Studio711.com – Ben Martens

The general media has picked up on a huge bug that rocked the tech world this week. I’m sure it’s partially because it has such a great name and logo. But what is Heartbleed and how does it affect you?

This isn’t a virus or malware that affects your computer. It’s a bug in some very critical code that is run by a lot of web servers. Basically, it gives out somewhat random chunks of computer memory to anyone who asks for it. That memory usually contains gibberish but sometimes it will contain things like user passwords or keys to the encryption of all the traffic going in and out of the server. The webcomic xkcd has a very simple explanation of the bug.

There are a bunch of things that need to happen to fix the hole. First the server admins need to patch their systems, get new encryption keys, and replace their SSL certificate. Once that happens, you can complete the final piece of the puzzle by changing your password. Some websites are being proactive and telling you when they’re ready for you to change your passwords. Others are being more quiet about it.

This whole thing has been *gasp* overhyped by the media. Yes, it’s a potentially big vulnerability but the odds of someone exploiting you are low, the patch is relatively quick and easy, and there’s evidence that nobody launched a widespread attack using this vulnerability before it was announced. That being said, updating your passwords is still a good idea. There are various lists around the internet that tell you which sites were affected, but this is one a pretty good resource. They are updating it regularly and telling you when it’s time to change your password (if you need to change your password at all.)

If you’re changing all these passwords but you aren’t using a password manager, consider getting started with something like LastPass.com. It’s free and easy. If you’re already a LastPass member, run their security checker tool. They’ll tell you which of your passwords need to be changed. LastPass was affected by Heartbleed too, but because they encrypt all of their traffic even underneath the SSL encryption, there’s no chance that any of the LastPass data was exploited.

So don’t fret about this too much, but do make sure you’re changing passwords as needed.

I know I’ve been making a lot of Power Query posts lately, but once you get into it, you start seeing data everywhere! The latest example is a movie draft that I participate in with some friends. I won’t explain what a movie draft is except to say that it’s like fantasy football for movies. We participate in a huge league run by Brian Brushwood and friends. They post a spreadsheet with all the data here: http://draft.diamondclub.tv/

I pulled those spreadsheets into Power Query, cleaned up the data, and voila, now we have an easy way to track just the people in our little group! You can see it at http://bit.ly/excelmovies We get interesting views like a leaderboard just for our group, and a list of the movies left for each one of us. I might add some more data views later, but these are the basics.

So if you’re in our movie group, how can you use it? You can use it passively by just visiting that bitly link every once in a while. I’ll update the data periodically for your enjoyment.

If you want to update the data yourself, add your own friends to the list of names to watch, and/or learn how the workbook was built, then you’ll need to do a little extra work.

1. Install Office 2010 or 2013
2. Install Power Query. If it fails then you don’t have the the right version of Excel. Sorry, you’ll have to stop here. (I continue to tell management that I think this is a bad decision.)
3. Go to the bitly link and click Edit Workbook > Edit in Excel
4. Save the file as a local copy.
5. Click Data > Refresh All and wait a bit. When the status bar along the bottom of Excel completes then you should be seeing new data.
6. You can see the Power Query queries that make up the workbook by clicking the Power Query ribbon and then clicking Workbook. You’ll see a side pane appear and you can double click any of those queries to start digging in.

Unfortunately I think Step 2 is going to stop a lot of you, but at least you can view the online link. And if Power Query doesn’t work with your version of Office, please feel free to complain in our forums!

If you’re running Windows 8, you probably got a pretty big update this week. The Windows team has been listening to the feedback and has made some pretty key tweaks to improve your user experience. PCWorld says “This digital love letter should woo over all but the most obstinate of the PC faithful.” So what’s included?

The user experience is tailored depending on the type of device you’re using. If it’s a traditional mouse and keyboard desktop computer, you’ll boot to the desktop and media files get opened in the desktop version of the apps instead of the full screen Modern App experience. Additionally, you can right click on tiles on the start screen and there’s a bar at the top of the screen for full screen apps with common controls like minimize, close, etc. Those full screen Modern Apps will now show up in your taskbar on the desktop just like any other app.

There are a couple other tweaks, but those are probably the biggest things you’ll notice after you apply the update. Go forth and enjoy! And keep giving feedback not just on Windows but on all your favorite Microsoft products. They listen!

A while back I wrote a post talking about the cameras we’ve set up around the house and the software that manages it all (BlueIris.) There’s nothing terribly new in this post except to give a long term test update and say that I’m LOVING this setup. The garage cam lets me easily check to make sure that I remembered to put the garage door home or see if my family is home so I can ask Tyla to defrost some meat for dinner. And since we don’t regularly use our front door, the camera there is a great way to know that we have a package waiting or that someone left a flyer in our door. I even get an email showing a couple images and a 5-second video of whoever was at our door. All of the cameras are great but those are the two that I use the most regularly and I’m eager to add some more coverage.

If you ever want help with a similar setup for your house, let me know. I’m happy to share info. You can get going with one camera and the software for around $100-$125 and then each additional camera after that is about $65. You technically can skip the software but it makes life a lot easier.

In yesterday’s post about all my Amazon orders, JonathanC posted an interesting comment: “How about this one as a Power BI challenge: current value of the portfolio if you had purchased stock of Amazon instead of the product.” … Challenge accepted!

I already had a list of all my Amazon orders. I think headed to Yahoo Finance and downloaded a daily history of Amazon stock stretching back to 2001 when I made my first product purchase. That came as a CSV file too. Both files got loaded into Power Query. I did a merge on the date column, removed the columns that I didn’t need, and added a custom column that was the money spent divided by the closing share price that day. That told me how many shares I could have purchased. A quick sum over that column divided by a sum of the money spent revealed that I would have made an 81% return on my money! But wait a minute, transactions aren’t free. If I was pay $8 per transaction then I would have only made a 37% return. But that’s silly since I probably wouldn’t have bought $10 of stock at a time like I do with Amazon orders.

So now you’ve failed Part 1 or Part 2 of this security series and you have a virus. What should you do? The best thing is to stop everything. Turn off the machine and call your favorite geek. Offer them cookies and ask nicely. Remember that the virus warning might be fake and there’s nothing wrong with your computer.

If it’s legit and your computer is actually infected, your favorite geek is going to ask two things:

1. Do you have all your data backed up? Good grief people, the answer better be a resounding yes. I’ve blogged about this so much. Here’s the test to see how good your backups are: if I walk into your house, throw your computer out into the street and drive over it, what is your reaction? If you’re only mad because of the money loss then you have good backups. If you start crying because of all the pictures and memories that you’ve lost, then YOU NEED TO BACK UP NOW. There’s no excuse for it. Go to http://www.crashplan.com and sign up. It’s stupid simple, nearly free and it will protect your precious memories without you having to think about it.
2. Do you have the discs to reinstall all your software? Take all those discs that came with your computer and throw them in a bag for safe keeping. If you buy physical software, add the discs to that bag. If you buy software on the Internet, save a copy of it somewhere (not on your computer) to be reused later. Don’t forget to keep all the product keys with the discs too. If you’ve lost the product keys to Windows or Office, check out Magic Jelly Bean (or this open source version). It’s a nifty tool that helped me out recently.

They want to know these answers because the best way to remove a virus is to wipe the computer and start over. The time it takes to do that will almost certainly be less than the time it takes to try to surgically remove the virus. And when it’s all over, wiping the computer is the only way to make sure the virus is really gone.

Part 1 covered attacks through your browser. Part is is about attacks via email. We just had a mandatory training for all employees at work because somebody had this happen to them on a work machine and it created a ton of trouble. You really have to be on the lookout.

The first rule is to never click any link that you get in an email. If you always follow that rule, you are extremely unlikely to have any problems.

Ok, we both know that rule will be broken. So what should you think about before clicking on a link in an email?

1. Assume it’s a scam, a virus, or both.
2. Are you expecting to receive a link from the sender? Did your buddy call up and say “hey I have this hilarious YouTube video, I’ll send you a link”? If so then you’re probably good to go.
3. Does it look like something the sender would normally send you? Did your relative who normally writes you long text-only emails suddenly send you an email that only has a single link in it? Just leave it alone. Wait until you know that it’s something they really sent you before you click it.
4. Is some entity like PayPal or your bank telling you that you need to view something on their website? I NEVER click links like this even if I’m completely convinced they are fake. The penalties for being wrong are too great. If my bank says I have an important message about my account security or PayPal says I need to adjust my account settings, I don’t click on the link. Instead, I open up a browser and manually type in the address for my bank. If it’s a legit message, it will also show up somewhere in my account on their site. This is an important guideline to follow with phone calls too. If I ever get someone asking for any personal information, red flags go off. For example, when my credit card company called and said my card had been stolen, they started asking for my social security number, etc to verify some things. I politely asked for the caller’s name and extension, hung up, called the number on the back of my credit card and got back to talking to that same person. That convinced me he was legit and I continued. It’s too easy to scam people this way! I’ve caught people in the act like this too. Just the other day I had someone calling to collect money for the “King County Police” (which is an imaginary org) so I asked for his name and badge number so I could call him back to verify he was legit. It was a scam and it was funny to hear him squirm. (I later reported it to the sheriff’s office though it probably doesn’t do much good.)

When in doubt, don’t open a link. If you have to open a link, assume it’s a scam or virus and don’t open the link. If you REALLY have to open the link, see if you can get to that site without clicking on the link. And if you REALLY REALLY have to click the link, make sure that the sender actually intended to send it to you.

Only the paranoid survive. Everyone else gets a virus.

A laptop recently landed on my desk full of some lovely viruses. I won’t say who it was, but really, you shouldn’t be too embarrassed. These virus writers are good at what they do and it’s easy to be tricked. As I fixed up the laptop, I thought about a short series of blog posts that might be of interest to many of you readers, not just the household that got hacked. I’ll cover how virus writers try to get you through your browser, how they attack via email, and then what to do after you suspect you’ve been hacked.

The most common viruses get onto your machine because you clicked something. It’s pretty difficult to have a computer sitting idle with no human in front of it and get a virus. We are the weakest link. So when hackers try to attack you via websites, they’re going to present you with something that is out of the ordinary, but just plausible enough that you’ll click on it. These popups might seem fairly legit. Here’s an example:

A geek will look at this and know it’s fake, but to the general populace, this seems like something serious that should be fixed by clicking Accept and Install. How can you tell it’s fake? That’s tricky but some basic ways are that this installation box is inside of a browser window. That’s your first red flag. What video player is it trying to update? If it’s going to install something, it should be pretty specific. If you have questions you could take that product name and search for it.

But really the best way to defend against this type of thing is to know the legitimate ways you’ll be warned about this type of thing and then be incredibly suspicious of anything that tells you to install something or “click here to fix your computer.” These days, nearly everything that is needed to fix your computer happens automatically in the background via Windows Update. You might see some notifications from Microsoft Security Essentials when you haven’t run a scan in a while but that’s about it.

You should also have Windows User Account Control enabled. Whenever a program tries to install on your machine or access protected areas of the operating system, it will pop up a warning dialog that asks if you’re sure you know what’s going on. Unfortunately if you believed something like the image above then this probably won’t stop you, but it’s a good backstop to really think about what you’re doing.

So if you get a popup that says you have a virus or that is asking you to install something unexpected, just stop. It’s probably a lie, but just in case it’s legitimate and Microsoft Security Essentials is trying to save you, snap a photo with your phone and email it to your favorite geek. Ask them if it’s legit and what you should click. You might save yourself a lot of trouble.

My project at work is called Power Query for Excel. We released our first version last summer and now our second version is available as part of a larger offering called “Power BI for Office 365.” BI stands for Business Intelligence. The offering includes a bunch of tools that help you make sense of your data, create nice reports and then share them out with your colleagues. This marks the first time that something I’ve worked on at Microsoft is available for purchase!

But never fear home users, while the collaboration and sharing features require payment but you can use some of the pieces for free. For example, you can download the latest version of Power Query from the Microsoft download center.

It’s exciting to see all our hard work available for public use and we love getting feedback! Please use the smile/frown buttons on the Power Query tab in Excel or leave feedback in the Power Query forum (or one of the other Power BI component forums.)

The marketing department put together a nice Power BI overview video. The Power Query specific part is in the “Discover” section around the 36 second mark.