The Guardian has now reported that the Kingdom of Saudi Arabia hacked Jeff Bezos’s cell phone, which is what many of us who work in the information warfare area of national security had assessed shortly after The National Enquirer ran their hit piece on him. What we got in today’s reporting, however, were important and disturbing details! (emphasis mine)
The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.
The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis.
This analysis found it “highly probable” that the intrusion into the phone was triggered by an infected video file sent from the account of the Saudi heir to Bezos, the owner of the Washington Post.
The two men had been having a seemingly friendly WhatsApp exchange when, on 1 May of that year, the unsolicited file was sent, according to sources who spoke to the Guardian on the condition of anonymity.
Large amounts of data were exfiltrated from Bezos’s phone within hours, according to a person familiar with the matter. The Guardian has no knowledge of what was taken from the phone or how it was used.
WhatsApp is notoriously insecure and should not be used! It is now owned by Facebook and there are serious concerns about what Facebook may be doing with the data from the app, including the personally identifying information (PII) of its users. Another security flaw is that only the message in transit from the sending device (user) to the receiving device (user) is encrypted; the app itself, and the messages once they are on the device, are not. So any spyware on the device at either the sending or the receiving end of the transmission can pick up what is being sent and/or received.
The larger issue here is that WhatsApp is very popular. We know from reporting that Jared Kushner uses it to communicate with Muhammed bin Salman, as well as others. From the late Congressman Cummings’ March 2019 letter to White House Counsel Pat Cipollone:
During this period the Committee obtained additional information raising even more concerns about the use of private email and messaging apps by Jared Kushner and other White House officials.
For example, during a meeting with Mr. Kushner’s attorney, Abbe Lowell, Mr. Lowell confirmed that Mr. Kushner has been using the messaging app WhatsApp as part of his official White House duties to communicate with foreign leaders.
Jared isn’t the only US official using WhatsApp.
Multiple Trump administration officials are known to have used WhatsApp to carry out sensitive conversations, raising the prospect that their communications have been intercepted.
Gordon Sondland, Trump’s ambassador to the European Union and a key figure in the administration’s campaign to pressure Ukraine to launch investigations that would benefit the president, communicated with other US diplomats about the effort over WhatsApp. During Trump’s run for the presidency, campaign chairman Paul Manafort regularly sent polling data to a Russian associate via the app.
The problem isn’t isolated just to Jared and other US officials.
Senior government officials in multiple U.S.-allied countries were targeted earlier this year with hacking software that used Facebook Inc’s (FB.O) WhatsApp to take over users’ phones, according to people familiar with the messaging company’s investigation.
Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents. Many of the nations are U.S. allies, they said.
Rudy Giuliani and Lev Parnas were also using WhatsApp!
WhatsApp messages from Parnas to Giuliani and Republican congressional candidate Robert F. Hyde are included in the evidence.
Let’s see what the President’s Cybersecurity Advisor and the First Name in Cybersecurity has to say:
Ruh Roh!
Anyone and everyone who has messaged Muhammed bin Salman using WhatsApp has likely had their phones or tablets compromised. And there is no telling what he collected, who he collected it from, and what he intends to do with it. Though we can be pretty sure it isn’t anything good. WhatsApp is not a secure form of communication. You should not be using it. More importantly, US government officials – from political appointees to civil servants to uniformed personnel to contractors – should not be using it either. Not for personal communications and certainly not for official and work-related communication. That the President’s advisors, both those in the White House like his son-in-law Jared Kushner and those outside of it like Rudy Giuliani, and his other political appointees like Gordon Sondland are using WhatsApp means that over three years’ worth of official US communications have been compromised. And Muhammed bin Salman is not the only one whose intelligence and security services have compromised WhatsApp. Both the Israelis and the Russians have compromised WhatsApp. So have the Chinese.
Whatever information Muhammed bin Salman, or the Israelis, or Putin, or Xi have managed to pull off of the phones of US officials who use WhatsApp, as well as those of other governments, is a ticking political warfare information bomb. We don’t know when this information will be used. We don’t know how it will be used. But we do know that it will be used. It may be used subtly to try to force US officials to do something they ordinarily wouldn’t. Or it might be used, as was the case with Bezos’s data, in an almost brutish assault. But it will eventually be used.
Does anyone really want to contemplate what Mark Zuckerberg might do with the information transmitted via WhatsApp, which he owns? Zuckerberg has the ability to blackmail and extort everyone who uses his social media products because those products are designed to suck up everyone’s information and data so that Zuckerberg can monetize it. That is not a good thing.
Every one of these government officials who are using WhatsApp, from Jared Kushner to Ambassador Sondland to those we don’t even know about, should have their security clearances suspended pending a full counterintelligence investigation. They have made themselves into insider threats by refusing to follow best information and operational security practices. Rudy Giuliani doesn’t have a security clearance to suspend, but he and his associates who have been using WhatsApp all need to be subjected to a full counterintelligence investigation as well, given Giuliani’s pro bono work as the President’s private attorney and all the activity he has been up to in Ukraine and other parts of Europe.
Open thread!
Another Scott
FB is evil. I don’t know why people can’t see it…
Cheers,
Scott.
Adam L Silverman
@Another Scott: While we may (sometimes) disagree on other things, on this we are in complete agreement!
Roger Moore
@Another Scott:
Plenty of us can see it. There’s a reason I’ve avoided getting on FB.
John Mc in NC
But her emails!
Roger Moore
This kind of thing is exactly why the fuddy-duddies in the national security apparatus insisted Obama get a clunky, special-purpose phone for his communications. It’s not just evil companies like Facebook; it’s that it’s incredibly difficult to secure anything when it’s being attacked by an enemy with the resources of a nation state. A COTS device on a commercial network is just too vulnerable, and you can assume nothing on it will stay secret if its owner has powerful enemies.
A Ghost To Most
@Adam L Silverman: Anybody on FB is already compromised.
Jeffro
Hostile powers (both state and non-state) are vacuuming up Americans’ data, both directly and via hacked businesses like Target, Marriott, and the like.
We’re already at serious risk as a country if hostile powers can blackmail, take offline, misrepresent, or otherwise co-opt our citizens. If our national leaders don’t hurry up and get the country onto a better footing, information-security-wise, we’re all going to pay a very heavy price.
jonas
I’m old enough to remember when high-level government officials using unsecured private information storage devices for official business and possibly compromising classified information in the process was the worst crime in the history of the universe. So many people to lock up…
Gin & Tonic
@A Ghost To Most: Not just anyone with an FB account. If your spouse or children or friends are on FB and they post pictures which you’re in, then the facial-recognition software also knows you, and by finding other pictures can build that “social web” almost as effectively as if you’d signed up yourself. Very soon there will be no difference at all.
hitchhiker
Has James Comey weighed in on whether or not this is extremely reckless?
Because I’m told his opinion on such things is definitive and must be repeated 900,000 times by the media, especially during the months just before a national election.
Maybe he plans to wait until next July, or October?
jonas
@Gin & Tonic: It’s like you’re reading Peter Thiel’s mind.
Adam L Silverman
Roger Moore
@Gin & Tonic:
It’s not just about other people posting about you on FB. Even if you don’t have a Facebook account, they’re tracking you through the like button and “Share on Facebook” button seen on practically every page on the web. It’s the same for most of the big internet companies: Google, Amazon, Twitter, etc. They’re building up profiles of everyone, not just their own users.
sab
@Gin & Tonic: Yeah. My spouse is on Facebook. I am not. He sees ads for everywhere I look. When I was looking at kitchen islands, he had been getting ads days before I consulted him.
He really isn’t interested in women’s walking shoes.
I will never order him a surprise gift on line.
Mike J
@Roger Moore: Yep. If you aren’t ultra, super aggressive with ad blocking fb, google, et al are following you everywhere.
Look at the front page of major media sites. There are more invisible ads than visible.
aliasofwestgate
I don’t know if i should repost my comment from before or not. Gods. CBP remain assholes. Nothing’s going to change until the executive office does and they start to crack down on that crap.
Gin & Tonic
@sab: That’s simpler – you likely use the same computer, so it’s just a question of the shopping sites leaving a bit of data called a “cookie” on the computer – which allows the site to be more responsive when you return – and Facebook reads all the cookies stored on the computer so it can present ads to you.
Kai-two
What’ App, Facebook, Instagram – they are all shitty and either actively promote republican/russian propaganda or look the other way and permit it: https://www.washingtonpost.com/news/powerpost/paloma/the-technology-202/2020/01/17/the-technology-202-pelosi-s-facebook-slam-reflects-rising-tensions-between-social-media-giant-and-democrats/5e20a6bf602ff14e66054288/
Anyone who logs into facebook is voting for Trump.
Gin & Tonic
@Roger Moore: That wasn’t my point. Yes, Google is tracking me and knows stuff about me – that’s a risk I’ve taken more or less knowingly, by having a Google account and using their services. Amazon knows a lot about me, because I’ve been buying stuff from them for 20 years, and have made the same sort of bargain. Facebook is tracking me – even though I have no business or customer relationship with them, and never have, and use none of their apps or services – simply by virtue of the fact that some of my friends and relatives have posted my picture.
different-church-lady
This is kind of a big deal, since Amazon now handles all the data in the world, and probably stores it on Bezos’ phone.
(BTW, what the ‘eff even is WhatsApp?)
frosty
@Kai-two:
That’s a little over the top. I’m a reluctant FB user, but so far the ability to keep in touch with formerly lost and distant friends outweighs the risk. My profile has the wrong birthday (1905??) and that’s it.
Not that they can’t hoover up a bunch of stuff from friends, comments, and posts of course.
Bill Arnold
@Roger Moore:
I suspect (not completely sure) that late-model iPhones are pretty good. And Apple takes security pretty seriously; it’s a big part of their brand; both physical device security and software security. (The recent odd noises made by Trump about the Pensacola phones felt like they might be a favor to Xi Jinping, no evidence but an interesting possibility.)
Serious paranoids should use a passphrase, not fingerprint or facial recognition. And don’t click on unsolicited links. And maybe turn off iCloud backup if worried about subpoenas (in whatever jurisdictions that Apple cooperates with.) Unfortunately (my opinion, ok?) Apple abandoned their encrypted backups project a while back due to government pressure. Apple turns stuff (backups) over to governments (LE, intelligence) without informing the phone owners.
As far as messaging apps, Signal seems to be the most highly regarded (civilian at least). Not perfect; e.g. the most recent exploit was Oct 2019 (patched very quickly on discovery): https://www.forbes.com/sites/daveywinder/2019/10/05/signal-messenger-eavesdropping-exploit-confirmedwhat-you-need-to-know/
different-church-lady
@frosty: You have no other way of staying in touch with people?
Adam L Silverman
@different-church-lady: Smoke signals. Semaphore.
sab
@Gin & Tonic: We don’t use the same computer. We both have Android Nooks, and he has an iPhone. Our Nooks go through the same router in our basement. I don’t know anything about the iPhone. I am sure my flip phone isn’t implicated, which is part of why I use a flip phone still (also it has never pocket/butt dialed anyone).
I have listened many times to my sister chattering in a foreign language to dinner guests in who knows what country because she butt dialed me.
Same with Bluetooth. My husband uses it. When I borrow his car, if I drive home from wherever, I can eavesdrop on his conversations in the house when I pull into the driveway. That ain’t right, but it happens.
Gin & Tonic
@different-church-lady: WhatsApp is a “messaging” app, sort of like Apple’s iMessage. It’s very popular outside the US.
different-church-lady
@Adam L Silverman: I find it odd that people need a special app on their phones to do a thing a phone already does by definition.
Adam L Silverman
@sab: Topically applied fluoride does not prevent tooth decay. Rather, it renders teeth visible to spy satellites.
Adam L Silverman
@different-church-lady: It wasn’t originally owned by Facebook. The guy who developed it and eventually sold it to Facebook intended for it to be a secure messaging app that would be used. Especially by people living in less than liberal democracies.
sab
@Adam L Silverman: Really? All the anti-fluoride people when I was a kid said it turns your teeth brown, as it did naturally by water in Texas hill country.
But no cavities!
different-church-lady
TT (tangential topic): I am now experiencing the joys of doing a panic back-up of a 2.5TB drive one… directory… at… a… time… because I don’t know which one has the corrupt permissions that are disallowing me to copy the entire drive at once.
(((CassandraLeo)))
@Mike J: I recommend Privacy Badger as a workaround to precisely this problem.
I am far too exhausted to provide a comprehensive summary of the issue, but I will simply add that the phrase “wireless security” is an oxymoron, like “jumbo shrimp” or “business ethics”. It does not exist and it is probably incapable of existing. You should simply never transmit sensitive data over a wireless network; the WPA2 protocol that underpins Wi-Fi is essentially a wet paper bag whose security depends entirely on the strength and integrity of the password used for the network. This goes, of course, about a thousandfold for unsecured Wi-Fi networks. Other wireless protocols are mildly more secure than WPA2, but this is roughly akin to saying “mildly more principled than Donald Trump”.
Simply put, do not transmit information that needs to be kept confidential over wireless networks. And yes, I fully realise this means I’m saying never to purchase anything or conduct business transactions of any sort over wireless networks. That is exactly what I am saying. Don’t do it. It’s a terrible idea. Seriously, I’m not exaggerating about this anywhere near as much as many of you probably think I am.
(I could also get into a rant about why passwords are a terrible 20th-century way to maintain data security, but I’m far too exhausted tonight. I’ll leave it for some other night.)
Ceterum censeo factionem Republicanam esse delendam.
The Pale Scot
@Mike J: Ad blocking’s not enough. You need to use a VPN and a firewall like Little Snitch to just block access to anything but what you want to look at. There’s a corp offering software that claims to track by the way you use a track pad. And little-thought-of parts of your PC like the audio stack signature can be used to ID also.
laura
Seems apropos – though I’ve taken liberties:
“They were careless people, Jared and Ivanka — they smashed up things and creatures and then retreated back into their money of their vast carelessness, or whatever it was that kept them together, and let other people clean up the mess they had made.”
Adam L Silverman
@sab:
different-church-lady
@(((CassandraLeo))): Have you seen the ad where the teenage boy sneaks up the ladder to his sweetheart’s bedroom window, but then her father shows up because he got a text alert that the boy’s phone just joined their WiFi network?
It’s a cute spot, but every time I see it, I think, “Dude, why in hell’s name don’t you have a password on your WiFi network?”
Gin & Tonic
@The Pale Scot:
Why do you trust who’s on the other end of your VPN tunnel?
sab
@Adam L Silverman: So where did I miss a connection?
Husband and I shouldn’t be using same router for wifi, especially if he was once on FB. Husband shouldn’t have phone on Bluetooth in his car. My sister should leave her phone behind when she goes to China or wherever.
Another Scott
In other news, GovExec:
Hmmm….
Cheers,
Scott.
Omnes Omnibus
@laura: Tom and Daisy were far better people than Jared and Ivanka.
Kelly
@sab:
Same. Last week I bought a new winter hat because she could tell from her Facebook ads I’d looked at it. She rather liked the way I’d look in it so now it’s mine.
sab
@(((CassandraLeo))): Yes. That is what I yell at my HP printer every time I use it: “Why would I want my computer to wirelessly transmit my document to you when it is plugged into you sitting on the desk beside you!?”
Kelly
@Gin & Tonic:
Nope. Same thing happens with my wife and me. She’s on her iPad, I’m on my Chromebook.
Adam L Silverman
@sab: I was just being a smartass. That’s it. You had made a list and descriptions of all your devices and indicated you thought your flip phone was safe. So this was a smartass response to that, as in they have other ways to track you, that I lifted from a cartoon from the late 90s.
sab
@different-church-lady: Yes!
Gin & Tonic
@Kelly: Plenty of other vectors for this, but it’s late and I’m tired. Sorry.
If you want a full vulnerability analysis let me know and I’ll send you a statement of work for you to review.
Jim, Foolish Literalist
holy counter programming! AMC is showing The Godfather, to make us all nostalgic for honorable and sympathetic gangsters
Adam L Silverman
@Another Scott: You’d be amazed at how much of an issue this is. A lot of the hiring since the sequester was put in place was intended to simply create safe landing pads at equivalent rank and grade for civil servants whose positions were being attrited out due to the sequester. Since the President was sworn in, it has gotten worse. Positions that should be open to the public are, instead, restricted to hires of existing or former civil servants and veterans only.
And that’s before you get to the rank issue. I had someone I know at DIA tell me they’d be interested, was I willing to take a GS 10 position? I’ve been either a mobilized civilian supervisory GS 15 step 5 or a contractor paid at the equivalent of a GS 15 since 2007. There is no way I’m going to DIA for a GS 10 position.
sab
@different-church-lady: In my parents’ old house, they had two neighbors. One neighbor was an art professor at the local university. He taught printmaking. His wifi was secure, because academia has rules. The other neighbor was a gastroenterologist handling all sorts of HIPAA-constrained communications. Not even a password there. Doctors are gods and abide no rules.
Omnes Omnibus
@Jim, Foolish Literalist: You fucked up. Now someone’s Facebook account is going to know you watch AMC.
sab
@Omnes Omnibus: I doubt that. They weren’t nice, just slightly more polished.
Bill Arnold
@Gin & Tonic:
This is why you run browsers in a jail, with scripts disabled. A browser is mainly a way for arbitrary untrustworthy servers around the world to run code on your computer.
https://panopticlick.eff.org/ can be fun. (You’ll need to enable scripts for a few tracker simulator sites for it to fully work.)
Re paranoia as amusement, black car with young man wearing suit stopped outside today, again. Dudes, I have a sniffer on the home network. :-) The 737 (?) with odd markings that occasionally flies over my house at 200 meters and 60 knots, goes about 2 kilometers then turns right and another 2 kilometers and right again then flies back to the local airbase.
Kattails
I’m thinking that Mark Zuckerberg should have his life suspended, by being tossed in jail, pending a full and extremely thorough counterintelligence investigation of his business practices. Full stop.
laura
@Omnes Omnibus: names were changed to protect the less awful ?
trollhattan
There was just that one time MBS asked to borrow my saw but I was like, “Hey dude, you’re megarich and stuff, getcher own saw, I need mine, man!” and so that was it for my exposure.
sab
@Adam L Silverman: Sorry. I know (??) you were being a well-intentioned smart ass. Nothing is secure. It’s just some stuff is more secure than other stuff if you are an elderly midwestern housewife. You worry about serious things. I just worry about nosy family. Different levels of security.
The Pale Scot
@Gin & Tonic: I use one of the larger ones that claims to not keep logs. As far as I googled there’s no dispute about that. And if I’m in a paranoid state of mind I fire up Opera and use its built-in VPN service. So it’s double encrypted. I try to keep up to date on the legaling of VPNs. Some say that using an offshore corp is the way to go to avoid the Five Eyes but I’m not doing anything shady, I just don’t like my every click being hoovered up. If I was 30 yrs younger I’d be looking on the dark web for designer dance drugs, but that scene is long gone.
Adam L Silverman
@sab: Being a smartass is sort of my default state.
Mnemosyne
@Adam L Silverman:
It’s a very common thing for corporations to do. After G was laid off from his position as a manager, a recruiter from the company called to offer him a supervisor job at half the salary that was 50 miles away.
My first question to him upon hearing this was, “Did you say ‘no,’ ‘hell, no,’ or ‘go fuck yourselves’?”
Omnes Omnibus
@sab: They didn’t think that they could run the world.
BruceFromOhio
It is simultaneously amusing and astonishing that:
– People think cellphones are secure;
– People think applications on cellphones are secure;
– People in power with so much to lose carry any kind of electronic device at all.
When I’m rich and powerful, my secretary will carry my daily burner phone, and we will communicate via ASL behind closed doors in the dark using an Etch-A-Sketch and a candle, while the phone waits in the car outside.
sab
@Adam L Silverman: It is one of your most appealing features, beyond the knowledge stuff.
different-church-lady
@Bill Arnold: Near a cafe I frequent someone with a sense of humor gave their WiFi network the name “FBI Surveillance Van”.
What makes it extra funny is right below there’s a network called “FBI Surveillance Van-guest”
rikyrah
So…did they sell the Bezos info…or.. what’s the story…how did it wind up in the National Enquirer?
Mart
@different-church-lady:
“I find it odd that people need a special app on their phones to do a thing a phone already does by definition”
Found WhatsApp handy years back when overseas. All you need is a wireless connection and you could call/text/FaceTime back home for free; or for the cost of a sliver of your privacy.
sab
@Adam L Silverman: Though if I knew Mandarin, I could actually learn stuff when my sister butt dials. Instead I just doze off.
trollhattan
@BruceFromOhio:
DPRK has hacked the Etch-a-Sketch. No longer secure!
different-church-lady
@BruceFromOhio: It’s one of the reasons I will never let my phone be my wallet.
different-church-lady
@BruceFromOhio: Dude… Cone of Silence!
Another Scott
@Adam L Silverman: A little bird told me that there are lots and lots of weirdnesses about the Federal government and the way jobs are filled. Like the best way to get ahead is to job hop between agencies. Which, of course, really does a number on trying to build up institutional knowledge and efficiency.
:-/
What got me about that story is that the 0th order factor on any job is how much it pays. Nobody with any sense would take months of training for a new job only to get paid less. It’s stupid that that (apparently) wasn’t recognized before the program even started…
The mumbo jumbo about SES and so forth in the rest of the story doesn’t make me confident that they know what they’re doing, either. (SES people aren’t doing entry-level IT jobs…)
I wonder if Jared was behind it. :-/
Good luck!
Cheers,
Scott.
Adam L Silverman
@rikyrah: We’re not sure yet.
Adam L Silverman
@Another Scott: I have no idea who is behind it, but OPM is kind of screwy when Federal hiring isn’t trying to be purposefully broken and derailed.
BruceFromOhio
@trollhattan: It’s air-gapped! No here or there! And we ASL in Esperanto, more secure than Wind Talkers in 4096-bit! Come get me, bitchez, I’m already gone.
The Pale Scot
I’ll add that the VPN can also block domains that run ad networks and trackers, which results in websites listed on a Google search being blocked because of the ad blocking. Oh well, their loss. Use a cookie manager to save the few cookies that are useful like for here and banking, and set the browser to delete the rest when it’s shut down.
Roger Moore
@Bill Arnold:
They are pretty good. The problem is that pretty good isn’t going to cut it if your enemy has the resources of a nation state. It probably won’t cut it if they have the resources of a big company and are willing to break the law.
BruceFromOhio
@Roger Moore: This.
Another Scott
@The Pale Scot: We’re probably all doomed.
In olden days, you could write your own operating system, and your own compiler, and all the rest, and be reasonably sure that there weren’t any back doors in your system.
Now OSes are GB in size, compilers are GB in size, everything has its own OS, etc., etc. Even a text editor has hooks into the OS and libraries that do who knows what. Plus, everything’s networked, so even if you’re locked down like Ft. Knox, your packets are going who knows where. It’s hopeless. There are too many vectors.
I figure that once the NSA gave up treating encryption as munitions that required an export license that there was something they weren’t telling us…
Yeah, don’t click on unknown links, run ad blockers, etc., and keep your AV up to date. But for the rest, the cat is probably out of the bag. IMHO.
FWIW. YMMV.
Cheers,
Scott.
mrmoshpotato
Would’ve been more secure to yell at each other across the street with megaphones.
Roger Moore
@different-church-lady:
Who says he doesn’t? I have a password on my WiFi, but I give it to house guests as a matter of courtesy. If I had a teenage child whose friends came over to study, I would probably include them. Besides, my clever plan of monitoring my teenage daughter’s boyfriend’s illicit visits by checking when his phone joins my WiFi network won’t work very well if I lock him out.
mrmoshpotato
@Mart: Get ahead of it now. How much criming did you do over WhatsApp? :)
Another Scott
@Roger Moore: Sneaky!
:-)
Cheers,
Scott.
different-church-lady
@Roger Moore: Part of the gag is that the father hasn’t seen the boy before; “So you must be… [looks at text alert] …’Peter’s phone’.”
The Pale Scot
@Another Scott: I avoid using phones and tablets for anything but phone calls. If it doesn’t have a command line and logs it doesn’t really belong to me.
Hkedi [Kang T. Q.]
Ach, I was partway through what I think will be a really nice individual cyber-security introduction for people that is a decent system for hardening their digital identities both politically and commercially, with a side tangent of taking care of elderly parents in the digital realm. Unfortunately time, the length of the subject, and a call from my mom delayed me to the point where it’s criminally ineffective to help our community within a singular post in this particular thread.
The topics I planned to cover were: stronger passwords, 2FA, password managers, antivirus/malware protection, elderly digital protection management, and civilian individuals who need targeted digital protection (activists, people of political note, etc.). This was originally planned as a single post, but it might be better as a series of curated front-page posts. Any frontpager that is interested, please contact me by my e-mail. I’ve met face to face with NotMax, he knows I’m a good Maui boy, ask him.
Adam L Silverman
@Hkedi [Kang T. Q.]:
Old people leave smudgy fingerprints everywhere!
Bill Arnold
@Roger Moore:
I’m not sure that’s true. Apple has been doing the physical device security game iterations for a while now, and their current designs look impressive. I hear stories too, but it is not clear how many of them are FUD to discourage people from attempting to be reasonably secure. (OK, will make an exception for US or Russian national labs level hardware attacks and sometimes, NSA level SW attacks.)
Most of the attacks we’re seeing are stupid stuff like people not realizing that WhatsApp backs up messages to the cloud by default. (Is this still true?) Or devices being seized or given up by suspects and all messages on them available to LE.
Or phishing attacks. Or shitty passwords. Or attacks on account authentication reset protocols. Or old devices or unpatched newer devices. etc.
Another Scott
@Hkedi [Kang T. Q.]: Isn’t it hopeless as long as it’s so easy for criminals to steal our phone numbers?
The FTC page about it doesn’t sound very reassuring…
Looking forward to your series!
Cheers,
Scott.
Hkedi [Kang T. Q.]
@Adam L Silverman: ….And forget their passwords constantly, and fall for online scams, and fall for financial scams (multi-level marketing scams, political scams, and religious scams to mention a few). Protecting your elderly parents, whose cognition has degraded due to age, is actually an important part of your personal digital security, especially since this is an easy route for social digital attacks through phishing and general social network attacks.
Primarily though, taking care of these things helps minimize stress and possible trauma for your parents who grew up when a computer filled a room. It also helps with digital identities in end-of-life issues for families that were close and find that their dead parent’s Facebook page is suddenly spamming E.D. drugs to their extended family, or Russian political propaganda to their still-living elderly friends.
It’s a difficult issue, and is starting to become more prevalent now, but since we have a digital life (especially in the age of Facebook), we really need to have a serious think about post-mortem digital identities.
Hkedi [Kang T. Q.]
@Another Scott: Hello Scott, SIM crimes are rapidly becoming epidemic, but for most (i.e. non-political, non-rich, non-bitcoin-owning), it is not a problem. Yet. The current answer to this is two-factor authentication physical keys, of which the YubiKey is currently the best being manufactured. They cost about $40 each (I suggest buying 2, registering both, and keeping one in a safety deposit box). I was planning on writing on this in advanced protections, since it does cost a bit of cash.
This is, last I checked, the best procedure for Google.
Hkedi [Kang T. Q.]
A little bit of TL;DR (though I haven’t written it yet)
1) Use good passwords, check https://haveibeenpwned.com/ to see if yours is compromised; password lists are passed around like trading cards by bad actors.
2) ANTIVIRUS!!! And don’t plug in random USB keys ANYWHERE! Treat them like toothbrushes.
3) Use two-factor authentication whenever you can. Phone is good; there are better options, though.
4) Using a password manager makes your life easier and safer. There’s a good chance you are using one right now without even knowing it. (It’s probably not the best one; you might want to upgrade.)
5) Make sure you have an offline security recovery plan; not having this makes your life REALLY difficult.
6) Friends and parents can be a digital security risk, both socially and digitally.
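Item 1 of the list above can be done without ever sending the password to anyone: Have I Been Pwned’s range API works on the k-anonymity model, where the client sends only the first five hex characters of the password’s SHA-1 digest and gets back every leaked suffix in that bucket, so the service never learns which password was checked. The Python below is an added example written for this page, not code from the commenter or from Have I Been Pwned. The endpoint URL is the real one, but the sample response and its counts are constructed (only the first suffix, the remainder of SHA-1("password"), is real), the user-agent string is an arbitrary choice, and the `fetch` parameter is a device of this example so the check can run offline.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API. Only lookup_range() contacts
# it; the offline demo at the bottom never does.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response (not real data): one "SUFFIX:COUNT"
# line per leaked SHA-1 hash that shares the queried 5-character prefix.
# The first suffix is the genuine remainder of SHA-1("password"); the counts
# and the other suffixes are made up. Lines are CRLF-terminated like the real API.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
    "\r\n"
)


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 (the scheme HIBP uses) and split the
    uppercase hex digest into the 5-char prefix that is sent to the service
    and the 35-char suffix that never leaves this machine.

    With 16**5 (about one million) possible prefixes, each query only reveals
    which bucket of hashes the password falls into, not the password itself."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF,
    trailing whitespace and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def lookup_range(prefix: str) -> str:
    """Fetch the bucket for one 5-char prefix from the live API (needs network).
    The user-agent value is arbitrary; the API only requires that one be set."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-k-anonymity-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=lookup_range) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).

    `fetch` maps a prefix to a response body; it defaults to the live lookup
    and is injectable so the check can run offline against sample data."""
    prefix, suffix = split_sha1(password)
    bucket = parse_range_response(fetch(prefix))
    return bucket.get(suffix, 0)


if __name__ == "__main__":
    # Offline run: every prefix gets the constructed sample bucket back, so a
    # password whose suffix is absent from it reports 0.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch=offline)
        verdict = f"seen {n} times, do not use" if n else "not in the sample bucket"
        print(f"{pw!r}: {verdict}")
```

Replace `fetch=offline` with the default to query the live service; only the five-character prefix goes over the wire, and the comparison against the returned suffixes happens locally.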
Duane
@Adam L Silverman: Thousands and thousands of dollars spent on a college education and you’re making decisions based upon cartoons you’ve seen. //
Kent
It is kind of pointless here in the US, where most cell phone plans provide unlimited text messaging. But WhatsApp became very popular overseas, where many cell phone providers charge per text message and not everyone has an iPhone that can do internet-based iMessages.
My wife is from Chile, and WhatsApp is super popular down there because all the cellular plans charge per text message. So everyone finds a work-around. It especially started with teenagers, who are the most prolific texters.
It also lets you text overseas to any kind of phone. If someone has a Chilean cell phone number and you are here in the US, you can either send them an international text message, which is very expensive, or you can send them an internet-based message using iMessage if you are both on iPhones. But if you have an iPhone and they have an Android phone, your only way to free international messaging is with a 3rd-party app like WhatsApp.
dm
@rikyrah: The Nat’l Enquirer published a bunch of texts between Bezos and his paramour, leading to Bezos getting a divorce.
The Nat’l Enquirer offered to sit on expanding the story if Bezos stopped talking about the links between the Enquirer, Trump, and the Saudis.
Bezos told them to fuck off, and wrote a public letter detailing everything (including the details the Enquirer threatened to expose):
https://www.bloomberg.com/news/articles/2019-02-08/text-of-bezos-statement-on-national-enquirer-sensitive-pictures
(Arguably, the text at that link, quoting the Enquirer’s threat, is NSFW.)
Bezos wrote, in part:
Martin
Honestly, this is a case where it doesn’t matter all that much how secure or insecure the application is. A nation state targeting a single individual can likely buy a zero-day exploit for almost any platform (zero-day meaning that it’s unknown in the broader community, probably unknown to the developer, and therefore can be used at least one time before it’s stopped – more than once if you move fast enough and can use it undetected.)
So, Bezos was probably screwed no matter what. That it was Whatsapp just means the exploit was easier to find and cheaper to buy.
BillinGlendaleCA
@Kent:
Budget phone plans do not have unlimited messaging, until we got a plan at a higher price, we had only 20 messages a month.
Kent
@BillinGlendaleCA: OK, well there you go. Unlimited messaging is not a thing at all in Chile. At least it didn’t use to be. So pretty much everyone used WhatsApp. I expect that is also the case in many other countries.
Hkedi [Kang T. Q.]
@Martin: That is absolutely true. Fortunately, none of us are Jeff Bezos. There’s an old adage that two people can keep a secret if one of them is dead. Fortunately, there are some not-hard things you can do to make it much, much harder for a random bad actor to mess with you. Yes, if somebody REALLY wanted to spend $500,000-$1.5M for a zero-day attack on your e-mail or cellphone (arstechnica: cost for zero day attack), they could embarrass you on social media, but I doubt any of us on this top-10,000 blog are worth that kind of cash.
edit: some wording to make my point clearer
BillinGlendaleCA
@Kent: I brought this up when folk were talking about texting people before the election (I think 2016): you could really piss off some folk by texting them, either using up their messaging allowance or actually costing them money. Not a good way to get people to vote for your candidate. Those 20 messages are outgoing and incoming.
BillinGlendaleCA
@Hkedi [Kang T. Q.]: I’m not so sure about relying on NotMax as a character reference, though NotMax is a character. //
Jay Noble
Poking along reading this post. iPhone rings. It’s after 11pm. Have members of family who aren’t in robust health, but it does that one-ring thing. The caller ID # is 12 digits long but says United States. Delete, delete, delete! Can I be creeped out now!!!????
Ruckus
@Adam L Silverman:
I thought I saw you at the club the other night……
I’d bet that’s the default state for a bunch of us here.
burnspbesq
@frosty:
There’s nothing inherently wrong with what data it collects or what it does with those data. You’ve decided that the benefits outweigh the costs for you. FWIW, I’ve made the same call.
Where FB goes wrong is in its lack of transparency about what it collects and what it does with those data. People should be able to do an informed cost-benefit analysis before deciding whether to sign up. Denying them relevant information is evil.