In light of this new world we find ourselves in, I figured I’d plan a few tech posts to share some knowledge and best practices relating to privacy and security. I hope this encourages some good conversation, questions, and other tips from readers. More or less, this is mostly a good idea/bad idea discussion.
To be clear, this is a mix of technical, conceptual, and philosophical information and represents my views only. When it comes to governments, my concern as a civil libertarian is to preserve all of my legal and civil rights in as many situations as possible, and this means preventing anyone except duly authorized parties from accessing my private information.
You may disagree with my stance regarding compliance with government searches of electronic devices (for any physical or electronic search or access to my information, I say “warrant or exigent circumstances, with me or my lawyer present, no you do not have my permission and I will not give away my precious rights”), but I did want to make clear my absolute position on this up-front.
Realms
When it comes to privacy and security of my information, there are three realms that concern me:
- Personal – things that you do, use, or carry
- Online – considerations and implications of things we do online
- Home – things to think about relating to your home/apartment
In these three realms, you should always consider your privacy and information security.
I don’t include Work because that is not an area where you have privacy, no matter what you think. Your employer has the right to observe and track you, and many do, so you cannot really protect what you don’t have!
Threats
Similar to the Realms, there are Threats. In truth, there are countless Threats, but for the most part, they break down into the following groupings:
- Corporations
  Companies want to make money, and violating your privacy, selling your information, or otherwise making money off of you beyond sales is a great addition to a company’s bottom line.
- Thieves
  People want to steal private information to use for fraud or to sell to others. Ethics and morals are not really in play; they will take everything they can get.
- Government (domestic or foreign)
  Depending on your country and status, governments, both domestic and foreign, may want to violate your privacy to understand you, your social connections, and your causes (especially protest-related ones). Other goals include gaining insight into a colleague, family member, friend, or neighbor: you may just be a step towards a larger goal.
- Manipulators
  People in our lives – family, friends, neighbors, coworkers, and more – are not all angels. There are people who like to spy and nose around in people’s private affairs in order to have information that’s useful for manipulation, ego reinforcement, blackmail, or as ammunition in a future argument or fight.
- Brokers
  Some parties try to collect as much information as possible purely because accurate information in bulk is valuable. Such brokers are often hackers who steal pre-summarized information from a source such as the unsecured back end of a company’s website. They can also be app and online widget developers who provide a cheap or free thing in exchange for access to your data. Because their goal is bulk data, there is less emphasis on searching for anything of value beyond that information. In many cases, loyalty cards, free apps, software, tools, services, and websites aren’t free; they’re selling you. Not literally, of course, but they are analyzing and selling your behavior and information.
- Social Engineering and Influencing
  There are parties who use private information to affect behavior. For instance, a bad guy may steal some private information in order to successfully impersonate an employee and bluff their way into getting a password reset or a door unlocked. Or to blackmail someone into handing over a password or piece of personal information they need for a different purpose. Private information can even be used to encourage or discourage behavior – such as identifying folks who can be easily convinced not to vote for a candidate due to a certain term in, or subject of, past emails, chats, or messages. In this case, you don’t need to identify folks you can convince 100% of the time, just folks who are more likely to be influenceable – if you target one such person, who cares, but if you target 100,000 such folks, a 10% success rate means 10,000 folks not voting for a candidate. And those kinds of numbers can change elections.
As there is a lot to cover and things are in flux, this will be a multi-part series.
Let’s explore the Realms.
Personal
This is the most important realm as it’s with you at all times. Many folks know the basics, so I won’t waste too much time on them. Instead, let’s talk about a few key concerns:
- Your phone: unlike previous times, we now carry around with us a huge amount of valuable information at all times. You need to ensure it is secure.
  - WiFi
    When you leave your home/office/normal WiFi usage area, turn off the WiFi on your phone. Many companies track folks through the WiFi signals from their phones. So do amateurs and others. When WiFi is on, it is constantly looking for open hotspots to connect to, and depending on the approach your phone vendor/OS implementation takes, you may broadcast such information as the last successful WiFi network you connected to. Many bad guys set up fake hotspots in hotels (they rent a room and set up a router to impersonate the official WiFi), conference centers, airports/trains/concerts/etc. – basically anywhere large numbers of people who aren’t regulars might join a WiFi imposter. Your phone company’s internet service is much more secure than any WiFi you don’t control or trust fully.
  - Apps
    Make sure to limit the apps on your phone, and ensure that appropriate privacy settings are set. There is no reason that most apps need access to your microphone, camera, contact list, location, or other user data. Many apps send back info about your location, usage, etc., and who knows how that data is combined with other data to reveal things about you that you may prefer to remain private. As an (antiquated) example, even if you spend cash at the local Adult Store, if your phone is on and with you, you’ve left breadcrumbs showing you were there. And if, as is likely, you hit the ATM before going to the store, that location was also tagged, and it doesn’t take too much deductive genius to link the two events and develop a better profile of you.
  - Password
    Make sure to set a secure password that’s not easily guessed. Make sure it’s unrelated to all other passwords you use. At least 8 characters. Do not use only numbers, and try to include a foreign character or symbol; this diversity makes it that much more secure.
  - Lost Phone/Wipe
    Do enable the “find my phone/wipe phone remotely” setting or function on your device. Better to lose a stolen or lost phone than your personal data and other info as well as the phone!
  - Passwords
    - Use different passwords for different devices or accounts.
    - Never repeat a password.
    - Use a different password for backups (this is what encrypts them).
    - Make sure that all backups, whether local or online, are encrypted.
    - Use a password database. My solution is to store my password database, encrypted, in my Dropbox. I have an open source app on my computers, and a cousin app on my phone and tablet. I can access, enter, or edit logins and passwords no matter the device. LastPass was well-reviewed: https://www.engadget.com/2017/02/24/the-best-password-managers/
    - NEVER enter passwords on strange computers. If you must, change it as soon as you can on a trustworthy device. A quick story – I missed my connection in Beijing airport, so I spent the night at an airport hotel where I was one of just a few non-Chinese. It was mostly for flight crews and had arrangements with airlines. There was no WiFi, so I went to the lobby, and there wasn’t a business center. There was a travel office with a computer that guests could use. This computer was filled with more malware, tracking software, keyboard loggers, etc. than you can possibly believe (good hotel hygiene is to have guest computers start with a brand new session of Windows). I had to access my email, so I did, but I knew that when I did, my password would be grabbed. I also knew that in 8 hours I’d be back at the airport using WiFi and could change it then. So the first thing I did the next morning was to access the airport WiFi (trusted against bad guys, if not against the Chinese government) to reset my email password. And then I did it again, from my home, when I returned, to ensure no state snooping.
  - Fingerprint scanner
    The fingerprint scanner is great, but there are some privacy and security considerations.
    - It’s not difficult to create a fake fingerprint that works to unlock devices.
    - When detained by customs or law enforcement, they may push your finger to the sensor to gain access to your device.
    - Whenever you are in a situation where you wish to keep your private affairs private, reboot your phone or scan the wrong finger multiple times until the phone demands a password. From this state, or from being freshly rebooted, the device will ask for a password, and so no one can use your finger or a fake fingerprint.
  - Backup
    - Local
      Local backups of phone data are very handy, but they are often not encrypted by default. This means that someone who can access your computer (physically or by hacking) can get access to lots of info that you thought was secure. This is how some celebrities get their personal pictures stolen.
    - Online
      Online backups are very handy, but are not necessarily encrypted. They should be secure, but if it’s not in your control, you have no guarantees as to security, so encryption is fundamental. Also, someone may be able to get an older model of your phone (a model with worse security) and convince your service provider to reset your password and allow them to download the backup to that older model. So a good password on all cloud/remote backups is critical.
  - Voice Control
    Voice control in phones, home devices, cars, etc. can be great, but it also means that there is something listening all the time around you. If that info is being sent to the cloud for analysis of what you said, then your privacy is affected. So watch what you say when around your, or others’, technology. Germany just banned a toy bear because it listens and can be intercepted, easily hacked, etc.
  - Timeout
    One nice thing about most modern phones is that they enforce a timeout after an unsuccessful unlock attempt, and this timeout often grows with each additional attempt. This makes brute forcing passwords impractical. So if you have a reasonably strong password, you should be in good shape: even if a dedicated computer could crack it in 24 hours, with the timeouts that 24 hours becomes centuries. This is why one hack is to copy the phone to multiple clones and brute force the copies, allowing parallel attempts. Still, with a well-formed, long password, it would take a boatload of copies and months without state-level resources.
  - Text Security
    Texting is both secure and insecure, depending on what your needs are. The nice thing about texting (normal, from your mobile phone company) is that it’s almost always secure from private actors. The text goes from your phone to the phone company (encrypted between your phone and the tower, in the clear inside the carrier’s network, and encrypted again from the tower to the recipient’s phone), then to the receiver’s phone company, then to their phone. There’s no simple mechanism for a private party to snoop on that text. But… government certainly can, and the phone company knows what you’ve said, because the encryption only covers the link between the phone and the tower, so it only stops over-the-air eavesdroppers. There are controversial devices that mimic authorized cell towers and are carried in trucks or small planes, used primarily by law enforcement and intelligence agencies – they act as a “man in the middle” and pass on your text to the real phone company, but only after reading and recording it. In many countries and jurisdictions, there are laws mandating that phone companies keep all texts for months or years. iMessage and other encrypted texting apps such as Signal offer a slight tweak to the texting formula. They encrypt the text end to end, from sender to recipient, so no government, private party, service provider, or phone company can eavesdrop on the message. They can still tell who sent a message to whom, and when, but that’s pretty much it. (Unless you’ve stored an unencrypted backup of your phone in the cloud and in doing so stored copies of your sent and received what-should-be-but-aren’t-encrypted messages.)
  - Two Factor Identification
    This is a great thing that more and more apps, service providers, phone companies, and phone makers are offering and even requiring. It is premised on the concept that you need two complementary pieces of identification – a password and proof of something you, and only you, have. This is often linked to your phone. For example, to access your online banking, you log in with username and password, then are texted a code to your registered mobile phone number, and must enter this code within a time limit to complete the login process. When given the option to enable two factor identification, do so – it will make bad folks’ jobs tougher!
- Giving information away
  It is amazing what you can get people to tell you; this is the core of why social engineering is so often successful. People want to help, to share, to communicate and bond with people. So be careful – most sites, apps, stores, and people don’t need to know much of what they ask. They ask because they know that a significant percentage of people will offer that information, for free, sparing the company the expense of buying it from household list providers and other data brokers.
- Wallet/Purse
  - Written passwords
    Many folks keep a slip of paper with their passwords in their wallet or purse. This is great – for a bad guy! A collection of passwords is worth a lot, so you’ve really made their day. Secure any written list of passwords as you would a platinum watch or gold bar. Keeping one on your desk isn’t the best plan either – unattended desks with Post-Its are an easy target for a cleaning crew, visitor, or coworker, and paper is easy to damage, from liquids, ink/other chemicals, or naughty girl kitties who really should know better than to eat the password list and, even more startlingly, cat food coupons!
  - Information that doesn’t need to be with you all the time
    Don’t carry information you don’t need with you when you won’t need it!
  - Keys to things you don’t need daily access to
    Similarly, don’t carry keys or other such security access items with you if you don’t need them. One – you might lose them and then feel stupid. Two – since you don’t need them every day, you may not notice a missing key or pass, allowing an associate, coworker, or relative the time to access and pilfer from whatever is locked.
  - Any key beyond your house, car, or office key that has an address/license plate
    Some folks keep keyrings for other vehicles or properties and have them conveniently labeled…
  - RFID blocker: not really useful with newer cards (post-2015)
    Until 2015, the earlier generation of chip-enabled credit/debit cards had some major security issues. And so a temporary market was created – wallets and purses with RFID blockers in them. Since 2015, the cards in the USA are much more secure, joining much of the rest of the world. And this new, more secure “Chip and Pin” technology cannot be exploited by RFID readers hidden by strangers in their coats or bags. Don’t waste the money on RFID-proof wallets and purses; it’s really not a threat worth the premium.
- Payment
  - Credit Card
    Always use the chip reader over the traditional swipe if you have a choice, as it is much more secure.
  - New chip
    As of 2015, the standard for credit card chips in the US changed to EMV. The old chip used RFID technology whereas the new ones do not. They require a slot, a PIN, and a unique cryptographic signature in that chip.
  - Chip and Pin
    When using the chip readers where you slide your card into the machine and let it sit, make sure that you’re using the correct slot and that the equipment doesn’t look “patched together”. Bad guys will install fake equipment or add a fake slot underneath the real equipment, etc.
  - Card out of sight = possibly it’s been read
    When a card is out of your sight, it may have been cloned. Check your next bill or two to ensure this hasn’t happened. This often happens at hotels, restaurants, and bars which business people use when traveling, especially near conferences. Keep one eye on whoever took the card and the other eye on your watch; a delay can mean that some skullduggery has occurred.
  - PayPal
    Many folks dislike PayPal, but many security-minded folks love it. The love is very simple to me – instead of giving my credit card number, expiration date, three digit security code, and billing name and address, and then trusting all websites to secure that information and store it encrypted, I trust one company – PayPal. If my PayPal info is used fraudulently, I have recourse, as with a credit or debit card, but no one gets the chance to lose my credit card number and associated data, because all they know is my PayPal account name, which is the same as my email address, and so not a secret I try to keep!
- Fingerprint/other biometrics
  At first blush, fingerprints and other biometrics appear to be the Holy Grail of access control and ID. But this information isn’t as unique as we’d like to think, and innovative low- and hi-tech approaches can turn an embedded security system into a paperweight overnight. There are now documented cases of people making fake fingerprints from HD pictures that others have posted online, so much so that the Japanese Government has issued an advisory that people not show their palms or let their hands be photographed if the picture might end up on social media. As sensors get better and picture analysis software more effective, I expect that other biometrics such as facial analysis and retina scanning will be made obsolete. Biometrics combined with a password seems like a great combination, a slightly different implementation of Two Factor Authorization.
- Personal access
  Everyone you let near you is, technically, a threat. If you invite someone you just met to your place and go to the bathroom, you’ve left a stranger in your room with access to anything that you might have around, like passwords written on a Post-It above your computer or the answers to the secret questions for your online banking or investment account. That and a quick glance at your computer can provide all someone needs to access your email, bank, home computer, etc. Remember, not all information security is technical; some of it is physical common sense!
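The Timeout item above argues that per-attempt lockouts turn a 24-hour offline crack into centuries, and that cloning the phone only buys back a linear factor. The model below is an added example, not code from the original post; the escalating lockout schedule (five free tries, then a doubling delay capped at an hour), the 62-symbol alphabet and the billion-guesses-per-second rig are constructed assumptions, not measurements of any real device.

```python
"""Model the cost of guessing a phone passcode offline versus on a device that
enforces escalating lockout timeouts. Added example; the lockout schedule and
guess rates are constructed assumptions, not measurements of any real phone."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_space(length, alphabet_size):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def offline_seconds(space, guesses_per_second):
    """Worst-case time when the guesses run unthrottled on a dedicated machine."""
    return space / guesses_per_second


def throttled_seconds(space, clones=1, free_attempts=5, base_delay=1.0,
                      growth=2.0, cap=3600.0):
    """Worst-case time on a device that sleeps between wrong guesses.

    Constructed schedule: the first `free_attempts` guesses cost nothing, then
    the delay starts at `base_delay` seconds and multiplies by `growth` after
    every further failure until it reaches `cap`. Cloning the phone `clones`
    times lets each copy walk its own slice of the space in parallel, so the
    wall-clock cost is that of one copy covering ceil(space / clones) guesses.
    """
    per_clone = -(-space // clones)  # ceiling division
    total = 0.0
    attempt = 0
    delay = base_delay
    while attempt < per_clone:
        attempt += 1
        if attempt <= free_attempts:
            continue
        paid = min(delay, cap)
        total += paid
        if paid >= cap:
            break  # every later guess costs exactly `cap`; add them in closed form
        delay *= growth
    total += (per_clone - attempt) * cap
    return total


def compare(length, alphabet_size, guesses_per_second, clones):
    """Summarise the three scenarios the post describes, in years."""
    space = password_space(length, alphabet_size)
    return {
        "offline_years": offline_seconds(space, guesses_per_second) / SECONDS_PER_YEAR,
        "on_device_years": throttled_seconds(space) / SECONDS_PER_YEAR,
        "cloned_years": throttled_seconds(space, clones=clones) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # An 8-character passcode over 62 symbols (the post's "at least 8
    # characters" using letters and digits), a cracking rig at a billion
    # guesses per second, and a thousand cloned copies of the phone.
    for key, value in compare(8, 62, 1e9, 1000).items():
        print(f"{key:>16}: {value:,.1f}")
```

Once the schedule hits its cap, every further guess costs the full cap, so the on-device figure is dominated by `space * cap` and a thousand clones only divide it by a thousand.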
Well that’s the end of Part One; there’s at least a Part Two, likely a Part Three. I hope that this has helped open your eyes, helped you to identify areas where your privacy and security practices could improve, and hopefully you aren’t too scared to leave the house or use your phone, apps, etc. The point of this isn’t to scare you, but to inform you and help you to understand some of the risks about you in this digital age.
Should you have questions, tips, corrections, etc., please use the comments. I hope that our Commentariat share some best practices so that we all learn from each other. I know that many of you might consider something I’ve written to be inaccurate, incomplete, or just bonkers. I welcome the conversation as I most certainly do not know it all!
That said, if you would like me to review your practices, consult, clean up an issue, etc. just use the Contact a Frontpager form from the QuickLinks/Mobile Site Menu. I am happy to sign a Non Disclosure Agreement to protect your confidentiality, should that be a concern.
Keith P.
I’ve had to write a shitload of security software in my career, so I’m typically pretty mindful of risk, but it still surprises me how many people in 2017 send all kinds of shit electronically with an assumption of security/privacy. And you see it in government, too (the DNC emails should never have even been written, much less hacked). Emails, texts, you name it. It’s like people *want* to believe their deepest selves are secure just by being electronic.
Simple rule – assume any data you have stored electronically can be compromised. Even your browser history – if you look at porn and don’t want people to know, use InPrivate or delete your history a lot. “But no one’s hacking my machine to see if I’m watching porn!” you might say. More than once I’ve been asked to diagnose someone’s computer, and I go into their browser and type something like “www.” and autocomplete puts in something like “www.shiteaters.com” (true story, including the site that popped up)
manyakitty
Super useful. I look forward to the next installment. Thank you!
Mike J
Don’t take your phone to a protest.
Yarrow
Thanks for this info, Alain. Good place to start. I wish it wasn’t so complicated!
I know I heard somewhere that at least one state (maybe Florida?) gave police permission to require people to use their fingerprint to open their phones and it had been upheld in court. This was if they’d been stopped or arrested for something, I think.
I was in the car yesterday and heard a bit of these folks being interviewed about their project–the Privacy Paradox. It sounded really interesting and they said on the radio it was ongoing and anyone could join in at any time. You can learn a lot about what your various devices and apps and so forth know about you.
Another Scott
On the Apps stuff, yeah, it’s annoying that so many things want so many passes to look at things like our contact lists, etc., but what can we do about it? Other than simply refusing permission (which seemingly means we can’t install the app), is there anything we can do? Any settings we can change, or things from the EFF or elsewhere that we can install to allow us to use the app without giving away the store?
I recently installed MS Office 2016 on a Win10 PC and it demanded that I give it a personal (non-work) e-mail address, it demanded access to my contact lists, it said it was going to send me information from MS about offers (even though on a previous screen I said not to), etc., etc. I ended up having to poke around in some obscure Office and Windows settings to try to turn that stuff off, but I have no confidence that I got all of them, and no confidence that MS won’t reset the settings as it wishes whenever it does updates….
Isn’t a lot of this “protect your privacy” stuff hopeless these days? Isn’t our best defense “herd immunity” in that there are so many targets that we are very unlikely to be individually targeted? Look at the OPM Data Breach. Presumably every federal employee in those databases is already at risk…
It sucks, but short of not using smart phones and computers, and doing reasonable things where we can, it seems like something we will just have to accept giving up personal information going forward.
:-(
Thanks.
Cheers,
Scott.
Alain the site fixer
@Keith P.: Ugh yeah. I really don’t want to know what sites people frequent. I’m pretty open minded, but I don’t want to think, much less, know, that someone is into X sexual activity!
Plus, that’s giving me some potentially-blackmailable information about you!
manyakitty
@Alain the site fixer: What do you think of the EFF?
gvg
Thank you Alain, Could you save these posts somewhere where we can refer to them later? Something like the Mayhew on insurance pull down we have? I am pretty sure you have done a least one other post related to this, I think about cell phone security for protestors, that I would like to re read more than once.
Yarrow
Wasn’t someone else going to post here about security issues? Posted here once or something? It was several months ago. Or was that Alain? I can’t remember for sure now. Anyone else remember?
Aleta
Thanks for these clear explanations. It’s very helpful, including how it’s organized. Somehow you’ve made it simpler to view the whole.
HW3
Alain, thanks for getting this discussion going.
The Electronic Frontier Foundation is a worthy organization and they have offerings like the Surveillance Self-Defense starter kit which is a must for any modern student of journalism.
The Dangerman
@Keith P.:
Note to self: Probably best to avoid Balloon-Juice prior to breakfast. And after dinner. Anytime near a nap is probably bad, too.
Another Scott
@Yarrow: Okkam started a thread on it in November.
HTH.
Cheers,
Scott.
Xboxershorts
This came across my Twitter feed via John Schindler or maybe Louise Mensch, and it should be read by everyone. Cambridge Analytica and the convergence of Big Data and Political messaging
JFC my HTML skilllz totally suck
Google this:
the-rise-of-the-weaponized-ai-propaganda-machine
w3ski
OK, here is a question for you. I Do Not allow stuff to contact me, I don’t apply for new stuff, ever. Quicken loans Called me on the phone saying “I was interested”? The only thing ‘new’ was a purchase from an Online Nursery. Obviously it was them, but I never even saw the check box.
Can I stop this crap ahead of time?
w3ski
Major Major Major Major
@Xboxershorts: Looks like just more Cambridge Analytica wankery nonsense to me.
DCrefugee
Thanks, Alain. More like this, please.
Three thoughts:
— I’d like to know more about encrypting phones and computers.
— I’d like to know more about my search and seizure rights as a U.S. citizen/passport holder entering the country from overseas.
— Am I the only one who thinks the federal Do-Not-Call list needs a major facelift?
Alain the site fixer
@Another Scott: I used to think that herd immunity was good enough but I’m not so sure anymore. As a brief explanation – I have some background in geodemographic segmentation and applying it for media ad sales, and 10 years ago, you had up to 100 actionable segments you could analyze and target advertising to. Not so much demographics, but clusters of folks with some somewhat similar demographics who live in the same kind of neighborhoods and behave similarly. Suburban working families with children vs young urban singles, blue collar middle-aged empty-nesters vs retired folks in retirement villages, etc.
But now, with the wealth of data out there, there’s 350 million segments as there is so much data in so many places about each and every one of us. Companies like Facebook, for example, buy or license so much data and link it together. Facebook in particular is so omnipresent that it has insane amounts of self-reported data that can be used to group those 350 million folks into targets for negative advertising, propaganda, fake news – in general, affecting behavior on a large scale but one at a time.
Seriously, that’s what the 2016 results in both England and the US indicate to me – they can nudge the folks that have a higher likelihood of supporting their candidate’s views to vote without lots of the traditional mechanisms of politics such as calls, direct mail, and door-knocks. They can also corrode others’ trust in things so they don’t turn out and vote. Reducing your opponent’s vote by X% here and there means that you and I don’t really enjoy herd immunity – we are all targets and our sense of being hidden in the herd is a dangerous illusion.
Alain the site fixer
@manyakitty: Love them. Also ACLU, of course.
Alain the site fixer
@gvg: I think that was Adam, but yes I’ll make a new Category. Between us two and mistermix, I know we have all offered some such advice.
Alain the site fixer
@Another Scott: thanks – I’ll retro-add it to the category so it doesn’t get lost! And to be clear, I’m not positioning myself as an expert over some other writer. I have been reading about and keeping up on these issues since about 1994 and welcome correction, for that is how I learn!
cmorenc
Remember the quaintly naive pronouncement from the optimistic early days of the internet (back when Usenet was the killer app): “The Net interprets censorship as damage and routes around it” (John Gilmore) ? It turns out that the big risk was not censorship against expression, but the difficulty of protecting one’s anonymity. For the parties trying to compromise your anonymity, your expressions are opportunities to be exploited rather than hazards to be inhibited.
manyakitty
@Alain the site fixer: Good. I’ll keep sending them money.
Another Scott
@Alain the site fixer: Yet another reason I’m glad I never signed up to Facebook (nor Twitter). ;-) I get tempted by Twitter occasionally (it might save having 3-4 tabs open), but not enough to actually do it. I’ve never been tempted by Facebook (though I did post some “anonymous” things on G+).
Cheers,
Scott.
Joy in FL
This is really helpful. Thank you.
Alain the site fixer
@w3ski: If a site has a checkbox on the signup/account-creation form, it is often pre-checked. It will say something about letting them or their partners contact you, or something like that. Once you’ve signed up, you should be able to edit your profile and remove that permission. It could also be chance timing-wise. (I’ll be covering this type of thing in the next installment so your question is welcome!) A site’s privacy policy is important – any wiggle room can and will be, at some time, abused.
Alain the site fixer
@Major Major Major Major: I don’t think it’s nonsense tbh. Wish it were.
Xboxershorts
@Major Major Major Major:
More like Wonkery. If Amazon can do this and drop ads on your social media feed relevant to your “profile”, what makes you think a political organization can’t do the same?
In fact, they brag about doing just that
Major Major Major Major
@Alain the site fixer: I’ve yet to see a technologically literate technology writer write about it as influential.
@Xboxershorts: Amazon’s ad targeting is notoriously shitty and ineffective.
ETA: Of course a political organization can and does make use of these things, so what? Cambridge Analytica would hardly be the first to do so.
Xboxershorts
@Major Major Major Major: So, since no one has written about it in a way that you could grasp, that means it’s…FAKE NEWS!!!!! FAKE NEWS!!! FAKE NEWS!!!!!
Sorry man. S’all good…but it ain’t wankery.
Yarrow
@Another Scott: That’s it. Thank you!
Alain the site fixer
@Another Scott: They’ve still got a profile on you that’s scary detailed. Just without much of the “likeographics” that most FB users generate. Until recently, I have never considered the potential for big-data-enabled segmentation analysis and targeting being used to discourage behavior. I mean if you can target those folks who passed around nasty anti-Hillary jokes for the year or two before the election, then you can probably suppress their vote for Hillary at the minimum, or even make them feel so despondent about having to vote for her that they skip voting.
I do think Cambridge Analytica is a scary good company that snuck in and did some damage in service of the billionaires who own and steer it. And I know that the US and UK have complementary segmentation cultures/industries, so it’s no surprise that they would do effective work there and here. (Not to mention that we’re both Anglo-Saxon cultures) I’m curious as to whether they’ll be as successful in Germany or France, with their different cultural values and core identity. If it’s just identifying the haters and encouraging some non-haters to stay home, it will be a flash-in-the-pan (that’s an old photography reference, kiddos), but if they’ve really figured out the influencing thing and it works across cultures, then the Internet Age will have taken a dark turn indeed.
MattF
This is useful, but– in-real-life complications tend to make it all harder.
For example, I’ve got about twenty (yes, different) passwords for accounts that I can access on my iMac. About half of them are financial, for accounts that my personal finance software downloads data more-or-less automatically. The catch is that my password manager doesn’t work with my personal finance software. I know for a fact that it could, but it doesn’t. I can complain to the finance software publisher, and hope that integrating password management into their software is on their to-do list– but it’s a rather faint hope.
Major Major Major Major
@Xboxershorts: No, since nobody who would be able to analyze what’s actually going on with any sense of accuracy has written about it as something interesting, I’m inclined to think it’s not something interesting. Technology and science journalism is notorious for sensationalism by well-meaning but underinformed writers.
And, as somebody who actually used to do machine learning-based user persona construction for a living, I call bullshit.
Piggy McPigface
Good job… a tip on the work front: These people are especially not angels and just because they have permission to be in the building doesn’t mean you should trust them to behave.
I used to keep my annual performance reviews / pay raise letters in the bottom drawer of my desk at the office… Well, more like at the bottom of a pile of junk. Anyway, that junk drawer wasn’t always locked and it turns out that there was an extremely nosy / gossipy co-worker who liked going through people’s stuff after hours.
The guy’s since been fired and it was no great loss on my part, but it was a good lesson for me on basic security and who to trust.
Yarrow
@Alain the site fixer: The Privacy Paradox link I put in my first comment–on the radio interview yesterday they talked about just that. How so many things are pre-checked to opt you in and you have to go searching to opt out. And how people really wanted it to be the other way around.
Alain the site fixer
@MattF: That’s a great concern to have shared! Does it ask you to provide the password every time it accesses your accounts or just when you set them up? I know that some software disables pasting via right-clicking, but still allows you to use the keyboard shortcut (CTRL-V in Windows), or vice-versa.
If your finance software does save the passwords, then make sure that you have a very secure password for the finance software!
The Moar You Know
Cybersecurity (and to a far lesser extent, physical security) is what I do for a living. Great primer on the basics, Alain. Looking forward to the rest.
Yarrow
@Alain the site fixer:
What happens if people just quit “liking” things? Does their model implode?
Xboxershorts
@Major Major Major Major: Like I said, s’all good. I been pushing data for 35 years and watched as the growing online profiles of us all are bought and sold and used to manipulate us. I don’t need you to approve or disapprove of this.
catclub
@gvg:
They are filed under the cybersecurity tag.
Keith P.
Another tip: assume your encryption can be broken. Even if it’s 1024 bit. Maybe it isn’t except by the NSA, who doesn’t care what porn you look at (well, maybe now it does). Point being, don’t let encryption lull you into a sense of potentially false security and start sending encrypted emails about various crimes you are committing…you don’t *know* your encryption is really 1024, do you? Or that it’s actually turned on and not misconfigured? Or that your comm tool is correctly implementing the encryption protocol? Even Tor gets compromised.
Xboxershorts
@Keith P.:
Google just announced that they’ve successfully hacked SHA-1 encryption.
Elizabelle
Thanks, Alain.
Alain the site fixer
@Major Major Major Major: I’ve not seen your side of it, but I’ve seen the collection of household or personal data (census, etc.), linking to hundreds/thousands of other data sources, linking to geography, and ending up with different groupings of people that act similarly, consume media and products/services similarly, etc. We just never had the computing power or insane amounts of by-click-per-person behavior data or self-reported data on likes and dislikes. I’m looking at it from building from a 50 year history of technique in building geodemographic segmentation in the US, building on that, not so much machine learning. Does that distinction make sense?
catclub
@Alain the site fixer:
so far all the finance software I have seen wants my password for all my financial accounts so they can go look at the balances, and which funds I am in. – To link it all together in one place!
If my financial companies specifically provided for a ‘look but don’t touch’ access for those finance software programs, I would be more likely to try them, but without that, no way I give away my financial institution passwords.
Another Scott
@Alain the site fixer: UPS had a “scary detailed” profile of me when I first signed up on their web site years ago. It listed about two dozen home addresses that I’ve had over 20+ years – many that I’d almost completely forgotten about – that I had to indicate yes/no whether I had ever lived there.
It was creepy.
Cheers,
Scott.
Keith P.
@Xboxershorts: SHA-1 has been “to-avoid” for some time. It along with MD5 both have potential hash collisions. Microsoft, at least, has been recommending SHA-2 and AES for I think close to 10 years. I can’t recall what AES supplanted…maybe Triple DES?
Alain the site fixer
@Keith P.: This is all so true. I was saving such darker wisdom for the end. It’s tough to get folks to think about or adopt encryption if you make them question it before it becomes an ingrained value!
Another Scott
@catclub: You’ve seen the “Personal Capital” TV ads, I take it? Who on earth would willingly sign up for that???
“Sure, I’ll give you my logins to all my financial accounts!!”
:-/
Cheers,
Scott.
Alain the site fixer
@catclub: yeah but I’m going to make a menu item for that to make it easy access.
Major Major Major Major
@Alain the site fixer: I’m not doubting that such things are possible, of course they are. They’re just not plausible yet in the way that’s being reported. Accuracy and scale are still mutually exclusive unless you have a massive outlay of resources, which they didn’t.
ETA: Again, I have not seen a single paranoid infosec person shitting themselves about this.
Alain the site fixer
@The Moar You Know: Thanks!
Xboxershorts
@Keith P.: Yes, SHA-1 is old, out of favor, but no one has successfully cracked it up to this point. That’s what makes it news.
MattF
@Alain the site fixer: FYWP ate my original reply, so I’m trying again.
The financial software saves the username/password used to access each financial institution. Just to make matters more complicated, the functionality to allow data access to a large number of financial institutions is provided by a third party. Not at all secure, IMO, but I can understand that the financial software publisher wouldn’t have the resources to set up potential access to hundreds, if not thousands, of different places.
Xboxershorts
@Major Major Major Major:
Don’t be so certain of this. Billionaire Robert Mercer is funding CA
Keith P.
@Xboxershorts: WP ate my edit, but I saw that after I posted. I’m surprised it took 10 years to actually go from theory to application, but impressive nonetheless. That’s some seriously dense mathematics in analyzing crypto.
Yarrow
@Another Scott: I was trying to buy something from a small company in the UK to be sent to my address in the US. My credit card was denied. I called the credit card company and told them I was authorizing the purchase. They asked me the usual security questions, then told me it was fine and to try again. I did and it was denied again.
I called back. We did another round. It was denied again, this time while I was on the phone with the guy. So they escalated it up the chain to a higher level person who said they were going to have to ask me a bunch of questions and I needed to hold. I was on hold for several minutes and they came back asking me questions like the make, model and color of my car, my childhood home address and other such things. It was kind of terrifying that the random credit card representative, who I think was in an Indian call center, could pull up that info in about three or four minutes and question me about it on the phone.
They told me if I failed those questions they would cancel my card. And by that time I was stuck because canceling the transaction wouldn’t do any good. I had to answer them. Their algorithms had decided I was possibly dealing with a stolen card.
It was kind of jaw-dropping what they could find out about me in a few minutes. The info is out there even if you don’t think it is.
Alain the site fixer
@Yarrow: Yeah, that Like mechanism is crack to their engine, really to any user of FB targeting. It used to cost companies lots of money to find out what you, an individual, thinks about specific things. By Liking things, you give FB and those who license access to it (including governments!) more insight into you, your motivations, fears, values, etc. And with that information, it’s much easier to get you to buy their product, watch their program, use their service, etc. Or not to – if they know you love kittens and hate puppies, someone may use kittens to encourage their desired behavior, and puppies to discourage their undesired behavior. And since we’re talking scale here, it’s no big deal if they don’t affect you – if they get a rate of effect of 10 or 20%, that’s an astounding number of affected people.
schrodingers_cat
What about email? I have a gmail account, YouTube seems a little too stalker like.
The Moar You Know
@Major Major Major Major: Perhaps they should be.
Alain the site fixer
@catclub: I cannot say for sure as I don’t currently use it, but I thought that Quicken for Small Business did save the account passwords (this was a few years ago) but I didn’t set it up to pay – only to get balances, etc. I’m sure your finance software has an FAQ or support forum where you can research. I can see how you’d want to set up a deposit/pay account if taking or spending money (processing payments, paying bills), but I thought that was a separate function.
different-church-lady
COLE, WHY DO YOU KEEP LETTING PEOPLE TURN YOUR BLOG INTO SOMETHING DEEP AND USEFUL?
Alain the site fixer
@Major Major Major Major: They’re compromised, man! :)
Major Major Major Major
@Xboxershorts: Resource outlay is a fair unknown unknown, but in my reckoning there would be more to the reporting if there was a big investment in human capital, which is what I meant.
@The Moar You Know: You’re welcome to go around telling them that.
ETA: Or, fine, the robots are coming for your democracy WE ARE ALL GOING TO DIE. Because robots have such a great track record of being better than humans outside of narrow domains like games. Back to work for me.
sunny raines
tip no. 1: assume everything over the internet, including email, is read by someone other than who you intended to read whatever you sent, store, or access.
different-church-lady
@Yarrow: Did they ever tell you why the card was being denied in the first place?
Another Scott
@Major Major Major Major:
I don’t see any ads (thank you uBlock Origin), but it’s surprising to me that Amazon is still so stupid about what it shows me in its “Daily Deals” page. 90% of the stuff is something similar to what I’ve bought once before but have no need to ever buy again, or stuff that doesn’t apply (no, I don’t need a car seat), etc., etc. And the fact that I’m on Prime but have never downloaded a movie in lo these many years should tell you that I have no interest in downloading movies so you don’t need to keep putting up that popup about it. One would think that they would understand me much better by now…
For a while, Target was much worse. Years after J’s parents died, we would still get ads for geriatric supplies, etc., etc. Thankfully, those eventually stopped.
Cheers,
Scott.
different-church-lady
@sunny raines: I pity the poor NSA agent assigned to read my email. Must be the most bored mo’fo on earth.
MattF
@Yarrow: True, but there are positive aspects to the personal data situation. A few years ago, I decided to get a current passport, which meant I needed a birth certificate. Since I was born in NYC, I braced myself for a long slog into and through the nether end of the NYC bureaucracy. But it turned out to be quite easy– the city Health and Records department had contracted out the whole birth certificate business to a company that looks up obscure facts about individuals and then uses them for identity verification. And it worked. The whole process turned out to be almost bizarrely easy.
I spoke later to someone who works in that department, and she told me that there was a huge battle over improving the process– the old guard wanted to keep it difficult.
Yarrow
@Alain the site fixer: I was seeing a physical therapist for awhile and we’d sometimes end up chatting during appointments. She brought up Facebook at one point and said she was on it but really never did anything with her account. She said her partner posted some picture of their kid or a trip they’d been on or something and asked if she’d seen it. She said she told her partner she had seen it, the picture was great. Her partner was a bit upset: “You saw it but didn’t Like it! Why didn’t you Like it? You have to Like it! It needs more Likes!” Or words to that effect.
She said she just didn’t get it. Why did she have to spend her time “liking” Facebook posts or pictures or whatever? It just seemed so stupid to her. And then it got her in trouble with her partner because she didn’t Like something properly.
She’s clearly not participating in the Big Data project properly!
different-church-lady
@Yarrow: Yes, one of the biggest evils of the Facebook phenomenon was the “quantification of friendship.”
Yarrow
@different-church-lady: They said something like “other customers had reported problems with that company.” I eventually ended up using a different company for the purchase. Went right through and I’ve had no fraud issues with the card since. It’s been about a year. I don’t know what the real issue was.
What I didn’t understand at all was why, once they’d verified me and the purchase the first time, wouldn’t the purchase go through? Even the customer service guy couldn’t answer that question.
Yarrow
@MattF: Yes, but was it your long form birth certificate?
different-church-lady
@Yarrow: It sounds to me like your credit card company might have decided they weren’t going to let any purchases happen through the questionable company. (Not that I have any actual inside knowledge on these things, mind, it’s just a logical guess.)
Xboxershorts
@Major Major Major Major:
here I’m going to say, not necessarily.
Data Center networks are my realm of expertise. Not programming or databases. But Switching, storage, routing and security.
Hyper fast storage in petabyte quantity is now relatively cheap.
Data Center optical 40GB switching with dedicated QoS following engineered low latency paths is the norm.
All you need after that is CPU cycles and the right algorithms.
schrodingers_cat
@Yarrow: I don’t do FB. Mostly for the peace of my mind. Also too, baby FB, Whatsapp is super annoying. I am on it but not a part of huge family groups. Usefulness quotient is pretty low while annoyance quotient tends to infinity.
Taylor
@schrodingers_cat: I’d say it’s safest to assume your email is published on the internet. The complacency of the DNC staff was jaw-dropping.
Encrypted email is a good way of getting the attention of the FBI.
Similarly storing encrypted data in Google Drive, Dropbox, etc.
The only secure way to store data is (encrypted) on your own machine (say, NAS). And without allowing access from the internet.
WereBear
I have become a big fan of the Two Factor Authorization as the best combination of safety and annoyance. And most people probably don’t dislike their phone so much they constantly leave it in the other room :)
hovercraft
@Xboxershorts:
Is this the same Mercer who is father of Rebekah, who along with fellow billionaire Vladimir Putin, just purchased themselves a president and the nation he now holds hostage for the next four years?
Alain the site fixer
Not sure his nym – Dave or something – from NY I recall. As close as I could suss, he works for a research company that is probably doing some of this type of thing, but linking it to survey data. So if he’s here, I hope he speaks up if/when he can. But traditionally in geodemographic segmentation, census-reported data (adjusted/updated as people move and age, etc.) is coupled with survey and postal data to develop profiles of groups of people that can be projected into any geographic area around the country. These surveys are usually national, syndicated ones by companies such as Scarborough, Nielsen, JD Power, etc., and they survey media, lifestyle, shopping, financial, and other common categories.
Profiles of behavior like: Like people who Shopped at Macy’s in the last 30 Days, or Watched Game of Thrones last week, or Planning to buy a home appliance in next year, or Planning on Having a Baby in next year.
But now, with Facebook and other companies, surveys are not so important as people Like things all the time. And there’s much more direct measurement. For example – more and more, direct measures of media consumption are created – in the past, you knew what a family watched or listened to because they recorded in a diary what programs they watched, times, etc. Or answered less in-depth surveys about what they watched yesterday, last week, or over the past month. That still happens, but now with digital cable boxes, streaming, and digital satellite TV and radio, direct tracking of what people watch and when is now possible.
So the traditional form of combining these different data sources isn’t new, but the scale and ability to set up a finely-defined target and launch your message to them and then deliver it immediately and then track user engagement with that message to further refine your efforts, is new.
Yarrow
@different-church-lady: Yes, they told me after they asked me the extra questions (my car, etc.) that if the purchase didn’t go through they’d have to cancel my card. That’s why I tried another card and it went right through.
It was such an odd thing. It was a small company that wasn’t selling anything that I could figure would be an issue. Most of its customers were in the UK, from what I could tell via comments. It seemed rather innocuous. I couldn’t figure out why it would be a problem for them. It didn’t seem like a big enough company to have enough customers to have triggered any warnings. But it also wasn’t brand new, in case that might have been a problem.
hovercraft
@different-church-lady:
Since he doesn’t read said blog, I’m sure he is completely unaware of this troubling development.
Taylor
I’d say the two things that people can do to improve their security is:
1. Use a password manager. One ring to rule them all. Then you can use long, distinct, random passwords for all the Web sites you register at, and if one of those sites get hacked (Hint: many of them will) none of your other sites are affected. Problems: what if the password manager is hacked? What about their tracking your use of Web sites? Alain, do you have a local password manager (local to my machine) that you could recommend?
2. Use 2-factor authentication whenever it is available. It is incredible how many banks don’t provide this for their customers.
ETA If I was the NSA and wanted to harvest people’s passwords, I would offer a cloud-based password manager service. I’d even make it a free service.
Yarrow
@Alain the site fixer: I remember reading somewhere that Netflix doesn’t release any ratings for its shows and won’t tell how it’s measuring them and that’s kind of messing up traditional ratings mechanisms like Nielsen ratings.
Pogonip
@Another Scott: Amazon has decided I’m black. I am not now nor have I ever been.
different-church-lady
@hovercraft: Well, don’t forget, he has a life now, so I can’t blame him for not reading the blog.
Alain the site fixer
@sunny raines: it’s not just what you send, it’s what you enter. For example, FB (not to pick on them, it’s not just them!) announced a year or two ago that they were storing everything you type. Not send, type. So if you write something and then change your mind and delete the text and write something else and then hit send, everything you typed in will be recorded and linked to you, forever.
WereBear
One caution: if you cannot memorize the password it won’t be available to you remotely, either.
I also have used Password Wallet for years now and am very pleased with it. It has a basic browser attached that lets me use its internal clipboard to do some basics on secure sites. Encryption and backups, too.
MattF
@Taylor: A few years ago I was attempting to get online access to an account of mine at a bank/brokerage. After jumping through the usual hoops, the process kept aborting right at the end, so I called Customer Service. It turned out that the password I was trying to use was too long. They’ve since learned better, but… yikes.
ETA: Which is one of the reasons I use the Apple Keychain for password management.
Alain the site fixer
@Taylor: Local password program recommendation: LastPass got some very good reviews. I use KeePass (open source/free) in Windows/Linux, and iKeePass app on my iPhone and iPad – there are other implementations of both but they work for me. I keep my password db in my Dropbox so I can access on any of my devices. Not perfect, but it allows me to access all pwds on my devices.
Steve in the ATL
@Pogonip:
Maybe you didn’t “like” enough Wilmer posts on FB? Or they don’t know that you binge watch “Modern Family”?
Alain the site fixer
I cannot tell you how many times (just yesterday, for example!) I fight a site I’m trying to sign up for and figure out later that they stripped characters at the end of, or that they didn’t like within, the password I created.
So I set up a 50 character password, and it strips out any & # or @ symbols, for example. Then when I go to login later, I can’t get in because the password I provided and stored in my database had those characters, and since the site didn’t tell me it removed those characters, my stored version doesn’t match. I’ve gotten in the habit of, once I login the first time, logging out, going to log back in, and pasting my password from my db to ensure that I have it correctly. If not, “Forgot Password” is my friend!
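The log-out-and-back-in check described in this comment (and the too-long password MattF ran into above), as an added example that is not code from the thread or from any real site: a hypothetical sign-up form silently truncates and strips characters while the login form does not, and a probe works out which mangling happened so the password-manager entry can be corrected.

```python
"""Simulated 'silently mangled at sign-up' site plus the round-trip check.

Added example; MangledSite, its policy values and the sample password are all
constructed for illustration and model no particular real site.
"""
import hashlib
import os
import secrets
import string


class MangledSite:
    """Hypothetical site: the registration path applies a policy silently,
    the login path does not (that mismatch is the bug being modelled)."""

    def __init__(self, max_len=None, strip_chars=""):
        self.max_len = max_len            # assumed length cap (None = no cap)
        self.strip_chars = set(strip_chars)  # assumed characters dropped without notice
        self._users = {}                  # username -> (salt, hash of stored password)

    def _mangle(self, password):
        kept = "".join(c for c in password if c not in self.strip_chars)
        return kept[: self.max_len] if self.max_len else kept

    @staticmethod
    def _hash(password, salt):
        # Plain salted SHA-256 keeps the simulation small; a real site should use a slow KDF.
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(self._mangle(password), salt))

    def login(self, username, password):
        salt, stored = self._users[username]
        return secrets.compare_digest(self._hash(password, salt), stored)


def generate_password(length=50, alphabet=string.ascii_letters + string.digits + "&#@!$%"):
    """Password-manager style generation from a chosen alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def roundtrip_ok(site, username, saved_password):
    """The habit from the comment: after signing up, log out and log back in with the
    copy saved in the password database. False means the saved copy is wrong."""
    return site.login(username, saved_password)


def diagnose_mangling(site, username, saved):
    """Probe the common silent transformations (a single punctuation character
    dropped, all punctuation dropped, truncation, or a drop followed by truncation).
    Returns (description, password the site actually stored) or None."""
    candidates = [("unchanged", saved)]
    for ch in sorted(set(saved) & set(string.punctuation)):
        candidates.append((f"dropped every '{ch}'", saved.replace(ch, "")))
    candidates.append(("dropped all punctuation",
                       "".join(c for c in saved if c not in string.punctuation)))
    for label, pw in candidates:
        if site.login(username, pw):
            return label, pw
        for n in range(len(pw) - 1, 0, -1):
            if site.login(username, pw[:n]):
                return f"{label}, then truncated to {n} characters", pw[:n]
    return None  # no simple explanation; 'Forgot Password' is the remaining option


if __name__ == "__main__":
    pw = generate_password(50)
    site = MangledSite(max_len=20, strip_chars="&#@")  # constructed policy
    site.register("alain", pw)
    print("round trip ok:", roundtrip_ok(site, "alain", pw))
    print("diagnosis:", diagnose_mangling(site, "alain", pw))
```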
hovercraft
@Pogonip:
Did you order cocoa butter, grape soda, something “black”?
Perhaps there’s a drop way back when in your lineage and they are holding you to that standard?
Anyhoo, welcome to the club brother/ sister? We’ll let you know when the next planning meeting is.
hovercraft
@different-church-lady:
As far as we know ABC’s entry into his life is fairly recent, and he wasn’t reading it long before that. She just finally gives him a legitimate excuse for neglecting us.
Another Scott
@Alain the site fixer: The USPS site is like that – very restrictive in what characters can be used in the password. Very annoying…
Cheers,
Scott.
(Who wants a password with a Ctrl-G dag nabbit!!1)
WereBear
Anytime I look at couches and then have them pop up wherever I go, I get a real-time look at how we are in the crosshairs.
Alain the site fixer
@hovercraft: lol I’ve ordered two of those things, was born in Africa, but I’m white – and Amazon seems to properly think so.
Another Scott
@Alain the site fixer: The USPS site is like that – very restrictive in what characters can be used in the pass-word. Very annoying…
Hmmm. USPS seems to be a FYWP word…
Cheers,
Scott.
(Who wants a pass-word with a Ctrl-G dag nabbit!!1)
ThresherK
@w3ski: Are you a fellow radio amateur? Just curious, as your nym has the form of a callsign.
different-church-lady
@hovercraft:
What is life if not the successful implementation of legitimate excuses?
Another Scott
@Alain the site fixer: The USPS site is like that – very restrictive in what characters can be used in the pass-word. Very annoying…
Hmmm. restrictive seems to be a FYWP word…
Cheers,
Scott.
(Who wants a pass-word with a Ctrl-G dag nabbit!!1)
Another Scott
@Alain the site fixer: The USPS site is like that – very restrictive in what characters can be used in the pass-word. Very annoying…
Hmmm. annoying seems to be a FYWP word…
Cheers,
Scott.
(Who wants a pass-word with a Ctrl-G dag nabbit!!1)
Taylor
@Alain the site fixer:
Lastpass looks good, but they are cloud-based. They do support 2FA, which is good. They claim they encrypt your password DB on their server using your password. They have been vulnerable to some attacks based on malicious sites fooling LP into filling in your password info in hidden fields (They blame Google for not providing special chrome in Chrome for entering passwords). I would choose the setting in LP that notifies you whenever it fills in fields on a Web page. And of course they are able to monitor your use of Web sites.
I’m astonished that you’re storing your password DB in Dropbox. Even if you’ve encrypted the database, an attacker who has the DB can break it with a brute force attack (and you know Dropbox has the keys for their “encrypted” data, right?). I also suspect Dropbox may be using svn to manage their content, so if you ever store something in Dropbox, it never goes away on their servers.
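To put numbers on the "an attacker who has the DB can brute force it" point, here is an added example (not code from the thread, KeePass or Dropbox): with the database file in hand, only the master password and the key derivation function's work factor stand between the attacker and the contents. PBKDF2-HMAC-SHA256 from hashlib stands in for whatever KDF a real database format uses, and the iteration counts and attacker sizes are assumptions.

```python
"""Offline brute-force cost of a copied password database vs. KDF work factor.

Added example. PBKDF2 is a stand-in for the real database KDF; the entropy
figures, iteration counts and attacker parallelism below are assumptions.
"""
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(master_password, salt, iterations):
    """Stretch the master password into a 256-bit database key. The legitimate
    user pays the iterations once per unlock; the attacker pays them per guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_per_guess(iterations, samples=3):
    """Measure one derivation's cost on this machine (single core, pure stdlib)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-sample-only", salt, iterations)
    return (time.perf_counter() - start) / samples


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a passphrase drawn uniformly from a wordlist; six words from a
    7776-word Diceware-style list give about 77.5 bits."""
    return word_count * math.log2(wordlist_size)


def expected_years_to_crack(entropy_bits, per_guess_seconds, parallel_guessers=1):
    """Expected exhaustive-search time: on average half the space (2**(bits-1)
    guesses) at the measured per-guess cost, split across independent guessers."""
    guesses = 2.0 ** (entropy_bits - 1)
    return guesses * per_guess_seconds / parallel_guessers / SECONDS_PER_YEAR


def iterations_for_unlock_budget(target_seconds, probe_iterations=20_000):
    """Choose an iteration count so one unlock costs about target_seconds here,
    by measurement rather than guesswork (the 'one second delay' style of tuning)."""
    cost = seconds_per_guess(probe_iterations, samples=1)
    return max(1, int(probe_iterations * target_seconds / cost))


if __name__ == "__main__":
    weak_bits = 40                      # assumption: a typical human-chosen password
    strong_bits = passphrase_entropy_bits(6, 7776)
    for iters in (1_000, 600_000):      # assumed weak vs. hardened work factors
        cost = seconds_per_guess(iters)
        for label, bits in (("40-bit password", weak_bits), ("6-word passphrase", strong_bits)):
            # assumption: attacker has 1000x this machine's single-core throughput
            years = expected_years_to_crack(bits, cost, parallel_guessers=1000)
            print(f"{iters:>8} iterations, {label:18s}: {cost * 1e3:9.3f} ms/guess"
                  f" -> {years:.3g} years")
    print("iterations for a ~1 s unlock on this machine:", iterations_for_unlock_budget(1.0))
```

The takeaway the comment points at: raising the work factor buys a linear factor, while each extra passphrase word buys a multiplicative one, so a synced database needs both.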
ThresherK
@hovercraft: Spousal ThresherK is replete with curves, and pale as moonlight. Some of her clothing catalog ordering has resulted in “partners” sending her catalogs with nothing but WOC models.
different-church-lady
@WereBear: No, what’s creepy is when you DIRECTLY enter the name of your public utility website without using a search, and somehow Google knows about it and starts delivering ads for that utility when you go to other sites. And this is even with all the “do not track” checkboxes you can find checked.
Another Scott
@Alain the site fixer: The USPS site is like that. Very annoying.
I want to use Tab and Bell keystrokes in my passwords, but nobody will let me, also too.
;-p
Cheers,
Scott.
different-church-lady
@ThresherK: According to my dead-tree junk mail, I have been of retirement age since about 30, long before the internet.
The machines never make anything smarter, they just make the dumb go faster.
different-church-lady
@Another Scott: And what about that symbol Prince used to use as his name?
catclub
@Another Scott: Like I said, ONLY if the financial companies create a ‘look but don’t touch’ account access method.
Otherwise: never give someone else your password applies to these goofballs.
hovercraft
@Alain the site fixer: See we got you at birth, some things stick no matter what. Where in Africa?
schrodingers_cat
@Pogonip: If it makes you feel any better the intertoobz think that I am a middle aged white male. I get ads to check my prostate and for Russian/Asian brides. I think it’s all the Balloon Juice surfing I do.
Another Scott
@different-church-lady: rofl. I like it!
ÆŹÌ”ÌŹÌ.
Cheers,
Scott.
(Yeah, why can’t we have Unicode and Emoji passwords, anyway???!?!)
a hip hop artist from Idaho (fka Bella Q)
@Taylor: I figured I was just too ignorant to not understand why storing such a DB on Dropbox isn’t a very bad idea. So I’m relieved that you mentioned it.
different-church-lady
@Another Scott:
Why stop there? Your kid’s refrigerator drawings!
hovercraft
@ThresherK:
It’s funny the assumptions people and now I guess machines make. For years people used to do a double take when I met them in person after speaking to them on the phone, they assumed I was white, because I didn’t sound “black”. They’d say it as if they were complimenting me. Sigh, the good thing is that people now know better than to say shit like that to my face.
Mart
@Major Major Major Major: Is it Cambridge wankery? I read an article that Cambridge Analytica targeted ex-pat Haitians in Miami to hate the Clinton Foundation’s work in their country. I go to a restaurant (up north – not near Miami) and made friends with a Haitian who manages the joint. He voted for Trump and detests the Clintons because of all the horrible things the Foundation has done to his homeland. Thought that odd.
Kay (not the front-pager)
@Alain the site fixer: Huh. I always thought it was a reference to panning for gold and seeing the flash of false gold.
Alain the site fixer
@Taylor: I’ll give that some more thought.
different-church-lady
@Kay (not the front-pager): Wrong twice! (According to some of the wrong information on the interweb, that is.)
MattF
@Kay (not the front-pager): In fact the OED says it’s an old military term:
Alain the site fixer
@different-church-lady: creepy was being in Walmart two days ago and opening up Safari in iPhone and typing in “where are moth ba” and then having auto-complete complete “where are the mothballs in Walmart”
different-church-lady
@Alain the site fixer:
…period.
ETA: just tried that exact search right here in the comfort of my own home and the autofill also came back with WalMart. So it would appear that WalMart puts their moth balls in counter-intuitive locations.
3Jane Tessier-Ashpool (a/k/a Lorinda Pike)
@hovercraft: Robert Mercer is currently (IMHO) the most dangerous man on the planet. He is Hubertus Bigend. The substantive leader of The Klept. (Any William Gibson fans will get the reference. Yeah, I’m a broken record.) BTW, thanks, Alain. I have bookmarked this for future reference. Good work.
Alain the site fixer
@hovercraft: Born in Johannesburg, American Mom, Swiss father. They were both living in South America and, of course, met at a dinner party in London. Soon after getting married, they moved to Congo and the best hospitals then were in South Africa, so that’s my story. Amazingly enough, my maternal grandmother got from Bogota to Johannesburg within 24 hours of the telex!
a hip hop artist from Idaho (fka Bella Q)
@hovercraft: That’s just such an offensive behavior – both the thought and its expression. In the days when one applied for positions by hard copy and references were expected to be listed, I arrived at an interview to a double take.
I’d listed 4 professional references, including one in a different region. They were all black, and the form expected me to be as well. Frankly, it took some thought and consultation to figure out what misled them. Never occurred to me 1) that all my references were black, and 2) that anyone would make such a ridiculous assumption based on that.
I did not get invited back for a second chat, and I would have declined if I had. Idiots.
Avalie
The Privacy Rights Clearinghouse has a ton of consumer-friendly tools and advice on protecting personal information and data. Great place to start if people want to learn more….
catclub
@Another Scott: Personal Capital says this:
But does not explain AT ALL how that is done. They have a custodian (Yodlee apparently) hold the passwords, but still, it seems that if someone at Yodlee can get user and password they can log in. Maybe I am too simple minded.
Alain the site fixer
@a hip hop artist from Idaho (fka Bella Q): I never said it didn’t have risks. I said it was the current solution for me. I know DropBox is the weak link but I trust that link more than a Password Manager company. As I said, his comment is one I will consider and will share the results of. I’m not running in fear right now as there are tradeoffs no matter the path.
Alain the site fixer
@different-church-lady: I think that there is some emerging research into symbols and perhaps colors as password substitutes.
hovercraft
@3Jane Tessier-Ashpool (a/k/a Lorinda Pike):
Gibson’s description of Hubertus Bigend seems to fit Twitler, I don’t know enough about Mercer to judge, but any person whose first choice was Ted Cruz, and has been bankrolling Bannon et al for years is evil period.
Mercer it would seem to me, knows that this is all a con to gain money and power, the shitgibbon is delusional, and represses the truth to protect his fragile ego.
catclub
@WereBear:
not quite true. I ssh in to my home machine to get passwords.
Alain the site fixer
@hovercraft: A friend – white guy – in Colorado has just moved from the Tallahassee, FL area. His name was Leon, and he regaled me with so many tales of shocked folks that “Leon from Tallahassee” was a good old boy and not African American. Even more funny to me – a geography geek – is that he had been living in Leon County in Florida!
Alain the site fixer
@Mart: That’s the thing – identify 10-100-1000 issues, divide the population by folks who care about those issues, expose them to weeks or months of stories, gossip, etc. and boom – they vote for Trump or at least don’t for Hillary.
different-church-lady
@Alain the site fixer: Blue. No, yellow!
StringOnAStick
Thanks for the tip on not leaving wifi on when out and about. We use a cheap 3rd party reseller of Verizon services because we just don’t talk on the phone much or use data outside the home setting (Luddites, and tight with our funds I guess), but that means using a lot of free wifi services. We never do anything involving accounts or purchases through the phone, but since you can get email that way I have to wonder if we are less secure than we think.
I only recently got in the habit of leaving the wifi off because we were in Costa Rica recently and there isn’t much wifi to be had, even most of the hotels only had password protected wifi in the lobby that didn’t work well enough in the rooms to use it. Maybe that has more to do with every major building being made out of concrete. I sure noticed how my battery stayed full for days with the wifi off though.
Alain the site fixer
@Kay (not the front-pager): Yeah I think it’s the flash from flash powder in the pan for very old-school cameras, but no, I was wrong: apparently, flintlock reference! Thank you Wikipedia.
Alain the site fixer
@different-church-lady: or are you close to one? Are you using Chrome right now to read the site? I’ll try next time I’m at Home Depot or Target.
Pogonip
@hovercraft: I’ll be there.
Grape soda is associated with black people?!?!? I have bought grape soda but with cash. How’d they find me?
Alain the site fixer
@Avalie: Thanks, I’ll add that to a list of Resources I’ll publish here.
Alain the site fixer
@catclub: it may be a class of access – as in, “anything that comes in through this ‘door’ can only look and not touch”.
3Jane Tessier-Ashpool (a/k/a Lorinda Pike)
@hovercraft: Gibson hinted at the idea that Bigend isn’t quite as invincible as he thinks toward the end of Zero History. I thought of Twitler / the Yam as Bigend for a while, but Twitler is in no way as mentally adept as Mercer / Bigend. They do, however, have a greatly inflated assumption of their own power and intelligence. There are cracks in the facade, but Twitler’s are canyons. Not so much with Mercer / Bigend. He has more self-control when that is necessary. The grandiosity is more muted, and it’s the under-the-radar that makes him more frightening. The connections to the Yam’s cabal (DeVos, Erik Prince) make it convoluted. But maybe that’s just me.
Kay (not the front-pager)
Re: foreign travel, my plan is to take a burner phone so I won’t have any personal info on it, at least when I return to the US. I haven’t really figured out the laptop problem yet. Since I only travel for leisure (I’m retired), maybe I could just take an old tablet, and wipe it before returning.
I’m an old white person who was born in the US, so I don’t expect to be targeted. My doctor was born in a majority-Muslim country, and has been to Saudi Arabia for the Haj and Iraq for medical charity in the last few years. Travelling abroad, even just to Canada, is frightening under those circumstances. I suggested the doctor get a duplicate passport without those visa stamps as well as a throw-away phone before travelling abroad. I don’t know what they will do for computers. That made me very sad/angry/frightened/depressed.
On a happier note, my Korean-born daughter-in-law returned safely today from a visit with her mother. Normally I wouldn’t have thought she would be subject to particular hassling. But she was followed and hassled at the mall by a racist xenophobic jerk a few days before her trip and I know the CBP at our airport have been particularly aggressive and assholeish, so I was relieved when she made it home without any problem.
different-church-lady
@Alain the site fixer: Nope, 8 year old Mac and Firefox Obsolete.7.3. Nearest WalMart is at least 5 miles from here.
And for what it’s worth, “Where are the moth balls in Target” was second on the autofill list.
WereBear
@hovercraft: Despite my Midwestern birthplace and a Northern European genetic history, my maiden name got double-takes on resumes; in the NorthEast, some consider it to be a “black” name.
Go figure :)
different-church-lady
@Kay (not the front-pager):
Soon to be the only kind of American allowed by law.
liberal
@cmorenc: doesn’t matter as long as you don’t have marble countertops.
hovercraft
@Alain the site fixer:
Aha, you are African!
So now you can get into a bullshit argument from the other side of how we categorize people, Charlize Theron is not African because she is white!
My family is from Zimbabwe, so sabona, neighbor.
liberal
@Another Scott: yeah, I love it when I buy some shit online and then Amazon’s genius software places ads for the product I already purchased.
catclub
@Alain the site fixer: agreed, it should be and probably is, but they do not make that clear, and it should have a different password* than the account that DOES have full privileges.
*For all I know it DOES have a different password, but again, they do not make that clear at all.
hovercraft
@a hip hop artist from Idaho (fka Bella Q): @Alain the site fixer:
It never stops, I guess at this point we should be grateful that BilO’s reaction to Sylvia’s earned him scorn and not just a shrug.
@Pogonip:
We take our grape soda and kool aid very seriously ;-)
liberal
@Taylor: Dropbox doesn’t have the master key for KeePass. And KeePass allows you to require both a password and a random file. You put a copy of the file on your device but not in dropbox. Assuming they did the encryption right, seems like it would be hard for an attacker to break that.
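An added illustration of the composite-key point in the comment above (this is example code written for this page, not KeePass's own code and not its KDBX file format): the vault key is derived from the password hash and the key-file hash together, so someone holding only the encrypted blob from Dropbox has nothing to verify password guesses against unless they also have the key file. The construction assumed here (SHA-256 composite, PBKDF2 for the master key, an HMAC-based keystream with an HMAC tag) and all the data in the block are constructed for the demo.

```python
"""Added example: password + key-file composite secret, encrypt-then-MAC.

Illustration only; not KeePass's KDBX format. Assumed construction:
composite = SHA-256(SHA-256(password) || SHA-256(keyfile)), master key via
PBKDF2-HMAC-SHA256, HMAC keystream for encryption, HMAC tag for integrity.
All inputs below are constructed test data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 20_000   # kept low for the demo; a real vault uses far more work
SALT_LEN = 16
TAG_LEN = 32


def composite_key(password: str, keyfile: bytes | None) -> bytes:
    """Hash the password and the optional key file into one 32-byte secret.

    With a key file present, a password guess alone produces a different
    composite, so a stolen vault cannot be used to test password guesses
    unless the attacker also holds the key file.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def derive_keys(composite: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the composite with PBKDF2, then split into enc/mac keys."""
    master = hashlib.pbkdf2_hmac("sha256", composite, salt, ITERATIONS)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, salt: bytes, length: int) -> bytes:
    """HMAC in counter mode as a keystream (illustrative, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = salt + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(plaintext: bytes, password: str, keyfile: bytes | None,
         salt: bytes | None = None) -> bytes:
    """Return salt || tag || ciphertext (encrypt-then-MAC)."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    enc_key, mac_key = derive_keys(composite_key(password, keyfile), salt)
    stream = _keystream(enc_key, salt, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + tag + ciphertext


def open_vault(blob: bytes, password: str, keyfile: bytes | None) -> bytes | None:
    """Return the plaintext, or None if the password/key-file pair is wrong
    or the blob was tampered with."""
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(composite_key(password, keyfile), salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, salt, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def guess_password(blob: bytes, wordlist: list[str], keyfile: bytes | None) -> str | None:
    """Offline dictionary attack against a stolen vault blob."""
    for candidate in wordlist:
        if open_vault(blob, candidate, keyfile) is not None:
            return candidate
    return None


# Constructed demo data (not real secrets).
KEYFILE = bytes(range(64))
SECRET_NOTE = b"site=example.test user=alice pw=s3cr3t"
VAULT = seal(SECRET_NOTE, "correct horse", KEYFILE)
WORDLIST = ["password", "letmein", "correct horse", "hunter2"]

if __name__ == "__main__":
    print("attacker with key file:   ", guess_password(VAULT, WORDLIST, KEYFILE))
    print("attacker without key file:", guess_password(VAULT, WORDLIST, None))
```

The dictionary attack succeeds only when the attacker has both the vault and the key file; with the vault alone, every candidate fails the tag check, which is the property the comment relies on when the key file is kept off the synced folder. The HMAC keystream is there to keep the example dependency-free; a real vault would use a standard authenticated cipher.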
trollhattan
@different-church-lady:
That’s so silly; moths don’t have balls!
trollhattan
Before the nerdstorm disperses, my phone just decided to update itself to Android 7. Any insights/suggestions on accessing new or important features?
TIA!
Alain the site fixer
@hovercraft: I’m African, European, South American (both parents spent significant time and life there and so some cultural tendrils), and North American: I carry a bit of all those places in my heart and soul but I am an American, just not a “normal” one, like so many others on Balloon Juice.
Another Scott
@trollhattan: Lucky you! I keep hoping that my T-Mobile V10 will get 7 sometime before the V30 is out. :-/
My go-to place for Android stuff is AndroidPolice.
HTH!
Cheers,
Scott.
Steve in the ATL
@Alain the site fixer: “normal” on Balloon Juice? I see you are also a comedian!
different-church-lady
@trollhattan:
People only think that because they’re so hard to find.
trollhattan
@Another Scott:
Thanks, will check it out!
Mine’s a Verizon Moto Turbo 2 and I had no forewarning, it just happened (but I don’t follow the on-line resources either).
trollhattan
@different-church-lady:
You got me there!
Pogonip
@hovercraft: If I didn’t already have one, I’d order a copy of “7 Samurai” to see if Amazon would decide I’m Japanese.
Maybe I should try “The Godfather.” Salud! (She said, hoisting her grape soda in a toast.)
Pogonip
@trollhattan: Then where do all the little moths come from?
I remember reading that moths hear with their knees. Never knew until then that they had knees.
Bill Arnold
@HW3:
Specifically, the Surveillance Self Defense pages at eff.org are worth reading.
Miss Bianca
This is crazy good info – do we need an “Alain on Security” tag now? ; )
ETA: Or would that be “Site-Fixer on Security” – you know, to maximize the alliterative/allusional effect?
PST
The creepiest I ever felt about an ad came after I heard “More than This” as background to something, and when it struck a nostalgic chord for me, I spent a leisurely half hour or so listening to old Roxy Music cuts on iTunes and YouTube. Then I turned to the New York Times (this was a while back so don’t mock me) and right on the main page was a little ad with Bryan Ferry saying that he stays at the Mandarin Oriental. I found myself wondering whether I would have been looking at Robert Plant recommending the Carlyle if I’d happened to hear “When the Levee Breaks.”
Alain the site fixer
@Miss Bianca: I left it as Cybersecurity for now. I’m not trying to make this a centerpoint feature like Adam or Richard.
Alain the site fixer
@Steve in the ATL: Kinda like the good-good/good-bad/bad-good/bad-bad classification system for Chinese delivery food, there’s “normal”, normal, and “normal” normal. I’m not sure there’s a normal “normal”, but maybe they’re just better at disguising themselves as other types…. I often think when people think “normal”, they mean boring, and by that measure, no one here is boring, and there are truly very few boring people, you just need to learn how to find their spark and help them express it.
DocSardonic
One other thing to remember is that unless you are under oath and subject to penalties of perjury, you have absolutely 0, zero, zilch, nada, reason to provide accurate information on any online demographic form.
Another Scott
@DocSardonic: Yup. I was a 103 year old woman when I signed up for a WaPo online account years ago. ;-)
Cheers,
Scott.
Another Scott
Speaking of Password Managers…
See the original for embedded links.
Cheers,
Scott.
frosty
@Another Scott: my FB birthday is 1/1/1905.
Alain the site fixer
@Another Scott: yeh but not KeePass. I’m hesitant to use paid online enabled services but for many or most users, that’s the reality. I automatically distrust Android for fundamental reasons so I’m not surprised to read about issues in Android implementations.
Sincerely, I could easily see why my trust in iOS is misplaced (that is, I could see that all along, Apple’s been a tool of government and surveillance, but I see 0 evidence to support that contention.) but so far, so good. There’s a lack of freedom and such, but that’s a tradeoff for security and performance that I find quite acceptable. For a lot of security mechanisms, I think that open source produces superior results on average; sometimes the crowd misses the forest for the trees, and sometimes a secret group of one or a few clever folks can create something remarkable. And so KeePass and apps made to support it in iOS are a good thing. I’ve just decided to explore MiniKeePass to see how it goes as a different front end. They publish their code so it’s more transparent compared to iKeePass software which now has some email and website issues that are a bit suspect tbh. I’m going to post some corrections or such edits when I publish part two.
Alain the site fixer
@frosty: the FB birthday you entered and they humor you with is that date; they likely have a hidden field for you called something like trueBirthDate and it’s populated from more traditional data such as survey, financial, registration, etc.
J R in WV
@DCrefugee:
Your rights as a citizen don’t exist at border entry points, even at airports deep inside the nation. The legal policy is that you aren’t in the country yet, so your rights haven’t begun to apply yet. I think that’s nonsense, but the courts appear to buy that BullShit.
So CBE/ICE police can detain you and demand that you provide passwords for your devices AND for selected social media services like Facebook or Twitter, etc. Apparently indefinitely, or until your friends/relatives/employer show up with an immigration lawyer and a court order.
I have seen recommendations that people obtain a burner phone for travel, or just don’t take one, instead renting one at your destination airport. Same for tablets. If you must take and use a device like a camera, etc. you could upload encrypted datasets of text or photos to a secure cloud site, and then do a factory reset on your tablet/phone/camera.
They held a US born citizen with long hair and a foreign name in detention until he unlocked his NASA issued devices, which was perhaps not legal as it was a federal device with security itself. He worked at the Jet Propulsion Lab at Cal Tech and was in South America for his solar-power racing team, which is his hobby. I suppose they could have held him indefinitely had he not given up his devices passwords, they then copied his devices for lengthy inspection at their leisure.
They held a Norwegian diplomat holding a diplomatic passport, a violation of many treaties between nations. The Customs and Border officials have seemingly taken leave of their senses and abandoned any pretense of following laws, whether federal or international, court orders are being ignored, just regular politeness seems to be disallowed.
We have had a trip to Tuscany in Italy paid for and arranged long ago, with old friends – since the 1960s and early 70s. When we have traveled before, coming home was mostly a relief. Now I expect to be bullied rather than told “Welcome Home!” I’m still working out how I will respond to that if it happens.
I will definitely have very little personal data on any devices. No phone, tablet with only travel-related software installed, Navigation, translate, some novels to read. Any advice from lawyers here would be welcome!
J R in WV
@Alain the site fixer:
Why I’m not part of Facebook, Twitter, any of that BS. If you aren’t paying for a service, YOU are the product, not the buyer.
I have reluctantly started to use Amazon for shit I can’t find elsewhere. Usually I google for the actual provider if they sell to the public.
J R in WV
@Taylor:
Two-factor authentication – sounds great. Social security, which has online accounts for people who deal with them, tried to set up two-factor authentication not very long ago.
One day I got an email from the SS admin telling me that I had to give them my cell phone number, so that when I tried to log into my SS account, they could text me a temporary authentication password. There were several problems with this.
Everyone doesn’t have a cell phone. I do have one, but it doesn’t work at my residence, ever. It never will until the cells are at 50,000 feet above the mountain ridges that comprise the geography of the eastern mountains.
Even people who do have cell phones, and I have a Galaxy running a modern release of Android, don’t all use text messaging. I don’t. I won’t. I do not care to send twits or texts, and I won’t do it.
So I wrote letters to first the Social Security administration, second my (democratic) senator and (R) congressman (sorry, no women). I told them just what I told you. I told them that I approved of two-part authentication completely!
Using cell phones and texts was a broken implementation devised by someone who doesn’t know anyone receiving social security benefits, doesn’t know anyone with no cell service, doesn’t know anyone who doesn’t text all the time. Not a competent systems analyst, didn’t ask the right questions, didn’t get the right answers.
Very soon after they wrote everyone a new email canceling that first system, probably at great expense. We were told that two part authentication would come someday, and would be useful for everyone. But some people still have trouble dialing their rotary phone, let alone using the internet.