Apple’s OS X “El Capitan” first impressions

TL;DR: Faster, more secure, better looking, and the latest thing.
I upgraded last night.  NOTE:  it’s BIG (6 GB).  For those of you who still have data caps, this can be a problem.  Start the process, and then go to bed.
What’s great so far:
1) You can see the new usability features from the website, which is the first specific item in the Help menu in Finder:
[Image: The El Capitan Finder help menu]
In my case, upgrading from Yosemite (10.10), this points to:
2) The new font.  You will hardly notice it, except that the user interface looks…clearer.  Apple has chosen a font that will look great on Retina and non-Retina displays.  I am typing this on my trusty workhorse of a 2009 iMac, and it looks very clean and clear.
3) Faster graphics (including text rendering).  Much of the old OS X was built on top of OpenGL.  OpenGL is still in place, but now the graphics library calls used by all apps go straight to Metal, which is Apple’s new “more direct to the hardware” API for rendering graphics.  It first debuted on iOS, where it made rich 3D games possible with lower CPU use, and therefore lower power use.  Think of it as DirectX for the Mac.
This means it will be faster for you, including on old machines, and it doesn’t break anything.  Note to business folks:  when developers tell you “we need a layer of abstraction,” this is why.  These changes are invisible under the layer of abstraction that is the Mac programming API.  Developers are free to make things work faster and better without breaking existing programs.
4) Application Transport Security.  A huge number of applications (on all platforms, sadly) either don’t use modern encrypting transports when talking to web applications and web services, or, worse in some ways, use the secure transports badly, giving the impression of security without the full benefit.  This enables things like “man in the middle” attacks, where your information that should be secure can be intercepted by an untrusted third party.  ATS enforces “works or breaks” use of secure transport by:
     a) requiring applications in OS X and iOS to use the latest secure transport, TLS 1.2.  Previous versions are known to be broken from a security standpoint.
     b) Except:  exceptions for particular domains may be made, but they must be explicitly listed.  (This is a small lie; you can tell ATS to allow unsecured connections.  BUT DON’T DO THAT.)
     c) Only ciphers which support forward secrecy are supported.  This obsoletes a number of ciphers which permit man-in-the-middle attacks, as above.
NOTE: item 4 breaks a number of applications.  THIS IS A GOOD THING; THEY NEEDED TO BE FIXED.  IF the development companies decide NOT to fix them, there’s a work-around…but don’t use it, *you are betraying your customers by doing so*.  Take the (minimal) time and DO IT RIGHT.  (Sorry for the CAPS.)
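A check to go with item 4, as an added example (not code from the post): it parses an app’s Info.plist with Python’s plistlib and flags the app-wide NSAllowsArbitraryLoads opt-out, plus any explicitly listed per-domain exception that lowers the TLS 1.2, forward-secrecy or no-plaintext defaults. The sample plist and the host name legacy.example.com are constructed for the example; the ATS key names are Apple’s.

```python
# Added example (not from the post): audit an Info.plist's App Transport
# Security (ATS) settings for the blanket opt-out and weakened exceptions.
import plistlib

# Constructed sample Info.plist: one app-wide opt-out (the "don't do that"
# case) and one explicitly listed exception for a single legacy host.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def audit_ats(plist_bytes):
    """Return (severity, message) findings for the NSAppTransportSecurity dict."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("HIGH", "NSAllowsArbitraryLoads is true: ATS is off app-wide"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        # Each listed domain can lower the defaults; ATS defaults are TLS 1.2
        # minimum, forward secrecy required, no plaintext HTTP.
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("HIGH", f"{domain}: plaintext HTTP allowed"))
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") != "TLSv1.2":
            findings.append(("MEDIUM", f"{domain}: minimum TLS version below 1.2"))
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(("MEDIUM", f"{domain}: forward secrecy not required"))
    return findings

if __name__ == "__main__":
    for severity, msg in audit_ats(SAMPLE_PLIST):
        print(f"[{severity}] {msg}")
```

Run it against a real Info.plist by passing the file’s bytes to audit_ats; an empty result means the app keeps ATS’s defaults everywhere.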
Remember, these are just first impressions.  I will post a follow-up later.  Looking forward to trying out some of the new features (full screen split screen!).
Have an excellent day,

DO Encrypt, DON’T Panic

Or, What the ‘strong encryption’ requirement means to Psychologists (regarding Fact Sheet #16 issued by the Information Privacy Commissioner of Ontario).

Why I’m writing this: I have a number of friends and associates who are Certified Psychologists in Ontario, and have been asked, casually, what exactly this fact sheet means.

Bottom line:  If you are a Psychologist providing health information to a health network provider, or a user of health information in the sense of PHIPA and its regulations, you need to secure all portable healthcare data as below. If you are NOT, you DO NOT have to.  If you do, or if you aren’t sure, please keep reading…


The Elements of Security: Omit Needless Software

[Inspired by a mail virus that’s going around, and the classic Strunk and White text, The Elements of Style]

DO NOT install random software from friends, links you get in email, ‘free’ screen savers, and the like. Less is better. Your systems will be faster and more secure, and you don’t need them.  Even if they work, they are a waste of your time and system resources.

Here’s a longer aside for those of you who are thinking “But surely you don’t mean avoid installing anything?”

If you DO need something, do the research and get what you need for the time and money price you are willing to pay.  (Free isn’t necessarily what’s best for you;  the ‘more expensive’ package can easily be better for you in the long run.)

Here are a couple of relevant examples:

1) Web browsers:  Firefox, Safari, and Chrome.  Great web browsers, all free, and worth the minor work to keep them up to date. They all have their strengths; I use Firefox most often, but both Safari and Chrome for some other tasks.  (Comments are more than welcome!)  Sorry, I’ve been burned too many times by Internet Explorer to want to use it, and the other browsers support a wider range of machines, since Microsoft has dropped upgrade support for older Windows versions, and doesn’t support other operating systems.  Your mileage may vary.

2) EVault data protection software.  Yes, there are free alternatives, but for your business servers, where you really, really have to be able to recover, these folks are really good.  I’m no longer with the company, but I did run the engineering team for a year and a half, and I still happily recommend the products and services.  The free/‘freemium’ alternatives are good as far as they go, but system restoration is tricky, and EVault gets it right.  EVault software is owned, and the service operated, by i365, a Seagate company, so you know they’ll be around.  Highly recommended.

I’d love to have comments on other ‘elements of security,’ so please feel free to chime in.


Getting cranky about “IT Policy,” and improving your password practices

I just read a helpful article about tuning organizational password policy but I’m afraid it rubbed me the wrong way.

What it says is helpful and mostly good practice, but it fails to address the problem from the perspective of the users, and does the usual “well, this will be a pain for the users, but it’s good policy, so we’re recommending it,” which is one of many reasons why people hate IT departments. (I say this as a seasoned IT professional, and I hate us, too. 😉)

IF you notice that YOUR passwords violate any of these rules, chances are that they are already broken. Change them now.

To all password users, everywhere: Make your passwords unguessable as best you can. If someone guesses your password, change it. Corollary 1: Since you can’t know if someone might have guessed your password, change it from time to time. If you feel that you have to make a list of passwords, make a list of reminders, not the actual passwords, and keep it safe (not where someone can look at it without you knowing about it). More detail below.

HOW: