Tip: Make Sure Your PC is Safe from Meltdown and Spectre


Posted on January 17, 2018

by Paul Thurrott in Hardware, Windows, Windows 10





Security expert Steve Gibson has done it again. His latest utility, InSpectre, can check your PC to see whether it is adequately protected from the recent Meltdown and Spectre security vulnerabilities.

You need this. So head on over to Steve’s GRC website and download InSpectre.

Put simply, InSpectre does three things: It determines whether your PC is vulnerable to Meltdown and Spectre. It checks to see what the performance impact is from the fixes you have installed. And it lets you toggle off those fixes, on the fly, if you need the full performance of your PC.

I ran InSpectre on my current desktop PC, an HP EliteOne all-in-one, and found that I was protected against Meltdown but not Spectre. And that my performance was “good,” which makes sense since I’m running the latest OS version on recent Intel hardware.

Steve’s utility noted that my vulnerability to Spectre was due to my BIOS/firmware not being updated.

So I checked with the HP Support Assistant and, sure enough, there was a BIOS update.

So I installed it, rebooted, and checked with InSpectre again. And now my PC is secure.

Get this now. And follow its advice. Seriously.


Posted in Hardware, Windows 10

Some Basic Rules for Securing Your IoT Stuff

Krebs on Security




Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

-Rule #1: Avoid connecting your devices directly to the Internet — either without a firewall or in front of it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

-Rule #2: If you can, change the thing’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: Most devices have a recessed reset switch that can be used to restore the thing to its factory-default settings (and credentials). Here’s some advice on picking better ones.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important.

-Rule #3: Update the firmware. Hardware vendors sometimes make available security updates for the software that powers their consumer devices (known as “firmware”). It’s a good idea to visit the vendor’s Web site and check for any firmware updates before putting your IoT things to use, and to check back periodically for any new updates.

-Rule #4: Check the defaults, and make sure features you may not want or need, like UPnP (Universal Plug and Play, which can easily poke holes in your firewall without you knowing it), are disabled.

Want to know if something has poked a hole in your router’s firewall? Censys has a decent scanner that may give you clues about any cracks in your firewall. Browse to whatismyipaddress.com, then cut and paste the resulting address into the text box at Censys.io, select “IPv4 hosts” from the drop-down menu, and hit “search.”

If that sounds too complicated (or if your ISP’s addresses are on Censys’s blacklist) check out Steve Gibson’s ShieldsUP! page, which features a point-and-click tool that can give you information about which network doorways or “ports” may be open or exposed on your network. A quick Internet search on exposed port number(s) can often yield useful results indicating which of your devices may have poked a hole.

If you run antivirus software on your computer, consider upgrading to a “network security” or “Internet security” version of these products, which ship with more full-featured software firewalls that can make it easier to block traffic going into and out of specific ports.

Alternatively, Glasswire is a useful tool that offers a full-featured firewall as well as the ability to tell which of your applications and devices are using the most bandwidth on your network. Glasswire recently came in handy to help me determine which application was using gigabytes worth of bandwidth each day (it turned out to be a version of Amazon Music’s software client that had a glitchy updater).

-Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities built-in. P2P IoT devices are notoriously difficult to secure, and research has repeatedly shown that they can be reachable even through a firewall remotely over the Internet because they’re configured to continuously find ways to connect to a global, shared network so that people can access them remotely. For examples of this, see previous stories here, including This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons.

-Rule #6: Consider the cost. Bear in mind that when it comes to IoT devices, cheaper usually is not better. There is no direct correlation between price and security, but history has shown the devices that tend to be toward the lower end of the price ranges for their class tend to have the most vulnerabilities and backdoors, with the least amount of vendor upkeep or support.

In the wake of last month’s guilty pleas by several individuals who created Mirai — one of the biggest IoT malware threats ever — the U.S. Justice Department released a series of tips on securing IoT devices.

One final note: I realize that the people who probably need to be reading these tips the most likely won’t ever know they need to care enough to act on them. But at least by taking proactive steps, you can reduce the likelihood that your IoT things will contribute to the global IoT security problem.


Posted in Blogs, Education, Hardware, Security

Twitter just got more serious about two-factor authentication. Here’s how to better protect your account

If you still haven’t properly secured your Twitter account with two-factor authentication then you have one less excuse today.

Twitter has announced that you can now use third-party apps (such as Google Authenticator, Authy, or 1Password) to verify yourself at login.

Which is great news, because previously – unlike many other online services – Twitter required you to either be capable of receiving SMS verification codes sent to your mobile phone, or to use their own smartphone app to verify a login.

Using SMS-based two-factor authentication has been frowned upon for some time, as criminals are able to exploit known weaknesses in the SS7 cellphone network to intercept text messages. In addition, there are countless malicious Android apps that are capable of capturing SMS codes as they are sent to devices, and then passing them on to account hackers.

Concerns grew so large in 2016 that NIST (the National Institute of Standards and Technology) announced it was no longer recommending two-factor authentication via SMS.

So, hopefully you’re convinced that it makes really good sense to enable two-factor authentication for your Twitter account, and even better to do it in a way that doesn’t involve you relying upon vulnerable SMS messages.

Here’s how to enable the feature (known as Login Verification in Twitter parlance):

1. Log into Twitter at http://www.twitter.com from your desktop’s browser.

2. In the top right-hand corner, click on your avatar to bring up a drop-down menu. Click on Settings and privacy.

3. Under Account, choose Set up login verification.

If you have not previously configured 2FA for Twitter, you will still need to initially set up the service with a mobile phone number and SMS. Twitter will walk you through that process. Once that’s in place, you’ll be able to switch Twitter to using an authentication app like Google Authenticator instead. Yes, this is a bit dumb…

Assuming you’ve been through the rigmarole of initially setting up Twitter’s 2FA with SMS, here’s what you do next.

4. Click on Get backup code. This will generate an emergency backup code that you can use, if for any reason, you lose access to the device running your authenticator app.

Make a note of your backup code and keep it safe and secure. You definitely don’t want this falling into the wrong hands. For obvious reasons I’ve obscured my backup code in the screenshot below.

5. Click on Review your login verification methods. It’s time to set up a mobile authentication app. In the Mobile security app section click on Set up.

6. Scan the displayed barcode into your preferred authentication app.

Your app should now be able to generate the codes you require to log in. Twitter will ask you to enter a code to check that everything is working properly.

7. Think you’re done? Not quite. You need to make sure that Twitter won’t still try to send you its six-digit login codes via SMS.

Go to Text Message and click on Edit.

8. Under Text message choose Off, and click Save changes.

Congratulations! You’ve done it.

From now on, whenever you try to log in to your Twitter account you will be asked for the six-digit login verification code from your authenticator app after you have entered your username and password. Even if your password is compromised in future, hackers are going to find it considerably more difficult to access your account.


Posted in Blogs, Privacy, Social Networks, Twitter

GPS is off so you can’t be tracked, right? Wrong




Don’t want anybody tracking you through your smartphone? Just turn off “location services” or whatever your device calls your GPS, and you will vanish from the online radar screen, right?

Of course not. That’s never been entirely true – since your phone continues connecting with cell towers even with GPS turned off, anyone with access to that data can come reasonably close to locking in on your location.

Recall, as Naked Security’s Lisa Vaas reported just a few weeks ago, that lawyers for Timothy Ivory Carpenter, convicted in 2014 of a string of robberies in the Midwest, are arguing that the convictions should be thrown out because prosecutors relied in part on cell tower data for which law enforcement didn’t obtain a warrant. Legal arguments aside, the point here is that, as Vaas noted, whether he had his GPS turned on or not was irrelevant:

The cellphone records… revealed that over a five-month span in 2010 and 2011, his cellphone connected with cell towers in the vicinity of the robberies.

But adding yet more evidence to the bulging “privacy-is-even-more-dead-than-that” folder are several researchers from the Electrical Engineering Department at Princeton University who created an app they call “PinMe” to show that, with just a couple thousand lines of added code (plenty of games and apps have hundreds of thousands of lines of code), smartphone users can be tracked just as precisely as their GPS, even when it’s turned off.

The researchers – Arsalan Mosenia, Xiaoliang Dai, Prateek Mittal and Niraj Jha – in a 15-page paper published on the IEEE (Institute of Electrical and Electronics Engineers) website (paywall), describe how their app collects data from sensors in the device that don’t require special permission to access.

As they put it, in tests using an iPhone 6, iPhone 6S and Galaxy S4 i9500:

We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure and device’s timezone, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS are turned off.

This does come with a caveat. Mosenia, a post-doctoral research scientist at Princeton’s EDGE and INSPIRE labs, acknowledged to Naked Security that he and his colleagues had no way to verify if commercial apps are doing this kind of data collection and tracking, “since their codes are not publicly available and we cannot modify/examine their codes.”

But through their “proof of concept,” they have demonstrated that it is possible. Which is more than creepy enough, if not outright dangerous to those for whom privacy can be a life and death matter.

As they say, both iOS and Android are designed to run with third-party apps, of which there are hundreds of thousands on the market. And while smartphone operating systems are also designed to protect most personal information, “several types of non-sensory/sensory data, which are stored on the smartphone, are either loosely protected or not protected at all.”

Those include a gyroscope, accelerometer, barometer and magnetometer. According to the researchers, measurements from those sensors:

…are accessible by an application installed on the smartphone without requiring user’s approval. As a result, a malicious application that is installed on the smartphone and runs in the background can continuously capture such data without arousing suspicion.

Using what they describe as “presumably non-critical data” from those sensors, the app first determines what the user is doing – walking, driving a car, riding in a train or an airplane. As Christopher Loren put it, writing on Android Authority:

Moving at a slow pace in one direction indicates walking. Going a little bit quicker but turning at 90-degree angles means driving. Faster yet, we’re in train or airplane territory. Those are easy to figure out based on speed and air pressure.

And then, the sensors also tell the app your speed, your relation to true north and how far above sea level you are. It takes four algorithms to narrow down the location of somebody on a plane. It is even simpler if you’re in a car:

The app knows the time zone you’re in based on the information your phone has provided to it. It then accesses information from your barometer and magnetometer and compares it to information from publicly available maps and weather reports. After that, it keeps track of the turns you make. With each turn, the possible locations whittle down until it pinpoints exactly where you are.

During a test run in Philadelphia, the researchers said it took only 12 turns for the app to know exactly where the car was.

Cryptography and privacy researcher Bruce Schneier, CTO at IBM Resilient, linked to the research on his blog, adding the observation that:

This is a good example of how powerful synthesizing information from disparate data sources can be. We spend too much time worried about individual data collection systems, and not enough about analysis techniques of those systems.

That is the concern of other privacy experts as well. “It’s pretty alarming and definitely creepy,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology (CDT).

Location data is extremely sensitive personal information, especially when it is collected over a long time, with high frequency and in real-time. It can be dangerous for victims of domestic violence or stalking, and for people with very sensitive roles in society, like law enforcement, judges, politicians, etc.

And Rebecca Herold, CEO of The Privacy Professor, said commercial apps are not only, “collecting, storing, and sharing all the data possible from the devices upon which they are loaded,” but are combining that data with other datasets about users, including their locations.

They may be correct in saying they are not collecting explicitly named data from you specifically, but they almost always are combining what they do collect with other datasets, to then establish very detailed insights into your life, activities, locations, likes and dislikes, and a wide range of views into your private life.

What, if anything, can you as an individual do about that? Not all that much, other than to practice basic “security hygiene.” One of the most obvious, Herold says, is to remove all apps you’re no longer using. Stay away from sketchy apps – get them from “stores” that have done some vetting. Do a bit of homework on the companies that develop and sell them.

Beyond that, “users also need to periodically shut down and clear out cache, memory, and delete unnecessary files,” she said. “These are also valuable sources of data for apps.”

But that, of course, takes time, and most users are much more interested in the features of an app than in its security or what it collects.

So, for years, advocates have been lobbying for legislation to require apps that want to use the sensors to request access. This might get as much (very little) attention as Terms of Service and Privacy Policies, but at least it would raise awareness of what apps are collecting, and give users a chance to opt out.

The researchers offer some recommendations for the industry. Among them:

  • Require sensors to decrease their sampling rate when they are inactive. That would make it harder for malicious apps to get the data they need.
  • Add hardware switches to phones, allowing users to deactivate the sensors when they aren’t in use.

And Hall says it’s long past time for Congress to pass, “general data protection legislation that steps away from the silo-ed, sector-specific manner we legislate privacy protections now.” He said for years, CDT has pointed out that only the US and Turkey lacked such general privacy regulations.

But Turkey actually passed such a law recently, making the USA the lone hold out… we’re an opt-out country living in an opt-in world; something has got to give.

Posted in Blogs, Hardware, Privacy, Security

Buyers Beware of Tampered Gift Cards



Krebs on Security, December 19, 2017


Prepaid gift cards make popular presents and no-brainer stocking stuffers, but before you purchase one be on the lookout for signs that someone may have tampered with it. A perennial scam that picks up around the holidays involves thieves who pull back and then replace the decals that obscure the card’s redemption code, allowing them to redeem or transfer the card’s balance online after the card is purchased by an unwitting customer.

Last week KrebsOnSecurity heard from Colorado reader Flint Gatrell, who reached out after finding that a bunch of Sam’s Club gift cards he pulled off the display rack at Wal-Mart showed signs of compromise. The redemption code was obscured by a watermarked sticker that is supposed to make it obvious if it has been tampered with, and many of the cards he looked at clearly had stickers that had been peeled back and then replaced.

“I just identified five fraudulent gift cards on display at my local Wal-Mart,” Gatrell said. “They each had their stickers covering their codes peeled back and replaced. I can only guess that the thieves call the service number to monitor the balances, and try to consume them before the victims can.  I’m just glad I thought to check!”

In the picture below, Gatrell is holding up three of the Sam’s Club cards. The top two showed signs of tampering, but the one on the bottom appeared to be intact.

Kevin Morrison, a senior analyst on the retail banking and payments team at market analysis firm Aite Group, said the gift card scheme is not new but that it does tend to increase in frequency around the holidays, when demand for the cards is far higher.

“Store employees are instructed to look for abnormalities at the [register] but this happens [more] around the holiday season as attention spans tend to shorten,” he said. “While gift card packaging has improved and some safe-guards put in place, fraudsters look for the weakest link and hit hard when they find one.”

Gift cards make great last-minute gifts, but don’t let your guard down in your haste to wrap up your holiday shopping. There are so many variations on the above-described scheme that many stores have taken to keeping gift cards at or behind the register, where cashiers can more easily spot customers trying to tamper with the cards. As a result, stores that take this basic precaution may be the safest place to purchase gift cards.

Posted in Privacy, Security, Shopping

Watch out – fake support scams are alive and well this Christmas


A few years ago, fake support call scams were one of the most likely cybercrimes that would reach out and touch you at home.

And, boy, how those guys used to reach out.

Boiler rooms full of scammers would make cold call after cold call, ploughing day and night through lists of phone numbers to scare victims into paying up for technical support they didn’t need for malware infections they didn’t have.

Here’s how we summarised the MO of these scummy scammers back in 2014:

The crooks call up and say they’re from “Microsoft” or “Windows”; tell you they’re following up reports of malware activity coming from your computer; convince you that you are infected; and charge you a fee of about $300 to sort you out.

All a pack of lies.

They’re not legitimate IT support technicians; they have no idea whether there is malware on your computer or not; the “evidence” they come up with is harmless and could be found on an uninfected computer; and the $300’s worth of fiddling around they do is simply $300’s worth of fiddling around.

You could achieve the same technical outcome for yourself by doing nothing at all – LITERALLY nothing.

If you didn’t hang up right away – or even if you did – then the crooks would often come back, sometimes calling again and again, ramping up the pressure, the fear and the threats in the hope that you’d eventually cave in.

For better or worse, technical support scams don’t make the headlines as much as they did.

Firstly, other, more directly pernicious threats such as ransomware have understandably grabbed our attention instead; secondly, this fake tech support “business” has become slightly more sophisticated.

We presume that more and more people have become less and less tolerant of cold calls, thus reducing the hit-rate of scammers who rely on contacting you first.

In recent years, support scams usually start from a website that’s poisoned with dubious advertising.

You’ll often get a pop-up warning urging you to phone the crooks (typically via an in-country tollfree number to add legitimacy), so you end up pre-selecting yourself as a potential victim.

Well, don’t get fooled this Christmas, because the scammers are still hard at it.

Here’s one we saw over the weekend, while reading a legitimate news site, albeit not a mainstream one.

We clicked on one of those “you’ll never believe what happened next” stories (for research purposes only, of course!), and then mis-clicked (honestly!) on an ad simply by tapping the trackpad by mistake just short of our intended on-screen destination:


The crooks haven’t lined things up perfectly, as you’ll probably realise, especially if you’re a native speaker of English who currently lives in the UK.

For example:

  • The automatic text-to-speech conversion has messed up the pronunciation of some of the words. Pornography comes out as poor and/or graphic. The word logins is spoken with a soft -g-.
  • The phone number is written US-style, wrongly assuming a three-digit area code. The dialling code for this number would be grouped as four digits, like this: +44-1273-XXX-YYY.
  • The number isn’t toll free, as claimed. Numbers starting +44-1273 are paid calls to the Brighton area on the South coast of England.
  • The password request is superfluous, and so it should stand out as suspicious. Also, this is not an HTTPS page, so if you put in your password, not only will the crooks get it, but anyone else on the same network will be able to see it, too.

But these are details that are easy to overlook; the crooks often get the details right, anyway; and plenty of legitimate websites make similar mistakes.

What to do?

We haven’t called the number shown above; we don’t intend to; and we recommend that you don’t, either, no matter how much fun you think you can have messing with the criminals.

They’re crooks – why engage at all, especially when you might accidentally give something away about yourself in the process?

This festive season, even if trying new websites, buying from new vendors, contacting people you haven’t heard from in ages, and otherwise living a larger life online than you have all year…

…don’t let anyone, especially someone you don’t know, and whom you didn’t ask for help, pressurise you into doing, saying, posting, calling, texting, clicking or buying anything.

If you’re worried, ask someone whom you know and trust for help, face-to-face.

If you’re one of those “askees” who end up stuck with friends-and-family technical support over the holidays, please try to do it with good grace, to keep your loved ones out of the clutches of fake support sleazebags like the ones shown here.

If in doubt, STOP. THINK. And only then CONNECT.

Posted in DataLoss, Education, Privacy, Security

How a Wi-Fi Pineapple Can Steal Your Data (And How to Protect Yourself From It)


Daniel Oberhaus

The Wi-Fi Pineapple enables anyone to steal data on public Wi-Fi networks. Here’s how it facilitates two sophisticated network attacks and how to protect yourself against them.

This article is part of How Hacking Works, Motherboard’s guide to demystifying information security.

In popular media, hackers are often portrayed as an elite cabal of ski mask aficionados and computer experts that can keyboard mash their way into any digital device. But what if I told you that you can also pwn almost any internet connected device around you, even if you can’t tell an SSL from an SSID?


Yes, my friend, the device you are looking for is a Wi-Fi Pineapple, which can turn anyone from hack to hacker for the low, low price of $99. Since it is so cheap and easy to use, it’s important to understand how the Pineapple works in order to protect yourself against its attacks.

The Pineapple is a nifty little device first released in 2008 by Hak5, a company that develops tools for penetration testers, or “pentesters.” Pentesters are usually hired by organizations to attack their own networks in order to expose vulnerabilities before they are discovered by some bad actors. The Pineapple allows pentesters to easily execute sophisticated attacks on public Wi-Fi networks to see how the attacks work and how to protect the network from those attacks.

Pineapples aren’t much different than the normal Wi-Fi access points you use to get internet at home or in the office, just more powerful. They use multiple radios rather than just a single radio found in most routers. This means a Pineapple is able to interface with hundreds of devices at a time, rather than just a few dozen. Moreover, the Pineapple’s web interface is optimized to execute complicated network attacks.


“When I invented the Wi-Fi Pineapple, I saw that Wi-Fi had inherent flaws that made it vulnerable to spoofing attacks,” Darren Kitchen, the founder of Hak5, told me in an email. A spoofing attack is when a hacker impersonates a service or device in order to gain access to a victim’s data.


“A lot of nefarious types had already taken advantage of these weaknesses, but the majority of people weren’t aware of the problem,” Kitchen added. “I figured if information security people had access to a device that could easily exploit these flaws, it would raise awareness and get things fixed.”

Although the Pineapple has always had a cult following within hacker circles, it recently rose to prominence after it was featured as a major plot point in the shows Silicon Valley and Mr. Robot.

In these shows the device was used to spoof a website and to execute a man-in-the-middle attack to hack the FBI, respectively. According to Kitchen, who served as a technical advisor on the Silicon Valley episode, the fictional depiction of the Pineapple in these shows isn’t so far from the truth.

The Pineapple is an invaluable tool for pentesters, but its popularity is also due to the fact that it can be used for more nefarious purposes. Hackers can easily wield the device to collect sensitive personal information from unsuspecting users on public Wi-Fi networks.

It’s important to keep in mind that just because you can pwn all the things with a Pineapple, doesn’t mean it’s legal or that you should. Owning a Pineapple is legal, but taking money out of someone’s bank account by stealing their unencrypted password is not. The Pineapple just makes grabbing unencrypted passwords sent over Wi-Fi easier. I am not a lawyer, but in general, if you do not have explicit permission to use the Pineapple on a network that you own as well as from anyone who could reasonably connect to that network, you are treading in dangerous territory.


Again: Executing a Pineapple’s exploits on a network you don’t own if you’re not a pentester working in a professional setting can quickly put you into illegal territory. Even if you don’t get caught, you’re still an asshole for doing it, so just…don’t.


This guide is meant to be an informational glimpse into the world of network pentesting, as well as a reminder about the importance of personal information security. After showing you just a few of the ways a Pineapple can be used to pwn you, I’ll also walk you through some simple steps you can take to make sure you’re never on the wrong end of a malicious Pineapple attack.

Hak5 makes a few different versions of the Pineapple, but while putting together this article I used its cheapest model, which I bought at the DEF CON hacking conference for the purposes of this article: the Pineapple Nano. I configured it on a Windows computer, although it’s also compatible with iOS and Linux systems.

The Pineapple Nano. Image: Hak5

The initial setup is a piece of cake. All you need to do is plug it into the USB port on your computer, navigate to the Pineapple’s IP address and it’ll take care of the rest. After you’ve updated your login information for the Pineapple, you’re ready to try some exploits.


Every year at DEF CON, one of the largest hacking conferences in the world, the Packet Hacking Village hosts the Wall of Sheep. This is essentially a running list of devices that have connected to an insecure network at DEF CON. The list is usually displayed on a large projector screen at the Packet Hacking Village, where anyone can see not only the device’s ID, but also the websites it was trying to access and any relevant credentials.


It’s a light-hearted way of shaming people into better information security, and you can easily create your own Wall of Sheep using a Pineapple.

All of the exploits for the Pineapple are freely available as downloadable modules on the Pineapple’s dashboard and usually only take a single-click to download and install on the device. Once the Wall of Sheep module (called ‘DWall’) is installed on a Pineapple, any device that connects to it will basically be broadcasting their browsing traffic to the owner of the Pineapple.

The exception to this, of course, is if the would-be victim is using a Virtual Private Network (VPN) to encrypt their web traffic or only visiting pages secured by Secure Hypertext Transfer Protocol (HTTPS). This protocol encrypts the data being routed between the website’s server and your device and effectively prevents eavesdroppers from seeing which websites you’re visiting. HTTPS also helps protect your web habits from your internet service provider, which can only see the top level domain habits of its users (for instance, that you visited Motherboard, but not that you clicked on this article).

Although over half the web has switched to HTTPS from its insecure predecessor, HTTP, a 2017 Google audit found that nearly 80 percent of the top 100 websites don’t deploy HTTPS by default. This means that anyone who inadvertently connects to a Pineapple and then browses to an HTTP version of the site is basically exposing all of their activity on that site, from pages visited to search terms, to the person wielding a Pineapple.


Many websites have both an HTTP version and an HTTPS version, which, as we’ll see in the exploit, is a security vulnerability that can be exploited by a Pineapple.

The original Pineapple released in 2008. Image: Darren Kitchen/Hak5


Pineapple man-in-the-middle (MITM) attacks are really the main reason pentesters get this device.

MITM attacks are a way of eavesdropping on a user by inserting a Pineapple between the user’s device and legitimate Wi-Fi access points (in terms of how data is routed through the network, not necessarily literally between them in meatspace). The Pineapple then pretends to be the legitimate Wi-Fi access point so it can snoop on all the information as it relays data from the device to the access point.

Another way of thinking about MITM attacks is that they are kind of like if someone dropped a letter in their mailbox and then a stranger opened up their mailbox, read the letter and then put it back in the mailbox to be sent.

So how does a Pineapple trick your device into thinking it is a legitimate access point? There is a native feature on the Pineapple that scans for service set identifiers (SSID)—the names of Wi-Fi networks—that are being broadcast from devices in its vicinity.

Any time you connect to a Wi-Fi network on your phone or computer, your device saves that Wi-Fi network’s SSID in case you ever need to connect to that Wi-Fi network in the future. But this convenience comes with a major cost.


Let’s say you connected to the Wi-Fi at your favorite local coffee spot, and its network is called “Human_Bean_wifi”. After you’ve left the coffee shop, your phone or laptop will start broadcasting a signal that is basically asking if Wi-Fi access points around the device are “Human_Bean_wifi.” It does this for any network you’ve connected to in the past.

A Pineapple is able to take advantage of this feature by scanning for all the SSIDs being broadcast by devices in its vicinity. It then rebroadcasts these SSIDs so that it can trick devices into thinking it is an access point that has been connected to in the past. So to use the above example, the Pineapple will see that your phone is asking, “Is this network ‘Human_Bean_wifi’?” and then start broadcasting its own signal that says “Yes, I am ‘Human_Bean_wifi’, connect to me.”

Put another way, this would basically be like walking around with a set of keys to your house and asking every stranger you meet if they are your roommate. In most cases, those strangers will say “no,” but you also run the risk of running into an ill-intentioned stranger who will lie to you and say “yes, of course I am your roommate. Please let me in,” and then proceed to steal all your stuff.

But getting devices to connect to a Pineapple is only half of executing a MITM exploit. An attacker also must be able to read the data being routed from the device through the Pineapple. There are a couple of ways to do this.


A Pineapple can be used to create an “Evil Portal,” which basically creates fake versions of websites to capture usernames and passwords, credit card information or other sensitive data.

These work by creating a local server on the attacker’s computer to host a web page that looks like a regular login page for a well trafficked service like Gmail or Facebook. These pages can easily be duplicated using free online services.

Then the attacker configures their Pineapple so that when any devices that are connected to it try to browse to a website like Twitter or Facebook, they will actually be redirected to the fake webpage being served by the attacker’s computer. If the victim enters their information on this page, their username and password will be revealed to the attacker without the user ever knowing they’ve been pwned.

Another way of gathering information about someone’s browsing habits with a MITM attack is to use modules built for the Pineapple that block forced HTTPS encryption and read the data that would otherwise have been secure.

For example, consider a website like Motherboard, which is secured with HTTPS. If you simply type in “motherboard.vice.com” in your URL search bar and press enter, you will be submitting an HTTP request to Vice’s servers. Vice’s servers will then field this request and respond to your device by directing it to a secure HTTPS version of the site. (This is the same for many major websites, such as Twitter).


Forcing users to an HTTPS version is a great way to beef up a website’s security, but it’s the user’s HTTP request in the beginning that can be exploited with a Pineapple. A module called SSLSplit is able to monitor HTTP requests from a user’s device when it is connected to the Pineapple. It will then route this request along to the appropriate server, but when the server responds with the secure HTTPS link, the Pineapple will “strip” away the secure layer and serve an HTTP version of the site back to the user.

At this point, the user will effectively be browsing an insecure version of the site, which will appear almost exactly the same. The only difference will be that a little lock icon will have disappeared from the upper left corner of the screen.

Always check for this lock icon in the upper left of your internet browser.

This attack clearly demonstrates the importance of encrypted communication protocols such as HTTPS. Without them, all the data being routed between the device and the access point can be easily read by anyone with a Pineapple.
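The check below is an added example, not code from the article or from Hak5. It parses raw HTTP responses and reports whether a site leaves the first plain-HTTP request open to the stripping described above, and whether a host that used to redirect to HTTPS has stopped doing so. The host `news.example` and all sample responses are constructed, and the `Strict-Transport-Security` (HSTS) header it looks for is a standard browser mechanism the article does not mention.

```python
"""Added example: how exposed is a site's first plain-HTTP request?"""

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Return (status_code, headers) from the head of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])        # "HTTP/1.1 301 Moved" -> 301
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                # ignore malformed header lines
            headers[name.strip().lower()] = value.strip()
    return status, headers


def upgrades_to_https(status, headers):
    """True when the response redirects the browser to an https:// URL."""
    location = headers.get("location", "").lower()
    return status in REDIRECT_CODES and location.startswith("https://")


def hsts_max_age(headers):
    """Seconds the browser is told to refuse plain HTTP for this host (0 if none)."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return max(int(value.strip('"')), 0)
            except ValueError:
                return 0
    return 0


def classify_site(http_raw, https_raw=None):
    """Classify a site from its answer to http:// and (optionally) https://.

    cleartext      - no upgrade at all; everything is readable on the wire
    redirect-only  - upgrades, but every visit starts with a strippable HTTP hop
    redirect+hsts  - after one clean visit the browser skips the HTTP hop
    """
    status, headers = parse_response(http_raw)
    if not upgrades_to_https(status, headers):
        return "cleartext"
    # Browsers only honour HSTS when it arrives over HTTPS, so check that response.
    if https_raw is not None and hsts_max_age(parse_response(https_raw)[1]) > 0:
        return "redirect+hsts"
    return "redirect-only"


def looks_stripped(host, hosts_seen_upgrading, http_raw):
    """Flag a host that used to redirect to HTTPS but now serves content over HTTP."""
    status, headers = parse_response(http_raw)
    return host in hosts_seen_upgrading and not upgrades_to_https(status, headers)


# Constructed sample responses for the hypothetical host news.example.
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://news.example/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
HTTPS_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
# What the client receives on an untrusted network: content where a redirect
# used to be.
HTTP_NO_UPGRADE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(classify_site(HTTP_REDIRECT, HTTPS_PLAIN))
    print(classify_site(HTTP_REDIRECT, HTTPS_WITH_HSTS))
    print(looks_stripped("news.example", {"news.example"}, HTTP_NO_UPGRADE))
```

A "redirect-only" result is the situation the article describes: the site is secured with HTTPS, yet each visit that starts from a bare domain name still begins with one unprotected request.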


The hacks discussed above are just the tip of the iceberg. Fortunately, there are a number of simple steps you can take to protect yourself from getting pwned by some asshole with a Pineapple.


The easiest thing you can do is only connect to Wi-Fi networks you know and trust. Your home network, for instance, is almost certainly safe from a Pineapple attack. This is because a Pineapple must also have access to the network it is trying to monitor traffic on, so unless the attacker has access to your home Wi-Fi credentials, they won’t be able to pwn you with a Pineapple.


Same goes for your office Wi-Fi—unless, of course, your office has hired a pentester to audit its network. The real danger of a Pineapple attack is on public networks—places like your local coffee shop or the airport are all prime places for an attack. Most people don’t stop to check whether the “free_airport_wifi” access point is legit and connect without thinking.

When it comes to networking infosec, vigilance is key. The most secure option is to never use public Wi-Fi networks at all. That is a major pain in the ass, however, and will almost certainly drive up your cell phone bills for data use. (For what it’s worth, your cell phone isn’t safe from IMSI catchers either, but I digress).


If you must get on public Wi-Fi, your best bet is to get a VPN. VPNs are a secure way of surfing the net by first connecting to a VPN server before venturing onto the World Wide Web. The VPN server encrypts your data before routing it to its destination, essentially creating a protective shell for your data that makes it unintelligible to prying eyes. So even though an attacker may be able to see that your device has connected to their Pineapple, if you’re using a VPN they won’t be able to see the data they are routing.

“Using a VPN is still the best advice,” Kitchen said. “When you use a VPN, anyone peering into your traffic is only going to see an encrypted mess. That goes for any eavesdropper—be it a Wi-Fi Pineapple, your ISP, an employer or even our wonderful government.”


Choosing the right VPN can be a really tough challenge. Here’s a simple guide with some suggestions.


Another good rule of thumb is to only visit websites secured with HTTPS (like Motherboard!). These days, most websites you’re likely to visit on a day-to-day basis that have sensitive information on them have switched over to this security standard from HTTP, thanks to a concerted industry effort to push HTTPS, including Google’s algorithms privileging sites with security over those that aren’t encrypted. Still, Pineapple modules are able to force a connected device onto an insecure (HTTP) version of a site if the visitor didn’t explicitly type https:// before the domain name.

“Unfortunately too many websites don’t use HTTPS, and many that do are still susceptible to downgrade attacks,” Kitchen told me. “If you’re venturing anywhere off the beaten path, I’d advise against using this as your only line of defense. It’s still important to stay vigilant and check for HTTPS, but pack a VPN too.”

In short, always make sure to check the URLs of the websites you visit to make sure they’re using HTTPS. Browsers like Chrome, Firefox, and Opera make checking website security easy with a small padlock icon that says “Secure” on the left hand side of the address bar and warning users before they visit an insecure site.



Finally, it’s important that whenever you are done connecting to a public Wi-Fi network that you configure your phone or computer to ‘forget’ that network. This way your device won’t be constantly broadcasting the SSIDs of networks it has connected to in the past, which can be spoofed by an attacker with a Pineapple. Unfortunately there is no easy way to do this on an Android or an iPhone, and each network must be forgotten manually in the “Manage Networks” tab of the phone’s settings.

Another simple solution is to turn off your Wi-Fi functionality when you’re not using it—though that isn’t as easy to do on some devices anymore—and don’t allow your device to automatically connect to open Wi-Fi networks.
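On a Windows computer the same cleanup can be scripted. The following is an added example, not part of the original article: it parses the text that `netsh wlan show profile name="..."` prints for each saved network and marks unencrypted, auto-connecting profiles as the ones to forget. The sample output is constructed and abbreviated, English-language `netsh` output is assumed, and "HomeNet" is a hypothetical network name.

```python
"""Added example: decide which remembered Wi-Fi profiles to forget (Windows)."""


def _sample(name, mode, auth, cipher):
    """Build constructed, abbreviated `netsh wlan show profile` output."""
    return (
        "Profile information\n"
        "-------------------\n"
        f"    Name                   : {name}\n"
        "    Control options        :\n"
        f"        Connection mode    : {mode}\n"
        "\n"
        "Connectivity settings\n"
        "---------------------\n"
        f'    SSID name              : "{name}"\n'
        "\n"
        "Security settings\n"
        "-----------------\n"
        f"    Authentication         : {auth}\n"
        f"    Cipher                 : {cipher}\n"
    )


# Constructed sample data: two public networks named in the article, one home network.
SAMPLE_PROFILES = [
    _sample("Human_Bean_wifi", "Connect automatically", "Open", "None"),
    _sample("free_airport_wifi", "Connect manually", "Open", "None"),
    _sample("HomeNet", "Connect automatically", "WPA2-Personal", "CCMP"),
]


def parse_profile(text):
    """Turn 'Key : value' lines into a dict; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().strip('"')
        if sep and key and value:              # skips headings and empty values
            fields.setdefault(key, value)
    return fields


def verdict(fields):
    """forget: open and auto-connecting; review: open; keep: anything else."""
    is_open = (fields.get("authentication", "").lower() == "open"
               and fields.get("cipher", "").lower() == "none")
    auto = fields.get("connection mode", "").lower() == "connect automatically"
    if is_open and auto:
        return "forget"    # any access point using this name will be joined silently
    if is_open:
        return "review"    # still remembered, but only joined on request
    return "keep"


def audit(profiles):
    """Return [(profile_name, verdict), ...] in input order."""
    parsed = [parse_profile(text) for text in profiles]
    return [(f.get("name", "?"), verdict(f)) for f in parsed]


def forget_commands(profiles):
    """Commands to review and run by hand; nothing is deleted by this script."""
    return [
        f'netsh wlan delete profile name="{name}"'
        for name, result in audit(profiles)
        if result == "forget" and '"' not in name   # avoid breaking the quoting
    ]


if __name__ == "__main__":
    for name, result in audit(SAMPLE_PROFILES):
        print(f"{result:7} {name}")
    for command in forget_commands(SAMPLE_PROFILES):
        print(command)
```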

While it’s easy to get paranoid and wonder if there’s a Pineapple waiting to pwn you any time you get a Wi-Fi connection, most Pineapple exploits can be easily avoided by simply staying vigilant about your network settings and internet experience. For all their prowess at manipulating electronics, hackers are still very much dependent on human error for their craft.

“The Wi-Fi Pineapple is really good at mimicking Wi-Fi networks you’ve connected to in the past,” Kitchen said. “If you’re at a park and your device says it’s connected to an airplane’s Wi-Fi, something is amiss. A quick reality check is usually all it takes to see if you’ve been duped by a Wi-Fi Pineapple.”

Posted in Hardware, Privacy, Security, Tips-n-Tricks

5 New Productive Gmail Apps and Extensions You Should Try


Gmail is the email service of choice for most of the world. Google has done an excellent job with it. But that doesn’t mean it couldn’t be better. With the right apps and extensions, you can be more productive in your Gmail inbox.

You can turn it into an Instagram-like feed to quickly skim through your inbox. A “Do Not Disturb” setting will ensure new message notifications don’t break your concentration. There’s something for everyone here.

But of course, none of these can replace the tips and tricks to become a Gmail power user. Master those first, and then move on to these other tools.

1. Drag (Chrome): A Trello-Like Board for Gmail

A while back, we loved a new app called Sortd, which turned Gmail into a Trello-like task board. Since then, Sortd has added myriad new features that turn it into a heavy extension. If you want something simpler like the old Sortd, try Drag.

The free version of Drag lets you create three columns within which you can move your emails around. Like Trello, you can turn Gmail into a visual Kanban task board, to manage your inbox and your to-do list.

Most of the advanced features need a paid pro account, like adding a due date or a checklist. You can try them free for a week to see if you need them.

And yes, going back to the regular Gmail view is as simple as clicking a custom Drag button in your inbox.

Download: Drag for Chrome (Free)

2. MailTag (Chrome, Firefox): Free, Real-Time Email Tracking

When you send an important email, it’d be nice to know if the recipient received it and read it. MailTag will tell you that, and it will also say how many times it was read.

It’s the simplest, free extension for this. Install it in Chrome or Firefox and it will sit quietly in the background. When you send an email, add a MailTag to track it. Once the recipient opens it, the extension sends a notification saying the message was read. It will continue to track the email after that too so that you know if it was re-read.

Like the venerable MailTrack to track your messages, this one is completely free too. The only real advantage here is the notification, but hey, that’s what you want sometimes.

Download: MailTag for Chrome (Free) or for Firefox (Free)

3. DND Email (Web, All Gmail): Stop Incoming Distractions

Every new email is a distraction. A notification or alert makes it feel like you absolutely must check it right away. Only the email is often unimportant and breaks your concentration for no compelling reason. DND Email gives you control over when an email lands in your inbox.

The idea is to create Do Not Disturb (DND) times for your inbox. Set up which days of the week you want it for, start and end times for your DND period, and what times Gmail will fetch new messages. This way, your phone won’t ding with notifications all the time.

DND Email was one of our favorite Gmail addons for Firefox, so you can use it as an extension if you want. But the site makes it simpler since it’s a Gmail setting across all apps you use.

4. gfeed (Android, iOS): Instagram-Like Feed for Inbox Zero

A filled inbox is overwhelming to look at, and even worse to go through. gfeed turns it into an Instagram-like social network feed. Along with seeming more approachable, it also has a few smart tricks up its sleeve.

For example, as you swipe to see new messages, each message is automatically archived. Remember, archiving is how you reach inbox zero. For any email that you want to refer to later, “star” it to add to your favorites.

Whatever action you take on gfeed will be reflected in your Gmail inbox across all apps and platforms. In essence, the app makes it easy to scroll through messages at a quicker speed and take the right action each time.

Download: gfeed for Android (Free) or for iOS (Free)

5. Email Monster (Web, Chrome): Readymade Designer Templates

Gmail lets you create canned responses and templates to reuse multiple times. But writing better emails or well-designed ones is a tough task in itself. Email Monster does the heavy lifting for you, so you can simply use an existing template.

It’s a new site so there isn’t a huge collection of templates yet. But it’s a good resource nonetheless. Broadly, you will get announcements and newsletters, a template to send a portfolio, and some marketing and sales stuff. Design is the key here, which is the hard part for most people to do. If your email looks like it was made with professional HTML, a recipient might appreciate it more.

Get Email Monster’s extension for Chrome. Next time you open a Compose window, you’ll find an icon for it next to the Send button. Click it, choose a template, customize it to say what you want, and send it away. Simple!

Download: Email Monster for Chrome (Free)

Any New Gmail Tools on Your Radar?

Not too long ago, I took a long look at all the best Gmail extensions for Chrome. But in no time, new contenders like the above ones have sprung up.

Posted in Google, Tips-n-Tricks

You Never Thought of Using Your Windows Start Menu Like This!


You don’t use your Start Menu much, do you?

Besides the casual search for a program, most users don’t. Instead, it stays discreetly nestled within the Windows UI never to meet its full potential. That is, until now! Read on to turn your Start Menu into a one-stop repository for almost anything you’d need to know from your PC.

If you’ve never modified your Start Menu before, learn the basics of the Windows 10 Start Menu customization here.

1. Voice-Enabled Assistant

First things first, enable Cortana. Over time, Microsoft has developed Cortana to become quite the handy Windows tool, completely usable from your Start Menu. You can’t grasp the full use of the Start Menu without Cortana, so enable it by clicking your Start Menu, typing cortana, and selecting the Cortana & Search settings.

From sending reminders to watching The Office on Netflix, Cortana is no longer a Windows 10 frill. It’s shaping up to be a genuinely impressive program which can theoretically send an email, schedule a reminder, find directions, write a note, send an SMS message, identify a song, convert currency rates, and set an alarm without typing a key.

You don’t have to use Cortana, but it definitely adds another dimension to your typical Start Menu. I haven’t even started iterating all the new, interesting features Microsoft plans to pack into Cortana, so try it out for yourself.

2. Folder and Program Organizer

People look high and low for ways to organize their programs. Taskbar modifications, third-party docks, wallpaper sections, and folders can only do so much. Why not lay all the most-used programs in your arsenal right on your Start Menu? It only takes a few minutes, and will definitely save a lot of time tracking down those important programs and files.

To pin a program or folder, right-click the subject within your File Explorer and select Pin to Start.

Once you’ve placed your tile, you can mouse over the small, default space slightly above the tile. Click on this space, and you will be able to name your tile category. This will work for programs and folders alike, along with drive icons.

You can also resize your icons by right-clicking the icons, mousing over Resize, and selecting your size. This will allow you to create smaller icons, which will shrink the tile and only display the icon instead.

Take the time to place your most valuable folders and programs on your Start Menu. Once you do, you won’t regret it.

3. Weather and News Forecaster

I don’t know about you, but my morning routine never changes: drink some coffee, check the weather, and read the news. Now, however, you won’t have to sit through panel banter for the important bits of news anymore.

Head to the Windows Store and download a weather application along with a few news apps as well. I’ve chosen The Weather application for weather, for example. Once you’ve downloaded your application, right-click the listing within your Start Menu programs and select Pin to Start. When you see the application within your Start Menu, right-click the square and select Resize to add or subtract space from the application. Then, right-click the application again and select More, and then Turn Live Tile on to get tidbit text concerning the top story of the day.

That’s it, now you have the news and weather every morning smack dab on your Start Menu.

4. Game Drawer

Putting your games directly on your PC not only bypasses pesky Start Menu searches, it also allows for an aesthetically pleasing menu. To add your games, Steam games specifically, onto your Start Menu, it’s as easy as downloading the Steam Tiles application from the Windows Store.

When you first enter the application, enter your Steam ID into the entry provided and select Update. Your Steam games will automatically be loaded into the program.

Keep in mind, this won’t work for all the games on your PC — only the games connected to your Steam account. If you’d like to add Start Menu tiles for any game or program located on your PC, head to the following article to learn how to create your own Start Menu tiles.

5. Calendar and Note Taker

Sometimes, you’d just like to have everything you need to do for the day laid out for you. The Start Menu can do that. You’ll only need to pin a few applications, namely: Mail, Calendar, Alarms & Clock, and Snips. All, except for Snips, should be available on your PC by default.

Just like that, you won’t need to deal with several applications at once in order to display your most vital daily programs. With Live Tiles activated, you can even view the text of your notes, emails, and calendar entries to keep track of what’s planned ahead with a single keyboard click!

6. Fullscreen Start Menu

Now that you know how to use what the Start Menu has to offer, you can utilize it full screen to create a command console of sorts. It’s also very simple to do. Click on your Start Menu and type in start. Then select the Start settings option and switch the Use Start full screen option to On in the following window.

That’s it! Now, when you click on the Start button or select the Windows key on your keyboard, you will be able to view your Start Menu in complete 1080p (or whatever your resolution may be).

Of course, this feature works better with touchscreen interfaces than otherwise. Yet, once you’ve populated your Start Menu with useful applications, folders, and game tiles, the fullscreen Start Menu will become second nature.

Looks Like Utility’s Back on the Menu!

Don’t let your Start Menu go to waste. After a few minutes of configuration, you can ingrain some much-needed utility to your Start Menu. After you’ve set it, forget it and enjoy the utility your once ignored Start Menu has to offer!

Posted in Tips-n-Tricks, Windows 10

Yes, You Can Still Clean Install Windows 10 with a Windows 7/8.x Key

Posted on October 28, 2017


by Paul Thurrott

in Windows 10

Readers routinely ask me whether it’s still possible to clean install Windows 10 with an unused Windows 7 or Windows 8.1 product key. Over two years after Microsoft first enabled this functionality, the answer is a resounding yes.

And I can think of a number of reasons why one might need to do so.

As noted, Microsoft first introduced this capability over two years ago, and in doing so it erased what had been one of the early install/activation issues with the then-new Windows 10.

Almost a year later, I reported that this capability—which was supposed to be temporary, by the way–still worked. Since then, I’ve tested this scenario on a very regular basis, probably roughly once a month. And as people have asked me about it, on Twitter or via email, I’ve told them that it still works.

But it’s been a while since I’ve written on this topic formally. So here goes.

It still works.

What this means is that you can download the Windows 10 Setup media—which is always the latest version, so you’ll get Windows 10 version 1709, or the Fall Creators Update, at the time of this writing—and perform a clean install of the OS on any PC. And then you can activate that install of Windows 10 using an unused retail Windows 7, Windows 8, or Windows 8.1 product key. And it will just work.

You may think that most people will never need to do this. If your PC was already running Windows 7, 8, 8.1, or any version of Windows 10, a clean install of Windows 10 today will probably activate automatically anyway.

And that’s fair. A better way to look at this is that most people simply won’t be able to do this anyway. I mean, who has a bunch of unused retail Windows product keys hanging around anyways?

Some might. And if you have or have had an MSDN or TechNet subscription, all those old product keys will work too.

So let’s think about the scenarios where this might be useful.

It’s rare, but you might have a newly-built or purchased PC that did not come with any version of Windows.

You might want to clean install Windows 10 in a virtual machine (VM).

You might want to clean install Windows 10 on a Mac, either in Boot Camp or virtually.

You might want to upgrade from Windows 10 to Windows 10 Pro. Assuming you have the right kind of Windows 7, 8, 8.1 product key, this will work too. (See below.)

The unusual nature of most of these scenarios is what I think explains why this functionality is still working even though it was supposed to be temporary. It doesn’t hurt anyone. And if you really do need to do this, it’s nice to have.

That said, there are some important caveats.

That old Windows product key can only activate against an equivalent Windows 10 product edition. For example, a product key for Windows 7 Starter, Home Basic, and Home Premium can be used to activate Windows 10. And Windows 7 Professional and Ultimate product keys can activate Windows 10 Pro. It has to be a retail key, not a key that came with a computer. And it has to be unused, though there is some anecdotal evidence that even used keys will work in some cases. (And you could always call Microsoft support, explain the situation, and try for a phone activation.)

And here’s a fun future use for this feature. If you purchase a Windows 10 S-based PC and do not upgrade to Windows 10 Pro before the free upgrade offer ends next year, you can use a valid Windows 7, 8, 8.1 product key to do so. Yes. I’ve tried that too.

Anyway, you can activate Windows 10 at any time by navigating to Settings > Update & security > Activation. If it’s not activated, or if you simply want to upgrade from Windows 10 to Windows 10 Pro, you can do so from there.


Posted in Blogs, Microsoft, Tips-n-Tricks, Windows 10, Windows 7