. The timeline peaks when we arrive in Las Vegas. If you click on the timeline, it will show you where you were and when you were there. In this case, we arrived in Vegas (or turned off airplane mode) at 2:58 PM.
If you zoom in just like you’d do normally on any Google Map, you can see all the various places we traveled that day.
Each point on the map represents where Google used Wi-Fi Positioning System (WPS) to locate this device. Each time the phone was within range of a Wi-Fi access point, it would send its MAC address and SSID to Google’s servers. Using GPS (when available) and cell ID data, it can locate where that Wi-Fi access point is, which is then collected and stored to create the history you see on the map.
It’s easy to be alarmed, but there’s absolutely nothing new about this. All of these, and the many more apps and services that have resulted from WPS are awesome and can yield some extremely useful results. For example, your phone can know when you’re at the airport, it knows from the confirmation e-mail the airline sent you that you’re leaving on x date at y time, and it can then automatically display your boarding pass so you don’t have to keep track of a paper one.
We can also see the use of maintaining a history. Let’s say you live in the suburbs and you commute to and from work at approximately the same time each day. Location history can interpret your movements and display pertinent information such as weather and traffic information so you have travel conditions in your hand before you hit the road.
Yeah, But What if You Don’t Want All That History?
Like we said, we’re hardly the first to report on this and yet, it’s surprising just how few people know that their location history is so easily available and so much about your comings and goings can be gleaned from it.
This location history is troubling not because it exists, but because users seemingly have almostno control over it. You cannot, for example, limit how long location data is retained, and it doesn’t expire automatically. Moreover, you can’t delete data from any point going backward. You can delete history for any period (from one to thirty days), or you can delete it all, but you cannot specify that you only retain history from the past day, week, or month.
Perhaps, the worst part is that it’s really easy to exploit for evil purposes.
Keep it On or Turn it Off
If you’re using an Android device, the Location services settings are easy enough to attend to, once you know where they are located and what they mean to you. You want to first open the Location settings as shown in the screenshot below.
If you want, you can simply turn off the Location settings and you’re done, at least with regard to anything on your device reporting your location. However, if you want certain apps to still be able to pinpoint your location, you can’t do that.
Luckily, the more nuanced approach is to tap “Google location reporting” for its settings.
First, you have the option to turn off Location Reporting completely. This will stop reporting location data to Google’s servers and render Location History a moot point, almost. Alternatively, you can leave location reporting enabled (recommended) and turn off Location History (preferred).
At this point, if you want to wipe your location history, you should do that by clicking on the button “Delete Location History.’
Learning to Love or Leave the Google Map Location History Database
If you’re using an Apple iOS device such as an iPhone, then you can turn off Google’s Location Reporting, but you cannot wipe your history from the device. You’ll have to do so from theGoogle Map location history page we discussed earlier. Even if you’re not using an iPhone, you may have multiple Android devices, which could all be recording a history.
Remember, you can wipe all your history, a certain period, a single day, or you can delete single individual point on the map.
Note also, you can add all points on the map (yes, there are many more than what you initially see) by clicking the link at the bottom “Show All Points.”
Attending to your Location history, regardless of the device you use, is pretty important and should be a wildly flapping red flag alerting you to just how important good account passwords and device security (locking it) really are. In any event, you owe it to yourself to scrutinize your history and get to know its features and options.
The Problem isn’t Existence, it’s Execution
The problem with the Google Location history isn’t that it exists because, to be honest, it’s kind of neat to be able to look back on your day-to-day meanderings. Further, it’s useful. Parents can use it to keep tabs on their kids, and you can track your work mileage in case you forget to check the odometer, or retrace your steps from your vacation to New York or DC.
The point is that there’s no clear indication by Google when you set up your device that it’s compiling all this history, and it doesn’t let you specifically opt-out of it, so users who don’t know otherwise are potentially storing a lot of personally (read: not exactly anonymous) sensitive data with Google.
To that end, perhaps Google should provide more transparency during setup such as adding an option to disable Location history, or simply a disclaimer informing the user as to its existence. It’s also troubling that Location history is specific to an account versus device, or at least the device’s primary account, i.e. the one you used to set it up.
The ramifications are that anyone with access to your device can add another account, turn off syncing and other apparent indications of that account, and quietly track your device from any computer with Internet access. It would a great deal more reassuring if Google would add an extra layer of security, such as an admin password or PIN, when setting up a new account, or at the very least to manipulate Location settings.
Sadly, until such a time that Location history is better advertised (more obvious) and harder to enable, it is liable to continue to elicit reactions such as “creepy” and “scary” whether deserved or not.