Is there a market for the Microsoft Surface – if so, where?

The first version of Microsoft’s Surface Pro was launched in February 2013. Since then, I’ve mentioned it occasionally, en passant, but have often wondered where its market lies and whether that market is large enough to sustain the product. Well, we’re now into the third version, called Windows Surface Pro 3 (natch), so either it’s starting to sell or Microsoft’s pride is as big as its pockets are deep.

The pitch from Microsoft is that it’s a tablet that does everything that your laptop will do. Hasn’t that market been snaffled by iPads and Android tablets? Up to a point, it has. You can get all the internet connectivity you like with a “normal” tablet, but there is one major function that most tablets lack and that is USB connectivity.

You can’t just plug in a USB flash drive and copy stuff between machines without engaging brain. Instead, you have to think about what facilities you have and what’s the easiest way of moving stuff. This is quite likely to be via a cloud service such as Dropbox. Life’s often less complicated if you can just connect a USB drive and do a “file copy”. Well, the Surface Pro does offer a USB port (just the one, notice) so that could be a clear advantage. A USB port also means, of course, that you can use a mouse. It also offers a micro SD card port – handy for data storage expansion, backups, and data transfer. I advise checking this out, though, as some places I looked said that the micro SD port is only present on the top-end versions.

The other major boast of Microsoft is that the Surface Pro lets you run any program that will run on a Windows 8 laptop or desktop. Now this may not arouse more than a “so what?” shrug in most people, but it could be very important to others. It means, for instance that Photoshop, Microsoft Access and Microsoft Outlook should all happily run on it – and you won’t get all those programs running on any other tablet as far as I know.

The nearest competition for the Surface in this respect will probably be the Mac Air. The Mac Air, though, is – of course – a Mac machine running OSX and not Windows. I have no doubt that it would run Photoshop and the Mac version of Outlook, but there’s no version of Microsoft Access that will run on a Mac. I would love someone to point out that I’m wrong on this (excluding running Windows under “Parallels” or other virtualization software). Also, I am aware that some versions of Office 365 now include a version of Word, Excel, and PowerPoint for the iPad. This is very useful, but you still can’t run Outlook or Access on an iPad.

So why am I bringing the subject up now? Well, a computer support client of mine found a good deal on buying the previous version of a Microsoft Surface RT and we were having fun playing with it. It’s worth repeating here that the RT version of Surface will only run the installed applications and then added “apps”. It won’t run ordinary “desktop/laptop programs”. That might sound like a fatal flaw until you learn that Microsoft Word, Excel, and PowerPoint are exceptions to this and that they are included free of charge on RT machines. That’s as much as a lot of people need as far as “serious” stuff is concerned (you can also browse the net and do email, of course).

Getting up close to a Surface for the first time, I was very impressed with the quality of the finish. It just about feels as if it’s gained something of that mysterious quality that only products from Apple usually have. The 12 inch screen might be slightly on the small side for anyone who gets tired reading small stuff and, for my money, that would be one thing that would stop me from being able to use it all day as a replacement for a laptop. You can, however, plug in a larger monitor (but that wouldn’t slide into your backpack with the slimline Surface (weighing only about 800 gms)).

I don’t want to start nit-picking, but I do think Microsoft’s boast that it’s a replacement for a laptop is a bit OTT as a laptop with only a single USB port would probably drive you mad if the Surface Pro was your only machine. USB hubs aren’t a perfect solution for this problem.

That aside, the only real gripe that I have is to do with marketing. The beautiful, thin, keyboard/cover is not included in the box (or price). You have to buy it extra and it runs into three figures. OK, so this gives the buyer the option to restrict him/herself to using the Surface just like a tablet (with the on-screen keyboard), but I can’t help feeling that the main reason for splitting the tablet from the keyboard/cover is to do with price perception.

The Surface Pro 3 is expensive. You can see the full price range of the Microsoft Surface Pro 3 here, but remember that those prices exclude £100 worth of keyboard/cover. In short, the price (without keyboard/cover) ranges from £639 to £1649 (including VAT).

At those prices, I’m having a very tough time convincing myself that I can’t live without one. Convincing myself, that is, that there’s a gap somewhere between my laptop, netbook, iPad, and smartphone that can only be filled by a Surface Pro. I think I’m just going to have to keep working on myself as there’s little doubt that it’s a very nice piece of kit that I would definitely like to own. If you are thinking of buying one, I would strongly recommend seeing it in the flesh first so that you can weigh up the quality of the finish against the possible usability drawback of the small screen. As usual, I would recommend that the obvious place to go and see one is John Lewis.

I’ve (virtually) moved…

Boris Johnson celebrates the launch of .london

The new “.london” domain suffix (also known as a TLD – top level domain) is now in full operation and I’ve spent a good part of the last week or so moving davidleonard.net to davidleonard.london.

I didn’t need a man with a van, but my domain host’s help was invaluable. His name is Lopez Shackleford and he’s been hosting my site since 2005. He also hosts the domains of some of my clients. If you are looking for someone to do any designing, building, or hosting of your website then do check him out at www.lopezshackleford.co.uk.

Why make the move?

When I first accepted that I needed a website at the end of 1999, I rejected most of the domain suffixes (eg .com, .org, .co.uk) as being inappropriate for me as a self-employed computer consultant. I registered davidleonard.net because the “.net” suffix didn’t seem to have any connotations as far as the general public was concerned. As Wikipedia says,

The name is derived from network, indicating its originally intended purpose was for organizations involved in networking technologies, such as Internet service providers and other infrastructure companies. However, restrictions were never enforced and the domain is now a general purpose name space.

There never was a domain suffix that perfectly suited self-employed people (as distinct from “companies”, “organisations” etc). The “.london” suffix is, of course, very different in that it doesn’t describe the type of entity that owns the domain. Instead it suggests some kind of geographical association. There are several reasons why I’m very happy to have made this move, including:

  • I live in London and my market is London.
  • It can’t do any harm for potential clients to see that I’m claiming an association with London.
  • London is, of course, the centre of the known universe.

Would I advise you to register a “.london” domain?

If you don’t already have a domain and are thinking of getting one, then my advice would be “why not?”

If you’ve already got a domain and wonder whether to switch, would it be worth the effort?

This is a lot harder to answer. I’ll list some of the things that I have come across in my own case. You’d need to make up your own mind whether it’s worth putting yourself through these hassles (and/or others that I have not encountered):

  • It’s going to irritate some people that I will now be sending emails from a different address.
  • The main aspects of my website transferred to the new domain without much difficulty (thanks to Lopez), but there were (and still are!) lots of links in my website that are “hard-wired” to look at the old domain. It’s a lot of manual work searching for, and changing, all these.
  • Business cards, letterheads, invoice headers, and email signatures all need changing.
  • Some things can’t be changed, so life is becoming a bit messy. For instance, I can’t change the address from which my weekly blog email newsletters are sent. This is because (a) the Google Feedburner software refused to accept the amendment I tried to make and (b) my research tells me that if I had managed to change it then my subscriber list would have been wiped out! That, I think, is what is known as throwing out the baby with the bathwater. So the email version of this blog will continue to be sent from “noreply+feedproxy@google.com; on behalf of; David Leonard – Computer Support in London (email@davidleonard.net)”
  • Other things that can’t be changed include many online accounts where the username is the old email address. In lots of cases, it is not possible to change the username.
  • Since a complete move of all emails from .net to .london is not possible, I will have to keep incurring a lot of the costs of maintaining two domains (although the website itself only exists as a single entity, accessible via both domain names. Confused?).

We’re not the first city to get its own domain suffix. I think “.paris” and “.berlin” have beaten us to it, but we’re ahead of New York (.nyc). I admit that the whole thing does have a slight whiff of naffness about it – like personalised car number plates. Still, Fortnum & Mason, KPMG, Metro Bank, West Ham FC and Harlequins rugby club have all gone for it. Apparently, GoDaddy alone lodged 40,000 registrations for .london domains up to some time before 23rd September (source: The Drum).

Conclusion: you have to make your own mind up whether it’s worth changing from an existing domain. This applies to any change from any domain to another, of course, not just because we’ve now got our own swanky domain suffix here in London. For my own part, I decided before I started this move that it would probably be the one and only domain change that I would ever undertake. I’m glad I’ve done it, but I’d need a very good reason to want to do it again.

Do PCs still have a place in a world of laptops and tablets?

Over the last few years, a lot of people have replaced PCs (consisting of system unit, monitor, keyboard, and mouse) with laptops. The reasons aren’t hard to find:

  • Laptops are much neater and take up less room than PCs.
  • The price differential has disappeared.
  • Laptops are more versatile. Would you rather watch a film on a PC at your desk or on a laptop wherever you wish to place it?
  • We don’t often need to open up computers any more to add the latest gizmo.

A lot of my computer support clients ask whether the desktop PC is disappearing. They would probably be surprised to learn that, although PC sales have been falling in recent years, the figures may have bottomed out. Worldwide shipments of PCs in the second quarter of 2014 were actually 0.1% up on the same period last year (source: Gartner).

One theory to explain this mini-revival is that a lot of people have probably replaced desktop computers running Windows XP during the second quarter of this year (as Microsoft stopped support for XP in April). I suspect that a high proportion of such replacements will have been in the business sector. I’m certainly surprised at the number of home users that I encounter who are sticking with XP machines (at least for the time being). It’s true that I haven’t yet heard of any “killer malware” that is frightening people out of using their XP machines. Nevertheless, it could happen any day and that would probably boost Windows 8 desktop sales for another few months.

Another theory that reconciles falling PC sales (over the last couple of years) with optimism about their future is that, generally speaking, we are replacing PCs less often than we used to simply because they are now good enough to run whatever is thrown at them for longer. As computers get older we notice them slowing down. Many people can’t help anthropomorphising about this: they think that computers “slow down in their old age” just as we do.

Sony All-in-One. Less visible hardware, more visible screen.

That’s not the case. It is true that Windows computers do tend to accrete a load of rubbish over time that doesn’t help performance (eg temporary internet files, any number of different fonts, redundant programs), but a bit of housekeeping can help in this respect (I recommend CCleaner but avoid registry cleaners unless there’s a known problem). The main thing that makes a computer seem slower over time has been that software gets ever more bloated. We are forever installing newer versions of browsers and other programs that are written with modern hardware capabilities in mind. Therefore, as time goes on, your hardware starts to struggle a bit with newer programs. However, Windows 7 and Windows 8 have bucked that trend by being designed to run on hardware that would run Vista. So, there’s reason to think that we need to replace computers less often because they are not being outpaced by software demands in the same way as they used to be. We’re still buying PCs – just not as often. Have a look at this link for more on this.

Another thing that may be helping desktops sales (and laptop sales as well) is that people don’t seem to be upgrading their tablets. It seems as if developments and improvements to tablets are just not sufficient to make users think they are missing something. That being the case, funds are probably more likely to be available to replace the ageing workhorse PC in the office or home. If you’d like some overkill on figures about Tablets, have a look at this link.

Devices like this HP Hybrid are blurring the distinctions. Is it a laptop? Is it a tablet?

It is true that tablets may have taken a big chunk of users’ budgets in the last couple of years, but that doesn’t mean that tablets are displacing PCs. Despite improvements in tablet software (eg Word, Excel, and PowerPoint are now available on the iPad and other tablets – see this recent blog on Office 365), it seems that most people prefer to use their tablets and smartphones for data CONSUMPTION – eg watching films, checking Facebook and Twitter, listening to music, viewing photos and so on. However, when it comes to data PRODUCTION (eg report writing, PowerPoint creation, database work, photo editing) most people head back to their laptops and desktops.

OK, so tablets haven’t knocked desktop PCs out of the game, but why haven’t laptops finished the job off?

I’m not really sure. In an office situation, I can see that a desktop PC still has certain advantages:

  • There are usually more ports (eg USB ports) than on a laptop.
  • A desktop PC can actually take up less desk space as the monitor can be permanently fixed above the desk, the system unit placed beneath the desk, and a wireless keyboard can easily be moved aside if you need all your deskspace.
  • Despite the need to get inside a computer’s case being less obvious than it used to be, a desktop PC is still more versatile in this respect.

So, there may be clear reasons why desktop PCs are holding on against laptops in an office situation, but I’m not really sure that those reasons aren’t outweighed by the flexibility of laptops in the home.

It’s clear, though, that there are plenty of reasons why “laptops/desktops” considered together should be holding their own against tablets. When my computer support clients ask me whether they should replace ageing desktops with another desktop or with a laptop, there’s no “one size fits all” answer. In giving computer advice on this, I usually stress the flexibility of the laptop over the PC. I also point out that my own experience and that of others is that tablets are probably not versatile enough to replace their bigger siblings but the choice between laptop and desktop is much less clearcut.

In conclusion, I would say that – as far as functionality is concerned – a laptop is probably as good as a desktop PC and also the “all-in-ones” that are becoming increasingly popular (possibly because they take up less space than a desktop but offer the screen size of a desktop). Don’t worry that desktops are disappearing and that you may be the last person ever to buy one! There’s no real sign that that’s going to happen any time soon. Buy whatever you prefer: the basic functionality and power is comparable between all three formats. And by all means have a tablet: they have lots of uses but they are not replacing “proper” computers.

Why would you upgrade to Office 365?

A while ago, I blogged about Office 365, pointing out that in this version you no longer purchase the software outright, but license the use of it via a monthly or annual subscription.

I have no doubt that this change is intended to increase Microsoft’s sales. Let’s face it, Microsoft Office probably does pretty well everything that you want it to do by now. My experience with my own computer support clients suggests strongly that individual users (as opposed to medium-sized or large corporations) probably don’t use more than a small fraction of the functionality already built into Office. Why buy the product again with even more bells and whistles that you don’t care about? By persuading users to take out a subscription instead of buying the software outright, Microsoft don’t need to make another sale to get more money out of you. They know that once you’ve set up a direct debit or agreed to let them charge your credit/debit card when the time comes, then you will keep paying them money. It’s much, much easier to get money out of you this way as they don’t have to sell you anything again or persuade you to take any action at all. As Del Boy used to say, “lovely jubbly”.

And, since the version of Office that you currently receive when you opt for Office 365 is, in fact, Office 2013, then why would you make the switch?

Well, I’ve looked into it again and I have now signed up for Office 365. It may or may not be a good decision for you, but here are the advantages that make it worthwhile for me – an IT Support Consultant – to make the change:

  • It’s the only way to install the latest Office on several machines with one licence. Up to, and including, Office 2010 you could buy a three-user licence of Office Home and Student for only about £10 more than a single-user version. Microsoft have removed this option from Office 2013. With Office 365 Home you can install on five different machines and can even split that between Mac and PC machines. Previously, you had to buy separate versions to install on different operating systems. There is also a version that is less expensive that includes a licence for just one computer and one tablet.
  • There are now tablet versions (iPad, Android, Windows) of Office and you can install on up to five devices as part of the same licence if you opt for the Office 365 Home version of the product. Only Word, Excel and PowerPoint are available for tablets, but this is still a very welcome enhancement.
  • There is now no distinction between “Home and Student”, “Small Business” and “Professional” versions. With Office 365 you get all the modules (including Outlook, Access, and Publisher) automatically. Lots of users might never want these modules but for those who do (including me), then the monthly (or annual) subscription suddenly becomes a much more appealing deal than if we were just talking about the “Home and Student” version.
  • Updates to the software are automatic. This is a bit of a two-edged sword. It’s nice to know you won’t have to fork out anything extra for newer versions, but it can be very disconcerting for software to suddenly change without either asking for it or wanting it.
  • The prices are quite good. Office Professional 2013 currently costs £389.99 for a single user. A subscription to Office 365 Personal (one user plus one tablet) costs £5.99 per month (about £72 per annum) or £59.99 for a single annual subscription. So, it would actually take 6.5 years of use for an outright purchase of 2013 to be a better bet than Office 365 Personal. And, if you really want to be pedantic, there are cashflow benefits to paying for it by an ongoing subscription and you are even reducing the risk of making the purchase as you could always choose not to renew an annual subscription. The best value is probably to be found in the Office 365 Home version. This includes a licence to install on five Macs and/or PCs and five tablets. It costs £7.99 per month or £79.99 for an annual subscription.
  • Depending on which version you choose, you can also receive up to 1TB (one terabyte – ie 1000 gigabytes) of Cloud storage with an Office 365 subscription. My computer support clients currently seem to be split about 50:50 on whether they think cloud storage is a good idea. The two main benefits it holds are that you have a remote backup of your data (so if your entire house and belongings suffered devastation by fire, theft, or flood, you would still have a copy of your data) and data created on one computer or device is immediately available to your other computers or devices (iPads etc).

I seem to be gradually migrating all of my data to the Cloud

I only installed 365 this week, but so far I’ve not found any reason to regret the decision. The installation even seamlessly transferred my Outlook to the 365 version – including email accounts, contacts, calendar, email messages, email signatures, email rules, and add-ins.

If you only use Word, Excel and PowerPoint (of the available modules in Microsoft Office) and only use a single computer, then my previous advice still stands – you are probably better off with Office 2013. If your needs are greater than that then it may pay to investigate Office 365 the next time you want or need to change the software.

By the way, in my earlier blog entitled Buying Office 2013 I originally said that you use the software online rather than installing it on your own computer. That was wrong and I apologise. In fact, the software installs in the normal way onto your own computer.

Do you log out of web pages or just close the window?

I notice that many of my computer support clients just close the window (or tab) when they have finished with web pages – even when the page is important and carries implications for security (such as banking sites, Amazon, PayPal, and so forth).

Is this a security risk?

It might be. If you have signed into the web page then there is definitely an implication that there’s something “private” going on, so it would probably be a good idea to get into the habit of at least considering “signing out” or “logging out” before closing the page. When you sign into a web page, that page places a cookie on your computer. When you sign out properly that cookie is invalidated. If you close the page without signing out then the cookie remains on your computer and it is just possible that it could be stolen so that someone else could log into your account.

Is it a realistic security risk?

I don’t know. I’ve been looking for some evidence that login information is actually stolen this way but can’t find any. As far as I am concerned, though, that is largely beside the point. The way that I look at it is that the potential cost of having, say, my online bank account or PayPal, or Amazon compromised is huge. Apart from the financial loss, there’s also the massive inconvenience that could be caused in cleaning the mess up (cancelling credit/debit cards, getting replacements, seeking reimbursement for fraud losses etc). It’s never happened to me, but I expect that there would also be a horrible feeling of violation – like being burgled (and I do know how horrible that feels).

How do you sign out?

It seems to have become standard practice that the “sign out” (or “log off”) button or text link is located somewhere near the top righthand corner of all web pages of the site you are signed into. If you can’t find one then click the “Home” button and look there. It’s also just possible that it’s located at the bottom of the screen amongst a lot of other links that are likely to be found there.

All of the above advice is given on the assumption that you are using your own computer or device. If you are on a public computer then it is even more important that you completely log off any sensitive site. Apart from session cookies being stolen, there is always the possibility that a public computer is infected with a “key logger” that records every single keystroke you make (including your usernames and passwords). Personally, I wouldn’t dream of logging onto my bank or even Amazon from a public computer. I can’t imagine anything being urgent enough that I would need to take the risk.

Finally, you might (rightly) think that most sensitive sites will log you out automatically if you do not use them for a period of time (ten minutes, say). Do you want to take the risk that this actually works and that no-one is going to sneak in during the ten minutes before you are logged out? Your call. As so often with computers, it’s a (largely subjective) cost/benefit analysis.
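To make the difference concrete, here is a small added example (it is not from the original post and is not any real site's code) of the record a website keeps of valid sign-in cookies, using the ten-minute figure above. The user name "alice" and all function names are made up for the illustration.

```python
import secrets

IDLE_TIMEOUT = 600  # seconds: the "ten minutes, say" figure from the text


class SessionStore:
    """The website's own record of which sign-in cookies are still valid."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # cookie value -> (username, time last used)

    def sign_in(self, username, now):
        # The site gives the browser a long random value to send back
        # with every later request; that value is the session cookie.
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (username, now)
        return cookie

    def user_for(self, cookie, now):
        """Return the signed-in user for this cookie, or None if it is invalid."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        username, last_used = entry
        if now - last_used > self.idle_timeout:
            # Automatic log-out: the site forgets the session.
            del self._sessions[cookie]
            return None
        self._sessions[cookie] = (username, now)  # any use resets the idle clock
        return username

    def sign_out(self, cookie):
        # Signing out makes the site forget the cookie immediately, so a
        # copy of it is worthless from this moment on.
        self._sessions.pop(cookie, None)


def copied_cookie_result(signed_out, seconds_later):
    """Who does the site think is calling when a copy of the cookie is
    presented `seconds_later` after the owner finished?"""
    store = SessionStore()
    cookie = store.sign_in("alice", now=0)   # constructed user name
    if signed_out:
        store.sign_out(cookie)               # owner clicked "sign out"
    # Otherwise the owner just closed the window; the site is told nothing.
    return store.user_for(cookie, now=seconds_later)


if __name__ == "__main__":
    print("closed window, copy used after 5 min :", copied_cookie_result(False, 300))
    print("closed window, copy used after 11 min:", copied_cookie_result(False, 660))
    print("signed out, copy used after 1 second :", copied_cookie_result(True, 1))
```

Closing the window leaves the cookie usable until the idle timer runs out; signing out closes that gap at once.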

Summary

Once the habit is established, it doesn’t really seem an inconvenience to log out of a website. It becomes the natural step to finish off whatever business you had with the site. I have always said that it is impossible to completely eliminate the risks of using the internet without staying away from it altogether. It’s a bit like getting run over by a bus. The only way to prevent getting run over by a bus is to stay indoors. You wouldn’t think it an “inconvenience” to look both ways before you cross a road – you just do it and, thereby, reduce the risk to an acceptable level. As far as I am concerned, the same applies to the basic, sensible steps we can take to remain reasonably safe on the internet. Signing out of websites is one of those steps.

Other pieces of advice that fall into the category of online security that I’ve mentioned before include –

  • Is that website genuine and safe?
  • Is it safe to download a file?
  • Reducing online shopping risks

Other links you may find interesting:

  • Do I really need to log out of webapps
  • Logging out of work computers

If you can’t find a text link that says “log out” or “sign out” or something similar, then look for an icon that is similar to the examples in this post.

Ever had email messages bounce back to you when you didn’t send them in the first place?

From time to time you may receive emails that appear to be notifications that an email you have sent could not be delivered. You may quite possibly receive several of these in a short space of time. This is a rather puzzling and disturbing phenomenon. Your first reaction is, quite possibly, to think that your email has been hacked and that someone is sending messages from your account. It is definitely worth changing your email password just to make sure that the account is still secure. If you can’t get into it because the password has been changed then you are in a spot of bother and you will need to contact your email provider (Gmail, or Hotmail, for instance, or your own internet provider if you use their mail servers).

Another possibility, though, is that your account is still intact and that what has happened is that someone is sending out emails from somewhere else and pretending that they came from you by changing the “from” details in the header of the email. This is called “spoofing”. They have “spoofed” your email address.

How can this happen? It could be that someone that you know has had their email hacked. Your email address has been stolen from that person’s email. The hacker then sends out emails to the email addresses found in the account, spoofing the sender’s name by taking one of the addresses found in the account (in this case, yours).

If the hacker steals, say, 50 addresses, and sends out emails to all of them then 10 may bounce. Those bounces will come to you and you will wonder what’s happening. The phenomenon of receiving bounces in this way is known as “backscatter”. So, “backscatter” is a by-product of someone “spoofing” your email address.

This is not the only way that it can occur. You will send your email address to many people over time. If you’ve created an account on a website, for instance, and given your email address (possibly as the username for that website) then your email address can be stolen if that website is hacked.
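A bounce usually carries the headers of the message that failed, and those show which servers actually handled it. The following is an added example (not part of the original post) that reads a bounce and reports whether the returned message passed through your own mail provider or only borrowed your address; the sample bounce is constructed, and every host name, address and function name in it is an assumption made for the illustration.

```python
import email
from email import policy

# Constructed bounce message (not a real one); all names are made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
To: me@myname.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

The message could not be delivered.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--BOUND
Content-Type: text/rfc822-headers

Received: from unknown-host.example (unknown-host.example [203.0.113.7])
 by mx.recipient.example; Mon, 1 Sep 2014 10:00:00 +0000
From: me@myname.example
To: nobody@recipient.example
Message-ID: <abc123@unknown-host.example>
Subject: Hello

--BOUND--
"""


def triage_bounce(raw, my_mail_hosts, my_sent_ids=()):
    """Read a bounce and say whether the failed message was really yours.

    my_mail_hosts: host names of your provider's outgoing mail servers.
    my_sent_ids:   Message-IDs from your own Sent folder, if you have them.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"failed_recipient": None, "status": None,
              "original_message_id": None, "verdict": "not_a_bounce_report"}
    original = None
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Parsed as a list of header blocks, one per recipient.
            for block in part.get_payload():
                if block.get("Final-Recipient"):
                    value = str(block["Final-Recipient"])
                    report["failed_recipient"] = value.split(";", 1)[-1].strip()
                    report["status"] = str(block.get("Status", "")).strip() or None
        elif ctype == "message/rfc822":
            original = part.get_payload(0)          # whole message returned
        elif ctype == "text/rfc822-headers":
            original = email.message_from_string(   # headers only returned
                part.get_payload(), policy=policy.default)
    if original is None:
        return report

    msg_id = str(original.get("Message-ID", "")).strip()
    report["original_message_id"] = msg_id or None
    hops = " ".join(str(h) for h in original.get_all("Received", [])).lower()
    if msg_id and msg_id in my_sent_ids:
        report["verdict"] = "you_sent_it"
    elif any(host.lower() in hops for host in my_mail_hosts):
        # It left through your provider: treat the account as suspect.
        report["verdict"] = "went_through_your_provider"
    else:
        # Your address is in "From", but your provider never saw the message.
        report["verdict"] = "spoofed_backscatter"
    return report


if __name__ == "__main__":
    print(triage_bounce(SAMPLE_BOUNCE, ["smtp.myprovider.example"]))
```

A "went_through_your_provider" result is the case where changing the password, as advised above, really matters; "spoofed_backscatter" means the account itself was not used.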

What can you do about it? There’s no way that you can actually prevent it from happening. After all, you don’t have any control over the many individuals and organisations that have your email address – legitimately or otherwise.

There are some things you can do, however, to mitigate the problem. To begin with, register a “disposable” email account with someone (Gmail or Hotmail, for instance) and use that email address for unimportant logins that you could afford to lose. Then, if that account starts getting overwhelmed with backscatter (or, indeed, other forms of spam), you can just stop using it.

If you have your own website, it is a good idea to publish a contact email address on the website that is disposable. The email address I publish on my website is only used on the website. If I start getting inundated with spam to that address (including backscatter), I’ll simply change it for another one and not check for email addressed to the older one any more.

Another thing you can do is to use the services of a site such as DoNotTrackMe. Using the email aspect of that service you can use a unique, disposable, email address when signing up for an online account. Email to that address is forwarded to you and the sender never knows your real address. If you start getting spammed or get backscatter you simply stop the emails to that address from being forwarded to your real address. I’ve been testing this for a month or two and it seems to work. I must confess, though, that I feel a bit queasy about it as I’m depending on the service provider always being there and continuing to forward masked email to my real address.

In practice – although I can’t understand why this should be the case – it seems to be usual for backscatter to happen only occasionally. You would think that the problem would get worse and worse as the bad guys keep re-using your email address, but it doesn’t seem to happen that way.

It could be that just understanding what is happening when you get backscatter will be enough for you to accept the minimal nuisance of it happening to you, without getting too paranoid about your cyberlife. In other words, just doing nothing except deleting backscatter as it arrives may be the best policy.

A follow-up to a recent post and some repeated advice

Maybe sleep a little better….

A while ago, I passed on a tip about a piece of software called f.lux (for PCs, Macs, iPhones and iPads) that makes a computer screen more “sleep-friendly” when using it after dark. It does this by keeping an eye on the time and then, at night, it suppresses a lot of the light normally emitted by the screen at the blue end of the spectrum.

I don’t know whether it’s a coincidence, but I’ve definitely been going through a phase of sleeping quite well since I’ve been using f.lux on my main laptop. The BBC picked up on this subject recently. Research shows that, on average, we are getting an hour’s sleep less per night than 60 years ago. This is partly because of the “24 hour society” in which we now live – and computers can probably take a large share of the credit/blame for that phenomenon alone. However, this is exacerbated by the amount of light that gets into our eyes in the time before going to bed. One of the researchers said

“..efficient light bulbs as well as smartphones, tablets and computers had high levels of light in the blue end of the spectrum which is “right in the sweet spot” for disrupting the body clock.”

Do give f.lux a try if you use your computer late in the evening and have trouble sleeping.

Downloading Problems

I’ve been coming across a lot of computer support clients recently who have called me in to rid their computers of “crapware” – programs that may not be out-and-out malicious, but which cause unnecessary pop-ups and warnings about “out of date drivers” and “registry errors that need fixing”. Unless you intentionally installed a program to perform these functions then ignore what they tell you and, if possible, uninstall the programs causing the alerts. The chances are that they won’t even attempt to do what they promise unless you pay for them, but you don’t find this out until after you’ve installed them (together, quite probably, with other rubbish programs and browser toolbars that they’ve slipped past you). More seriously, some of these programs can break your computer rather than fix it.

One of the most common ways that these programs get onto your computer is that you may search Google for something from a particular organisation and are then misled into thinking that a website that you visit belongs to that company. It’s easy to fool users into doing this by creating a “sub-domain” on a completely unrelated site. So, for instance, if I own a domain called “www.latestsoftwaredrivers.com” then it is easy for me to create a sub-domain called “www.canon.latestsoftwaredrivers.com”. This has nothing to do with Canon, but if you are looking for drivers for a Canon device, it is very easy to click onto this site as it looks like a perfectly reasonable and accurate result for Google to have returned if you searched for “Canon drivers”.


Only use a “registry fixer” if you have a known problem

The key is to look for the name of the site that immediately precedes the final full stop (dot) in the website name. In this case, that is “latestsoftwaredrivers”.

I know I’ve written about this before (in a blog post called “Is that website genuine and safe”), but observing clients clicking on links offered by Google shows me just how easy it is to be misled in this way. Quite often, when you click on a dodgy link that offers driver updates etc, you are then offered several confusing links to things that promise to “make your computer faster” or “fix registry errors” or “scan for system problems”. I recommend steering well clear of all such blandishments. You are more likely to invite trouble onto your computer than to resolve problems.
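The rule given above (read the name just before the final dot) can be automated. This is an added example, not part of the original post, and it also handles addresses ending in two-part suffixes such as .co.uk, where the owner's name sits one place further left. The suffix set is a constructed subset of the Public Suffix List, and canon.com and the canon.co.uk host are sample values assumed for illustration.

```python
from urllib.parse import urlsplit

# Constructed subset of two-part public suffixes, for illustration only.
# A real check should load the full Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(url_or_host):
    """Return the part of a web address that identifies who owns the site."""
    # urlsplit only finds a hostname after "//", so add it for bare hosts.
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = urlsplit(target).hostname  # lower-cased, without port or path
    if not host:
        raise ValueError(f"no hostname in {url_or_host!r}")
    labels = host.rstrip(".").split(".")
    # How many trailing labels are just the suffix (.com = 1, .co.uk = 2)?
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return ".".join(labels)  # nothing to the left of the suffix
    # The owner's name is the single label just before the suffix.
    return ".".join(labels[-(suffix_len + 1):])


def belongs_to(url_or_host, expected_domain):
    """True only if the address is owned by expected_domain itself."""
    return registrable_domain(url_or_host) == expected_domain.lower()


def check_search_results(results, expected_domain):
    """Label each result as belonging to the expected owner or not."""
    return {r: belongs_to(r, expected_domain) for r in results}


if __name__ == "__main__":
    # Constructed search results; the first host is the one discussed above.
    sample = [
        "http://www.canon.latestsoftwaredrivers.com/download",
        "https://www.canon.com/support",
        "https://support.canon.co.uk/drivers",
    ]
    for address, ok in check_search_results(sample, "canon.com").items():
        print(f"{registrable_domain(address):30} {'OK' if ok else 'NOT canon.com'}")
```

The third address is reported as not matching canon.com even though the name "canon" appears before the suffix, because the comparison is against one exact expected domain rather than a brand name found anywhere in the address.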

Recent publicity seems to have woken people up to the dangers of Cryptolocker

I’m still seeing lots of references to the security measures we should take to protect ourselves against Cryptolocker and a lot of my computer support clients are also asking for my advice as to whether they are adequately protected. If you don’t know what I’m referring to, have a look at these two blogs:

GameOver Zeus and Cryptolocker
Cryptolocker

The main area of inadequate protection that I am finding amongst my computer support clients is the lack of an “offline” backup.

What is an offline backup? We refer to stuff being “online” if it is connected to your main system – ie directly connected to your laptop or desktop computer or connected to your local network via your router. Stuff that is “offline” is likely to be either:

  • A USB thumb drive (also known as a “memory stick” but that is actually a proprietary name of a Sony device) that is not plugged into your computer at the moment
  • A DVD or CD
  • An external hard drive that is not connected to your computer at the moment
  • In “the cloud” (eg on Skydrive, or iCloud).

The point here is that Cryptolocker is capable of detecting drives that are currently connected (“online”), so this would include a currently connected USB drive or external hard disc. Your backup needs to be detached from your computer at the time of an attack by Cryptolocker to ensure that it remains safe (ie it must be “offline”). The only exception that I can think of is that anything you have burned to a CD or DVD is safe even if the disc is in the CD/DVD drive, provided that the media is of the “read” type rather than “read/write”. This is because, by definition, data can only be burned once onto a DVDR or CDR disc, so Cryptolocker won’t be able to replace your data with an encrypted version.

Backups that are “in the cloud” are probably not directly accessible by Cryptolocker. I am not certain about this, but I can’t find any reference to cloud backups being vulnerable by virtue of them being “online”. However, there is a very big “but” here in that if your backups to the cloud are managed by a programmed schedule (as opposed to backups only being created manually on an ad hoc basis) then your backups could be at risk as a result of the schedule deleting your previously good backup and replacing it with files that have been encrypted by Cryptolocker.

One way to get over the problem of cloud backups being overwritten with encrypted files would be to establish another cloud account and then to periodically copy the backup data from the first cloud account to the second cloud account. If this backup is not created by a schedule then files encrypted by Cryptolocker will not over-write a good backup with an encrypted one.

Another step that can be taken to add a layer of security to your backups is to take a backup onto an external drive (hard drive, USB “memory stick”, or even CD or DVD) and then ask someone to keep this safe for you in their premises rather than your own. I advise doing this. It has always been a good practice, but, in reality, I’ve only ever been able to persuade a very few of my computer support clients that it is a practice worth adopting. This “off-premises” backup becomes, in effect, an “archive”. An archive is a backup that is not over-written with a later backup. So, for instance, you may archive your annual accounts. This means that whatever happens in the future you should always be able to access that particular year’s accounts because the backup never gets overwritten with a later one.


How safe is your data?

These “archives” don’t get updated (that’s what distinguishes them from backups), so they probably won’t include the very latest data if you suffer an attack from Cryptolocker. Nevertheless, they do provide you with a “worst case scenario” of the very least that you can expect to be able to recover if you should have a disaster such as a Cryptolocker attack. The other main reason for taking an “offsite backup” is that it also provides a layer of security against something disastrous happening to the location of your main system and backups – eg fire, theft, or flood.

However many levels of backup you introduce, you will only be absolutely sure that a usable backup exists if it’s there and it works when you need it. I’m afraid there are no absolute guarantees in this area. I think it’s one of those areas of computing where you have to make up your own mind how much time and effort you put into safeguarding your data. My own impression, though, is that – on average – my computer support clients probably do not pay enough attention to creating adequate backups and I suspect that it would be quite reasonable to extrapolate from that to say that most people, generally, are probably more vulnerable to losing data to the likes of Cryptolocker than they would like to be. As they say up North – think on!
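The difference described above between a backup that gets over-written and an archive that never does, together with the point that a backup only counts if it works when needed, can be shown in a short script. This is an added example rather than anything from the original post; the folder names, the "2014-06" label and the file contents are constructed, and the manifest file name is an assumption of this sketch.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_archive(source, archive_root, label):
    """Copy source into a new, labelled archive folder; never overwrite one."""
    dest = Path(archive_root) / label
    if dest.exists():
        raise FileExistsError(f"archive {label!r} already exists; use a new label")
    shutil.copytree(source, dest)
    listing = manifest(dest)
    if listing != manifest(source):
        raise OSError("copy does not match the source")
    # Keep the checksums beside the archive so it can be re-checked later.
    (Path(archive_root) / f"{label}.manifest.json").write_text(json.dumps(listing, indent=1))
    return dest


def verify_archive(archive_root, label):
    """Return the archived files that are missing or altered since archiving."""
    root = Path(archive_root)
    recorded = json.loads((root / f"{label}.manifest.json").read_text())
    current = manifest(root / label)
    return sorted(name for name, digest in recorded.items() if current.get(name) != digest)


def demo():
    """Constructed data: a small documents folder archived to a second location."""
    with tempfile.TemporaryDirectory() as tmp:
        docs, archives = Path(tmp, "documents"), Path(tmp, "archives")
        (docs / "accounts").mkdir(parents=True)
        (docs / "accounts" / "2013.txt").write_text("annual accounts 2013")
        (docs / "letter.txt").write_text("dear sir")
        make_archive(docs, archives, "2014-06")
        # Later, the live copy of a file is replaced with unreadable content.
        (docs / "letter.txt").write_bytes(b"\x00\x01unreadable")
        try:
            make_archive(docs, archives, "2014-06")  # what a blind re-run would attempt
            overwritten = True
        except FileExistsError:
            overwritten = False
        damaged = verify_archive(archives, "2014-06")
        restored = (archives / "2014-06" / "letter.txt").read_text()
        return overwritten, damaged, restored


if __name__ == "__main__":
    print(demo())
```

Running the verification step from time to time, not just at the moment the archive is made, is what tells you the copy is still readable before you need it.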

It is essential to remove your private data from the hard drive before disposing of a computer, as there are programs that can bring deleted data back from the dead

Following on from last week’s blog, that looked at protecting your data by retaining the drive, how do you clean your data off a drive so that the machine is still usable by someone else but without them being able to access your data?

If you always store your data in the locations recommended by Windows and by your programs, then all of your data will be in folders (or sub-folders of those folders) that belong to the signed-in user. Deleting the data for that user is simply a matter of removing that user.

Since there must always be at least one user this means that you need to create a new user (with administrative rights), log into that new user, and then delete the user(s) whose data you wish to remove. The precise method of doing this varies by operating system, but in Windows you need to go into the “Control Panel” and then “User Accounts”. For goodness sake, please ensure that you are satisfied that you have backup copies of anything important before doing this.

If you do not always store your data in the recommended places then there may be other data dotted around the drive that will not be removed by this process. There is no automatic process whereby you can click a button to remove all of this: you just have to hunt around the drive for it and delete it manually using Windows Explorer (or “File Explorer” as it is now known). This can be made a bit easier by using the “search” option in Windows to look for the most common types of data that may be present. Some of these are:

doc – Word documents before Office 2007
docx – Word documents from Office 2007 onwards
xls – Excel spreadsheets before Office 2007
xlsx – Excel spreadsheets from Office 2007 onwards
pst – Outlook data file
jpg – image files
tif – image files
pdf – Adobe portable document files
mp3 – compressed music files

However, even when you have deleted the files they are still physically present on the drive.

The only thing that “deleting” does is to inform Windows that it can re-use the space occupied by the file. So, to obliterate the files, we need to run a special program that over-writes deleted files with random (or, at least, pseudo-random) data. Just in case you are even more pedantic than I am, I should just mention here that a simple, one-pass, over-write could just possibly be reversed. In other words, it’s possible in theory that a single pass will not completely obliterate your data. However, let’s assume that you’re not so paranoid that you think that the CIA or someone is after your data. In that case, a single pass of the simplest form of over-write will probably do.

There are many programs out there that will “scrub” your drive in this way, such as:

  • Eraser
  • Ccleaner – this is an excellent program for removing lots of the temporary files and rubbish that accumulate on a Windows computer. It includes an option for wiping free space clean

Note that it can take quite a long time for these programs to work their way right through a drive. If you were to ask me to ensure that your drive is clean before disposing of your computer I would carry out the above steps, probably leaving you (or ending the remote control session) after starting the “wipe” process as it’s very reliable and wouldn’t need any overseeing by me (or by you, for that matter).

Quite often, my computer support clients are a bit nonplussed as to why “deleting” files doesn’t just do what it says.

The answer is “efficiency”. I like to explain it by using an analogy. Remember VHS recorders and tapes? When you have finished watching the contents of a tape you might very well strike out the contents of the label. This tells you that you have watched the tape and can re-use it. In your mind, you would think of that tape as “having nothing on it”. However, you haven’t actually deleted the contents: you’ve just given yourself a reminder (by striking through the label) that the tape is available for re-use.

Imagine how tedious it would be if you had to go through a lengthy “delete” process that wipes the tape clean before you could record something else onto it. This is exactly how digital computer files are over-written and that is why lots of your old “deleted” stuff might still be on your drive long after you thought you’d sent it to data heaven. This way of doing things is far more efficient during your ownership, and only becomes a consideration when it’s time to dispose of the computer.

By the way, exactly the same situation exists when disposing of mobile phones. I seem to remember a bit of a fuss fairly recently when it transpired that some mobiles’ options to “restore to factory condition” don’t actually over-write existing data – they just re-install the operating system so that the phone looks as if it’s brand new. In case of doubt when disposing of a mobile phone, I would recommend taking it to your telecomms provider’s shop and asking them for advice.

There has been much publicity in the last few days about the Heartbleed Bug

What is it?

It’s not a virus or malware that can affect your computer. Rather, it is a vulnerability in the coding used by many websites that are meant to be secure as they encrypt the data passing in and out (the web page address of supposedly secure web pages begins with https and not just http. Also, depending on your browser, you will probably see a padlock somewhere on the browser indicating that you are accessing a secure page).

The Result

The result of this vulnerability is that hackers can learn the usernames and passwords of people logging into the site as well as the content of the data passing between that user and the compromised website.

The Implications

The biggest implication that seems (rightly) to be getting most coverage is not the fact that you should change your password on sites that are known to have been hacked (such as Mumsnet), but that you should also change the password on any other logins that you have that use the same combination of username and password.

Think about it

If someone has just learned that you use a particular combination of username (that is probably also your email address) and password on one website, then they might try the same combination on other sites that you might use. They might try your bank, but I don’t think that your username and password will be enough credentials to do your online banking any harm. They could try your username and password on Amazon or they could see if you use those combinations for webmail (Gmail or Hotmail, for instance). If they can get into your email then they can try the old trick of sending emails to all your contacts, saying you’re in Spain and have been mugged and please send some money. If they’ve got into your email then that could give them access to goodness knows how much other information about you. They can then change the password on your account, locking you out.

So, it’s not just a case of changing your password on one website when that website has been compromised by Heartbleed. To protect yourself as much as you can, you need to change that password on every account that uses it with that username. This is one very good reason why you shouldn’t use the same password on different websites. Some websites and blogs are advising that you change ALL of your online passwords, irrespective of whether you have been advised that the site may have been hacked and irrespective of whether you use the same password on many sites. Personally, I think it unrealistic to think that anyone’s going to follow that advice, but I would definitely advise my computer support clients to change all instances of any password that has been used on a site known to have been compromised by Heartbleed.

Since this bug was discovered, vulnerable sites have, of course, been applying the necessary patches to close the vulnerability so, by the time you read this, it’s not likely that very many major websites will still be vulnerable. That does not mean we are all safe and can forget about it! How many sites have been attacked but the owners haven’t advised their members? How many sites have been attacked but the owners haven’t yet realised? How long before the bad guys find another, similar, vulnerability?

Like anyone else who writes – or talks – about the subject of passwords, I have always warned people not to use the same password wherever they go. I’m not going to repeat what I’ve said in previous blogs on the subject, but here are the links:

Personally, I manage passwords with a program called eWallet Go. It is available for Android, iOS, Windows, and Mac. This solution won’t suit everyone as not everyone is prepared to use The Cloud to store a datafile of passwords (encrypted, of course).

Another program that’s been around for a long time is Last Pass. This is so-called because the publishers say that your password for accessing your password data will be the “last password” that you’ll ever need. This program does other things as well – including generating strong, safe passwords for you.

If you really don’t want to commit your password information to a digital file (whether held in the cloud or not), then I do urge you to write down your passwords manually – all in the same place and where you can find them. Apart from anything else, that will make it easier to go through your passwords systematically, changing any repetitions so as to minimise the vulnerability to the Heartbleed bug and anything similar that might crop up in the future.

Here is everything you need to know about Heartbleed from the BBC and from Codenomicon (who discovered the bug).

© 2011-2019 David Leonard