The Joys of Having an Expired SSL Certificate

A frustrating waste of time.

A few months ago, when it became clear that the Republican-led Congress was going to allow ISPs to sell our browsing history to the highest bidders, I got a bit more concerned about security. In my research, I came across an article that recommended that users never visit a website without an SSL certificate.

If you don’t know how to tell whether a site has an SSL certificate, the easiest way is to look at the full URL. If it starts with https:// instead of http:// it has an SSL certificate. Think of that extra character, the s, as standing for secure.

Also, some web browsers display a special icon — such as a lock — near the URL or possibly in the status bar at the bottom of the page.

One thing is for sure: You should only enter personal data in pages that are SSL-protected. So if you don’t know how to check for a secure page in your browser, learn.

Of course, at the time, this blog did not have an SSL certificate. I’d done some research in the past and decided it wasn’t worth the cost. After all, although I do get a few donations — thank you generous supporters! — it isn’t as if this site earns any money for me. Hosting costs enough money; buying a certificate wasn’t in the budget.

Still, that article made me wonder if I was losing visitors because I didn’t have that certificate. So I did some more research and discovered that my WordPress host, Bluehost, offered a free SSL certificate for subscribers. I made a few calls, clicked a few links, installed a WordPress plugin, and voila! I had a coveted https:// URL.

And then I pretty much forgot about it. After all, typing in the old URL (without the s) still pointed people to the new one. And who types in the whole thing anyway? If you put in any combination of URLs to get to this site — or if you clicked a link that took you here — some sort of behind-the-scenes magic put you on a secure page.

Yesterday changed that. I went to check the site and was faced with the following message:

Page is Not Secure

WTF?

Of course, I discovered this about 30 minutes before a friend was due to arrive to detail my helicopter and I had about a half dozen other things I wanted/needed to do before he arrived — like get dressed? (It was 5:30 AM.) So I did the easy thing: I called Bluehost and asked them what the hell was going on.

The support guy I got was very fond of the hold button. I don’t know if it’s because he really needed help or if he was working on more than one call at a time. I was on hold for most of the 45 minutes our call lasted. While I waited, my friend came, I greeted him in my pajamas, I made him coffee, and I put a bowl of cherries in front of him, occasionally interrupting our conversation to speak with the Bluehost support guy when he came back on the phone.

My big concern was this: people would be scared away by that message. They’d click a link, get to my site, and leave, thinking they’d get a virus or something. I needed the problem resolved quickly.

I was told that Comodo, the organization that provided the SSL certificates, had sent me some sort of verification email that I needed to click a link in. I told him I’d never gotten a message, although it could have been sorted into spam and automatically deleted. He asked me to check a specific email address. I told him I didn’t have that email address. “Well, that’s where the message was sent.”

This made no sense. It was not the email address I had on file with Bluehost. It was an email address on my domain that I had never set up. I checked and verified that it didn’t exist. Comodo had sent an email message to an address that I’d never created or used.

Seriously: WTF?

Mr Hold Button told me to create the address, which I did while he waited. Then, after putting me on hold for a while longer, he told me they’d send a new message and that I should follow the instruction in it.

By this time, I was tired of dealing with the problem. I needed to get dressed. I needed to pull the helicopter out so my friend could get started on it. I needed to do the other things I needed to do. So I told him I’d check in a while and hung up.

And then I forgot about it.

You see, I have a life and that life does not revolve around dealing with computer issues. That was my old life. My new life is far more interesting.

Besides, I had no intention of adding that new email address to any of my email clients on any of my devices. That meant I had to sit at a computer and go to the Webmail feature on Bluehost to check the message. Not exactly something I’m likely to remember.

But I got reminded again this morning when it still didn’t work right. One of my readers emailed me. I also noticed when I attempted to approve two comments.

I checked that stupid email inbox. Empty.

I got on the phone with Bluehost.

This time I got a guy who didn’t like touching the hold button. He stuck with me while we worked through the problem. There was a lot of silent time. He was texting with Comodo. I was starting to write this blog post. Occasionally, he would update me. Occasionally I’d whine to him about how ridiculous the whole thing was. He was suitably sympathetic. I was as apologetic as I could be. After all, it wasn’t his fault.

In the end, the email message finally came. I clicked the link — but not after lecturing him about how we’re not supposed to click links in email messages. I entered the secret code. He confirmed some stuff on his end. I snacked on some cherries. When he said, “Try now,” I did.

The problem was fixed. It had taken 22 minutes.

We wished each other a nice day. When I got the survey at the end of the call, I gave him a good score.

So it looks like this site is secure again — at least until the next time Comodo decides it needs to verify me.

And yes, this did impact site traffic. I had less than half my usual visitors yesterday and started today at about one quarter the traffic I should have had by noon.
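For anyone running a site on a host-issued certificate like the one in this story, a small check run on a schedule flags an approaching expiry before visitors ever see the warning. This is an added example, not part of the original post; the 30-day threshold and the sample dates are assumptions constructed for illustration.

```python
"""Warn before a site's TLS certificate expires (added example)."""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal-warning threshold; pick what suits your host

# Constructed notAfter values in the format Python's ssl module reports them.
SAMPLES = [
    "May 31 23:59:59 2017 GMT",
    "Jun 20 12:00:00 2017 GMT",
    "Dec 15 00:00:00 2017 GMT",
]


def expiry_time(not_after: str) -> datetime:
    """Convert a certificate notAfter string (always GMT) to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (expiry_time(not_after) - now).days


def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Return EXPIRED, RENEW SOON or OK for a notAfter value at time `now`."""
    remaining = expiry_time(not_after) - now
    if remaining.total_seconds() <= 0:
        return "EXPIRED"
    if remaining.days < warn_days:
        return "RENEW SOON"
    return "OK"


def check_site(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to a live site and report on the certificate it serves."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        # An already-expired certificate fails the handshake and lands here,
        # which is the same failure a visitor's browser reports.
        return f"INVALID: {err.verify_message}"
    except OSError as err:
        return f"UNREACHABLE: {err}"
    now = datetime.now(timezone.utc)
    return f"{classify(not_after, now)} ({days_remaining(not_after, now)} days left)"


if __name__ == "__main__":
    # Offline demonstration against the constructed samples and a fixed "today".
    today = datetime(2017, 6, 1, tzinfo=timezone.utc)
    for sample in SAMPLES:
        print(f"{sample}: {classify(sample, today)} "
              f"({days_remaining(sample, today)} days)")
```

To watch a real site, call `check_site()` with your own hostname from a daily scheduled job and send yourself the result whenever it is anything other than OK.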

It’s Not That Simple

A response to a reader’s request.

The other day, I got the following email message in my In Box with the subject line “Quicken 2017 for Mac”:

As I write these words your “Quicken 2002 Deluxe for Macintosh” book sits in front of me. The time has come, whether I like it or not, to update to Quicken 2017 for Mac from Quicken 2007 for Mac. Sadly, there’s no good documentation to use. In fact, I haven’t found any good material since your 2002 book! For all I know, you’ve moved on and no longer write books such as the one published back then. That being said, I’d like to request you consider writing a new Guide similar to the one you wrote way back then. All the best to you whatever your future ventures may be.

First, I want to thank the sender for phrasing his request so politely and understanding that I might not be writing books like that one any more. A lot of the email messages I get regarding my writing work are a lot less polite and a lot more demanding, which partially explains why the Contact page on this blog seems to discourage communication from readers. (It’s actually toned down a lot more than it used to be.)

Now let me tell you a little bit about the rise and fall of tech publishing.

The “Old Days” of Tech Publishing

Dvorak's Inside Track
This is the first book I was involved in; I was a ghost writer on 4 chapters and am mentioned in the acknowledgements.

I got into the world of computer how-to book publishing way back in 1991. I’d left my last full-time job as a Financial Analyst at a Fortune 100 Corporation the year before and was trying my hand at freelance writing. Through an odd series of events, I wound up ghost writing four chapters of a book by John C. Dvorak, Bernard J. David (who I worked with directly), and others. That led to a book that Bernard and I co-authored, which led to another 80+ books that I mostly authored alone.

Back in those days, the Internet was in its infancy. Hardly anyone had a website — I didn’t have my first one until 1995 — and services like Google, which was founded in 1996 and wouldn’t become the powerhouse it is for years, didn’t exist. When people wanted to learn, they turned to books.

Software developers knew this. They provided printed manuals with their software products. Manuals for some software could be voluminous — I remember the one I had for a version of FrameMaker that had to be at least 800 pages. But despite the availability of these reference guides, users wanted something easier to read and understand. So computer how-to books were born. I happened to be at the right place at the right time to write them.

And I was very good at it. I had a knack for learning how to use software, breaking it down into simple tasks that built progressively through the book to more complex tasks, and writing it in a way that readers found helpful.

With a lot of competition, however, not many readers got to see my books and there wasn’t much money in writing them. No problem: I’ll just write more books. My publishers — especially Peachpit Press — really liked my work and my ability to meet deadlines. They kept me busy. I once signed six book contracts in a single day. One year, I wrote 10 books.

I wasn’t the only one cranking out books. Numerous publishers had tech imprints and dozens of new titles appeared every month. Bookstores — and there were a lot more of them in those days — had trouble keeping up, but they did. Publishers published these books and bookstores stocked them for one reason: they sold.

Demand only got higher as software developers stopped including lengthy manuals with their software, favoring Quick Start books instead, and then switched to digital-only manuals that they might or might not include on the software CD.

Thus began the glory days of computer how-to book authors and publishers, a period that lasted from around 1995 through 2010.

Success Comes with Sales

Quicken 99 Official Guide
This was one of my first bestsellers. Revised annually until I gave it up after the 2009 edition, it was a major source of income for me.

My financial success as the author of computer how-to books didn’t come from writing a lot of books with average sales. It came from writing two particular books, revised often, that were bestsellers. My Quicken 1999: The Official Guide was one of these bestsellers.

Quicken 2002 Mac
I was very happy to be able to write about Quicken for Mac, since I was a long-time user.

The success of one book often spurs a series of books. Quicken Press (later Intuit Press), an imprint of Osborne-McGraw-Hill, soon began publishing other Quicken and QuickBooks books. That’s how I wound up authoring Quicken 2002 Deluxe for the Macintosh: The Official Guide, the book referred to in the email message above.

I was pretty happy about this. Truth is, I’m a Mac user and had been writing Windows books only because there were more Windows users so the sales potential was higher. I’d been using Quicken on my Mac for years and knew it better than the Windows version I’d been writing about since 1998.

But my Quicken Mac book didn’t take off the way we’d hoped — there were a lot fewer Quicken Mac users and Intuit still had viable competition to Quicken on the Mac OS platform. To complicate matters, Intuit didn’t revise Quicken for Mac as often as it revised Quicken for Windows. When the next version, Quicken 2007, was released, neither Intuit nor my publisher saw a sufficient market for a book about it. So I was never asked to revise my book for future editions.

Google and the Death of Tech Publishing

Meanwhile, as publishers and authors were churning out computer books as fast as we could, the Web was growing. People were writing how-to articles and publishing them on blogs, on software support websites, on user group websites, and in online magazines. Even I did this for a long while, mostly to help promote my existing titles. These articles were free and available immediately. When search engines like Google proved to be extremely effective in helping readers find the content they sought, people started thinking twice about buying computer how-to books.

After all, why go to a bookstore or go online at Amazon to find a book that may or may not answer your specific question when you could spend a few minutes searching with Google and find the answer you need? Why wait for a book you ordered online to arrive when you could find the information you needed immediately? Why depend on the voice of one author when you could access information provided by dozens or hundreds of them?

Book sales dropped off dramatically in the late 2000s. I could see it in my royalty statements; my income peaked in 2004 and 2005 and then began a steady decline. Books about software staples like Word and Excel, that I’d revise with every new version, were dropped one after another. Publishers who had once agreed to a contract for nearly every title I proposed now declined, saying they didn’t think there was a sufficient market for the book. There were fewer and fewer new software-related titles being published. Editors who’d worked on dozens of titles a year suddenly found themselves unemployed. Publishers or imprints merged or disappeared. The few brick and mortar bookstores that managed to survive the rise of Amazon reduced or even eliminated their computer book shelf space.

By 2013, all of my book titles were officially dead — not scheduled for revision. And I know I’m not the only tech author who lived and thrived through the computer book glory days to find myself without a book market for my expertise. There are lots of us out there. The ones like me who saw it coming had a safety net to fall into; others weren’t so lucky and find themselves struggling to stay relevant and earn a living writing words few seem willing to pay for.

Don’t get me wrong — I’m not saying that computer how-to books no longer exist. They do. There just aren’t many of them. And rather than appeal to the beginner to intermediate user I wrote for, they’re mostly written for a much higher level of user about far more complex topics. Or very narrow markets that are easy to sell to.

This Reader’s Request

Fast forward to today.

The very politely worded email request from a reader quoted in full above is asking me to revise my Quicken 2002 for Mac book for Quicken 2017 for Mac. If you’ve been reading carefully, you know why this is unlikely to happen.

There is not a sufficient market for such a book.

And that’s what it’s all about: being able to publish a book that will sell enough copies for the publisher to make a profit. It has nothing to do with the author; publishers really don’t care what authors make. Their contracts routinely minimize author royalties to help the book’s bottom line. That’s all that matters. They have spreadsheets that calculate breakeven and if a title can’t break even with a decent profit, they won’t publish it. Simple as that.

Would I write and self-publish a book about Quicken 2017 for Mac? Probably not. Even self-publishing such a book doesn’t mean I’ll earn enough money to make such a project worthwhile. Let’s do the math. It would take me a good 400 hours of time over two months to write the book and prepare the manuscript for publishing. Say I need to make a minimum of $25/hour. That means the project would have to net me $10,000. Even if I managed to net $5/book after fees paid to Amazon, Apple iBooks store, Nook, etc., I’d still have to sell 2,000 copies. Are there 2,000 people out there willing to buy a book about Quicken 2017 for Mac? I seriously doubt it.

And I’ll share a secret with you: I still use Quicken 2007 for Mac. I bought but decided I didn’t like the 2015 version and I haven’t even bothered to buy the 2017 version.

So if I — a loyal Quicken user since the early 1990s — haven’t bothered to upgrade, how many other people have? And how many of them want a book about it?

The answer is simple: Not enough for me or apparently anyone else to write a book about it.

This Explains It

And this pretty much explains why I don’t write books about how to use computers and software anymore. I can’t make a living doing it.

But I’m lucky: at least I’ve found something else to make a living at.

Mobile Devices, Passwords, and Security

A few words of wisdom from someone who has seen more than her fair share of hacking attempts.

This morning, when I fired up my laptop after a weekend away with friends, I was greeted with an on-screen notification telling me that there was a problem with my iCloud account.

iCloud, in case you don’t know, is Apple’s cloud service. I use it for some email and to synchronize data among my three computers and three mobile devices. I generally don’t use any cloud storage for any sensitive documents. I simply don’t trust it.

Today’s notification prompted me to log into my iCloud account. When I tried to do so, an error message told me that the account had been locked due to too many incorrect password entries.

I do know my password and I know I hadn’t entered it wrong too many times. That means someone else had. Another hack attempt.

This isn’t the first time someone had tried so hard to hack into my iCloud account that the account had been locked. It also happened back in October 2014. I know this date because I blogged about it back then — and oddly enough, that’s the most popular blog post so far today. (Is someone looking for clues in my blog? Good luck with that.)

Anyway, I went to Apple’s website and logged into my account again. That required Apple to send an email message to my backup account and for me to click a link in that message. I normally don’t click links in any messages I get unless I’m expecting a message with a link. I was expecting that one so I clicked the link, signed back in, and checked to make sure everything was still secure. It was.

I then changed my password, just for good measure.

A Lost Phone Story

All this comes right on the heels of a rough weekend for a friend of mine.

We went out to run some errands in the Phoenix area where she lives. Our first stop was Lowe’s. She took out her phone to take a picture of something she wanted to compare with other options in other stores. Then she decided she wanted to sketch it instead. She put the phone down and took out a pad and pencil. I wandered off to look at other things. We later met up at check out, I paid for my purchase, and we left.

About a mile down the road, she declared, while searching frantically in her purse, that she was having a senior moment. She couldn’t find her phone. When she realized it definitely wasn’t there, she began to panic. She knew she’d left it in Lowe’s. I turned around and we headed back. She ran in. I waited two minutes, then called her phone as she’d asked me to.

It went right to voicemail.

I knew what that meant: someone had picked up her phone and turned it off so it couldn’t be tracked. Someone smart enough to do that wasn’t going to turn it in at Lost and Found. The phone was stolen.

I went into the store and gave her the news. I had to explain what the phone going right to voicemail meant — she was in a bit of denial before panic took root. “My life is in that phone,” she told me. I asked the question I already knew an answer for: was the phone locked? Did she have to enter a password to use it? The answer was no.

Worse yet, she had used an unsecured “memo app” to record her passwords for banks, credit cards, and all kinds of other important things. If someone opened that app, they’d have complete access to her finances.

My friend is not a technically minded person. She had no idea what to do. She asked me. I’m an Apple person and I know exactly what to do for an Apple device. But I was at a loss with her Samsung Galaxy 5. I called her husband, who I knew would know. But he’s an airline pilot and his phone was switched off for a flight.

We raced to the closest Verizon store. I repeatedly dialed her number and it immediately went to voicemail each time. That means the phone was still turned off. The average phone thief would not be able to get data off the phone with it turned off.

At the Verizon store, my friend used the tech guy’s computer to log into her Google account. He pushed the right buttons to wipe the phone clean and basically brick the phone.

Disaster (probably) averted.

The odd thing about all this is that although I’ve been keeping my phone locked for the past few years, lately it’s been bugging me that I need to go through that extra unlocking step to use it. I’ve been debating with myself for the past few weeks about removing the passcode and leaving the phone unlocked for my own convenience. I even came close to doing it once or twice.

But after seeing what happened to my friend, there’s no way in hell that I’ll remove the passcode on any of my mobile devices or computers.

And if your mobile devices aren’t secured with a password, take my advice and secure them now. And then make sure that your devices can be wiped remotely if needed.

Passwords

Whoever attempted to access my iCloud account recently hit a wall when he/she couldn’t enter the correct password. Apple automatically locked the account when a certain number of incorrect attempts — three? five? — had been made. The lock required me to recover it using a secondary email account or security questions.

Passwords are the first line of defense for security. We all want to use passwords that are easy to remember and we all want to use the same password for everything. Resist the temptation! If your password is easy to remember, it might also be easy to guess. And if you use the password for everything, if someone guesses one password, they automatically have access to everything you used it for.

Your passwords should not be easy to guess. Period. They should be a combination of upper and lowercase characters and numbers with one or two symbols thrown in whenever possible. Minimum password length should be eight characters; longer is better.

Password Notebooks are STUPID
This is the most idiotic idea I’ve ever seen. Unless you plan on keeping this book locked up in a safe all the time, you’re just making it easy for a thief to access all of your accounts.

If you have trouble keeping track of your passwords, do not write them down in a place where other people can find them. That includes post-it notes, notebooks, and unsecured apps and documents on a computer or mobile device.

My wasband used to store all of his passwords in a Microsoft Word document that was not password protected. Then, as if that wasn’t dumb enough, he routinely emailed it as an attachment from one of his email accounts to another to get the file transferred between computers when he updated his passwords. He even did this after he knew that one of his email accounts had been breached, thus giving the “hacker” access to all of his passwords everywhere. (And yes, I do constantly ask myself how I could have loved someone as stupid as he is.) For all I know, he probably still does this.

My advice? Instead of insecurely storing this information, invest a few bucks in a password security app. I use 1Password, which works on my Macs and iOS devices, keeping all of my passwords synced between them. (There are plenty of other options out there; feel free to suggest your favorite in comments for this post.) To access my passwords, someone needs to first get into my computer or device (which is password protected) and then open the 1Password app (which is password protected with a different password).

Don’t give your passwords to anyone — even someone you trust. A long time ago, when I was a lot less security-minded, I had a simple password I used for most (but fortunately not all) things, including my Netflix account. My idiot wasband, while we were still married, gave that Netflix password to his roommate. Fortunately, he did this right in front of me so I knew about it. (Let’s not go into how pissed off I was.) I spent a good portion of that day changing my password everywhere it might be used. Needless to say, I never gave him any of my passwords again — which served me well when the divorce proceedings started and I had assets to protect.

Security Questions

Security questions are the next line of defense. They help protect your account while giving you access to it if you happen to forget the password. It’s the security questions that protected my iCloud account back in October 2014; someone had actually tried to answer them and failed.

After my recent iCloud hack attempt, I checked and changed a few of my security questions. I was very pleased to see that Apple offered questions that dug deep into my past, with answers that only I would know. Mother’s maiden name is the last question you should select and answer — it’s too widely used. So is where you and your spouse met — how many times have you told that story? (And of course, your spouse knows the answer, which can come back to bite you when divorce papers are filed.) Always pick questions that are easy for you to answer but damn near impossible for anyone else to figure out.

Of course, there is a more devious way to handle security questions and that is to use the same password as the answer to all of them. So while the question might ask “What is your father’s middle name?” — a question that anyone who knows you can research to discover — the answer might be “Jj6MbFwp,” which is obviously not your father’s middle name. That same password would then be the answer to all of your other security questions. So while your ex is trying to figure out why the system isn’t accepting “John” for the father’s middle name question when he knows damn well the name is John, you’ve fooled him by using something he’d never guess in a million years.

Which approach did I use? I won’t tell.

Take Security Seriously

Computer and Internet security is not something to be taken lightly. The more connected you are and the more you access your personal information and finances online, the more at risk you are for loss if someone is able to access an account. It’s only by having good, difficult-to-guess passwords for your accounts — and making sure you have different passwords for each account — that you can keep them safe.

And remember, your smart phone is likely to be more valuable to a thief than your wallet. Protect it!