For example, if you were surfing a number of sites in Safari before you quit, those windows will return when you reopen the program. Some windows we may not want to share with others. I’m not talking just “adult” items, but, for example, a job search or dating site. Most Mac OS customers are used to having the more obvious digital debris of their life excised upon quitting an app. Unfortunately, in Lion, any application that supports resume (including most system apps, iWork and many more on the way) could unearth some embarrassing secrets.

There are a few quick solutions. When possible, close the Safari window or tab you’d rather keep private before you quit the application. Additionally, if you hold down the option key while choosing Quit from the application menu, or hold down Command+Option+Q, that will “Quit and Discard Windows” for this particular session.

If you forgot to do that and find yourself needing to close those open windows without launching the app, you can remove this information manually. To do this, first choose “Go to Folder” from the Go menu. Type ~/Library/Saved Application State/ and that will take you to the folder that contains your saved windows. If you want Lion to forget the last windows left open in Safari, look for com.apple.Safari.savedState and then delete that folder. That will remove the last session’s windows and tabs.

If you decide you really don’t like applications automatically remembering previously open windows and tabs, you can turn this feature off system-wide by opening the System Preferences application, and under “General” making sure “Restore windows when quitting and re-opening apps” is unchecked.

So the next time you go shopping for that wedding ring, remember that the next person who opens Safari might see the window and ruin the surprise. These tips should keep you out of hot water. And if you’re surfing for something else on your computer, the next person who has to use or repair it will thank you for keeping your private info private.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• How cloud computing plus Facebook might mean the end of personal privacy
• Building a better paywall: strategies for monetizing news content

1. Create a service-only account

Often repair work involves administrator-level access to your Mac’s operating system. While I’ve never heard about privacy violations at Apple Authorized Service Providers, I like putting an extra barrier to protect my personal data, since I’ll sheepishly admit my account password is used in a few other places, and I’d rather nobody know it.

For added protection, I have another administrator account prior to sending my Mac in for service. An extra administrator account is good for testing purposes, so I already have one. If you don’t, then go to System Preferences, and then to Accounts and click the plus button and under “New Account.” choose “Administrator.” Create a full name and unique password and then click “Create Account.”

When checking in your computer at the repair shop, give them this password. Yes, your original account’s password could be reset and your data read, but at least this makes it a bit more difficult to do so. Even if your primary account’s password is reset, they still won’t have easy access to your keychain or be able to find out where else you use that admin password.

Now that your Mac is safely backed up and ready for service, here are two tips for an often overlooked part of the job — physically transporting your Mac.

2. Dress your iMac in a t-shirt

The iMac’s screen in particular can be easily scratched when lifting it in and out of the car. Shirt buttons and jewelry are common items that could cause scratches on your person, too. A large towel is a common protector for transport, but it’s difficult to keep that in place. My solution is an old t-shirt. If your screen size exceeds your shirt size, go to a thrift store and pick up an XL. Old shirts tend to be extremely soft and stretch easily, thereby protecting your iMac screen and keeping that protection in place during transit. The bonus is that your computer looks absolutely adorable.

Once you’ve got the T-shirt wrapped around the iMac, lift it carefully, making sure to grasp it firmly with two hands at the bottom and press the protected screen against your body. Don’t try to carry it by the stand. Unless you’re a weightlifter with unusually long arms, avoid carrying an iMac under one arm.

3. Keep it in the backseat

Just like people do with their other most precious cargo (ie., children and pets), keep the Mac in the backseat. Have the screen face backwards and strap it in with the shoulder and waist restraints. I typically place the shoulder strap over the back of the iMac and then use the waist restraint close to the base. This will not keep it in place as well as it will a child in case of an accident, but it serves to slow the Mac down, and if it does hit the back of the passenger seat, the screen is less likely to crack and the hard drive is less likely to get jostled. For an extra ounce of prevention, I push the passenger seat as far back as I can and brace it with a pillow if needed. This will also help if you have to make a sudden stop, or if you hit a few potholes long the way.

Any other tips for getting your injured Mac to and from service-related visits?

Photo courtesy of Flickr user kaikajus.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Building a better paywall: strategies for monetizing news content
• Flash analysis: Steve Jobs

Kickstarter-backed iPhone, iPod and iPad accessories

The PadPivot is a versatile iPad (or any other tablet or e-reader) stand that folds up for easy storage, and works both on hard surfaces like a table or desk, or on your thigh for holding your iPad steady while browsing or watching video on the couch. In my review, I wasn’t shy about calling the PadPivot the most practical stand I’d ever come across, and that remains true after a couple more weeks of usage.

PadPivot easily exceeded its funding goal of $10,000, raising $190,352 on Kickstarter, where anyone can pledge small amounts to see the project become a reality. Another project that blew past its initial funding target, the iPod nano watchbands called LunaTik and TikTok, also went on to pick up a prize retail distribution deal, and are now available on Apple retail store shelves.

Kickstarter’s advantage is its ability to act as a focus group (designers will change their product based on feedback during the funding period), test market (pledges act as pre-orders, so retailers have a ready-made sample of prospective buyer interest) and funding round. Thanks to that triple-pronged approach, consumers get to select from some unique accessories that might not have made it through the design-by-committee process that churns out relatively interchangeable designs at established accessory-makers.

When the PadPivot arrives on Best Buy and Future Shop (which is owned by Best Buy) shelves, it’ll bear in-house RocketFish branding. The device will still retain the same design that makes it so handy, and the PadPivot name, however, and should retail for around $39.99. Check it out in action below.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• How to Market Your iPhone App: A Developer’s Guide

The Blackbox Bamboo was originally designed based on creator Lance Atkins’ experiences travelling with a MacBook Pro on an African backpack safari, during which time the neoprene sleeve he was using provided inadequate protection, resulting in a broken Mac. He created the first Blackbox Case out of oak in 2010 to provide a heartier alternative to traditional soft sleeves. Now, the company wants to expand their business and provide an entire, new line of cases made out of the more sustainable bamboo.

The Blackbox Bamboo will come in a choice of two colors, either with a carbonized brown stain or in natural bamboo finish. It will also come in a variety of sizes, including one that fits the iPad 2 with or without the official Apple Smart Cover attached, one for both the 11 and 13-inch MacBook Air, and one each for 13, 15 and 17-inch MacBook Pro models. All varieties come with a leather strap with a snap closure for securing your device in the Blackbox Bamboo.

Kickstarter backers qualify for pre-orders starting at $79, which gets you the iPad 2 version, and range up from there depending on which model you’re interested in. It’s a pretty cool product that appeals to the outdoor adventurer in me, though I’m not sure I wear that mantle often enough to qualify. Anyone else’s fancy tickled by the Blackbox Bamboo? Be sure to check out the video below before you answer.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• How to Market Your iPhone App: A Developer’s Guide

There isn’t a specific timeline for when the update will be released, but when it does arrive, it’ll also shut down the ability to jailbreak iOS devices using the most recent JailbreakMe browser-based method. The jailbreak takes advantage of the same exploit which poses a potential security threat and involves the way in which Safari and Mail manage PDF file downloads.

Apple will likely be quick with an update, considering the nature of the German IT agency’s warning. The organization called the flaw a “critical weakness,” and one which is “sufficient to infect the mobile device with malware without the user’s knowledge.” It affects users running iOS 4.3.3, and possibly older versions as well, according to the German agency.

While users await a software update to patch the hole, the best way to avoid any potential security threats is to avoid downloading PDF files from any untrusted sources, either via email or mobile Safari. As mobile web access becomes more popular, it’s generally a good idea for users to practice the same kind of safe browsing that helps avoid malicious attacks on desktop computers as well, part of which means not downloading content when its origin is at all suspect or hazy.

A similar flaw was discovered in August 2010 that also allowed for web-based jailbreak, and also caught the attention of the German government. Apple took about a week to issue an iOS update to patch the problem at that time, so it’s reasonable to expect a similar timeline for release with a 4.3.4 update.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q1: All Eyes on Tablets, T-Mobile and AT&T
• A Media Tablet Forecast, 2011 – 2015
• A Global Mobile Handset Platform Forecast, 2011 – 2015

Here are the eight apps contained in the bundle, which is available for just $50 for another 9 days:

• 1Password. One possible cure for all the rampant hacking of major sites and services going around is keeping incredibly complex, different passwords for each of your online accounts. But that’s almost impossible to remember. So use 1Password, which lets you store hundreds of distinct logins in one place. Just make sure the master password and PIN you choose to keep all that info safe is solid. 1Password is also great because it plugs into iOS apps to sync your login data across devices.
• Billings. Time-based billing is a chore that no freelancer enjoys, but apps like Billings at least make it easier than if you’re doing it using templates in Word, for instance. Billings has awesome time tracking tools that integrate into your Mac menu bar or can be operated with hot keys, and an iPhone app that syncs info with the Mac version.
• TextExpander. Thanks to keystroke shortcuts, customizable abbreviations and one-click coding shortcuts, this is the text editing tool that becomes the default mail composer, form-filler and report preparation tool for many a Mac freelancer.
• LittleSnapper. Take screenshots, send clients design samples, and save website effects that you want to recreate yourself. If you’re building a design inspiration scrapbook, you no longer have to depend on scissors and magazines. Annotations and tags make keeping your screenshot connection organized and highly searchable.
• WriteRoom. Distraction-free writing is a bit of a trend, and freelancers who do a lot of writing appreciate the benefit of being able to shut out the many demands for attention that a computer brings with it. WriteRoom is a solid distraction-free writing client that’s been around for a while, and you can sync with an iPhone client, too.
• Radium. Some people can work without a background soundtrack, but I am not one of those people. You might have jumped to something like Pandora, or the hot new kid on the block, turntable.fm, but if you prefer the set-it-and-forget-it ease of Internet radio, Radium is a good OS X front-end with a huge database of available stations.
• Arq. Backing up your data is key when you’re a freelancer, because no one but you will be responsible for preserving your documents in most cases. Arq is an OS X client that plugs into Amazon S3 cloud storage (which you have to sign up for separately) to keep your offsite backup needs taken care of.
• Alarms. This is a small utility that mostly resides in the OS X menu bar, syncs with iCal and can remind you about just about anything you need to do during the day. It offers drag-and-drop simplicity, so drag URLs from your browser or a file you need to work on from the finder, or just about anything else to bring up the reminder creation screen.

The total cost of all these apps taken alone is somewhere around $300, so if you’re a new (or experienced) freelancer looking to pick up a complete toolbox without straining your gray matter or your wallet, this is definitely a no-brainer.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q1: All Eyes on Tablets, T-Mobile and AT&T
• The Future of Workplaces
• The Future of Work Platforms: An Overview

iPad passcode configuration

Even though it isn’t 100 percent foolproof, securing your iPad with a passcode is a good first step for security. On my iPad 2, I configured security to use the longer alphanumeric passcode, and I make sure that it will lock the iPad immediately when the cover is closed by doing the following:

1. Open Preferences and navigate to the General settings.
2. Set Auto-Lock to 2 minutes.
3. Turn the Passcode on and set Require Passcode to “Immediately.”
4. Turn the Simple Passcode off.
5. Turn Erase Data On to wipe the iPad after 10 failed logon attempts.

After you sync your passcode protected iPad with your Mac, you should notice that any user account on that Mac can still access the data on your iPad using any of the following methods. Attach that same iPad to any other Mac that has not accessed any data on that iPad in the past, and you will get an error indicating that the device is protected with a passcode.

Protecting your data in the real world

You may be surprised at how easy it is to access your iPad’s information even after you’ve set up a passcode when it’s connected to a Mac.  If you really don’t want others to have access to your information, there isn’t much you can do short of setting a hands-off policy. You may want to sync your iPad to a dedicated Mac which only you have access to. Anyone with access to both your iPad and the Mac it syncs with can see all of your data. You can avoid potential theft worries by keeping the iPad and Mac in separate cases, and by disabling the guest account on your Mac so that a user has to know your passcode to login.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q1: All Eyes on Tablets, T-Mobile and AT&T
• A Media Tablet Forecast, 2011 – 2015

Before the release of the support note yesterday, it was reported by ZDNet’s Ed Bott that Apple support staff on the phone were indicating that they couldn’t provide instructions for dealing with specific instances of malware. The fix is not overly complicated, but explaining it individually over the phone to every affected customer would tie up a lot of customer service agents, and it could set a dangerous precedent for the future treatment of such situations.

The article promises that “Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” and that the update will arrive “in the coming days.” Users will also receive an explicit warning notification if they happen to download this malware once the update is installed.

The step-by-step instructions for removing the Mac Defender malware involve using Activity Monitor to kill all running instances of the program and its equivalents (MacProtector, MacSecurity), then dragging the applications to the Trash, and finally, emptying the Trash. Apple also provides instructions for removing the malware’s login item, though the login item is no longer a threat once the application is removed from your system.

Glad to see Apple responding to the valid security concerns of its users. Let’s hope this isn’t the just beginning of the Mac’s serious malware woes.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Structure 50: The Top 50 Cloud Innovators
• Connected Consumer Q1: The Over-the-Top vs. Pay TV Battle Heats Up
• Smart Grid Apps: Six Trends That Will Shape Grid Evolution

A partial screen from Mac Defender: Not something you want to see on your Mac.

Although there has been scattered mac malware in the past, most malware to date have been proofs of concept or have piggybacked on illegal downloads. New malware program Mac Defender is a brilliant piece of social engineering that plays on fear of viruses and convinces the owner to pay money for removal of non-existent problems. Although Microsoft and PC manufacturers will help owners with malware problems (sometimes for an additional charge), AppleCare techs and Geniuses are currently refusing to assist or even acknowledge the problem according to reports. There’s actually a very logical justification for this.

It’s not about denying that Mac malware exists altogether. Apple has never actually denied that Macs get malware, but it hasn’t ever really sounded the alarm bell, either. Apple did include a copy of the anti-virus app Virex with .Mac subscriptions up until June of 2005, however. Apple in the past has also suggested anti-malware software, but now touts the Mac’s immunity to PC-based malware thanks to Snow Leopard’s robust security, stating only that “antivirus software may offer additional protection.” They do include some protection each time an OS update comes out, by patching any exploits previous malware took advantage of.

Mac Defender’s (a.k.a. MacProtector, but not to be confused with MacKeeper, which is a legitimate program) attack vector is unique on the Mac platform. While Windows users are familiar with fake programs that claim your computer is infected and then offer to remove said infection, Mac Defender’s reach will grow exponentially because Mac users aren’t as used to that strategy. While Apple can build in protection against this in the next software update, the success of MacDefender will serve as an example for the next slew of threats on the Mac.

Yes, the technically savvy are unlikely to fall for such threats. However, a large number of Mac users aren’t always technically savvy enough to read blogs and support forums. These are the customers more likely to call AppleCare and Apple Geniuses when they have technical problems rather than solve it themselves. Since Mac Defender is extremely easy to remove, reps are spending more time explaining why they can’t help users with malware rather than just explaining how to remove it.

Apple’s blind eye in this case is less about resource allocation in the short-term, and more about promoting the App Store as a safe software distribution channel so as to avoid a compounding of the time cost problem in the future. There’s some evidence that in a few cases, the Mac App Store can actually make Macs more vulnerable to attack, but so far that only applies with Opera, which is a web browser, and therefore susceptible to unique vectors of attack.

If consumers fear the threat of rogue software infecting their Macs, they can either buy the line of anti-virus makers and install protection that they then have to manage and invest in themselves, or they can take refuge behind the protective walls of Apple’s Mac App Store. Independent developers who’d rather deal directly with customers than go through Apple’s marketplace may not like the idea, but customers who to take Mac security for granted will increasingly use the App Store to avoid headaches like those provided by Mac Defender.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• The Structure 50: The Top 50 Cloud Innovators
• California’s New Energy Data Privacy Rules: Some Answers, Many Questions
• Players and Strategies for Real-Time In-Stream Advertising

Set a Passcode

If a thief can’t unlock your device, they can’t access your data, so setting a passcode lock is a good idea. Once set, the passcode will need to be entered each time in order to unlock the device. To set one, tap Settings, General, then Passcode Lock. At the top is a button labeled Turn Passcode On.

Tap that, and you’ll be prompted to enter a four-digit passcode. Type the passcode in twice, and some additional settings will become available.

You can change how long the device has to be inactive before the passcode is required again. By default, this is set to require the code immediately, but you can set it to a range of durations such as after 1 minute, 5 minutes or 15 minutes. Shorter times are more secure, since it gives someone else less time to pick up your device before they’ll need to enter the passcode.

If you don’t think a four-digit code is secure enough, you can also use a more complex password with numbers, letters and symbols. To do so, turn off the setting called Simple Passcode. After turning that off, you’ll be asked to enter your current passcode, if you have one set, then your new password twice. Once you have done that, in order to unlock your device, the password you set will be required, which is more secure than a four-digit number.

One final security measure you can add is the option to erase all the data on the device if the passcode is entered incorrectly 10 times. This ensures someone can’t methodically try every number until they hit upon the correct code, since chances are the data will be wiped before they get there.

Be Sensible With Your Data

Obviously you can’t just rely on passcodes to keep information secure. You have to make sure you aren’t careless; leaving addresses or phone numbers in the Notes app means they’re available for anyone using your iPhone to see. Similarly, don’t store important information such as credit card numbers or pin numbers on the device at all, unless you are 100 percent sure the data is encrypted and secured using a password. The best way of storing extremely sensitive data like that is in your memory, rather than keeping it stored somewhere accessible.

Also be wary of using password managers designed for iOS. Some of them don’t encrypt your data at all, and only hide it behind an insecure passcode. Other services store your information on their own server rather than on your device, which means it’s susceptible to data theft if the service gets hacked, which is what just happened to LastPass, for example.

Wipe the Data Remotely

If your iOS device does happen to fall into the wrong hands, you can use Apple’s free Find My iPhone service to locate the device and wipe any data on it. Find My iPhone is available to all MobileMe subscribers, and is also available to non-subscribers with an iPhone 4 or an iPad. To set up Find My iPhone on your device, go to Settings > Mail, Contacts, Calendars and choose Add Account. Then enter either your MobileMe credentials or your Apple ID (the same one you use for the iTunes store) and choose to turn on Find My iPhone.

Now if your device gets lost or stolen, you can find where it is, and if necessary, wipe everything on it. To do so, open the MobileMe website, me.com, in your browser, log in and go to the Find My iPhone tab. You’ll see a list of the devices that you have set up with Find My iPhone, and you can click on a device’s name to show its location on a map.

You can then click the blue triangle icon next to the name on the map to see more options. To completely wipe the selected device, choose Wipe. Everything on the device will be erased, and it’ll be as if it were new — nothing is left behind. Don’t worry, if you then get your device back, you can restore from a backup using iTunes.

Got any other tips for securing data on your iOS devices? Share them in the comments.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A Media Tablet Forecast, 2011 – 2015
• The Future of Workplaces
• Report: A Mobile Video Market Overview

As Bobbie reported earlier, the iPhone’s location data logging actually isn’t a new thing. Law enforcement has been using the data for quite a while, according to researcher Alex Levinson, who told GigaOM that the iPhone’s location tracking file isn’t new to iOS 4 (it just changed file locations) and it has been public knowledge in security circles for quite some time now.

That law enforcement knows how and where to access this info may provide partial answers to some of Sen. Franken’s questions. For example, he asks first “Why does Apple collect and compile this location data? Why did Apple choose to initiate tracking this data in its iOS 4 operating system?” Well, first we now know that this isn’t new to iOS 4 thanks to Levinson. And second, if legal authorities are making use of the data for forensic investigation purposes, isn’t it possible that might be one of the reasons behind its inclusion?

While it’s possible, I doubt actually Apple intended the location data log as a breadcrumb trail for use by the authorities, but the fact that it can be used in that capacity will no doubt be troubling to many, especially since the data is relatively easy to access without a court order, which is required when canvassing carriers for similar information.

Even though there’s no evidence to suggest that the location data is being transmitted to or used by any other party, including Apple itself, Franken clearly isn’t content to just let that assumption lie. Citing the fact that “[i]t is … entirely conceivable that malicious persons may create viruses to access this data from customers’ iPhones, iPads, and desktop and laptop computers,” he presses Jobs for more info about the nature and purpose behind the preservation of this sensitive information. Here’s the full list of all nine questions, in the order presented by Franken:

1. Why does Apple collect and compile this location data? Why did Apple choose to initiate tracking this data in its iOS 4 operating system?
2. Does Apple collect and compile this location data for laptops?
3. How is this data generated? (GPS, cell tower triangulation, Wi-Fi triangulation, etc.)
4. How frequently is a user’s location recorded? What triggers the creation of a record of someone’s location?
5. How precise is this location data? Can it track the user’s location to 50 m, 100 m, etc.?
6. Why is this data not encrypted? What steps will Apple take to encrypt the data?
7. Why were Apple consumers never affirmatively informed of the collection and retention of their location data in this manner? Why did Apple not seek affirmative consent before doing so?
8. Does Apple believe that this conduct is permissible under the terms of its privacy policy?
9. To whom, if anyone, including Apple, has this data been disclosed? When and why were these disclosures made?

Apple has yet to make any statement regarding the iPhone and iPad’s location tracking practice. And there are, as of yet, no definite answers to the questions above, beyond the one provided by Levinson regarding the file’s presence prior to iOS 4 mentioned above. I’m curious as to the answers, and I’m sure many others are, too.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Privacy Legislation’s Potential Impact on Online Media
• Why the Mobile App Industry Needs to Address Privacy — Now
• 5 NewNet Milestones That Won’t Happen in 2011

The file that does the tracking is called “consolidated.db,” which contains latitude and longitude coordinates attached to a timestamp. It’s not clear exactly what triggers your device to record a location, since the recording appears to vary considerably in terms of frequency. Allan and Warden suspect that the logging may be triggered by travelling between cell towers, which aid in location determination, or by activity on the phone, like using apps. It isn’t clear why Apple began storing this info in iOS 4, but Allan and Warden are convinced the effort is intentional.

Back in March, a German politician working with German newspaper Die Zeit sued Deutsche Telekom to get access to his own location data from his mobile phone, and put together a visualization of where he’d been for six months. Carriers do have this data, but it requires a court order to get it from them. Using the iOS 4 location tracking file (which is stored on any computer where you’ve synced your device) and a free, open source application developed by Allan and Warden, anyone can now do the same in about two minutes with virtually no technical expertise.

Allen and Warden warn that the info can be easily accessed on the device itself, in addition being in backups on computers you’ve synced with. Users who want to protect themselves can encrypt their backups through iTunes, but that doesn’t stop information on the device itself from being accessible. We’ve reached out to Apple about the issue and will let you know if they provide any additional info about how to ensure your data remains private.

As you can tell from the screenshot of my location data included in this article, I’m not particularly concerned about this data being out there, but I tend to lean towards the open and trusting end of the scale when it comes to information sharing. Then again, that probably makes me a prime candidate for things like Please Rob Me, and many others will likely not be so comfortable knowing their iPhone or iPad has a relatively accurate record of their whereabouts over the past year or so. Is this disturbing to you, or just a neat visualization trick you can show your friends?

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• A Media Tablet Forecast, 2011 – 2015
• The Future of Workplaces
• Why the Mobile App Industry Needs to Address Privacy — Now

Apply Software and Firmware Updates

While many check for iOS releases and Mac OS X updates, it is a little less common to remember to update your AirPort products.  In addition to the security updates that you get with OSX and iOS releases, there are actually two additional components that you need to track of, the AirPort Utility application, and your AirPort products’ firmware.  To determine if your AirPort devices are all up to date, launch the AirPort Utility and select “Check for Updates…” from the AirPort Utility menu.

Setting Up Your Wireless Network

There are five basic things to keep in mind when setting up your wireless network. Once a device is on the network, these settings will not make any devices themselves secure from an attack.  These particular settings will just make it a little harder for rogue devices to find and connect to your wireless network.  To access these settings, launch the AirPort Utility, select your AirPort device from the left and click on “Manual Setup.”

1. Disable WAN Setup — This feature of AirPort allows one to configure their network from the internet.  By disabling this feature, you will be limited to applying updates from inside your network.  This setting is located on the AirPort configurations under Time Capsule or Base Sation (depending on which product you are configuring):
2. Set a Hidden Network Name — While many network client access software packages seem to do a pretty good job of locating hidden networks, it is still a good idea not to broadcast your networks name.  This setting can be found under the AirPort configurations under Wireless, by clicking on the Wireless Network Options button:
   
3. Use WPA2 Encryption — Wi-Fi Protected Access II (WPA2) is now mandatory on all Wi-Fi devices.  It is based on the IEEE 802.11i standard which includes “government-grade” data encryption. It’s much more effective than either WEP or WPA protection.  This setting is located on the AirPort configurations under Wireless:
4. Choose a Strong Password — Apple provides a password assistant to help you establish a strong password for your network.  Be sure to use a mixture of uppercase, lowercase, numbers and characters when choosing your password.  It is also a good idea to use at least twenty characters.  When setting your WPA2 security settings, click on the Key icon to display a password helper:
5. Establish MAC Address Filter — This configuration when used properly can be thought of as a managed list of exactly which devices will be permitted on the wireless network.  If your device’s MAC address is not on the list, it will not be alb e to joint the network.  This is only manageable when working with a finite number of devices on a network that has the same users day in and day out, which is often the case in a home.  This setting is located on the AirPort configurations under Wireless.  Click on the “plus” sign to add a new device. See the next section for advice on finding your device’s MAC address.

Determining your MAC Address

A Media Access Control (MAC) address is a series of six groups of two hexadecimal digits separated by a colon.  On a Mac, you MAC address can be found by clicking on the Apple in the upper left corner of your menu and selecting “About This Mac.”  From there, click on the “More Info…” button and navigate to the “AirPort” section under “Networking.” Be sure that your AirPort is turned on in order to see the settings.  On your iOS device, launch the Settings App and navigate to “General” then select “About.”  Here you will be able to locate the Wi-Fi address.

Securing Your Devices

This gets a little more complex as it depends on how functional you want your devices to be on your local network.  As soon as you start sharing printers, files, and screens, you open up each device a little more and make it less secure.  Enabling Bonjour services, allowing remote login, and configuring services like Back to My Mac over the internet also compromise security.  If you want maximum protection, the only option is to disable all of those services, block all incoming connections, turn on your firewall and enable stealth mode. For most users, of course, this is probably overkill, so pick and choose these options based on how you use your network.

Conclusion

With all of the new Apple products and other connected devices available, it is quite a hassle to register each devices MAC address as well as configure your hidden network settings with a strong password.  But once set up and configured properly, you will have about as secure a network as is possible for consumer-based, off-the-shelf wireless security.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• 3 Trends Defining the Future of the Digital Home

In his open letter regarding the exploit, VeriFone CEO Douglas G. Bergeron explained how it works:

A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

VeriFone even went so far as to release the version of the fake Square app it created to the public as an .ipa/provisioning file combo for installation on your iPhone or iPad. The company is sending that same app to Visa, MasterCard, Discover, American Express and JP Morgan Chase for their consideration.

There’s no denying that Square presents a risk to consumers in the manner indicated by VeriFone. The app does indeed do what it says on the tin, providing a way for motivated criminals to acquire and potentially abuse the sensitive personal info of duped credit card holders. But there’s also no denying that VeriFone has a considerable vested interest in seeing Square fail.

VeriFone is in the business of securing digital transactions. It entered the mobile payment game shortly after Square, going head-to-head with Square using its own PayWARE mobile payment hardware and app for iPhone, and just this month last year it announced Apple Store availability for that PayWARE product. VeriFone obviously wouldn’t include this in its open letter, but it’s at war with Square.

Exposing Square’s security vulnerabilities in this manner is an act of outright hostility on VeriFone’s part, and a sign that it’s unnerved by Square’s growth. Not only did the company create an app that specifically targeted Square’s payment system, it publicly released the finished product of that effort for public distribution. I contacted VeriFone and Square to see if the company made this info available to Square privately before going public, but I’ve yet to hear back. If this move is coming at Square out of the blue, it’s a severely murky ethical move on VeriFone’s part, since normally, white-hat hackers (those who don’t intend to use exploits for malicious purposes) privately approach companies to get them to address vulnerabilities without going public. Technology and intellectual property lawyer Evan Brown of Internet Cases had this to say about the ethics of VeriFone’s actions:

In my mind this isn’t so much of a legal issue as it is an ethical one. And in all this we’ve got to stay aware of VeriFone’s motives. Naturally it views Square as a competitive threat, or at least as a threat to the integrity of that industry. The question refines itself into an inquiry of whether VeriFone has gone too far by doing this, or in other words, whether the benefit created by releasing this application  into the wild (awareness raising) outweighs the real potential for the technology to be used for harm. Was it really necessary to put the skimming technology into the marketplace, thereby placing real consumer money at risk to make the point? It’s a great question for utilitarian philosophers to ponder. Personally, I’m hard-pressed to find a good philosophical justification for actually releasing a technology that has stealing money as its main purpose.

The exploit’s release could even be legally questionable, since if the code released is used for illegal purposes, VeriFone could even be subject to prosecution, as happened with PS3 hacker Geohot. Brown shared his thoughts with me about whether VeriFone could potentially be subject to any legal recourse on the part of Square or users who might be affected by malicious use of this tool:

It’s interesting to consider whether a victim of theft committed by this tool could sue VeriFone for what one might call “contributory” theft. The victim could borrow from copyright law on this: remember Grokster.  The courts shut down Grokster because it marketed that tool as an instrument to commit copyright infringement. But a claim like this would definitely have its difficulties — Grokster lost because of the way it marketed the product, i.e., “go use this to infringe.” VeriFone has cloaked its communications in the name of public service — “we’re releasing this to show how bad Square is.” There’s an important difference there, one that would likely protect VeriFone if a victim were to take it to task.

Another angle involves copyright again — it would be interesting to know whether and to what extent VeriFone had to use any code proprietary to Square to develop the skimming application. That might give it some copyright infringement problems. I have no idea whether it had to or not. Similarly, did VeriFone have to circumvent any of Square’s DRM to create the application? That could give VeriFone problems under the anticircumvention provisions of the DMCA.

In short, VeriFone looks to have mostly covered its back with regard to any serious legal implications, but that doesn’t mean this isn’t still a very aggressive and ethically questionable move. This is an ugly turn in an already steeped battle, and we’ll keep you updated if and when hear back from both sides.

UPDATE: Edelman PR VP Victoria Brown got back to us with official comment from Verifone. In response to the question of whether or not Square was notified in advance that this vulnerability existed, she had this to say:

The devices are already in the market, so we felt there was a compelling need to alert the public. Square has known about its security flaws for months now (and we were not the first to point it out), but has chosen to ignore the issue and focus on doing whatever it can to boost the numbers of those systems out there.

UPDATE 2: Brown also shared this comment regarding the legality of the app released by VeriFone to demonstrate the Square vulnerability:

The app VeriFone published is a demo version and does not contain source code so it cannot be used for skimming.

This means that the VeriFone demo app then probably can’t lead to any legal action on the part of users or Square.

UPDATE 3: VeriFone has taken down the demo app it created, and the video of the app in action since this post was originally published, so neither are available in the updated version of VeriFone CEO Douglas Bergeron’s open letter linked above.

We have yet to hear from Square, but we’ll update again as needed.

Related content from GigaOM Pro (sub req’d):

• Mobile 2011: Trends Not to Expect
• Platform Makers Placing Big Bets on In-App Payments
• Near Field Communication: More Than Just a Mobile Wallet

If you’re getting or giving a new MacBook during the next couple of days, then grab Mac app Hidden, which provides a number of theft prevention services. Now until January 2011, the app is free. All you need to do is register, download and install.

What does Hidden do? It’s a little bit like Find My iPhone for your Mac computer, in that it lets you track where your computer goes, so long as whoever stole or bought your stolen computer from the original thief turns it on and connects to a wireless network. The app then connects to the Skyhook network of Wi-Fi signal towers (the same one the iPhone and iPod touch originally used for geo-location services) and reports back with the approximate location of your Mac.

Hidden also offers more than just location tracking, though. It launches a three-pronged attack agains thieves, by also attempting to identify them and keeping track of what they do with your computer. It accomplishes the first by taking pictures periodically using your built-in iSight camera, and the second by taking screenshots of your computer when it’s in use, which should help you know whether or not a thief attempted to access and abuse your private data.

The Hidden app doesn’t display an icon in the Applications folder, or a menu bar item, or even a preference pane in the Settings app. That way, no one will know that your Mac is being tracked. Once you’ve registered, you can sign in to the Hidden website from any computer and track computers on which you’ve installed the Hidden app right from a web-based dashboard. All you need to do is change the status of the machine to “Stolen” and Hidden will start gathering data. You can also set it to “Test Mode” if you want to see what kind of info you’ll receive in case of theft.

You can uninstall the app by following instructions found on Hidden’s FAQ, but it requires an administrator password, so as long as you’ve set a strong one, thieves shouldn’t be able to do the same.

For the great price of free, this is a great way to give some piece of mind this holiday to Mac-using friends and family.

Related content from GigaOM Pro (sub req’d):

• Motives and Possibilities for a Big Apple Acquisition
• Why Browsers Don’t Matter Anymore
• Why Humans are the Biggest Threat to Cloud Adoption

Securing your Mac can be both simple and complicated, depending on your usage and expertise, but the best place to start is with the access privileges granted to each user account created.

Create a Separate Administrator Account

Preferences > System > Accounts. The first thing that should be done is to disable administrative privileges for all active users.  There really is no good reason that any regularly used user account should have administrator privileges.  That isn’t the to say that no one needs to do administrative work on Macs.  Create a special Administrator account and keep its password a secret.  Change the Administrator’s password frequently and don’t forget it. Apple allows you to create a reminder question, so that helps.

Now, whenever you need to do something like modify a preference, or install software, you’ll be prompted to enter an admin ID and password, but so will remote users trying to take control of your system to install malware.

Disable Automatic Login

Preferences > System > Accounts (Login Options): Turn off automatic login. About the only time that it makes sense to turn on automatic login is on a publicly accessible Mac where a locked down guest account has been created.  This will prevent people from accessing your information when they gain physical access to the Mac.

Require Password Lock when Sleeping

Preferences > Security > General. Require a password lock no more than five seconds after the computer goes to sleep or the screen saver is enabled.  This will lock things down when you leave your Mac unattended for an extended period.  I also like to set a hot corner to enable the screen saver for when I need to make a quick getaway.

I have mixed feelings on forcing a log out after so many minutes of inactivity.  I’ve found that if I leave applications running, and documents aren’t saved, this particular security setting is basically useless.  My Macs are running for weeks, if not months, and I like to leave applications running for just about as long. Depending on how you use your computer, you might want to enable automatic logout after a set amount of time.

Require Password to Modify Preferences

Preferences > Security > General. Here, you can opt to require a password to unlock each System Preference pane.  This will ensure that settings will not be changed by just anyone.  This setting only makes sense when you are also carefully managing access to your administrator ID and password.

Block All Incoming Connections

Preferences > Security > Firewall (Advanced). First, turn the firewall on if it isn’t already.  If possible, block all incoming connections as well.  This may not be possible if you’re sharing files, or using applications that require inbound connections like Dropbox, or even certain Mac apps that sync with their iOS counterparts.  I would also recommend enabling stealth mode.  This will help prevent unexpected requests, such as ICMP (ping), from getting a response from the system.

Do Allow Safari to Open Safe Files

Safari > Preferences > General. By default, Safari will open all files that it decides are safe to open.  This is meant to be a convenience feature when downloading files from the Internet, or opening attachments using web-based email programs.  Be warned; there’s no such thing as a “safe” file.  Disable the open “safe” files after downloading feature in Safari.

Update Your Mac’s Software Daily

Preferences > Software Update. Be good about applying updates, especially security updates. It is a good idea to have the Mac check for updates daily, and then download them automatically.  That way, the software will likely be ready to install the moment you realize an update has been issued.

Don’t be fooled; Macs can be just as insecure and vulnerable as any other technology out there.  Mastering the seven security related features outlined above will go a long way to help keep your Mac as safe and secure as possible.  Remember: You are the biggest security risk to your Mac, so watch where you click.

Related content from GigaOM Pro (sub req’d):

• Privacy: How to Avoid the Third Rail of Online Services
• Social and Online Media Need Privacy Plan Now
• Strategies for the Future of Digital Content Storage