Saturday, November 19, 2022

Let Sleeping Services Be

AKA the latest scam attempted on me, with most of the caller's fumbles of his script left out.

A call claiming to be from my ISP (I have never used them for home internet, but the phone number had been with them at one point, so the scammers may be matching the claimed ISP to whoever your phone number has been with), saying they had a failure on their server, that 70% of services had stopped, and that we needed to fix them.

Caller: How many devices do you have using the internet?  

Me: (quickly count the list) I have 15 IPs active today as seen on WhoIsConnectedSniffer (software I have running on my computer most of the time), but some of them should never get to the internet.   

Caller:  Then I need you to get in front of your computer.

Me: OK, since that is where you caught me, where did you think I had WhoIsConnectedSniffer running? Yes, I am there.

Caller: (sounding confused)
(a bit of back and forth with this drone in a call centre, to get him back on track of the scam to see where it is going)

Caller:  Do you see the Windows key?  Hold it down and press R

Me:  Ah, you want the Run prompt, OK, I am there.

Caller: Type in msconfig and then press the OK button.

Me: (I know this first bit is safe, so I proceed) Oh, it looks a bit different since I last looked this way; I see the tabs: General, Boot, Services, ...

Caller:  OK, need you to click on Services, now see how many are stopped. 

Me: Yes, I see many of them stopped, and that is the normal amount I expect there.

Caller: Then we need to remote into your computer to fix these stopped services as part of the service you paid for.

Me: But those services aren't needed, in fact some of them really shouldn't be running most of the time, rather like one doesn't leave their car running in the garage when they aren't driving it.

Caller:  But you paid for this service, so we need to restart them for you.

Note: This goes on back and forth for nearly 5 minutes until a meeting reminder gets me wrapping up. I could have dragged him along for ages if I had the free time.

Me:  I have several ways to prove you are a scammer. 

  • I'm not with the ISP you claim to be, though I have worked with them.
  • It is normal for Windows to have stopped services, as many are used only occasionally and the system knows how to trigger them on when needed, or they are only on when the applicable hardware is turned on. For example, the Bluetooth support service is stopped because I don't currently have Bluetooth turned on.
  • Clearly, as someone who mainly works on Linux servers, I still know way more about Windows than you do.

Caller:    Ahh..ahh....ahhh..........

The line goes dead. He was clearly very new at this, or was just following the script in front of him.

Summary:

If you ask a question and they immediately re-ask their question, it is almost certainly a scam. 

Stopped services on your computer are a normal thing, just like your microwave or shower not running much of the time. A server failure at your ISP is not going to impact the services on your computer; if necessary, a reboot of your system is all you should need. Never let one of those callers remote into your system, as that is a disaster waiting to happen. What exactly they will do varies, but it won't be in your interest.



Monday, November 7, 2022

Billing and working with clients

As a bookkeeper and an office manager, people have asked me questions about how to manage getting paid by clients. I have put together my recommendations for both billing and receiving payments from clients. This may not work for everyone, but I have seen it work, and it means you aren't working for free.

How often should I bill a client?

  • I recommend that if you are a consultant and working with clients, it is a good idea to bill them monthly. Billing at the end or the first of the month means it is easier to track when bills have been issued. If you have a standard flat rate for the clients, it is recommended to bill that at the beginning of the month. I also have a recommendation of either doing net 15 or net 30 days. I normally go with net 30 days for existing clients.

Client hasn’t paid the invoice, what do I do?

  • When the invoice is close to 30 days since issuing it, I recommend sending a reminder email letting the client know that the invoice is still outstanding. The wording I normally use is "can you let me know the status of the invoice?" This gives the client the chance to look into it without you saying it's due. If you don't receive a reply, you start slowing down the response time for emails.
  • At 45 days, another email is sent, but this time you do mention that the invoice is overdue and that you would like to know when you can expect payment. This lets the client know that payment hasn't been received and that maybe there is an issue on their end or some communication with you is required. At this point, if you are not getting a reply to emails, a phone call is required to talk to the client about payment. If you don't get any answers, this is when work really starts to slow down.
  • At 60 days from the billing date, another email is sent requesting payment and letting the client know that work will need to be slowed down or discontinued until payment is received. If a client says, "I promise to pay the bill, trust me", be careful, because this could be a sign of other issues. Try to set up a meeting with the client to discuss the situation.

Handling new clients

  • When you are approached by a new client, there are a couple of different ways to handle payment.
    • You can request a deposit via credit card for the work, as this ensures that you will receive some money for work being done.
    • You can let the client know that a bill will be sent immediately after the work has been completed, with net 15 days. This is the one time that billing monthly is not applied.

Can I do a credit check on a potential or existing client?

  • The simple answer to this question is yes. If you are going to be doing major work with a client that you have got out of the blue, it might be a good idea to do a credit check on them. Also, the biggest piece of advice I give is: if you don't get the first payment, and you just get a "trust me", it's time to do that credit check.
  • You can also do a credit check on an existing client if you are going to be doing major work with them. Remember, you are the one that will be providing your services, and you need to make sure that you will be receiving payment for them, as we have seen non-payment happen in the past.


Summary

It is difficult when you don't receive payments from clients, but if you make sure that you are fair with them, there should be open communication. When clients start not answering your emails or phone calls, it's time to start looking at how you can let them know that work is going to have to be reduced until some payments are received. Remember, do not spend the money that is owed to you until it's in your bank account. Using the money before it's in your bank account can result in a big financial challenge for your own business.

Billing and working with clients can be a challenge, but if you establish a standard way of billing and communicating with a client, it does help a lot. Don't be afraid to ask for advice from other small businesses, because it helps to hear what other people do as well. Asking a client for payment can be a challenge, but it's better than just sitting back and hoping that one day you will receive payment for what they owe you.



Wednesday, August 10, 2022

Wired is Better

The debate is not wired vs. wireless, but wired vs. Less power|bandwidth|security.

Cables can be a frustration at times for many people, so being without them feels so freeing . . . to a point.

To go without wires/cables for signal still requires power, and if you don't have a wire to provide that, you certainly have batteries involved that have their own frustrations to deal with.

The Batteries.  

Replaceable or built in rechargeable?

How fast are they drained?

  • Fast enough that you get the replace-or-recharge process down pat? Or do they last long enough that you might not recognize the odd symptoms of the system for a bit before it clicks that it is time to do something with the batteries? (The mouse in the middle of an epic gaming session, or the keyboard in the middle of trying to write down that perfect award-winning idea.)
  • And for built-in rechargeables, that only lasts until they cannot hold a charge anymore.

Yes, there is wireless power transmission tech being developed, but:

  • Extra cost to have and to power.
  • Extra energy inefficiently spread through you in the form of non-ionizing radiation. We are many years away from any chance of proving it safe. Are you volunteering your body as a test bed?

The bandwidth you can put through radio (wireless communications) is about the same as a few strands of wire or fibre in a cable, and the radio spectrum is shared. So if you pack a room full of active Wi-Fi systems, each will generally get less bandwidth than if they were wired connections, especially if there are many other nearby users of those radio frequencies. How many Wi-Fi access points do you see near you? You are sharing bandwidth with them, and with anything else that might be using those particular frequencies that you can't see, such as Bluetooth on 2.4 GHz and microwave ovens, which are really noisy in that space.

Security is typically less with wireless. There are many more ways of intercepting wireless (radio) traffic, most without any indication that an interception has happened. Encryption can be defeated; it is anything but perfect. The end points of any wireless system can be attacked from a distance with a whole range of tactics, in addition to any possible wired attack vectors.

Example: some USB wireless dongles can be used to take over the computers they are plugged into. When did you last update your dongle's firmware? Is your dongle subject to MouseJack or KeyJack attacks?

Personal health is a potential issue with adding more radio waves going through your body and through those you may care about nearby. Radio waves are a form of radiation. While not the really nasty ionizing radiation from the fission of big atoms like uranium, it is still energy that we didn't evolve with. We are already seeing evidence of harm from cellphone radio waves.

So wherever you can, a wired/cabled/fibred connection is generally more reliable, more secure, more energy efficient, lower cost (especially over the product lifetime), uses fewer resources to make and operate, and has less impact on the surrounding environment. While there are always exceptions, they are just exceptions to a rule, not an invalidation of this point.

Wireless things have their place, but like everything in life, there are trade-offs along the way. Make them deliberately rather than letting marketing brainwash you down any particular path, as they won't tell you the hidden costs or risks.

Glossary: 

Wire - a single strand of electrically conducting metal. One is almost never enough.

Fibre/Fiber - a single strand of optical fibre, usually plastic, that carries light as the signal medium.

Cable - a bundle of wires or fibres in a protective jacket, i.e. what we usually see.


Tuesday, July 12, 2022

Paying it forward

For a lot of people, graduating from college can be a time when they say that they are done with education, and they aren't going to think about college ever again.

Well, Darlene has proved that, yes, you can graduate from college, but education never stops. She has also shown that paying it forward to the next generation of business students is important. Over the last couple of years Darlene has been mentoring students through the Ten Thousand Coffees program at Centennial College. She enjoys getting to know the students and new graduates and is always willing to share her knowledge and experience with them.

Recently, Darlene was interviewed for the blog "It Started at Centennial" for her journey from being a student at Centennial College to now being a Mentor.



Tuesday, June 21, 2022

Security Awareness Training Issues

Issues we've seen with some Security Awareness Training that limit its effectiveness, and ideas on how to improve them.

Does your solution suffer from these issues?

Training notifications resemble spam in a few ways (a sense of urgency, a link) in addition to being overly annoying, and that is likely why we have seen them blocked, labelled junk/spam, and otherwise ignored.

* The notifications don't give the assignee an idea of how long the training will take. For busy staff, especially those who have to track every hour (or less, as is the case for many professional service people) as billable, this makes it very hard to schedule into their plans, making it more likely that they defer until they have a larger block of time and the ability to listen to content, so they can complete it in one go.
      To Fix: List the estimated time to complete, whether it can be paused or must be completed in one go, and whether it is video (with or without audio), just a slide deck, or something else.

* Training is presented very piecemeal. Each element/training has its own mail stream, such that a busy person, in crunch time, can build up several queued training assignments and end up with multiple nagging messages a day. Junk mail handling is the easiest way to get them out of the way, as they clutter up the key production communication tool, email.
      To Fix: Consolidate those nag messages in some fashion. The default should be one a day, with options for both administrators and end users to set the preferred time and timings to better reflect the local conditions of The Work (the reason the business exists; the training is a secondary support function that won't be allowed to wag the dog).

* Training alerts are currently oblivious to work schedules, even the most standard one of Monday to Friday. The alert nag is based on X calendar days, not even X business days, so trainees get alerts outside business hours.

* If an assignee has been able to disconnect from email (weekends, vacations, collapse from overdoing a crunch, etc.), then they get a flood of those nags mixed in with all the other built-up demands on their time, leading to the nags being added to the rest of the junk mail handling.

* If an assignee is trying to use a weekend to get The Work done during a normally quiet time, it's an interruption during that quiet time, and again off to junk mail handling or similar in favour of The Work.

* If an assignee is only paying attention to email on a weekend for emergencies (because it is normally a quiet time; vendors who send their marketing on weekends get down-voted!), then any training alerts will only add up to frustration at the training and be invited into the junk mail handling process.
      To Fix: Default to X business days, not X calendar days, for the training reminders, with those as clearly separate options. The business days need to reflect the local statutory and common holidays; making this configurable would be nice, to add business-specific days that are reserved for things other than such secondary functions. A bonus would be a way to include (sync?) people's vacation schedules to pause the training timers over their scheduled time off. Perhaps this could also be the way to include business and/or regional specific off days.
      
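As an added illustration of the business-day fix described above (my own example code, not part of the original post or any training product), here is a reminder scheduler that counts business days, skips a holiday list and pauses while the assignee is on booked time off, next to the naive calendar-day scheme; the holiday, time-off and assignment dates are constructed sample values.

```python
from datetime import date, timedelta

# Constructed sample calendar: Canada Day 2022 (an Ontario statutory holiday)
# and a week the assignee has booked off. Replace with the organization's own
# holiday list and a feed of staff time off.
HOLIDAYS = frozenset({date(2022, 7, 1)})
TIME_OFF = frozenset(date(2022, 7, 4) + timedelta(days=i) for i in range(5))
SAMPLE_ASSIGNED = date(2022, 6, 27)  # a Monday; constructed assignment date

def is_off_day(day: date, holidays=frozenset(), time_off=frozenset()) -> bool:
    """True on weekends, listed holidays and the assignee's own days off."""
    return day.weekday() >= 5 or day in holidays or day in time_off

def add_business_days(start: date, n: int, holidays=frozenset(),
                      time_off=frozenset()) -> date:
    """Date `n` business days after `start`, skipping every off day, so the
    reminder timer is effectively paused while the assignee is away."""
    day, remaining = start, n
    while remaining > 0:
        day += timedelta(days=1)
        if not is_off_day(day, holidays, time_off):
            remaining -= 1
    return day

def business_day_schedule(assigned: date, every: int, count: int,
                          holidays=frozenset(), time_off=frozenset()) -> list:
    """Reminder dates spaced `every` business days apart."""
    dates, day = [], assigned
    for _ in range(count):
        day = add_business_days(day, every, holidays, time_off)
        dates.append(day)
    return dates

def calendar_day_schedule(assigned: date, every: int, count: int) -> list:
    """The naive scheme the post complains about: `every` calendar days
    apart, oblivious to weekends, holidays and vacations."""
    return [assigned + timedelta(days=every * i) for i in range(1, count + 1)]

def off_hours_reminders(schedule, holidays=frozenset(), time_off=frozenset()):
    """Reminders that would land on a day the assignee is not working."""
    return [d for d in schedule if is_off_day(d, holidays, time_off)]

if __name__ == "__main__":
    naive = calendar_day_schedule(SAMPLE_ASSIGNED, 3, 3)
    aware = business_day_schedule(SAMPLE_ASSIGNED, 3, 3, HOLIDAYS, TIME_OFF)
    print("calendar days:", naive, "off-hours:", off_hours_reminders(naive, HOLIDAYS, TIME_OFF))
    print("business days:", aware, "off-hours:", off_hours_reminders(aware, HOLIDAYS, TIME_OFF))
```

With the sample dates, the calendar-day scheme fires a reminder on a Sunday and another in the middle of the vacation week, while the business-day scheme fires none outside working days.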
Related to the off-hours notifications the system currently sends, these notifications also run up against a new legislative trend to protect employees' personal time (the whole work/life balance thing). Ontario is the first of the pack to have such legislation, and off-hours notifications put organizations based here in a rough spot; we may well be forced to find other training providers that respect the Right to Disconnect.
https://www.ontario.ca/document/your-guide-employment-standards-act-0/written-policy-disconnecting-from-work 

Saturday, April 2, 2022

Why SSL (TLS) is a must for all websites.

What is SSL/TLS?

They are the evolving encryption tools that make the difference between a web page (via HTTP) that can be clearly intercepted and ALTERED, and a page (via HTTPS) that is encrypted with a chain of trust, which makes it extremely difficult to view and even more difficult to alter in any way. If you want to know more, you can read more here.

To answer the questions of:

 - Why are some browsers making so much noise about your unSSLized site being untrustworthy?

 - Why is your unsecured site ranked so low on the search engines?

Reason #1, the big one.

If your website doesn't have proper TLS/SSL encryption in place, then anyone who can intercept a person's browsing can easily inject whatever hostile code they desire. It could be just changing what is showing on the page ("this site hacked!"), or silently injecting the latest ransomware, or worse.

You want your readers to get the message you so carefully crafted, not something else. You don't want them to equate you with putting malware on their system.

Reason #2
There is a pile of malicious scanning going on all the time, and just forcing your site to HTTPS causes a good portion of the scans hitting your site to simply go away. One of my sites was getting many dozens of links a month from very dubious sites before I forced a switch to SSL; then they just went away.

There is then the whole cyberwar part of it, where you could be caught in the middle of the big boys playing, as was clearly happening as part of a real hot war with the Russian invasion of Ukraine, as written up at the Internet Storm Center, where an entire block of IP addresses was redirected to another set of servers away from Twitter for a portion of the world. There are just too many ways for man-in-the-middle attacks.

So assuming you:

 - Don't want your readers scared away by the browser warnings

 - Don't want your readers to get used to a bad security practice because you taught them to

 - Don't want your readers' devices to become part of a hostile bot-net and/or worse.  

 - Would like (love?) your content to be more readily found by having a higher position in the search engines.

To get there

This is done on the web server itself, where you either pay for a certificate or use a free certificate service such as Let's Encrypt. First you want to make sure your site works with the certificate, so that you get that lock in front of your URL (aka address) in the browser, and then you want to set it so that all attempts to come in unencrypted (port 80) get flipped/redirected to encrypted (port 443).

If you built your server, it is time to go RTFM for this, as it is well documented for all web servers, and many others have written about the process. Your favourite search engine can also point you to resources.

If you are using a more typical hosted service, there is a very good chance the ability is sitting there in your control panel, just waiting to be turned on. Automatic free encryption has been a part of cPanel for a couple of years now (my hosters turned it on automatically for me), and a quick search shows that many of the others have a similar feature. So take a look at your control panel, use the knowledge base most hosters set up, or even contact their support to see how good they are.

There will be attempts to up-sell you to a higher grade of certificate. If you just have a basic, low-volume static site, then there is no real value in the "enhanced protections". If you are gathering anything beyond comments and email addresses, such as e-commerce orders, then an actual purchased certificate makes some sense. If you do go with a purchased certificate, make sure your hoster manages it and that the update/renewal process, which they should have, is automated, as certificates only last a year or less.
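To confirm that the port 80 to port 443 redirect described above actually took effect, here is an added checker (my own example, not code from the post or from any hosting panel) that requests a page over plain HTTP and reports whether it is bounced to an https:// URL on the same host; the two demo handlers are constructed stand-ins for a correctly and an incorrectly configured server, so the whole thing runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def check_https_redirect(host: str, port: int = 80, path: str = "/",
                         timeout: float = 5.0) -> dict:
    """Fetch `path` from the plain-HTTP listener and report whether the
    answer is a redirect to an https:// URL for the same host name
    (sites that bounce to a www./bare-domain variant need that allowed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()
    target = urlsplit(location)
    ok = (status in (301, 302, 307, 308) and target.scheme == "https"
          and target.hostname == host)
    return {"status": status, "location": location, "redirects_to_https": ok}

class _RedirectHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a port-80 listener set up as the post
    recommends: every request is bounced to the HTTPS URL."""
    def do_GET(self):
        host = self.headers.get("Host", "localhost").split(":")[0]
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo servers quiet
        pass

class _PlainHandler(_RedirectHandler):
    """Constructed stand-in for a site still serving pages in the clear."""
    def do_GET(self):
        body = b"<html>served over plain HTTP</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def demo(redirects: bool) -> dict:
    """Run the check against a throwaway localhost server on a free port."""
    handler = _RedirectHandler if redirects else _PlainHandler
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_https_redirect("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("redirecting :", demo(True))
    print("plain HTTP  :", demo(False))
```

Against your own site, call `check_https_redirect("your.domain")` and expect a 301 or 308 whose Location starts with https://.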

Do you require any assistance in securing your systems? Perhaps we can help.