Small Business Data Breaches in Australia and My Experience with One

What happens when a company you deal with in Australia has a data breach, and their annual turnover is less than $3 million? I thought I’d find out, after this happed to me. Here’s the events in chronological order with some information censored:

The Dropbox Email

I receive an email from my Strata Management company in October 2019 whom I’d already regarded quite low in their digital actions – emailing without unsubscribe options, using email addresses given to them purely for Strata related comms for commercial purposes – but this was more concerning again:

To me this was immediately dodgy and cried out of an account being compromised. The file is still there right now, ~ 6 months later. It’s a standard jump file – redirecting you off to phish your creds.

The credential stealing page you get to from the ‘Access Document’ link above is down – the entire domain doesn’t respond, so at least nobody will get caught by this link.

I email back with what I thought was correct information from a quick Google on it, but the details are their problem to work out and send an email to the address listed on the website, rather than the compromised account:

From: Adam Fowler
To: admin@company

Hi,It appears XXX account has been compromised by a third party, which includes my personal contact details on it. You’ll need to comply with the government’s Data breach standards: https://www.oaic.gov.au/privacy/data-breaches/

Under law I believe you have 30 days to disclose this breach: https://www.oaic.gov.au/privacy/data-breaches/make-a-data-breach-complaint/

Thanks
Adam Fowler

Two weeks pass… nothing. I follow up:

From: Adam Fowler
To: admin@company, person@company

Hi,

Any chance of getting a response on this?

Thanks
Adam Fowler

I get an out of office from the person, but it doesn’t take long for their manager to respond:

From: Manager@company
To: Adam Fowler

Hi Adam,

Thank you for your email and I apologise for the delayed response – the front office thought it may have been another scam email due to the multiple links and opted to delete and ignore it.

As you are aware, we do have 30 days to respond to this with the breach happening 15 days ago we still have time on our side. In saying that, we actually have our IT guys coming in today again to assist me with the lodgement and I will be finalising it either tonight or over the weekend.

I can confirm we acted promptly on the issue and our IT guys responded extremely fast as well.

Thank you for your concern and notification, I will confirm with you once this has been lodged.

Have a great weekend.

This sounded sort of promising – beyond the weird conclusion my email was another scam, they seemed to be treating this seriously and properly. I was content with this and waited for the confirmation that was promised.

That confirmation didn’t come, so 1 month later I followed it up. This is where it went downhill:

From: Manager@company
To: Adam Fowler

Hi Adam,

I did lodge this and I spoke with the Office of the Australian Information Commissioner.

As far as I am aware from them there was no further action required from us on their end.

Kind regards,

OK… that’s great that they’ve met legal requirements, but that’s not really what I cared about:

From: Adam Fowler
To: manager@company

Hi Manager,

I’m more concerned if any of my personal data was compromised after your investigation rather than what data breach notification steps you’ve taken with the government?

Thanks
Adam Fowler

Another concering response:

From: Manager@company
To: Adam Fowler

Hi Adam,

No personal details have been compromised from this. They did not have access to our server.

Kind regards,

This takes me to a conclusion pretty quickly that they really have no idea what they’re talking about, or just trying to get rid of me because I’m a hassle. I call them on it:

From: Adam Fowler
To: manager@company

Hi Manager,

That’s obviously incorrect, my email address is personal information, and XXX’s mailbox may have contained other personal information that I’ve emailed them, such as the address of my unit.

Apparently what I’ve asked for hasn’t processed and they’ve given up:

From: Manager@company
To: Adam Fowler

What would you like for me to do Adam, I’m not sure on what steps you are asking me to take? 

This got me annoyed. I have no idea what data they have on me and what could have potentially been accessed, so I did a bit of research and shot off what I wanted, outlining why I was concerned:

From: Adam Fowler
To: manager@company

Advise on what data of mine was actually accessed. “None” isn’t true or I wouldn’t have received a phishing email. The responses you’re giving don’t give me any confidence that you’ve actually had this investigated, or have any reasonable understanding of the statements you’re making. My next step is to lodge a complaint with the OAIC, which I’d rather not bother to do.

You hold money that is partly mine, my personal details and I’m not sure what else.

Separately, I’ll actually request you provide a copy of all personal information you hold on me, as per https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/access-your-personal-information/

Access your personal information — OAIC
Australian privacy law gives you a general right to access your personal information.This includes your health information.. An organisation or agency must give you access to your personal information when you request it, except where the law allows them to refuse your request.www.oaic.gov.au

Please let me know what other details you need from me for this request.

Three days later I get this answer:

From: Manager@company
To: Adam Fowler

Hi Adam,

Below is all of the information we have for you.

Salutation: Mr Fowler

Mr Adam Fowler

*My home address*

*my mobile*

*email address different to the one they’ve sent this email to*

We don’t have your bank details and as I mentioned, they did not have access our server so they would not have received the above information.

I’ve searched XXXs emails over the past two days and you do reference your unit, but never your home address.

It was obvious they weren’t doing this properly. They didn’t list the address of the ACTUAL PROPERTY they managed for me, nor the email address they’d just emailed me on. I decided to just stop responding and lodge a complaint with OAIC; I didn’t really have anything to lose by doing so. Lodging a complaint was pretty easy, there wasn’t too much info I had to provide and I included the email thread above.

The next day after filling in the form, I received a fairly generic email which contained the case number I’d been given:

From: OAIC
To: Adam Fowler

Dear Adam Fowler

Thank you for your correspondence received on 2 December 2019. The Office of the Australian Information Commissioner (OAIC) has registered this matter as a privacy complaint by you about STRATA MANGEMENT COMPANY

We aim to contact you further about your complaint as soon as we are able to. Information about what happens to your privacy complaint is available on our website, www.oaic.gov.au.

Actions you can take now

·      Generally for us to consider your complaint you first need to have complained to the respondent. While waiting to hear from us, we recommend that you continue to pursue resolution of your complaint with the respondent organisation.

·      You may also be able to lodge your complaint with a recognised External Dispute Resolution (EDR) Scheme. A list of recognised EDR schemes is available on the OAIC’s website. These EDR schemes cover financial services (including credit reports), telecommunications, and energy and water providers. If the OAIC considers your complaint would be more effectively or appropriately dealt with by a recognised EDR scheme, we may decline to investigate the matter.

·      If your matter relates to consumer credit, please forward a copy of your credit file to this office, as well as copies of any correspondence you have received from the credit provider, credit reporting bodies and any dispute resolution body you have complained to about this matter. You should also include the relevant password if the copy of your credit file is password protected.

Next steps

Unfortunately we are not able to allocate all complaints to a case officer as soon as they are received. At present there are delays on some matters being allocated because we have had an increase in the number of complaints we have received.

At this time, it may be several months before an officer contacts you about your matter. We will contact you earlier if we are able to.

Once your complaint is allocated a staff member will contact you to discuss the next steps in our complaints handling process. The OAIC aims to resolve privacy complaints by conciliation, whereby the parties resolve the matter through discussion and negotiation. Unless we consider it inappropriate to do so, your complaint will likely be referred to the respondent for it to contact you directly to try and resolve the matter.

Please let us know if your contact details change, if the matter has been resolved directly with the respondent or if other circumstances change.

You can write to us or call on our Enquiries Line on 1300 363 992 (local call cost, but calls from mobile and pay phones may incur higher charges). If you do contact us it will help us if you quote your complaint reference number which is found at the top left hand side of this correspondence.

We will arrange for letters and telephone calls to be translated if you would like to communicate with us in a language other than English. You can also let us know if you need other assistance, including documents in other formats or larger fonts.

Yours sincerely

Enquiries Team

Office of the Australian Information Commissioner

That didn’t give me much hope, so I left it at that and moved on.

2 months later, I received a call on my mobile. It was from the OAIC who had started to review my case. We had a chat, she understood the situation, completely agreed they hadn’t appeared to have done their due diligence in the data breach or provide me with my personal data as requested.

It sounded promising and I was a bit nervous. Their standard approach was to talk to the company and somehow come to an early resolution. She emailed me what was discussed too:

From: OAIC
To: Adam Fowler

Dear Mr Fowler

I refer to your privacy complaint about STRATA MANAGEMENT COMPANY , made under s 36 of the Privacy Act 1988 (Cth).

I am conducting preliminary inquiries under s 42 of the Privacy Act. The purpose of the inquiries is to establish whether this matter can be resolved quickly by the Early Resolution Team.

The Early Resolution team aims to resolve matters within 4 weeks. If the complaint cannot be resolved by 28 February 2020 and the OAIC determines further review or investigation is required then the matter will be referred to an investigations officer in another team.

If the matter is referred to another team, it can take several months to be allocated to a case officer. We therefore encourage both parties to try and resolve the matter through this early resolution process.

Next steps

We have provided a copy of your complaint to STRATA MANAGEMENT COMPANY and requested it provide the OAIC with a response to your allegations and to your proposed resolution.

We have also invited to contact you directly to try and resolve this matter. In our experience, direct contact between the parties leads to a higher chance of resolution.

We have requested STRATA MANAGEMENT COMPANY provide an update in a week’s time.

I am happy to discuss this matter and to clarify any questions you may have about our Early Resolution process. If you have any questions, please feel free to contact me directly on XXX or email to oaic.gov.au.

Yours sincerely 

Investigations Officer
Dispute Resolution Branch

The same day though, my hopes of anything were completely shot down:

From: OAIC
To: Adam Fowler

Dear Mr Fowler

In my conversations with  STRATA MANAGEMENT COMPANY it appears it is a small business operator and may therefore not have any obligations under the Privacy Act 1988 (the Privacy Act).

The APPs apply to businesses and not-for-profit organisations with an annual turnover of more than $3 million and to all private health service providers irrespective of turnover.

I have asked  STRATA MANAGEMENT COMPANY to respond to questions to confirm it is a small business operator and to provide evidence of their turnover or a statutory declaration.

If  STRATA MANAGEMENT COMPANY is a small business operator we will be unable to take any further action in the matter. I will write to you to let you know if this is the case along with our intention to decline to investigate the matter.

I was rather confident this company didn’t turn over $3 million a year. However, the manager did still call me and after advising he didn’t have to respond legally. I didn’t really say much since I had no legal standing now and in the laws eyes, they were in the right. They attempted to reset the password so I could access my own data from their systems – he couldn’t get that working so I did a password reset myself. Their password reset process actually sent me an email that contained my old password in plain text – ‘dontsendthisout’ – which I’d set a few years ago after they’d sent me my password in plain text via snail mail, along with the username and login URL. As I said at the start, I didn’t expect much from this company.

The data they had on me they said, would all be in this app. Again this of course isn’t true because of the data in their emails, but I felt defeated and didn’t press on this.

It was of course confirmed that they didn’t turn over $3 million a year:

Dear Mr Fowler

I refer to your privacy complaint about STRATA MANAGEMENT COMPANY, made under s 36 of the Privacy Act 1988 (Cth) (the Privacy Act).

The Office of the Australian Information Commissioner (OAIC) conducted preliminary inquiries into your complaint under section 42 of the Privacy Act.

I have reviewed your complaint and I do not consider there has been an interference with your privacy on the basis that  STRATA MANAGEMENT COMPANY appears to be a small business operator. The reasons for this view are explained below. You now have an opportunity to comment before I make a final decision.

Small business operator exemption

The Australian Privacy Principles (APPs) in the Privacy Act cover many private sector businesses in Australia, but there are exceptions. In particular, many small businesses are exempt from the obligations outlined in the APPs in the Privacy Act. Under the Privacy Act, a small business operator is a business with an annual turnover of $3 million or less that:

·      is not a health service provider

·      does not trade in personal information

·      is not a contracted service provider for a Commonwealth contract

·      is not a credit reporting body

·      is not related to a body corporate that carries on a business that is not a small business

·      does not operate a residential tenancies database.

In response to our inquiries,  STRATA MANAGEMENT COMPANY provided information, including its Business activity statements (BAS) to establish that its annual turnover and activities are such that it meets the Privacy Act’s definition of a small business operator.

This means that  STRATA MANAGEMENT COMPANY is not covered by the APPs in the Privacy Act and therefore there can be no interference with your privacy under the Privacy Act through STRATA MANAGEMENT COMPANY’s actions in this instance.

Next steps

Section 41(1)(a) of the Privacy Act gives the Commissioner the discretion not to investigate a complaint if she is satisfied that the act or practice complained about is not an interference with privacy, as defined in the Privacy Act.

As STRATA MANAGEMENT COMPANY appears to meet the Privacy Act’s definition of a small business operator, I intend to decline to investigate your complaint under section 41(1)(a) of the Privacy Act.

However, before I make a final decision I invite you, should you wish to do so, to provide a written response to this email. I would appreciate receiving any response by 11 March 2020. If I do not hear from you by this date, the OAIC will make a decision based on the available information and close your complaint.

If you would like to discuss your complaint, I may be reached XXX during business hours, or email oaic.gov.au.

Yours sincerely


Investigations Officer
Dispute Resolution Branch

I briefly responded saying I couldn’t dispute their annual turnover, and the act is the act.

The final emails redeemed themselves a bit, when the CEO emailed me without further prompt:

Dear Adam,

I understand you have made a complaint in relation to the dropbox email that was sent out when XXX’s email was hacked. As you were not satisfied with our responses, I have contacted my IT team and asked them to email me an explanation of what happened and what would have been hacked.   Please find below an email from our IT Company.   YYY is happy for you to contact him directly if you need, but I would ask that you cc me in on any email.  I have not copied him into this email to protect your email address.

I have inserted his email below.

Hi Adam,

It is our understanding that the breach was caused by XXX clicking through a link in a scam email and it tricked her into putting in her email password. As such that gave the hackers access to her Office 365 based email account. Once noticed, that day, we changed her password and confirmed they didn’t have access anymore.

It did not give them access to any other email accounts, though we changed all passwords to be sure anyway.

And it did not in any way give them access to the server where STRATA MANAGEMENT COMPANY store files and run their management databases. The server is not linked to Office 365 at all, and even if she used the same password for 365 as her PC/server then it wouldn’t matter as she didn’t have remote access allowed on her account, and our remote access also requires a certificate that the hackers didn’t have access to. So I am certain they never had access to the server.

Subsequently there has also been no signs of any breach of the server or anything further on her email account.

So in short you can be assured that only her email was breached.

As for what they did access or download from her email I cannot say, we can’t tell that from the logging available in 365. It seems unlikely to me they did download information. The usual thing with these hacks is they use the compromised account to perpetrate another scam to force a bank transfer. I’d say that they worked out she wasn’t responsible for bank transfers and so instead used her account to try to hack more email accounts.

So the only data that they could have about you is anything you emailed to XXX, with the exception of anything she deleted after you sent it and before they hacked in.

Let me know if you want any more information.

I felt that at least they’d now had a better understanding as to what happened, and MAYBE cared a bit more about the impact of it.

From: Adam Fowler
To: CEO@comany

Hi CEO,

Thanks for the additional details and the explanation makes sense. I’d also expect they’d do basic searches for things in an account like credit card information and bank details which is why I was asking what XXX may have had in her inbox in relation to me.


The other question is why you didn’t have MFA in place on your Office 365 accounts – easy to do and protects the data that I send your company from these threats. I hope you’ve implemented it since, as it’s a relatively easy setting to turn on.

Thanks
Adam Fowler

The CEO thanked me for this email and said they’d pass it on to their IT department. I hope they’ve actually implemented MFA now as it seems their external IT support is reasonable, and I wouldn’t expect a smaller company to have advanced Office 365 logging features available in an E5 plan to see what was accessed exactly. They’re still the company that holds the money for the Strata pool of funds, so I care that our money isn’t stolen.

Finally, the OAIC closed the case:

Hi Adam

Thank you for your emails and feedback on the Office of the Australian Information Commissioner’s (OAIC) 26 February 2020 view that there had not been an interference with your privacy on the basis that STRATA COMPANY, is a small business operator.

As a small business operator, STRATA COMPANY does not have to follow the Australian Privacy Principles (APPs), so it does not have to provide you with a copy of your personal information, or follow any of the other APPs in relation to security, use or disclosure of your personal information in the Privacy Act. It may have other legal obligations in relation to how it handles personal information.

I acknowledge your concerns and view that regardless of the technicalities of the Privacy Act 1988 (Cth) (the Privacy Act), your privacy has been breached.

However, as defined in the Privacy Act , an interference with privacy can only occur when an APP entity breaches an APP in relation to personal information about the individual (section 13). As STRATA COMPANY meets the definition of a small business operator in the Privacy Act, it is not an APP entity which is subject to the provisions of the APPs in the Privacy Act, and it cannot interfere or breach your privacy as specified in the Privacy Act.

Decision

Section 41(1)(a) of the Privacy Act gives the Commissioner the discretion not to investigate a complaint if she is satisfied that the act or practice complained about is not an interference with privacy, as defined in the Privacy Act.

As STRATA COMPANY is exempt from the provisions of the APPs in the Privacy Act, I have decided under s 41(1)(a) of the Privacy Act not to investigate the complaint on the grounds that there is no interference with your privacy as defined in the Privacy Act.

The file is now closed.

Thank you for bringing this matter to the attention of the Commissioner. I am sorry we are unable to assist you.

Yours sincerely

Investigations Officer
Dispute Resolution Branch

Although I could say that nothing happened out of this 5 month experience, I hope it was a valuable lesson for the staff there – and the CEO knows a bit more about it.

Lenovo Thinkbook 14 Review

Lenovo’s Thinkbook brand is aimed at the SMB market – it’s as close to being a ThinkPad without being an actual ThinkPad, and the price reflects it.

The Thinkbook 14 follows up from the Thinkbook 14s (compare on Lenovo’s site here) which I saw while I was at Lenovo Tech World and was the first time I’d even heard of the Thinkbook brand. A few months later, I managed to get my hands on one as a trial unit from Lenovo to have a play with the hardware, as it was at a price point that I was looking at, and above the minimum specifications I needed.

Let’s start with the hardware, and then I’ll dive into what I liked/disliked about the laptop:

ProcessorUp to 10th Generation Intel® Core™ i7-1065G7 Processor (1.30GHz, up to 3.90GHz with Turbo Boost, 4 Cores, 8MB Cache)
Operating systemWindows 10 Pro
Display14″ FHD (1920 x 1080) IPS, anti-glare, 250 nits
GraphicsIntegrated Intel® UHD GraphicsIntegrated Intel® Iris Plus Graphics
MemoryUp to 16GB DDR4 2666MHz
StorageUp to 512GB SSD PCIe-NVMe M.2
BatteryUp to 9 hours* with 45Wh battery* Based on testing with MobileMark 2014. Battery life varies significantly with settings, usage, and other factors.
AudioStereo speakers with Dolby® Audio™Dual-array mic, Skype for Business certified
PortsUSB 3.1 (Gen 2, USB-C + DisplayPort + Power Delivery)USB 3.1 (Gen 1, USB-C)USB 3.1** (Gen 1, Type-A, always-on)USB 3.1** (Gen 1, Type-A)Hidden USB 2.0 (Type-A)HDMI4-in-1 card reader (SD, SDHC, SDXC, MMC)Headphone / mic comboRJ45Power DC
Connectivity 802.11AC (2 x 2)Bluetooth® 5.0
Camera720p HD
Dimensions326mm x 230mm x 17.9mm / 12.83″ x 9.06″ x 0.7″
WeightStarting at 3.3 lbs (1.5 kg)
KeyboardFull-sized keyboard with backlightOne-piece touchpadHot Keys for Skype for Business****Requires Skype for Business account, not pre-installed by Lenovo
SecurityThinkShutter Camera CoverSmart Power Button with Fingerprint ReaderActive Protection System (APS)Trusted Platform Module 2.0 (firmware)
ColorMineral Grey
What’s in the boxThinkBook 1465W AC adapter3 Cell Li-Cylinder 45Wh internal batteryQuick start guide

Tech Specs Source: Lenovo

As you can see from above, this isn’t a low end laptop. Processor wise, I only need an i5 CPU rather than an i7 which is fine for my requirements (I went with the i5-10210U), and it’s running the latest 10th GEN Intel CPU.

Display again I only need a 1080p screen, this isn’t a laptop designed for 4K video editing (although possible with a 4K screen attached) and for business requirements, most people want a 1920 x 1080 screen.

The older Thinkbook 14s only supported up to 8GB of RAM, but this supports 16GB which is what I promote as the standard you should aim for these days, which Chrome/New Edge using a lot of the RAM in our web driven world.

Storage, battery, webcam etc are all standard good specs and nothing notable there.

The keyboard is backlit which I always like. The inclusion of Skype for Business keys is a little strange with Skype for Business Online ending in July 2021, leaving only on-premises users; and if you’re running Skype for Business yourself as a phone system you’re probably a medium sized company or bigger, and this is a SMB laptop. Regardless, I personally am a fan and still use Skype for Business so it’s great for my use case, and I expect future models will instead have Microsoft Teams buttons. Maybe these buttons work with Teams anyway – I haven’t tested that yet. The buttons are secondary functions on the ‘print screen’ and ‘insert’ buttons, so worst case you can easily ignore them as they aren’t intrusive in any way, and there’s no dedicated buttons to Skype for Business.

Here’s some side shots of the Lenovo Thinkbook 14:

Front: Looks nice, not much else to see here!

Lenovo Thinkbook 14 Front

Back: No ports here either!

Lenovo Thinkbook 14 Back

Left Side: From left to right we have an RJ45 ethernet port which opens up when needed – seemed solid enough that it wouldn’t snap off easily, full sized HDMI, USB 3.1 with always on, USB-C, USB-C + DisplayPort + Power in, audio jack.

The one complaint I have is that the power in USB-C is the more front of the two ports, where every other Lenovo laptop I’ve had it’s been the one closer to the back. I initially plugged in the wrong one for power and wondered why it wasn’t charging! A minor issue though.

Lenovo Thinkbook 14 Left Side

Right Side: USB 2.0, card reader, USB 3.1, Power.

Yes, behind that little panel is a hidden USB 2.0 port, more on that below. You can also use the older rectangle shaped charger on this laptop, and it’s in it’s rightful place at the back.

Lenovo Thinkbook 14 Right Side

Base: nice long rubber stoppers to stop the laptop sliding around on a desk.

Lenovo Thinkbook 14 Base

Hidden USB 2.0 Port:

This seems like such a simple idea, yet I’ve never seen it before: a port that’s great for your wireless keyboard/mouse dongle, which is recessed into the laptop and has a cover. You’ll no longer have that awkward dongle sticking out of the laptop, asking to be knocked and bent out of shape. All laptops should have this!

Other notable features are the camera shutter so you can avoid feeling like someone’s watching you, and the ‘Smart Power Button’ which has a fingerprint reader, but also briefly ‘saves’ your fingerprint when turning the laptop on, to use when logging in. This means you can turn on and login to the laptop at the same time, getting to your desktop quicker. Another feature that seems simple and hopefully we see more of in other models.

There’s also two Dolby Audio speakers and dual array microphones, as one of the use cases for this is to be a reliable audio/video calling device without needing a headset.

The laptop feels solid and sturdy enough, but not as nice as a high end ThinkPad. You can feel the join where the top and bottom halves of the laptop were joined together, as one layer is on top of the other – but how often are you gently caressing the case of your laptop? Only every few days if you’re me.

Overall I’m very impressed with the ThinkBook 14 for the price point I can see at the time of writing with promotions applied. You won’t get military-spec testing, but you’ll still get a decent laptop fit for SMB.

Lenovo claim that “ThinkBook undergoes stringent tests to withstand spills, bumps, drops, dust, and extreme temperatures.” but I have yet to test the hardyness myself – maybe I will inadvertently.

Although Lenovo provided a demo unit, this was a trial only and the unit returned.

HEIC and HEIF Files Can’t Be Viewed on Windows 10

If you haven’t come across these file formats already, you probably will soon. Created by the Moving Picture Experts Group (MPEG) and adopted by Apple amongst others, it’s looking like a replacement for the old JPEG image format.

The format was added in iOS11 and created when doing things like taking a photo. Early on the files were being converted back to JPEG in many situations, including OneDrive Photo Roll syncs.

I expect something else has changed recently, as I’m seeing the files turn up over email from other parties where I’d never seen them before. If I find out more I’ll update this post.

.HEIC and .HEIF files ‘appear’ to be the same thing, but at this stage I can’t clearly find information explaining if there’s a difference, and if so what that is.

These files can’t be natively opened on Windows 10 or earlier, but there’s a few options you have to view them.

OneDrive

If you have access to OneDrive or OneDrive for Business (which doesn’t take much, a free Microsoft account will do), you can copy these files into OneDrive, right click and ‘View Online’. Via your browser, you can then view the image in OneDrive without any extra software required. However, Microsoft documentation currently does not list the formats as being supported, and I’m also asking questions about this in a few areas. (Update 3rd March 2020 – Microsoft updated this page after I asked :) )

Windows 10

The native Photos app was supposed to have support for this as per these Insider Build notes. I’ve tested on a few different PCs including a fully patched standard Microsoft build laptop, and Photos doesn’t recognise the files. I’ve been told the support of the files needs the two Windows Store apps, and that matches my testing:

HEIF Image Extensions

HEVC Video Extensions from the Device Manufacturer

Both are created by ‘Microsoft Corporation’ so they’re not third party, and both are free. Once installed, HEIC and HEIF files work everywhere I’ve tried, including in the native Photos app.

There is also a paid HEVC Video Extensions version from Microsoft that costs $1.45AU, I’m not sure why you’d need this one over the one ‘from the Device Manufacturer’.

Frustratingly, the ‘HEVC Video Extensions from the Device Manufacturer’ app doesn’t seem to be available to add in Windows Store for Business, but the HEIF Image Extensions is. I’m asking around to try and have that resolved, if I can find someone to listen to me :) (Update 3rd March 2020 – this probably won’t change anytime soon for licensing reasons)

Converting

One final option is to convert a HEIC to JPEG. Here’s a quick guide using Linux via a Debian WSL image, installed from the Microsoft Store (thanks Purana for the tip!)

I’ve got a lot of unanswered questions in the above, but hoping this at least helps others that might get stuck in finding a working solution in the meantime.

Passwordless Sign-In with FIDO2 Security Key and Microsoft

We all know passwords are bad. Microsoft’s leading answer to this is Windows Hello – or Windows Hello for Business. Using a PIN or biometrics (fingerprint reader or facial recognition) is trying to move towards a passwordless world. We’ve still got a long way to go, but we’re off to a solid start with viable alternatives.

Source: Microsoft

FIDO2 Security Keys support true passwordless login, and supported devices can be used for both consumer Office 365, and Azure AD. eWBM makes these keys, and by the claim on their website are “world’s first and currently only FIDO2 Level 2 certified security keys”. They offered to send these out to Microsoft MVPs free of charge, so I took the opportunity to accept one, test it and write about my experience.

The eWBM key isn’t very large – on the smaller side of your standard USB flash drive. It’s designed to be plugged in (and comes in both USB-C and USB type A flavours) and then verified with a touch on the fingerprint reader.

To set up a key on Azure AD, it’s a matter of adding it as a sign in method, just like you would with other methods such as SMS or the Authenticator app. eWBM have a quick video on how to do this:

Once set up, using the key is pretty simple too. If you’re logging onto a site using your Azure AD account, instead of entering a password, you choose the ‘Sign in with a security key’ option, plug in and scan your fingerprint on the key, and you’re on.

If you’re wondering why you don’t even need to type the password, where you would with an SMS code – that’s because you’ve got two different authentication methods already built into the USB. Your unique fingerprint, and the unique USB key. Your fingerprint is tied to just that key, it won’t work anywhere else unless you configure another device separately. Combine that with needing to know which username those are tied to makes it a secure combination.

Source: Microsoft

The example above and what I’ve also tested, is a web login. There’s also a PC login option, but that’s currently in beta and you’ll need to be running a insider’s build of Windows 10 to try it.

I can see this working as an actual ‘password replacement’ solution because it provides less of an inconvenience than first logging in with a password, then using something else (SMS/Email/Code/Authenticator App). Instead it’s a single thing to do – plug in your USB key and put your fingerprint on it. The process of doing this is very quick, with the added benefit of being able to do it from any computer – web based sign ins will work from any PC.

A USB-C variant is also available and on it’s way to me, so you can pick from those two standards as to which is more fitting for your requirements.

eWBM sell the keys on their website and there should be more key makers on the way.

Update 28/02/2020

I’ve now received the USB-C version of the eWBM Goldengate Security Key – G320, pictured below against the G310.

Google Nest Mini Won’t Connect to 5Ghz Network

Update 21st February 2020:
I’ve now had Google Nest support confirm that 5ghz Channel 149 and higher isn’t supported – which to me is baffling that a device can be released in this state.

Original Post:
I received a Google Nest Mini as part of Google’s promotion to subscribers of YouTube Premium. A nice gesture, and I hadn’t actually jumpted into having a smart speaker at home myself. Beyond wondering what use I could actually get from it – it was free, so I ordered.

A few weeks later it arrived, and setup should have been simple. Power it on, get the Google Home app on a mobile device, and follow the bouncing ball to set up. I’d done this before for a Chromecast I have, which I could see in the Home setup and have connected to the home 5Ghz network – no issues there at all.

However, when going through the same setup for the Google Nest Mini, I couldn’t even see my 5Ghz home Wi-Fi network listed on my phone. Weird, I tried several things including adding the details of the network in manually. Nothing I tried would work. I also couldn’t get it connected to my 2.4Ghz home network, unless I picked my guest network. I’d had the same issue on a printer that wouldn’t connect and only supported 2.4Ghz; the cuplrit was the AiMesh ASUS setup I had (side note – I personally would recommend to avoid ASUS AiMesh as there’s multiple problems I experienced, it’s not user friendly and solutions that are half done in it such as menu options that display but aren’t supported, as I eventually had confirmed by ASUS support. That’s not to say you should avoid all ASUS solutions.).

That really wasn’t where I wanted to end up though – the Nest Mini streaming data from my 2.4Ghz non-meshed guest network. After a bunch of Googling on the issue, I saw a comment somewhere that said to try band 36. As a refresher on this – 2.4Ghz Wi-Fi has bands or channels from 1 to 11 – but there’s overlap between the bands and they interfere with each other, so you really only wan to use 1, 6 or 11. 5Ghz however, has many more. My 5Ghz network at home was set to ‘Auto’ – which should pick the least noisiest band. That resulted in band 149.

I changed my band from 149 to 36 – the lowest option available, and went through the Google Nest Mini setup yet again. This time, I could see my network! It went through the entire setup process seamlessly. For my own sanity, I tried jumping up to a band 165, higher than 149, reset the Mini, and tried setting it up again but without success. Jumped to band 44 this time, and again it worked perfectly.

5Ghz Wi-Fi Band Options

It seemed the lower channels were fine – from 36 to 48, but the higher bands the device just couldn’t see. Again, weirdly the Chromecast would successfully set up on any of these and was a much older device than my brand new Nest Mini.

I also know it’s not just me that has this problem, as @AjTechs also confirmed he had the same experience – no 5Ghz network visible on band 149, but was visible when he used band 44.

I tweeted about it of course because that’s what I do. The first fail was the frustrating plug design, that wouldn’t fit with any other standard plug I had next to it. It’s also not a USB charger, but a round connector of some sort.

@GoogleNest swooped in to attempt to save the day. They couldn’t answer that question, and after 1 1/2 hours of back and forth over DM, they really didn’t know what was going on still. They still couldn’t answer my original question, and didn’t get me any closer to proving the problem was any different to what I’d found myself.

If I get any more details I’ll update this post – but otherwise, if you’re having the same problem as me, then try a different band, and when that works, have fun reconnecting everything in your house back to Wi-Fi again :)