Monthly Archives: June 2015

security

DON’T CALL ME—I’LL CALL YOU

1 Comment

Write the following on the blackboard of your life, right underneath “There’s no such thing as a free lunch”:

Neither Microsoft nor Apple will ever phone you to fix your computer–at least not unless you have phoned them first.

Today, one of my senior clients got a call “from Microsoft.” Since she had been having problems with her DSL recently, she made the mistake of believing the caller. She complied with all his instructions and let him log into her Windows machine remotely, whereupon he showed her several screensful of “critical problems” that he said he would fix right away… as soon as she paid him $400 for the work.

“I don’t have that kind of money to throw around. You never said anything about a charge when you called me, and I’m not paying you anything.”

“You’d better pay me now, because if you hang up on me, you can’t call me back, I won’t call you back, and if I don’t get paid, you’ll never use Windows on your computer again.”

Refusing to be extorted, she hung up on him anyway, and then phoned me to see if there was anything I could do about her situation. When I showed up, I tried booting her system in Safe Mode, whereupon I was met with the demand, “This computer is configured to require a password in order to start up.” She had been victimized by a “ransomware” scammer.

A little time spent with a search engine revealed that my client had been saddled with a “SysKey password.” Establishing such a password encrypts a Windows data area called the”SAM registry hive,” so simply removing the password by force won’t fix this situation, and could result in the destruction of any number of other files. The same search showed many instances of other scammed users being victimized by this same exact trick.

I had to take the machine down to the shop, safestore the user files for insurance, then reset to a restore point from about a week ago. The backup process took longer than I would have liked, but my client was back to happily using her machine quicker than our scam caller could give his mother her next STD.

Unfortunately, these scams are on the rise. This is the second senior in my (admittedly small-town) client base who has been hit with a similar scam in the past quarter. The other was called by the fraudsters at Kavish, and had paid them $149, which (at my urging) she recovered by disputing the charge with her credit card company.

The lesson here is not to trust unknown callers who phone you with official-sounding requests, whether they say they are calling from Microsoft, your bank, a store, a law enforcement agency, or anywhere else. If you didn’t initiate the call and you don’t personally know the caller, treat him just as you would treat Peggy from Siberia: tell him nothing, and allow him no access to your stuff.

If you’ve called Microsoft, or Apple, or any other company for technical service, they will give you a ticket number. Write it down. When you receive a genuine return call, the caller will have that ticket number. If they don’t, hang up, and call the main number back.

hints, Macintosh

Bad Apple Mail—No Password!

Leave a comment

This bug really burns me, because it’s been around forever, and Apple just isn’t doing anything about it.

Anyone who has used Apple Mail for more than a week has seen the following dialog box:

mailcantconnect

Of course, the natural response is to obey and type your password.

Don’t do it. 

Here’s why:

There are a half-dozen or so reasons why a mail transaction will fail. The mail server may be busy, hung, or dead. Your Wi-Fi may be down or your ethernet cable may be loose. There could be a network interruption in the greater internet somewhere between you and your mail server. Or, you could actually have supplied the wrong password for the account.

Unless your mail account is brand new, or you recently changed your mail password, the probability that this last choice is really your problem is vanishingly small.

However, that’s not Apple Mail’s opinion. “Couldn’t contact the server? Oh no, it has to be a bad password!” So Mail puts up this dialog box, inveigling you to type in your password again.

There is no upside to complying with this request. 

There are two probabilities here that absolutely dwarf all others: you will type in your password correctly, which won’t solve anything because your password was never the problem; or you will type in your password incorrectly, at which point you have now compounded your original problem by layering a worse one on top of it.

The real joker in the woodpile here is that one of the biggest reasons for typing in your password incorrectly is because you have actually forgotten your correct password. Now, a lost mail password can be retrieved using Keychain Access on your Mac… unless of course you have just overwritten it with a bad password because you responded to this idiotic query from Mail.  😡

The good news is that if you avoid thrashing at this juncture, you can still recover. Mail stores the POP/IMAP (incoming) account password separately from the SMTP (outgoing) account password, and in almost all cases known to man, they are the same password. Use Keychain Access to view the one you haven’t yet damaged, and beat this particular reaper.