
HTTPS Update: Google Chrome Displays “Not secure” Warning on More Websites

Posted by Ken Moire & filed under Security.

In January we talked about Google displaying a “Not secure” warning to Chrome users who visit any non-HTTPS web pages that accept passwords or credit card information. Soon, Chrome will display this warning in additional cases, affecting website visitors and site owners.

What To Expect

Coming in October, visitors to any non-encrypted (or non-HTTPS) web page that includes a form or to any non-HTTPS website while browsing in “incognito mode” will receive this warning. This will affect even more sites where search, contact and lead generation forms are prevalent.

Chrome’s HTTP Not Secure Warning

This warning does not necessarily mean the website has been compromised. It is a precautionary move by Google to inform website visitors their browsing and communications are not encrypted.
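To see which pages on a site would trip the rule described above (a plain-HTTP page that contains a form, or any plain-HTTP page viewed in incognito mode), the following added example parses a handful of constructed pages and reports the ones that would warn. This is illustrative code written for this article, not Chrome's own logic or code from Spry Digital; the URLs and HTML are made up, and the `example.test` host is a placeholder.

```python
"""Flag pages that would show Chrome's "Not secure" warning under the rules
the post describes: a form (or password field) on a page served over plain
HTTP, or any HTTP page viewed in incognito mode.

Added example; not Chrome's code and not Spry Digital's. All input below is
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormFinder(HTMLParser):
    """Count <form> elements and <input type="password"> fields in a page."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms += 1
        elif tag == "input":
            attr = dict(attrs)
            if (attr.get("type") or "").lower() == "password":
                self.password_inputs += 1


def analyse(url, html, incognito=False):
    """Return a dict saying whether the page warns and why."""
    scheme = urlsplit(url).scheme.lower()
    finder = FormFinder()
    finder.feed(html)
    finder.close()
    reasons = []
    if scheme == "http":
        if finder.password_inputs:
            reasons.append("password field on an HTTP page")   # January rule
        elif finder.forms:
            reasons.append("form on an HTTP page")             # October rule
        if incognito:
            reasons.append("HTTP page viewed in incognito mode")
    return {
        "url": url,
        "scheme": scheme,
        "forms": finder.forms,
        "password_inputs": finder.password_inputs,
        "warns": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample pages for a hypothetical site (not real URLs).
CONTACT_FORM = (
    "<html><body><h1>Contact</h1>"
    "<form action='/send'><input name='email'><button>Send</button></form>"
    "</body></html>"
)
LOGIN_FORM = (
    "<html><body><form action='/login'>"
    "<input name='user'><input type='password' name='pw'></form></body></html>"
)
SAMPLE_PAGES = {
    "http://www.example.test/contact": CONTACT_FORM,
    "http://www.example.test/login": LOGIN_FORM,
    "http://www.example.test/about": "<html><body><p>About us</p></body></html>",
    "https://www.example.test/contact": CONTACT_FORM,   # same form, but encrypted
}


def flagged_pages(pages=SAMPLE_PAGES, incognito=False):
    """URLs from `pages` that would carry the warning, in sorted order."""
    return sorted(url for url, html in pages.items()
                  if analyse(url, html, incognito)["warns"])


if __name__ == "__main__":
    for url in flagged_pages():
        print("would warn:", url, analyse(url, SAMPLE_PAGES[url])["reasons"])
```

Run it against a crawl of your own site (fetching each page and passing its URL and body to `analyse`) to get the list of pages that need to move to HTTPS first; the HTTPS copy of the contact page shows that the fix is the scheme, not the form.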

Why Encrypt

The responsibility for web security belongs to all of us: web developers, website owners, network administrators, hardware and software manufacturers, and of course, users. In this chain, web security is only as good as the weakest link. This latest maneuver by Google, in an effort to make the web a more secure place, highlights the responsibility of site owners to provide safe, secure browsing and online communication for their visitors. For users, it educates them on the risk of using non-HTTPS websites, particularly when collecting personal information.

In light of the recent Equifax hack, it is important for users to know their online communications and personal data are secure. And site owners should take measures to obtain a Secure Sockets Layer (SSL) certificate and move to HTTPS.

SSL certificates are now more affordable than ever. There are three main types of certificate for securing your site. Domain Validated (DV) SSL certificates provide a basic level of encryption and are relatively easy to implement. Organization Validated (OV) and Extended Validation (EV) SSL certificates require more validation, making them costlier and more complicated to set up.

Talk to your web hosting provider to see what your options are and which solution makes the most sense for your website or application.

What Happens If You Do Nothing

Having HTTPS is a factor in improving your site’s search rank in Google. Displaying this message to your visitors can have a negative long-term impact on your brand’s trust, and worse, keeps you and your visitors open to potential malicious attacks.

While this change currently only impacts users on Google Chrome, other browsers have historically followed Google’s lead on security issues. Firefox and Microsoft Edge will likely follow suit.

Chrome HTTP “Not Secure” Warning Fixed with SSL

Posted by Ken Moire & filed under Security.

Google, in their latest effort to ramp up security, has begun rolling out changes in its Chrome browser that will alert users when they are visiting any non-encrypted HTTP website. Formerly considered neutral, HTTP websites are now deemed not secure by the browser. If you’re a site owner or developer, this can impact your site’s traffic and trustworthiness.

HTTPS is not the plural of HTTP

When checking your bank account or shopping online, you probably already know to look for the lock icon in your web browser’s address bar. This indicates your client (browser) is passing data to the site with encryption.

By default, a web page is served to the browser using the non-encrypted HTTP protocol. The protocol is the bit found at the beginning of a URL, or web address.

HTTP is the web protocol

When a site is secure, the protocol changes to HTTPS, which stands for “HTTP over SSL”. An HTTPS site means that the website operator has obtained an SSL (Secure Sockets Layer) certificate, and any web traffic passed to that website is encrypted. When using HTTPS, this protocol is often highlighted in the address bar, along with a lock icon, to tell users that the connection is encrypted and thus secure.

Until recently, SSL certificates were expensive to purchase and difficult to install, so unless the website provided a login or shopping cart, website operators typically opted not to buy an SSL certificate and relied on HTTP for general web traffic.

Encryption for all!

A lot has changed in the last couple of years, driven in part by high-profile data breaches. In response to the current threat environment, organizations like Let’s Encrypt now provide SSL certificates for free. Furthermore, if your hosting provider uses cPanel, you are able to use HTTPS instead of HTTP, so there is no reason not to encrypt your site. Google even rewards HTTPS in search rank – secured sites are deemed more trustworthy by the search giant.

Google is not waiting for developers

Initially, only pages that accept a login or provide a shopping cart will show the alert, but eventually this alert will be displayed site-wide across all HTTP pages.

The Not secure warning in Chrome

Receiving this alert may be alarming to site visitors who are already skittish about web security, so if you own or operate a website you should get to work implementing an SSL certificate for your website. In web security, we’re only as strong as our weakest link, so this push by Google to encourage all websites to go HTTPS is a step in the right direction.

How To Fix It

Site owners and developers should take immediate steps to implement an SSL certificate to avoid the not secure warning in Chrome. Instructions on how to do so can be found here.

How Cybersecurity Fails Created The Panama Papers

Posted by Ken Moire & filed under Security.

The Panama Papers leak reveals the shadowy workings of the Panamanian law firm, Mossack Fonseca, in establishing offshore corporations for businesses, politicians, heads of state, athletes and celebrities for the sake of providing tax shelters and channels for arms and human trafficking. Illegal activities aside, what is particularly shocking is the lack of cybersecurity that may have contributed to over 2.6 terabytes of emails and documents (totaling over 11.5 million in all) being nabbed by hackers and landing at the feet of the Consortium of Investigative Journalists (ICIJ), who broke the story a year after obtaining them.

Security experts have analyzed the methods by which the attackers were able to obtain the data, and what’s come to light is an astonishing lack of basic web security practices on the part of Mossack Fonseca and their web administrators. Data breaches occur every day to government, business, and personal websites with varying degrees of damage. Although the Panama Papers shed light on secretive and largely illegal activities, security vulnerabilities like these can affect legitimate companies that want to protect their customer data.

Image courtesy of Panama Papers, Süddeutsche Zeitung

To understand the level of the security shortfalls, it helps to understand the software that Mossack Fonseca uses to power their multiple web properties. The firm uses two of the more popular content management systems (CMS) around, WordPress and Drupal, to power their public and client-facing websites, respectively. The client portal was used to share sensitive documents between the law firm and its clients. Both are written in PHP and are open source, meaning that their code base is free, accessible, and developed and maintained by community developers. While these systems can be secure environments for storing important data, the manner in which these systems were maintained, or not maintained, by Mossack Fonseca has been identified as the reason attackers were able to steal the damaging documents used in the reports.

WordPress security company Wordfence analyzed the law firm’s web hosting environment following the leaks to determine how attackers may have obtained all of this data. Wordfence determined that the WordPress site was over three months out of date while their Drupal site was almost two years out of date. Furthermore, the company was using outdated third-party plugins for WordPress which may have opened the doors for hackers to access other systems and passwords.

Website owners can learn from the mistakes made by Mossack Fonseca. Here are some of the main takeaways from the Panama Papers:

Protecting the Core

Both WordPress and Drupal have a large community of web developers contributing code to various aspects of the platform, also known as “the core”. Because they are open source, the code is able to be viewed by a larger user base, which can lend a hand at exposing potential security risks in the code base. When this happens, those vulnerabilities are typically brought to the core development teams who then fix the issue, release an update, and publish bulletins to notify web developers and users of the risk and the fix.

Mossack Fonseca’s client portal on Drupal was vulnerable to hacking due to running a version of Drupal that was over two years old. In that time, Drupal security teams had brought to light major vulnerabilities and urged website administrators to patch the software. Because these security bulletins were ignored by Mossack Fonseca, it was entirely possible for hackers to access sensitive files and data from their client portal.

In WordPress, security updates are typically announced at WordPress.org, while Drupal has their own security team and security bulletins are announced via news lists. WordPress by default will automatically update itself when security updates are released, which makes it painless to keep core WordPress up-to-date. Drupal updates need to be manually applied, which means that it’s vital for website admins to pay attention to update notifications and apply security updates immediately.

Leaving The Door Open With Plugins and Modules

Third-party code that extends the functionality of the core CMS platform is known as plugins and modules (for WordPress and Drupal, respectively). Besides using an outdated version of WordPress, Mossack Fonseca was using the Revolution Slider plugin, a plugin that is “one of the most common WordPress vulnerabilities” when not updated. In an update to the original report provided by Wordfence, because Mossack Fonseca’s email server was hosted on the same server as their websites, it is likely that their email was hacked via a vulnerability in Revolution Slider.

Plugins and modules have varying degrees of scrutiny and oversight by security teams based on the platform, the popularity and the method by which they are distributed. In general, Drupal has wider and more stringent security review of community-developed modules for its platform than WordPress; however, plugins that are distributed via the WordPress Plugins directory must pass a security review and are typically maintained and supported. Revolution Slider, which has had known vulnerabilities going back to 2014, is not available at WordPress and is instead sold and downloaded directly from the company website and also from the popular software storefront Code Canyon.

When you obtain code directly from plugin developers (or via sites like Code Canyon) you are on your own to determine whether the plugin is maintained and to find out if there are security updates. In these cases you will rely on the individual developer or development team to ensure that the plugin is maintained and patched as new and potential vulnerabilities are exposed, so look for plugins that are frequently maintained and actively supported. If they are not, avoid using them lest you risk your site and data being exposed to attackers.

Separation of Concerns

The reports reveal other shoddy practices that likely led to the theft of the 11.5M+ documents that would be known as the Panama Papers. In web security, the practice of “separation of concerns” means that you mitigate the risk to any one system by decentralizing where your data lives and how it is accessed. Mossack Fonseca hosted their email server on the same server as their website, and had passwords for their email stored visibly in the WordPress database. With a compromised WordPress installation, it would have been easy to obtain email passwords and retrieve email. If emails had been on a separate server, it would have made it harder for hackers to obtain the emails even if the website was hacked.

Ask The Right Questions

The largest data breach in Internet history was likely caused by a lack of security best practices. Companies should understand how their website is hosted and how information is stored. Demand to understand from your developers or web hosting team how data is secured and how the risks of hacks and attacks are mitigated. It could save your business, as well as your clients’ businesses.

Dispatches from the Spry Hive 2015: Week 43

Posted by Ken Moire & filed under Tips.

We’re only a week away from Halloween. While we’ve been stocking our candy jars and preparing for a litany of kid jokes this week, we also celebrated Back To The Future Day and were teased with more Star Wars goodness. Even with all of that, we’ve had time to curate some choice selections from around the Internet, so sit back and enjoy this week’s Spry Hive!

Around the Web

Back To The Future Day has passed, and expectedly, we were inundated with Marty and Doc references to where it seemed nothing else mattered on the Web. We still enjoyed this effort that reminded us of BTTFII’s predictions for the year 2015.

Instagram thinks that you’re going to want to capture special moments with a new app called Boomerang. Not a video. Not a gif. Boomerang takes photo bursts from your camera and stitches and loops them to create an entirely new content type.

YouTube is overhauling their revenue model and customer experience with the announcement this week of a $10 premium plan that will eliminate ads from the platform. Would you pay for an ad-free YouTube?

Mashable has turned blogging into a science. Check out how they predict the virality of any given blog post.

There’s no doubt that Stanford and Wharton are considered a couple of the finest learning institutions in the world. Learn how they also rule Twitter as top business schools.

Advertising

A PepsiCo Exec got the attention of ad agencies with this shot heard round the world.

Fitbit malware (Source = Wired)

Security

Wearable health technology is booming. A hacker now claims that your Fitbit may be spewing malware to other connected devices (Fitbit denies the claim). We’ll keep watching to see how this plays out.

Web Design and Development

Let’s face it, today’s design tools were not conceived to design for fluid canvases like the Web. Josh Puckett has been thinking about this problem and demonstrates how a design tool could work for adaptive designs.

If you’ve been itching to learn how to build interfaces with the React JavaScript library, this tutorial may strike your fancy.

There’s already a post-CSS movement… so naturally there should be PostHTML. Consider us intrigued.

Tired of looking at Bootstrap site after Bootstrap site? With this Chrome extension you can turn off Bootstrap styles and JavaScript, but be warned: the results may be less than flattering.

Misc

NES, perhaps the most iconic gaming console ever, turned 30 this week! Thanks for continuing to bring out the kids in us!

This Ft. Worth prosecuting attorney goes by the name Law Hawk. We think he needs to pair up with Walker, Texas Ranger, stat.

No denying our Gen X side… We love Star Wars and we love the Beastie Boys (RIP Adam Yauch). Director J.J. Abrams clearly shares our affinity for both with the new A Force Awakens character, aptly named Ello Asty.

Disney prosthetics (Source = The Verge)

We expect that Marvel and Star Wars costumes will be popular with the trick-or-treat crowd next week. Disney is helping to make the dreams of being a superhero a reality for some kids with missing limbs with these prosthetics.


We hope that your week brings you all of the excitement that the season has to offer. Make sure that you get outside to enjoy some stunning Fall foliage, and join us for next week’s Halloween edition of the Spry Hive!

DrupalCamp St. Louis Is Right Around the Corner

Posted by Ken Moire & filed under Drupal.

Spry Digital is excited to announce the second inaugural DrupalCamp St. Louis. DrupalCamp STL.15 promises to be even bigger with a larger facility and an extended schedule. This year’s camp will span two days, June 20th through June 21st (with that Sunday hosting a code sprint for Drupal developers) and will be held downtown at Saint Louis University School of Law.

As Drupal developers, organizers (along with others in the St. Louis Drupal Users Group) and platinum sponsors of DrupalCamp STL.15, Spry Digital welcomes people of all skill levels wanting to learn about the Drupal content management system to attend this year’s DrupalCamp and be a part of the growing Drupal community in St. Louis.

St. Louis Drupal Users Group

With the increased space and time, The STLDUG was able to schedule more speakers than ever before while making room for code sprints on Sunday. Additionally, for the first time DrupalCamp will feature The Learning Lounge where new and intermediate Drupal users can brush up on their Drupal skills by spending one-on-one time with Drupal professionals.

The St. Louis Drupal Users Group has pulled together a great list of sessions to fill their two separate rooms. The Advanced Concepts Room has been set up for intermediate level Drupal developers looking to sharpen their skills on topics like securing your Drupal site and expanding your Drupal search. The Site Building Room will feature a mixture of beginner and intermediate topics like the basics of Git, the challenges of designing for a CMS, and successful content strategies.

Keynote Speaker Alina Mackenzie (alimac)

This year’s keynote address, presented by Alina Mackenzie, will focus on why and how to become a part of the Drupal community. Based in Chicago, IL, she works as a developer and system administrator. Within the Drupal community, she is a camp organizer, speaker, and communications leader for DrupalCon mentored sprints. We are confident that her passion for organizing will make a lasting impression on attendees and we’re excited to host Alina for her first DrupalCamp St. Louis.

Help us keep Drupal thriving in St. Louis and the Midwest! Register today – $25 includes the price of admission for both days, lunch and a t-shirt. We hope to see you there!

5 Questions To Ask Your Web Partner About Security

Posted by Sheila Burkett & filed under Security, Tips.

Has your website ever been hacked? If it has, you know how difficult it can be to get it back up and working. As a business owner, you pay thousands of dollars to have your website built, but how do you make sure the website and server are being maintained to prevent it from getting compromised?

Here are five questions you should ask your web partner about the security of your website.

What content management system (CMS) will my website be built on?

CMSs such as WordPress and Drupal are open source platforms that interactive agencies use to build websites. There are programmers around the world dedicating their time and effort to the maintenance, enhancement, and expansion of each CMS. This results in the frequent release of new updates that fix problems within the code base, plugins or modules that provide website functionality. What does that mean to you? Each month, the company or individual who maintains your website should review the code that was released, apply the updates to your website platform and test to make sure everything is still working.

What development and testing processes will be taken to ensure my website is secure?

Your website isn’t just pretty pictures and content. Most websites today allow users to log in, make purchases, submit applications for jobs, or monitor service requests. The website code that makes this possible should be written with security in mind and tested to make sure the “bad guys” can’t get through easily. Hire a company who understands these issues and can talk to you about the procedures they take to develop secure websites.

What hosting service will my website be using?

Source = AustinSEOguy.com

Websites run on a computer called a server; the website is “hosted” on that server. It is important to understand the following about the environment:

  • Where are these servers located?
  • Which security measures does the company take?
  • What monitoring procedures are in place to identify a threat?

Websites are often hosted by specialized companies that utilize different forms & levels of security. Some hosting companies limit web teams’ access to server level software, which may limit their ability to keep the web server and website secure.

Who will manage the security and software on the hosting server?

When you purchase hosting services from companies such as WIX or GoDaddy, they typically are maintaining the servers and monitoring for security issues at the server level. Some hosting services do not maintain the server security or software, however. It is important to understand what level of security support the hosting company actually provides at the web server level and/or with your website content management system.

Will you make sure my CMS is updated and secure?

A monthly review of the CMS and any plugin updates that are regularly released is highly recommended, as well as implementing a monitoring process that includes alerts when security patches are made available. Security patches should be applied within 24 hours of the announcement.

An area where we frequently see security issues arise is with plugins and modules that have been installed on the CMS that are no longer supported or maintained by the original developer. When code isn’t maintained, it creates a security hole that makes your website vulnerable to being compromised. Here at Spry Digital, when the technical team identifies plugins or modules that are no longer maintained, we immediately look for a replacement of that code to minimize the security risk. Once your website is built, you should expect additional support costs for your website team to address these issues.
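The monthly review and the 24-hour patch window described above, and the Panama Papers post's findings earlier on this page (core software months or years behind its security releases, and a plugin obtained outside the official directory), are the same check from two angles: compare what is installed against the published advisories. The added example below does that over a constructed component inventory; it is illustrative code written for this page, not Wordfence's, WordPress's or Drupal's tooling and not Spry Digital's own process. The component names, version numbers, advisory dates and the `NOW` reference date are all made up for the demonstration.

```python
"""Audit a CMS inventory against security advisories: how far behind each
component is, whether the 24-hour patch window has been missed, and whether
the code came from a source that does its own security review.

Added example for this page; not tooling from WordPress, Drupal, Wordfence
or Spry Digital. All inventory and advisory data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Component:
    name: str
    kind: str        # "core", "plugin" or "module"
    installed: str   # version string such as "4.4.2"
    source: str      # where the code was obtained


@dataclass
class Advisory:
    component: str
    fixed_in: str        # first version that carries the fix
    published: datetime  # when the security release was announced


# Sources whose directories review submitted code (per the Panama Papers post).
TRUSTED_SOURCES = {"wordpress.org", "drupal.org"}
# Patch window recommended by the "5 Questions" post.
PATCH_SLA = timedelta(hours=24)


def parse_version(version):
    """'7.32' -> (7, 32) so that versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit(components, advisories, now, sla=PATCH_SLA, trusted=TRUSTED_SOURCES):
    """One finding per component: missing patches, exposure time, SLA, source."""
    findings = []
    for comp in components:
        installed = parse_version(comp.installed)
        # Advisories whose fix the installed version does not yet contain.
        missing = sorted(
            (a for a in advisories
             if a.component == comp.name and parse_version(a.fixed_in) > installed),
            key=lambda a: a.published,
        )
        finding = {
            "name": comp.name,
            "kind": comp.kind,
            "missing_patches": len(missing),
            "days_behind": 0,
            "sla_breached": False,
            "upgrade_to": comp.installed,
            "untrusted_source": comp.source not in trusted,
        }
        if missing:
            exposure = now - missing[0].published   # oldest unapplied advisory
            finding["days_behind"] = exposure.days
            finding["sla_breached"] = exposure > sla
            finding["upgrade_to"] = max((a.fixed_in for a in missing), key=parse_version)
        findings.append(finding)
    return findings


# Constructed reference date and data (versions and dates are illustrative).
NOW = datetime(2016, 4, 8)
COMPONENTS = [
    Component("wordpress", "core", "4.4.2", "wordpress.org"),
    Component("drupal", "core", "7.23", "drupal.org"),
    Component("revolution-slider", "plugin", "4.1.4", "vendor-site"),
    Component("akismet", "plugin", "3.1.9", "wordpress.org"),
]
ADVISORIES = [
    Advisory("wordpress", "4.4.1", NOW - timedelta(days=120)),   # already applied
    Advisory("wordpress", "4.4.3", NOW - timedelta(days=90)),    # ~3 months behind
    Advisory("drupal", "7.24", NOW - timedelta(days=700)),       # ~2 years behind
    Advisory("drupal", "7.32", NOW - timedelta(days=500)),
    Advisory("revolution-slider", "4.2.0", NOW - timedelta(days=600)),
    Advisory("akismet", "3.1.9", NOW - timedelta(days=10)),      # already applied
]


def summarize(components=COMPONENTS, advisories=ADVISORIES, now=NOW):
    """Findings keyed by component name, for reporting or assertions."""
    return {f["name"]: f for f in audit(components, advisories, now)}


if __name__ == "__main__":
    for name, f in summarize().items():
        print(f"{name:18} behind={f['days_behind']:>4}d  patches={f['missing_patches']}  "
              f"sla_breached={f['sla_breached']}  untrusted_source={f['untrusted_source']}")
```

In practice the advisory list comes from the WordPress.org release notices and the Drupal security team's announcements mentioned in the Panama Papers post, and the component list from the site's own plugin and module directories; anything with `sla_breached` set is the item to patch today, and anything with `untrusted_source` set is the plugin whose maintenance you have to verify yourself.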


Your website is the digital front door to your company. Not only do you make sure that all of the doors to your building have a lock, but most of us have security alarms, cameras and security codes to ensure our buildings are safe from intruders. It is important to make sure your web partner is employing the same level of security and maintenance for your website.

Dispatches from the SpryHive 2014: Week 32

Posted by spry & filed under Tips.

In case you missed our app recommendations from last week, we’re still really digging them. Added to the pile this week is Personal Blocklist – a Chrome extension that lets you block annoying sites from your Google search results. This week, various members of the Spry team had their own special geek-out moments. LEGO finally released the promised women scientists minifig set. We marveled over the aesthetic beauty and practical implications of this coffee alarm clock. And our Apple fan contingent squealed at the official release date for the iPhone 6 (Spoiler: September 9). Some of us even got to see Monty Python Live when it (finally) came through our fair city.

So, yeah, it’s been a pretty good week.

Startups

According to the Global Leadership Forecast, gender and generational gaps are more than just corporate buzzwords. Successful companies tend to have more women and Millennials in leadership. Arguments of causation and correlation aside, perhaps the strongest argument in favor of more workplace diversity is a broader variety of ideas and opinions. When you’re in a creative or dynamic field like a startup, that’s a crucial factor that separates the successes from the flops.

Design

Copyright. Fair use. Creative Commons. Public domain. If you’ve ever wondered if it was ok to just right click and “save as” that cute photo of a kitty cat to use on your own blog, check this infographic first.

We’re halfway through 2014 and what better time for an analysis of the emerging trends in logo design. If you’ve seen a lot of hand drawn type, hexagons, and crests, you’re already noticing a few of the hot design motifs (but there’s so much more).

Bridging the gap between design and development, this slick website examines UX using Google Venture’s HEART framework to measure success on your own project. Who doesn’t want to build a site that truly answers what your audience wants from your design?

Developers

We’ve said it again and again, but learning to code not only benefits your brain, it could also benefit your wallet. Coding School graduates can boost their yearly salaries by 44%. Not too shabby.

“Off with their heads!” isn’t just for the Queen of Hearts. Drupal is quivering a little, too. Headless Drupal is totally a thing and some are arguing it’s going to be even better than Twig.

Security

It’s been a bad week for internet security. This week, we learned that 1.2 billion passwords were stolen by Russian hackers. An Australian teenager (with an admittedly impressive history) showed us that PayPal’s security features aren’t *quite* what they’ve led us to believe. Change your passwords, people! You know the drill.

Social Media

We got a sneak peek of Twitter’s new easier-to-use hashtags. No more wondering what #omgwtfbbq means.  (Seriously, though. BBQ.)

Every generation has its hero. Ours has the Twitter vigilante. Distressed by the sub-par promoted corporate tweets, SocialLandlord calls out crap corporate tweets for the bad marketing that they are.

And if you ever wanted to make Twitter easier (say, for a story lead or market research?) you need to know about belong.io.  It pulls the best links and stories from Twitter to give you a leg up on tomorrow’s hottest thing.

Whiskey Tango Foxtrot

You probably caught wind of the weirdest Kickstarter yet. We love potato salad as much as the next person, but $55k is a bit much. Lucky for us, Kickstarter broke down the numbers for us. There’s probably some marketing analysis in that, but you don’t have to take our word for it.

Classic reddit prank, Cat Facts, now has its very own app. Troll your (former) friends. Call it a great exercise in how to lose friends and alienate people.

A couple with way too much time on their hands has figured out a way to let their fish play Pokemon. It already has a Charmander, so it’s doing better than we ever could.

And in a mashup that warms the cockles of our dark little hearts, something that we didn’t know we were waiting our whole lives to see. Joy Division meets Star Trek. It is majestic.

If you’re the type of person who loves to jailbreak or root your phone the second you buy a new one, take heart. President Obama signed a bill that made jailbreaking your phone no longer a crime.

Finally, because we HAVE to get at least one Monty Python reference in this week: The Monty Python guide to running a business (for entrepreneurs).


That’s all, folks! Enjoy your weekend.

Dispatches from the SpryHive 2014: Week 31

Posted by spry & filed under Tips.

Happy Friday and welcome to SpryHive. Hope you’re ready for a heavy hitting weekly roundup. We’ve got something for everyone – developers, marketers, and designers. Plus, a bunch of shiny distractions to appease even the pickiest of internet connoisseurs.

Plus, goats.

They’re so hot right now. Goats.

Quick Hits of Shiny Things

Get Point is a Chrome extension that lets you annotate websites in real time and share your notes with collaborators. Highlight sections and make notes much more conveniently than emailing an article.

Seamlessly integrate your phone or tablet with your desktop with AirDroid.  Send text messages from your computer (full keyboard, natch) and access all your photos and files from your mobile device on your desktop with a couple clicks. Easy, peasy. Obviously, this is only for Android mobile devices.

If you’re on the market for a new survey tool, we checked out Wedgies and it did not disappoint. Sleeker than competitors, it has complete social media integration and allows you to easily integrate polls in to your existing content to increase audience engagement.

Most of the office at Spry Digital consists of NPR junkies, so this next app got us a bit excited. Completely personalize your NPR fixation with the NPR One app. You get to curate the content from national or local stations, all in one custom playlist on your phone. Never miss your shows again.

Finally, we’re already drooling over the TouchPico projector. A pocket-sized projector is cool in and of itself. If that same teeny projector can turn any presentation into an interactive, touchscreen multimedia event? Count us in. It turns any Android app into an 80″ projected image and makes it a touchscreen with the infrared stylus. Think of it as a smart board at a fraction of the cost. We promise we won’t just use it for Fruit Ninja. Probably.

Developers

Speaking of neat apps, projects, and tools, the theme for July’s DevOps meet-up was The Great Tool Swap. No, we didn’t trade a trowel for a rake (kinda surprised there wasn’t at least one smartass who tried that), we swapped our favorite tools and tricks to make DevOps life easier for everyone. Check out the compiled list in the Google Group.

Don’t miss out on next month’s festivities. Follow DevOps STL on Twitter and sign up for the Meetups.

Need more awesome tools? Check out IDEO Labs’ most recent dish on the best tech. There’s a little something for every Dev in here, so you’re sure to find at least one thing you’ll dig.

Social Media

Another day, another new social media site that promises to be the next big thing. Check out Mashable’s list of the most likely top ten contenders in the continually crowded market.

Facebook

Poor Facebook can’t catch a break. Can’t you hear us playing the tiny violin of pity? No? Yeah, neither can we.

This week, Facebook faced some backlash for their announcement that they’re forcing all users to “upgrade” to and install the Facebook Messenger app to get their messages on the go. So what’s the catch (because Facebook always has a catch)? The Messenger app asks for a lot more permissions than most users feel is appropriate. The social media giant is under a lot more scrutiny in recent months and it appears their users are actually reading those terms and conditions before blindly hitting “install”. The distrust, while vocal, is far from universal. You can make a logical case for nearly all of the expanded permissions. The real question is how comfortable are you with a faceless Facebook owning that much of your personal information?

And anyone remember the hullaballoo a couple weeks ago over Facebook’s psychology experiments on users? OKCupid, an internet dating site, caught some flak this week for nearly identical tests. Their “Sorry, not sorry” mea culpa really took the cake. Hey, they admit it. They’re just “OK Cupid”. No one said they were “Amazing Cupid”.

LinkedIn

LinkedIn announced this week that we’ll be seeing some changes to user profiles soon. The improvements will focus on making the site more of a relationship builder rather than just the digital equivalent of handing out business cards. We’re just waiting for them to make their API a little friendlier and maybe, just maybe, make the site as a whole a little more… productive.

Design

Into typography AND politics? We’ve got the perfect font for you.

We’re thrilled to participate in AIGA St. Louis Design Week this year. Be sure to check out Spry Digital’s profile where we were able to showcase some of our best work. Then sneak a peek at the other featured agencies. See you all September 22-28!

Miscellaneous

goats, goats, goats!

Did you ever come up with a clever ditty but think, “You know, this needs more goat”? We’ve got you covered.

Kittehs iiiiiin spaaaaaaaaace! Cosmic Kitty Pop, a pretty fun new mobile game app from a local women-run game shop.

Better living through math: the perfect way to slice a bagel.

Even the most frustrating day is improved with a Photoshop adventure with Leo and a water gun. We know how happy Nerf guns make us around the office, so this is pretty brilliant.


PHEW! That’s a SpryHive that oughtta tide you over until next week. Until then, have a great weekend and we’ll catch you on the flip side.


Personal Security: Password Management

Posted by Ken Moire & filed under Security.

Every year, companies spend billions of dollars on IT security infrastructure. Despite that, hackers continue to adapt and find new ways to exploit vulnerabilities and expose sensitive user data. Many go unnoticed, but in the last year alone, several high profile hacks were reported, most notably Target and more recently, eBay. In the case of the notorious Heartbleed Bug, a back door was left open with a vulnerability in OpenSSL, used by most of the Internet for encrypted, secure connections.

Given these large-scale security breaches, it can feel like there’s very little one person can do compared to the scale and severity of these exploits. But in fact, there are measures we can take to help protect our online information and minimize the impact of these breaches. In this Personal Security series, I’ll share ideas, tools and steps to keep your online activities more secure.

Password Managers

In many cases, the first thing that users are asked to do following a known breach on a website or application is to change their password. But if you’re using the same password across multiple sites, that means you need to update your password everywhere it was used. Do you remember all of the places you’ve used it? Probably not. And the risk for you is even worse if you’re using a weak password, because it can easily be cracked. If your password is ‘admin’, ‘12345’ or your kid’s birthday, it’s time to upgrade your passwords and start using a password manager.

In a nutshell, password managers allow you to create unique, complex passwords for each website or application that you visit and store them in a central secure system. The best ones use AES 256-bit encryption and other strong security measures like one-way salted hashes. The passwords are not stored locally (like in your browser) — rather, when you visit a website, your password manager passes an encrypted token between your machine and your password service’s server, assuring a secure connection before a password is retrieved. Once the secure “handshake” is made, the password manager can auto-complete the login form, so in essence you will never need to remember the password stored for any particular website (trust me, it’s better this way).

There are several popular password managers on the market. Dashlane and LastPass are two of our favorites, but there are many more, each with their own price models and feature sets. You should explore all of the options and pick the best password management system for the way you use passwords.

Benefits of Using A Password Manager

Besides generating and storing complex passwords, there are other benefits of using a password manager:

  • They keep track of all accounts you’ve created across the internet. Without a password manager, it’s easy to forget your account history.
  • Many password managers provide helpful security reports, like a list of accounts that are compromised by known exploits. When Heartbleed was announced, LastPass provided a report for all of the sites that could be affected so you knew immediately which passwords needed updating.
  • Most password managers alert you if you’re using the same password across multiple websites. It’s a habit that most of us fall into if we’re not paying attention. Password managers help pay attention for us.
  • Some password managers include a mobile app that lets you retrieve passwords while on your mobile device.
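To make the mechanics above concrete, here is a toy password-manager core as an added example (it is not code from Dashlane, LastPass or any other product). It covers the one-way salted hash used to check the master password, generation of a unique complex password per site, and the two reports from the list above: reused passwords and accounts on sites named in a known-exploit advisory. The site names and the affected-site list are constructed; vault encryption (AES-256 in real managers) is left out, so entries live in a plain dict purely for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_master(master, salt=b"", rounds=200_000):
    """Return (salt, digest). A fresh random salt is drawn unless one is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, rounds)
    return salt, digest


def verify_master(master, salt, digest):
    """Recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(hash_master(master, salt)[1], digest)


def generate_password(length=20):
    """Cryptographically random password containing every character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def reused_passwords(vault):
    """Map each password used on more than one site to the sites sharing it."""
    by_pw = {}
    for site, pw in vault.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def breach_report(vault, affected_sites):
    """Accounts whose site appears in a published list of affected services."""
    return sorted(site for site in vault if site in affected_sites)


# Constructed sample vault with hypothetical sites; one password is reused.
SAMPLE_VAULT = {
    "shop.example": "S3cret!pass",
    "bank.example": "S3cret!pass",
    "mail.example": generate_password(),
}
# Constructed stand-in for a Heartbleed-style list of affected sites.
AFFECTED = {"mail.example"}
```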

There are several other best practices for using passwords; however, a password manager makes the job of managing your accounts and passwords easy. Do yourself a favor: use a password manager service and get peace of mind.

Dispatches from the SpryHive 2014: Week 24

Posted by spry & filed under Tips.

As we close out week 24 out of 52, the calendar also treats us to Friday the 13th alongside a full moon. Don’t get all friggatriskaidekaphobic on us. After all, it’s just a coincidence and not the freakishly rare celestial event that some have led us to believe. Besides, June’s full moon is more commonly called the “Strawberry Moon” or “Honey Moon” because of the agricultural season. We think that sounds a lot tastier.

Let’s take your mind off the lunacy and deliver a quick hit of news from the week in today’s edition of SpryHive. Onward!

Getting Social (Media, that is)

Facebook

Changes to Facebook’s company pages are forced live starting today. If you’re a digital marketer who was caught unprepared, that alone might be a good reason to hate this particular Friday the 13th. Lucky for you we’ve already taken the sting out of designing a banner image that fits the new dimensions. Bookmark our Facebook company pages banner image blueprint.

A startup that analyzes your Facebook posts and compares your personality to your friends’? It’s a thing now. We quibble a little with their metrics, but overall, everyone in the Spry office had fun with this one.

The Onion made good on their promise to create a parody site for Upworthy and its ilk of clickbait headlines. Couldn’t have happened to a more worthy candidate. Lose yourself in the ClickHole. Now spam everyone in your Facebook feed with some snark. Turnabout is fair play.

Twitter

Tweetdeck, a popular Twitter app for desktops, went on lockdown Wednesday fearing it had been hacked – all because a teenage boy wanted to use tiny hearts in his tweets. A couple of days ago, some Tweetdeck users noticed strange popups showing up within the client interface. Turns out, the bit of code the 19-year-old added to his tweet (to display a heart icon) acted like a worm, telling other Tweetdeck accounts to share the message. Tweetdeck has been patched, but you should probably log out and log back in to be safe. No news on whether the teen will just switch to emojis.

Developer Goodies

DevOps STL

Remember our DevOps project? It has an official, recurring date. Join us! Get your DevOp on.

Learn to Code, Learn to Think

It’s no secret that learning to code is a great investment in your employment future. However, recent research is showing that learning to code also benefits general logic and reasoning ability. Even if you aren’t into computer science, critical thinking will always be a marketable skill.

Get the Gist of things

Our devs think Gists are great. For those not hip to Gist, it’s basically a way to save and share snippets of code on GitHub. All gists are Git repositories and enjoy all the features of a repo, including forking, versioning and viewing diffs. But they are not easily organized, either for yourself or as part of a code library for your team. So we were pretty excited to come across the GistBox app. GistBox creates a shareable code library for your whole team and boasts a really sleek UI. We’ve definitely got the gist of things.


Cool things that we can’t reasonably squeeze in elsewhere

All Hail our Robot Overlords?

For the first time, a machine passed the Turing Test and sci-fi geeks everywhere started having to breathe into paper bags. Well, sort of. Its success is debatable, but we’ll get to that in the second paragraph. In short, the Turing Test measures a machine’s ability to exhibit intelligent behavior equal to, or indistinguishable from, a person’s. This week, a chatbot in London convinced judges it was a 13-year-old boy. It probably didn’t ask for Doritos and the latest Call of Duty game, though.

However, for many the Turing Test isn’t the be-all and end-all of artificial intelligence. Considering that it was theorized at a time when computer technology was just beginning, the test only measures intelligence without cognition. AND it conflates intelligence with sentience. With the acceleration of our technology, we’ve been able to utilize more and more pattern recognition in our programming (resulting in more intelligence), but we haven’t been able to create self-awareness within our programs (indicating true sentience). So while we’re not quite veering into Philip K. Dick territory yet, we do have to appreciate how far we’ve come.

Goooooooooooooooooooooaaaaaaal!

If you’re not a soccer (or futbol) fan, the next three weeks are going to sound something like this for you:

sportsball

For everyone else, the World Cup started yesterday and people are losing their minds. What a ludicrous display.

Don’t worry, we can even make this about the tech to justify including it in the weekly SpryHive roundup (because the IT Crowd alone can’t carry it). This year’s tournament is using a new technology that aims to prevent “ghost goals”. Germany’s fans are pleased.

Getting into the global spirit, Twitter has brought back Hashflags, which are exactly what they sound like. Hashtag + flag. Whenever you use the three-letter country code of your favorite team after a hashtag, Twitter will include a tiny national flag within your tweet (and no, the tiny flag doesn’t count against your character count).

Wherever you are and whichever team you’re pulling for, kick back with the most popular beer in that country. We can’t say we’re thrilled with team USA’s, but thankfully, we have a delightful selection of microbrews locally to distract us. Or drown our sorrows depending on how the Cup goes.


And that’s about it for this week’s SpryHive! Have a great weekend, watch some soccer, and we’ll catch you Monday to start it all over again!