Category Archives: google

IBM Domino, Google, and SHA-1

There is a lot of talk these days about Google’s decision to accelerate the deprecation of SHA-1, and IBM Domino’s lack of support for SHA-2 .  Right off lets get this straight IBM absolutely should have plans to add SHA-2 support in Domino and an implementation date should be communicated ASAP.  At the same time the pressure should really be on Google to back down from what is an arbitrary deadline they announced out of the blue, and to support the previously announced 2017 date for the deprecation of SHA-1.

While it is easy to blame IBM here (and again IBM needs to communicate a date they will support SHA-2 in Domino) the immediate deprecation by Google is an arbitrary move that does not have a lot of support.

Some facts

  • Microsoft previously announced their plans to deprecate SHA-1 in 2017
  • Currently 92% of certificates on the Internet are SHA-1 signed
  • Google then decided to begin deprecating SHA-1 in November of this year
  • SHA-1 has not been compromised or hacked
  • Google as an Intermediate CA is issuing them with SHA-1 (but their deprecation policy exempts their own certificates)

 

Here is a statement from the CA Security Council 

Although the CA Security Council (CASC), comprised of the seven largest Certificate Authorities, supports migration to SHA-2, members are concerned about the impact on website users and administrators alike. Considering many users may still use software lacking SHA-2 support, primarily Windows XP SP2, and the still unknown impact on a complete SHA-1 migration, this 12 week timeline is aggressive. In addition, many devices still lack SHA-2 support, making necessary possibly unplanned and expensive upgrades.

With fall shopping season nearly here, this policy may be particularly concerning for small internet stores, which could be impacted just before the holiday rush. Because many large sites have lockdown periods leading up to the end of the year, companies that have not transitioned may find themselves restricted from making the move until January, or beyond, due to lack of SHA-2 support. Although a migration to SHA-2 is necessary as computing power increases, because of the significant impact in migration and the lack of a practical attack until 2018, the CASC members recommends thetimelines announced by Microsoft in November 2013, which deprecate SHA-1 in code signing certificates by January 1, 2016 and in SSL certificates by January 1, 2017.

If you want a clear explanation on all this, listen to what Steve Gibson has to say about it on Security Now (If it does not begin there automatically pick up the podcast at 48:37 for the SHA-1 discussion)

Making Two Factor Authentication (a little) easier

I am a big fan of Two Factor Authentication.  If you are not familiar with two factor authentication, there is a good explanation here.  I have enabled  Two Factor authentication pretty much on any account I have that supports it.

Many Two Factor implementations use the Google Authenticator app to provide the authentication code.   Setting up  the authenticator is easy, you generally scan a QR code, and then enter the code to confirm the setup.

One of the difficulties when using Two Factor authentication is setting up the Authenticator app on a new or additional device.  When you initially set up Two Factor authentication you are presented with a QR Code that is scanned by the app to automatically configure the account.   Typically to set up another device you have to invalidate the original configuration, and sometimes even disable and then re-enable Two Factor Authentication altogether.

Recently listening to an episode of This Week in Google they shared a tip so simple I don’t know why I never thought of it.  When you first enable Two Factor authentication for a given account download the QR Code image and save it somewhere securely.   Since I use Lastpass as a password manager I create a secure note which allows me to securely upload and save the QR code image.   Configuring the Authenticator App on an additional or new device is as simple as opening up the secure note and scanning the bar code.

Google Chromecast – The Good, The Bad, and the Wishlist

I have had a Google Chromecast for a couple of months now, and until recently was disappointed with it. That all changed this week when Google announced support for 10 news apps including Plex.   Previously I had used Netflix a little over Chromecast and it worked well, but I have quite a bit of content on my Plex server to watch as well.  With Plex on Chromecast it comes closer to taking over for the Roku box.   So here is my good, bad and wishlist for Chromecast

Good

  • Very easy to set up using a browser, or the app on iOS or Android
  • Works as advertised, you control the player from your device but can close the app and use other apps while the content is playing
  • App support – this was on the Bad list until this week, now it moves to the Good list for me with the new apps being supported

Bad

  • Sending display from a Chrome Tab to Chromecast – while it is labeled beta it clearly is beta does not always work as advertised and sometimes the tab just decides to leave the Chromecast

The Wishlist

  • Support for multiple networks – every time you move the Chromecast you have to set it up again, while a simple process I would love to be able to save 2 or 3 network configurations and let it just connect to what it sees at a given location
  • Ability to play content direct from a device to the Chromecast. For example be able to use locally stored content on my iPad or Android phone and send it to the Chromecast, even locally stored Plex content will not do this as Chromecast expects to connect back to the server and stream the content.  While that is how it is designed to work, being able to create just a wifi connection from device to Chromecase and stream local content would be nice especially when traveling)
  • Ability to cast anything – full PC screen, iPad or Android screen (I suspect some of this will come in a future update)

 

Overall I like the idea behind the Chromecast, and hopefully Google will continue to add support for apps (Hint: support for Amazon would be nice), and some of the other items on my wishlist, might even free up my Roku box to be used on another TV down the road.

My Google Reader Replacement(s)

After Google announced the shutdown of Google Reader in March I went through a period of denial, surely Google would change their mind.  By mid May I realized I better start looking for alternatives, and with less than a week to go until Google Reader shuts down I think I have settled on my replacements.

I check my RSS feeds on my PC, Android Phone (Samsung Galaxy SIII), and on my iPad.  Having them all in sync is probably the most important feature to me.  After trying a few alternatives here is where I landed.

PC

Feedly  – it has been around for a while working with Google Reader, but never worked for me in the past. The folks at Feedly have done an incredible amount of work in the last 100 days, and with a little time spent tweaking the preferences it is working well for me.   Some features I am missing

  • Search (for when I can’t remember where I read something)
  • Ability to display read and unread items
  • Drag and Drop sorting of feeds and categories (they can be sorted just not via drag and drop)

Given the amount of work Feedly has done so far to fill the Google Reader void I am optimistic that things like search will be addressed sooner rather than later.

Android

A while back I ditched the Google Reader app on my phone and replaced it with Press.  I was very happy when Press and Feedly announced they would work together and support Feedly in Press.  I am happily continuing to use Press on my phone, it should all be this easy.

iPad

I had been using Feedler on my iPad, but they are yet to announce any definitive plans to support Feedly so that is history, after trying a few options I settled on Newsify for the iPad.

I am aware that Feedly has native apps for iOS and Android neither of which worked for me and the way I like to read.

I may have to check out the reader that the folks at Digg have been working on, but right now it seems to be missing a large number of features in its early stages.

If you were a Google Reader where have you moved? What mobile apps are you using?

Hacked? Google Wants to Help

Here was my experience a few months ago

Oxford University Blocks Google Docs

This story caught e eye this morning, Oxford University made a decision to block Google Docs on the campus network at least temporarily for security reasons.  You can read the article for why Oxford made this decision, the key though is how they see Google’s response (or lack thereof) to Phishing attacks running in Google Docs

Unfortunately, you then need to wait for them to take action. Of late that seems typically to take a day or two; in the past it’s been much longer, sometimes on a scale of weeks. Most users are likely to visit the phishing form when they first see the email. After all it generally requires “urgent” action to avoid their account being shut down. So the responses will be within a few hours of the mails being sent, or perhaps the next working day. If the form is still up, they lose. As do you – within the next few days, you’re likely to find another spam run being dispatched from your email system.

I personally use Google docs (personally not professionally) but the lack of response, or knowing when they will respond to a security incident is pretty scary.

Google Blocks

 

Curious George and the Nexus 7

Nice Nexus 7 ad from Google featuring Curious George

Using WhatsApp Messenger with a Google Voice Number

 

whatsapp I am a big fan of WhatsApp messenger , a BBM like messengers application, which works on Android, iPhone, Blackberry, and Nokia.

WhatsApp uses your phone number as your identity, although aside from an SMS message during initial setup, no messages are actually sent via SMS. One of the only complaints I had with WhatsApp was I could not complete the setup using my Google Voice number, you know the only phone number I actually use or give out. This dramatically limited the usefulness of WhatsApp as no one could find me, and if I started a conversation I first had to identify myself.

I contacted WhatsApp support recently, and while they state that using a Google Voice number is not officially supported there is an easy way to make it work.

I successfully configured WhatsApp for Android to work with my Google Voice number, I suspect it should work the same on iOS and Blackberry.

Here are the steps

1. Install WhatsApp
2. When prompted for a phone number enter your Google Voice number
3. Allow the automatic confirmation process to fail (5 minutes on Android), while that is happening you will receive a text with a 3 digit code in your Google Voice account hang on to that
4. On the manual confirmation screen use the code received in your Google Voice account (if that does not work use the "call me" option to receive a call on your Google Voice number with a code.

That’s it, you should now have WhatsApp configured to use with your Google Voice number.

If you are already using WhatsApp here are their instructions for changing your phone number

20111031-210803.jpg

If you are using WhatsApp feel free to chat with me there.

What’s in Your Wallet?

Time will tell if Google Wallet gains widespread adoption and changes the way we pay for things, but they certainly have the right spokesman and theme for their ad campaign.

The ad is a spoof from the Seinfeld episode “The Reverse Peephole

Google Wallet

Changes to Google App Engine Pricing Shuts Down Services

Once again Google is changing their pricing.  A few months ago it was reducing the number of accounts available in the free version of Google Apps, this week Google announced significant changes to their pricing model for their App Engine.

Looks like the pricing changes are resulting in people shutting down services they are currently paying to use.  I was using PlusFeed but this just came across in my feed.

image

Maybe the time is right for IBM to release the XWorks server hinted at during AusLUG earlier this week.

IBM XWorks server announced at #AusLUG!!!less than a minute ago via web Favorite Retweet Reply