Privacy First: Apple Strikes Another Blow

Full disclosure: I’m an Apple user and have been for decades. But one of the reasons I’ve been such an ardent Apple fan is that I’ve always felt like they had my back. I’m not sure how much of this is altruistic – but you can argue that the actual reasons might be more compelling (if more cynical): it’s their business model. Apple is a hardware company. They make computers, phones, tablets, and other devices. The software that comes with those devices is almost entirely free and is used to increase the value of the hardware. Most people still think of Google as a search engine company. If you happen to know that Google makes the Android smartphone operating system, then you might think of them as a hardware and software maker, too. And they are. But Google makes about 90% of their revenue from advertising.

Why does that matter? Because this means that Google’s primary product is you. They want to know all about you (and I mean all about you) so they can sell highly-targeted ads. Google may be extremely keen to protect your privacy… from everyone but Google. While Apple certainly has access to your personal information, and they even have a small ad business, they appear to be taking great pains to avoid abusing their position, drawing a stark contrast with Google and others. They actually appear to care about protecting your privacy and see this as a key marketing differentiator.

Apple Fires Another Shot Across the Bow

Apple was the first browser-maker to block third-party cookies by default about 6 years ago, which caused a huge fuss. Google was even caught circumventing this and ended up paying a $22M fine (which is, of course, nothing to Google).

And now Apple is at it again: daring to protect its users’ privacy using a new technology called Intelligent Tracking Prevention (ITP). This feature, built into Apple’s Safari browser, adds some common sense limits on the scope of web tracking. The details are rather arcane (if you want to give it a shot, try this article), but the upshot is that Apple is actually proactively trying to protect its users’ privacy without breaking the way the web works (at least not the parts that users care about). It’s not preventing you from seeing ads. It’s not even preventing you from being tracked. It’s just putting some strict time limits on how long you can be tracked, depending on the user’s apparent actual interest in the product or web site. Sounds reasonable, doesn’t it?

Let Me Get My Tiny Violin

Not to web advertisers. They’re collectively freaking out, calling it “sabotage”. But let’s just be clear here that people never asked to be tracked. Advertisers love to claim that their targeted ads are so amazingly beneficial that removing them is actually harming the people they’re tracking. From an open letter to Apple from several ad agencies:

Apple’s unilateral and heavy-handed approach is bad for consumer choice and bad for the ad-supported online content and services consumers love. Blocking cookies in this manner will drive a wedge between brands and their customers, and it will make advertising more generic and less timely and useful. Put simply, machine-driven cookie choices do not represent user choice; they represent browser-manufacturer choice.

There are several problems with this statement. First, ITP doesn’t block ads and it doesn’t even prevent tracking – it just puts a time limit on tracking. Second, making ads more generic just takes things back to the way ads were before tracking (i.e., less creepy) – which is how advertising worked for decades or even centuries. Finally, users rarely bother tweaking any settings – even if they know and understand how tracking works, many people simply can’t be motivated to change their default browser preferences. It’s the Tyranny of the Default. People don’t actively say “I want to be tracked! Where is the setting that allows that? I want to make sure it’s enabled!” But sadly they also don’t do anything to stop being tracked.

Time for a Change

So kudos to Apple for trying to strike a balance and sticking up for their users. But I’m honestly more pleased that this has once again raised the issue of privacy and tracking. Most people just aren’t aware of the degree to which they’re being tracked, nor have they probably considered the consequences for themselves and for society in general. It’s going on constantly, right under our noses, and the results have so far been kept largely secret. (If you want to get just a taste of what these marketers know about you, check out aboutthedata.com from Acxiom or My Account from Google).

We got here because people don’t want to pay for web content – which led us to the ad-based web. We can debate the ethics of ad-blocking, but we really just need a new revenue model for the web that doesn’t incur horrendous privacy issues (for example, the new Brave web browser and micropayments).

[NOTE: Check out this week’s podcast where I go more in-depth on how and why we’re tracked, and what you can do to protect your privacy.]

Terms of Service: What Did I Just Sign?

Somewhere along the line, corporations decided that they needed to tack licensing agreements (terms of service) onto just about every product produced. We’ve gotten to the point where we just ignore them and click “Agree” or rip off the little sticker that says something about “by removing this sticker you agree to…” blah, blah, blah. Too long; didn’t read (abbreviated “TL;DR”). The lawyers who write these agreements know we don’t read them. You would not be blamed for believing that they intentionally make these agreements long and hard to read so that we don’t read them.

And yet, does it really matter? When was the last time you looked back and said to yourself “man, I wish I hadn’t clicked ‘Agree’…”. Probably never. That’s because in many cases you’re signing away something you’ll probably never notice: your right to privacy or your right to sue.

Informed Consent

The bottom line, though, is that in order to have a productive debate on these issues, we have to be informed consumers. For market forces to work, we have to be able to easily compare this product with that product, and that should include the legally binding agreements attached to these products and services. And on a deeper level, we also need to be informed citizens so that we can vote for representatives that promise to protect our rights.

To that end, let me introduce you to a cool new web site: ToS;DR (that’s short for “Terms of Service; Didn’t Read”). The site cuts through the lengthy, obfuscating language and summarizes the key elements of these Terms of Service and End User License Agreements. They even have a simple report card grading system to help you quickly assess a given service, though I would still read the individual ratings because each of us will care about different things. You can even help them to keep the ratings up to date.

A Cure for Your Apathy

If you still find yourself unconcerned, then I highly encourage each of you to watch the documentary called Terms and Conditions May Apply (which can be found on Netflix and Amazon Prime Video). You can find more privacy information and links on my Resources page.

Equifax Hack: Protecting Against Identity Theft

You’ve probably already heard about the massive data breach at Equifax, one of the three major US credit bureaus. The company says that up to 143 million people may be affected, which is almost half of the entire population of the United States. The stolen data may include names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In other words, just about everything you might need to commit identity theft. Equifax has a “potential impact” web site that will supposedly tell you if you were affected, but there have been mixed results in practice. If you were affected, it will send you to enroll in their TrustID credit monitoring service. And then tell you to come back in a few days to do it. They are frankly not handling this well, and the lawsuits are already coming.

Step One: Mitigating Identity Theft

So what should you do? I would go ahead and take the free monitoring service, when it becomes available. It can’t hurt (and shouldn’t prevent you from participating in a class action suit). But there are two other things you should consider strongly: either a credit freeze or a fraud alert.

A credit freeze will prevent any new requests for your credit history, which should stop anyone (including yourself) from getting a new credit card or opening a loan in your name. You will have to do this by contacting each of the three major bureaus (Equifax, Experian and TransUnion) and it will cost between $5-10 each. However, credit histories are used for many other purposes. So it might also interfere with applying for a new job, signing up for a new service (e.g., phone, cable, utilities), or even the above-mentioned credit monitoring. You can always ‘thaw’ your credit and re-freeze it, but you will have to pay again.

The simpler option is a fraud alert, which is totally free but less effective. A fraud alert will simply require credit institutions to do a little more verification before allowing credit to be opened in your name. For example, they may call you if you have a phone number on file. Unlike the credit freeze, you only need to contact one of the three agencies and they are required to tell the other two. However, it only lasts for 90 days, though you can renew it as many times as you like. (If you can prove you have actually been a victim of identity theft, you can get a 7-year fraud alert.) I would do this immediately, and then after signing up for Equifax’s free monitoring service, you can consider implementing a full credit freeze.

Step Two: Basic Security Hygiene

Your next steps should be to beef up your general security – things you should already be doing, but things that become much more important in the wake of this horrific data breach.

  1. Use strong, unique passwords for your important accounts (financial, email and social media). Do not repeat passwords! To help with this, use a password manager like 1Password, LastPass, KeePass, etc.
  2. Set up and use two-factor authentication for these same accounts. This means you’ll have to enter a password and a one-time PIN code. (This is usually only for the first time you log in from an unknown location.) You can search for your service here and get quick links to help.
  3. Get your free annual credit reports from each credit bureau. I would recommend spreading them out – do one every four months, rotating through each of the three services. Set a repeating annual calendar reminder for each one, maybe Experian in January, Equifax in May and TransUnion in September.
  4. Keep a close eye on your credit card, bank and other financial statements for suspicious activity.

Stay tuned… I’m sure there will be more on this soon. My radio show and podcast will delve into this a bit further later this week.

UPDATE: This is another excellent article on credit freezes and fraud alerts.

UPDATE 2: Great article on the broader issues for democracy and privacy. The above is about you; this article is about everyone. The market is not able to fix these problems; it’s going to require legislation – and that means you need to be informed and lobby your representatives.

How to Send Files Securely (like Tax Info)

Editor’s Note: Yeah, this is a long article. But if you ever need to transfer a file that contains financial, medical, or otherwise personal/private stuff, you need to know the techniques and concepts in this article. So read it carefully.

Tax time is upon us once again here in the US of A… ah, that magical time of year when you take hours and hours to collect the info that the IRS already has and calculate what they already know.

According to this article, 56% of American filers pay someone else to do their taxes for them. If you’re one of those people, then you will inevitably have to send some sensitive financial statements and info to your tax preparer. But it’s also highly likely that there are other situations where you will want to be able to send private data to someone else over the internet – medical, financial, or just personal. You should never, EVER send this sort of info in an email – as an attachment or in the email body itself. Email is just not secure (unless you go to great pains to make it so).

Encryption Overview

Encryption is a proven, rock-solid mathematical technique for transforming normal, readable digital files (documents, pictures, emails, whatever) into complete gibberish, and then (crucially) converting them back. Encryption uses a key (sometimes called a passphrase or password) and some well-known algorithm to do the conversion and reversal (that is, encryption and decryption, respectively). Whoever has the right key can decrypt the files. If you don’t know the key, even if you know the algorithm, you cannot recover the original file. Okay, you can – but if done properly, it would take all the computers on the planet working together for centuries to finally guess the key (despite what you see in spy movies). That’s cool stuff. (If you find this stuff the least bit interesting, check out The Code Book by Simon Singh.)

Let me just say right now that dealing with any sort of encryption today is just not convenient, to be polite. Encryption should just be the default for all communications today and you shouldn’t even notice that it’s happening. While we’re slowly getting there, we have a long way to go. (Don’t believe all the hype from law enforcement agencies about “going dark” – this is the golden age of surveillance.) The techniques I’m going to cover here are going to feel like a pain in the butt. But these are skills most of us will need at some point.

NOTE: I’m not talking Snowden-level security here. The techniques in this article are very good, but if your life depends on this, you need to be looking at sites like privacytools.io and securedrop.org.

We’re going to be talking about two distinct flavors of encryption here: encrypting the files themselves (we call this ‘data at rest’) and encrypting the files as they are traversing the interwebs (‘data in motion’). Ideally, you will want to do both – that is, encrypt the files you’re sending and then send those files using an encrypted transfer mechanism. But at a bare minimum, you need to encrypt the files themselves.

STEP 1: Encrypting Your File(s)

Whether you have one or many files to send, you should compress and zip them up into a single bundle. Fortunately, the same tools we’re going to use to encrypt the files will also take care of compressing and bundling them all into a single output file called a ‘zip file’. When your recipient decrypts this zip file, they will get all the original files back.

The trick here is finding a zip tool and format that your recipient can handle. There are many, many ‘zip’ file formats – but for pure simplicity, we’re going to use the 7zip format. (While you can make the arguably more-standard .zip file format work, getting the current free tools to actually use the better encryption formats is needlessly difficult.)

For some unknown reason, there is no single tool that works both on Windows and Mac to create an AES-256 7z file. There are many for-pay tools out there, but I’ll stick to two free tools that work quite well: 7-Zip on Windows and Keka on Mac. (Shout-out to this How-To-Geek article for inspiration.)

a) Choosing Your Zip File Password

Before we can encrypt the file, we need to choose a password. This is a crucial step in the process – don’t wimp out here and go with your name, “password”, or “12345678”. Just make it easy: go to this online password generator and have it create a killer password for you. You can tweak the settings on this page if you want to make it a little easier for the recipient to enter, but make sure it’s at least 12 characters long.

b-Win) Creating Your Zip File on Windows (7-Zip)

Start by putting all of your files into a single folder, say “My Private Files”. Then right-click this folder and select “7-zip -> Add to archive”. Don’t let all the options scare you. In the window that pops up, you only have to change three things:

  1. set the “Archive format” to “7z” (upper left)
  2. set the “Encryption method” to “AES-256” (lower right)
  3. enter your chosen password.

Note carefully where the file will be created (top of the window). Click “OK” and you’re done!

b-Mac) Creating Your Zip File on Mac (Keka)

Keka is handy, but a little odd to work with. Launch Keka. If not already selected by default, choose the tab for “7z”. Fill in your chosen password. I usually also select “exclude Mac resource forks” (harmless and invisible to Mac users, but confusing for Windows users).

Put all of your files into a single folder, say “private files”. Drag that folder on top of the Keka window and the window will change. Just let go and your encrypted 7z file will be created (by default, it will be in the same location as the original folder). That’s it!

c) Decrypting the 7z File

The process at the receiving end is much simpler – the receiver usually just has to double-click the .7z file. They will need some sort of application installed to handle this, of course. 7-Zip and Keka are obvious choices, but there are others that will decrypt these files (even if they can’t create them in the first place) like Unarchiver for Mac or PeaZip for Windows. Obviously, the recipient will also need the password (Step 2).

STEP 2: Sharing Your Zip File Password

As always, the devil is in the details… you have your strong password and you’ve used it to encrypt your zip file. Now… how do you get this crazy password to the other guy? Believe it or not, this one step is where so many people fail miserably. Don’t send the password along with the file! (Don’t laugh… people do this.) In general, you need to share the password using a different mechanism than whatever you used to share the file.

Here are some options. Note that in all cases, I wouldn’t say anything like “here’s the password”. Just send it with no other information, if possible.

  • The simplest and most secure way to share a password is to just call the recipient and read it to them.
  • If time is not an issue, you could mail it to them (like, a real letter).
  • If both you and the recipient use iMessage (i.e., you both have Apple devices), you can feel fairly secure sending the password this way.
  • A regular text message isn’t great, but it’s not horrible, especially if you don’t say what it is.
  • Gold star: Send half the password one way and the other half some other way!
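
Steps 1 and 2 can also be done from a script. The sketch below is an added example, not part of the original article: it generates the password locally, builds the 7-Zip command line for an AES-256 `.7z` archive, and splits the password for two delivery channels. It assumes a `7z` binary on the PATH; the alphabet and function names are made up for this example, and `-mhe=on` (encrypt file names too) goes beyond the GUI steps above.

```python
import math
import secrets
import shutil
import subprocess

# Letters and digits without look-alikes (0/O/o, 1/l/I), so the password can
# be read over the phone. Constructed for this example.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_password(length=16):
    """Random password from the OS CSPRNG; the article's floor is 12 chars."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing strength of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def split_for_two_channels(password):
    """'Gold star' option: one half per channel (say, phone and letter)."""
    mid = len(password) // 2
    return password[:mid], password[mid:]


def build_7z_command(archive, folder):
    """Argument list for an encrypted 7z archive.

    a        add files to an archive
    -t7z     7z container, which encrypts with AES-256
    -mhe=on  also encrypt the file names stored in the archive
    -p       bare -p makes 7z prompt for the password, so it never shows
             up in the process list or in shell history
    """
    return ["7z", "a", "-t7z", "-mhe=on", "-p", archive, folder]


def create_archive(archive, folder):
    """Run 7z interactively; returns its exit code, or None if not installed."""
    if shutil.which("7z") is None:
        return None
    return subprocess.run(build_7z_command(archive, folder)).returncode


if __name__ == "__main__":
    pw = generate_password()
    first, second = split_for_two_channels(pw)
    print(f"password ({entropy_bits(len(pw)):.0f} bits): {pw}")
    print(f"send by channel 1: {first}")
    print(f"send by channel 2: {second}")
    print("exit code:", create_archive("private-files.7z", "My Private Files"))
```

Type or paste the printed password when 7z prompts for it; the recipient enters the two halves back to back when opening the archive.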

STEP 3: Sending Your Encrypted Files

Now that you’ve encrypted and zipped up your files into a single .7z file, and you’ve securely communicated the password to the recipient, you need to actually send the zip file. While you could just email the zip file (because, after all, it is encrypted), I would still recommend that you choose an encrypted transfer mechanism. Why? Well, whenever you send something via email, copies of that message and the attachments can be made along the path between you and the receiver. Those copies may survive for a very long time and are subject to being stolen or copied. If you didn’t choose a good password or if in the future someone finds a glitch in the encryption algorithm (less likely), then those copies could be compromised. But you’ve done the most important part: you’ve encrypted the files and, as long as you have a good password, they’re very safe. If you want to email them and be done with it, that’s your call.

There are various ways to transfer a file to someone securely over the internet. Here are a few you could use:

  1. Use a share link with a cloud storage service
  2. Use an encrypted email service
  3. Use a real-time, encrypted file transfer tool

Using a share link with a cloud storage service is the least secure method, but it may be the easiest. There are three main problems with this technique. First, while most popular cloud storage services have some level of built-in encryption, they really aren’t super secure – in particular, the provider usually holds the master key. If compelled (or perhaps hacked), your files could be copied. Second, as a convenience to you, most of these services retain copies of files even after you delete them (see if they offer ‘undelete’ or ‘file recovery’). Finally, if you create a share link, anyone with that link can get to the linked file – at least until you cancel the link or delete the file. Again, you’ve already encrypted the file once, so this is less of an issue, but it’s still not ideal. However, if you want quick and easy, check how your cloud service creates share links and send it to the intended party. (You can often right-click the file to get this.) When your recipient has the file, cancel the share link and/or delete the file.

If you and your recipient happen to both have an account on an encrypted email service, then you can use that to send your file. Unfortunately, these services are not terribly common and they aren’t cross-compatible. However, most offer a free service option, so you could set up an account just for this purpose. This web site has good info and comparisons.

This last technique is dead simple. All you need is a web browser – no special tools to download or services to sign up for. The only trick is that you both have to be online at the same exact time – that is, they have to be there to ‘catch’ the file when you ‘throw’ it. There are several of these services and new ones keep popping up. I’ve personally used reep.io, but you might also check out sharefest.me and file.pizza. In all cases, you drag the file you want to transfer (your zip file in this case) onto the web page. The web page then gives you a special, unique link, which you need to send to your recipient (email, text, etc). When they click it, the file downloads to their computer. Ta da! This technique has one of the same problems as cloud storage share links: anyone with the link can download the file. However, they would have to somehow intercept that link and click it before your intended recipient. Once you close the web page, the link won’t work anymore. Also, some of these transfer services have the added option of setting a password on the transfer, which I highly recommend. (Use a different password from the one you used to encrypt the zip file!)

UPDATE (9-13-2017): There’s an even easier tool out there now called Firefox Send. The nice thing about this tool is that it will save the file in the cloud for your recipient: unlike reep.io and file.pizza, they don’t need to be online at the same time. You drag the file onto the page and it will upload. It then gives you a download link which you send to your recipient. They have 24 hours to download it. The file will be deleted as soon as it’s downloaded (one time only) or after 24 hours.

Conclusion

See what I mean? Sending a file securely today is not simple – and it really should be. Once you get used to using these tools, it’s not so bad, but it should still be simpler.

That said, I would be remiss if I didn’t at least mention a cool new tool called miniLock. If you’ve ever heard of PGP, miniLock is a hipper, modern version that is much, much easier to use. PGP and miniLock use what’s called ‘public key’ encryption (as opposed to the techniques we describe above which use ‘private key’ encryption). With public key crypto, you have two keys that are paired: a public key and a private key. You give the public key away freely to anyone that might want to send you an encrypted file – it’s not secret. The magic is that any file encrypted with the public key can only be decrypted with the private key (which only you have, hence the ‘private’). No need to try to figure out how to securely share a single, shared key! This is truly the best way to share stuff securely, but using PGP really sucks. miniLock has the potential to be a usable public-key crypto tool for the masses because it’s so much easier to use. This tool is currently only supported (well) in the Chrome browser, but hopefully will expand to Firefox and other browsers soon. If you want to give it a try, check out this how-to article.

 

Check out my new weekly podcast!

I was asked to be a guest on an internet radio show a couple times late last year. The host of that show decided that he needed to focus more on his business, and asked me if I would like to take over his show. I was floored – I’d never considered hosting my own show. I spoke at length with the network’s owner and agreed to give it a go! We rebranded the show after my book and the very first episode went live last week (the second episode should be available shortly)! You can find it on the America Out Loud web site, as well as on iTunes. (It will show up on other podcast sites soon.)

Like the book and the newsletter, my goal is to provide timely, practical, easy-to-understand advice for securing your digital devices and guarding your online privacy. I will cover noteworthy news items, interview a guest about an important topic, and answer questions from listeners. Please check it out and tell your friends! If you have a question you’d like me to answer on the air, or if you happen to know of someone who would make a great guest, please drop me a line at “CareyParker” at “americaoutloud.com”.

Beware Hype and Click-Bait

(It’s been a while since I’ve written a full blog post. I’ve been putting most of my efforts into my weekly newsletter – be sure to subscribe to get weekly tips and news on cyber security and online privacy.)

Headline Hyperbole

This week, we saw the following headline from The Guardian: “WhatsApp vulnerability allows snooping on encrypted messages”. This story was immediately picked up by just about every other major tech news web site, with headlines that were even more dire:

  • A critical flaw (possibly a deliberate backdoor) allows for decryption of Whatsapp messages (BoingBoing)
  • WhatsApp Apparently Has a Dangerous Backdoor (Fortune)
  • WhatsApp encrypted messages can reportedly be intercepted through a security backdoor (Business Insider)

I swear there were others from big-name sites, but I can’t find them – I think they’ve been deleted or updated. Why? Because this story (like so many others) was completely overblown.

Which brings us to the point of this article: our online news is broken. It’s broken for much the same reasons that the media is broken in the US in general – it’s all driven by advertising dollars, and ad dollars are driven by clicks and eyeballs. (See also: On the Ethics of Ad-Blocking). But the problem is even more insidious when applied to the news because all the hyperbolic headlines and dire warnings are making it very hard to figure out which problems are real – and over time, like the boy who cried wolf, it desensitizes us all.

WhatsUp?

Let’s take this WhatsApp story as an example. The vague headline from The Guardian implies that WhatsApp is fatally flawed. And the other headlines above are even worse, trotting out the dreaded and highly-loaded term “backdoor”. Backdoor implies that someone at WhatsApp or Facebook (who bought WhatsApp) has deliberately created a vulnerability with the express purpose of allowing a third party to bypass message encryption whenever they wish and read your private communications.

The first few paragraphs from the article seem to confirm this. Some excerpts:

  • “A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.”
  • “Privacy campaigners said the vulnerability is a ‘huge threat to freedom of speech’ and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.”
  • “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access”

Now let’s talk about what’s really going on here. It’s a little technical, so bear with me.

The Devil In The Details

Modern digital communications use what’s called public key encryption. Unlike private key systems (which have a single, shared key to both encrypt and decrypt data), public key systems use two keys:

  1. Public key: Freely given to everyone, allows a sender to encrypt a message
  2. Private key: Fiercely protected and never shared, used to decrypt received messages that were encrypted with the public key

If you had a single, shared key, then you would have to find some secure way to get a copy of that key to your intended message recipient. You can’t just email or text it, or even speak it over the phone – that could be intercepted. The public key system allows you to broadcast your public key to the world, allowing anyone to send you an encrypted message that only you can decrypt, using your closely-guarded private key. In this same fashion, you use the other person’s public key to respond. This is insanely clever and it’s the basis for our secure web.

As is usually the case, the devil is in the details when it comes to crypto systems. The underlying math is solid and the algorithms have been rigorously tested. Where these systems break down is in the implementation. You can have an unbreakable deadbolt on your front door, but if you leave the key under your door mat or there’s a window right next to the lock on the door that can be broken… you get the idea.

Here’s the problem with how WhatsApp implemented their encryption. The app will generate public and private keys for you on the fly, and exchange public keys with the person you’re communicating with – all in the background, without bothering you. That’s fine – so far, so good. But let’s say Alice sends a message to Bob while Bob is offline. WhatsApp on Alice’s phone has used Bob’s last known public key to encrypt these messages, and they’re waiting (either on Alice’s phone or maybe on WhatsApp’s servers) for Bob to come online to be sent. In the meantime, Bob has dropped his phone in the toilet and must get a new one. He buys a new phone, reinstalls WhatsApp, and WhatsApp is forced to generate a new public/private key pair. When he comes online, Alice’s copy of WhatsApp figures out that the public key it has for Bob is no longer valid. And here’s where things fall apart. WhatsApp will then get Bob’s new public key and re-encrypt the pending messages, and then re-send them.

Bug or Feature?

That’s it. That was the fatal flaw. The “backdoor”. Did you catch it?

If you missed it, don’t feel bad. This stuff is complicated and hard to get right. The problem is that Alice was not warned of the key change and (crucially) was not given the opportunity to validate Bob’s new key. So, theoretically, some third party – let’s call her Mallory – could somehow force Bob to go offline for a period of time and then pretend to be Bob with a new device. This would trick Alice’s copy of WhatsApp into re-encrypting the pending messages using Mallory’s key and sending them to Mallory. So, if you’re following along, what that means is that Mallory could potentially receive the pending messages for Bob. Not past messages. Just the pending ones, and potentially ones in the near future – at least until Bob comes back online.

This key change is part and parcel of how modern public key crypto messaging works. The only possible fault you can find here with WhatsApp is that they don’t (currently) enable changed key warnings by default and they don’t block re-sending of pending messages until the user (in this case Alice) reviews the new keys and approves the update (i.e., satisfies herself that it’s really Bob who is sending the new key).

Is that a “backdoor”? No. Not even close. It was not maliciously and secretly implemented to allow surreptitious access by a third party. Furthermore, if Alice turns on the key change warning (a setting in WhatsApp), it would allow her to see when this happens – a big no-no when it comes to surveillance. Is it a vulnerability or bug? No, not really. It’s a design decision that favors convenience (just going ahead and re-sending the messages) over security (forcing Alice to re-authenticate a recipient every time they get a new device, reinstall WhatsApp, or whatever). You can argue about that decision, but you can’t really argue that it’s a bug – it’s a feature.
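
The trade-off is easier to see in a small simulation of Alice's client. This is an added example, not WhatsApp's code or protocol: the toy Diffie-Hellman cipher, the `Sender` class and its `warn_on_change` / `block_until_verified` switches are assumptions made for illustration, and the toy cipher is far too weak for real use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption of this example): enough to show
# public/private key behaviour, not secure. Real apps use vetted libraries.
P = 2**127 - 1
G = 3


class KeyPair:
    """A private exponent and the public value derived from it."""
    def __init__(self):
        self.private = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self.private, P)


def fingerprint(public):
    """Short digest two people can compare by phone or in person."""
    return hashlib.sha256(str(public).encode()).hexdigest()[:16]


def _stream(shared, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{shared}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def encrypt(recipient_public, plaintext):
    """Anyone holding the public key can produce an envelope."""
    eph = KeyPair()
    shared = pow(recipient_public, eph.private, P)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(shared, len(plaintext))))
    tag = hashlib.sha256(f"{shared}".encode() + body).digest()[:8]
    return eph.public, body, tag


def decrypt(keypair, envelope):
    """Only the matching private key opens it; any other key gets None."""
    eph_public, body, tag = envelope
    shared = pow(eph_public, keypair.private, P)
    if hashlib.sha256(f"{shared}".encode() + body).digest()[:8] != tag:
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(shared, len(body))))


class Sender:
    """Alice's client: queues messages while the contact is offline."""
    def __init__(self, contact_public, warn_on_change, block_until_verified):
        self.trusted = contact_public
        self.warn = warn_on_change
        self.block = block_until_verified
        self.pending, self.warnings, self.unverified = [], [], None

    def queue(self, plaintext):
        self.pending.append(plaintext)

    def contact_online(self, presented_public):
        """Contact reconnects presenting a key; returns the envelopes sent."""
        if presented_public != self.trusted:
            if self.warn:
                self.warnings.append("key changed: " + fingerprint(presented_public))
            if self.block:
                self.unverified = presented_public   # security: hold everything
                return []
            self.trusted = presented_public          # convenience: accept as is
        sent = [encrypt(self.trusted, m) for m in self.pending]
        self.pending = []
        return sent

    def verify(self, fingerprint_from_contact):
        """Alice checks the held key against a fingerprint Bob gave her directly."""
        if self.unverified is None or fingerprint(self.unverified) != fingerprint_from_contact:
            return []
        self.trusted, self.unverified = self.unverified, None
        return self.contact_online(self.trusted)


def run_scenario(warn_on_change, block_until_verified):
    bob_old, bob_new, mallory = KeyPair(), KeyPair(), KeyPair()
    alice = Sender(bob_old.public, warn_on_change, block_until_verified)
    alice.queue(b"meet at 6")                       # Bob is offline
    sent = alice.contact_online(mallory.public)     # Mallory shows up as "Bob"
    seen_by_mallory = [decrypt(mallory, e) for e in sent]
    alice.contact_online(bob_new.public)            # real Bob, new phone
    delivered = alice.verify(fingerprint(bob_new.public))
    seen_by_bob = [decrypt(bob_new, e) for e in delivered]
    return {"mallory": seen_by_mallory, "bob": seen_by_bob,
            "warnings": len(alice.warnings)}


if __name__ == "__main__":
    print("silent resend :", run_scenario(False, False))
    print("warn, resend  :", run_scenario(True, False))
    print("warn and block:", run_scenario(True, True))
```

With silent resend the pending message goes to whoever presents the new key; with the warning on, Alice at least sees that it happened; with blocking, nothing leaves her phone until the fingerprint Bob gives her matches.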

UPDATE: The EFF has an excellent article on this with a very similar description. However, it also mentions a new effort called Key Transparency by Google which looks promising.

Remove Profit from the Press

So now let’s return to the big picture. Online news sites produce free web content that we consume. But producing that content costs money. In today’s web economy, people just expect to get something for nothing, which makes it almost impossible for sites to rely on a subscription model for revenue – if you ask people to pay, they’ll just go to some other site that’s free. So they turn to the de facto web revenue model: advertising. The more people who view the ads on your web site, the more money you get. And therefore you do whatever you can to get people to CLICK THAT LINK – NOW!! (This is called click bait.) It’s the same influence that corrupted our TV news (“if it bleeds, it leads”).

Some things should just not be profit-driven. News – in particular, investigative journalism – is one of those things. The conflict of interest corrupts the enterprise. TV news used to be a loss leader for networks: you lost money on news with the hopes of building loyalty and keeping the viewers around for the shows that followed.

Maybe that ship has sailed and it’s naive to believe we can return to the days of Walter Cronkite or Edward R Murrow. So what are we to do? Here are some ideas (some of which came from this excellent article):

  1. Subscribe to local and national newspapers that are doing good work. If you don’t care to receive a physical paper, you can usually get an on-line or digital subscription.
  2. Give money to organizations that produce or support non-profit investigative journalism. You might look at ProPublica, Institute for Non-Profit News, The Investigative Fund, NPR, and PBS. This article also has some good ideas.
  3. Share news responsibly. Do not post sensationalistic news stories on your social media or forward hyper-partisan emails to everyone you know. Don’t spread fake news, and when you see someone else doing this, (respectfully) call them out. Not sure if a story is real? Try checking Snopes.com, Politifact, or FactCheck.org. This article also has some great general advice for spotting fake or exaggerated news.
  4. When you do share news stories, be sure to share the original source whenever possible. This gives credit where credit is due (including ad revenue). If you found a derivative story, you may have to search it for the link to the original source.
  5. Use ad-blockers. This may seem contrary to the above advice, but as I mentioned in this blog, right now the ad networks are being overly aggressive on tracking you around the web and are not policing their ads sufficiently to prevent malware. It’s not safe to blindly accept all ads. You can disable the ad-blocker on individual web sites that you wish to support – just be aware of the risk.

 

Second interview: IoT

My second interview has posted on the George Orwell 2084 site – this one about the Internet of Things, or IoT. As they say, the “S” in “IOT” is for security. In this interview, we talk about the impact that these newly-connected “smart” devices are having on our lives, particularly with respect to our overall security – including some simple things we can all do to mitigate the threats. Check it out!

Interview on George Orwell 2084: Gooligan

Check out my radio/podcast interview with David Boron at George Orwell 2084. We talked about the Gooligan malware for Android, which has infected over 1 million Android phones so far and is making lots of money for the hackers.

Look for another interview in the near future about the Internet of Things and how the insecurity of these devices is a major threat.

If you are worried, you can go to Check Point’s Gooligan web site to check. (Check Point is the company that discovered this malware.)

Ditch Yahoo. Use ProtonMail. [updated]

I’ve been a Yahoo Mail user for 19 years. My Yahoo user ID has only 4 characters in it. It’s been my public (read spam) email address since 1997. I’m sure it’s the longest actively-used email account I’ve ever had. But now it’s time for me to move on. You should, too. Here’s why, and how…

How NOT To Handle Security

Yahoo announced recently that there was a massive breach in 2014 of many of its users’ accounts. While initial reports estimated 500 million users were compromised, it could actually be much worse. (If you haven’t changed your Yahoo password in the last two years, you should do so now.)

Password database breaches are going to happen. Security is hard and nothing is ever 100% secure. But we can and should judge a company by how seriously they take their users’ security and how they react when bad things happen.

While we’re pretty sure the breach occurred two years ago, it’s not clear yet that Yahoo knew about it before July of this year. However, Yahoo didn’t tell anyone about it until after the story broke elsewhere, two months later. It’s also been reported that Yahoo execs had a policy of not forcing users to reset passwords after a data breach because they didn’t want to lose customers. It’s also obvious that Yahoo prioritized shiny new features over security and privacy.

The Last Straw

That’s all pretty bad, but it gets worse. In a separate report shortly after this breach was announced, it was revealed that Yahoo allowed and perhaps helped the NSA or FBI to build a real-time email search program for all its customers, enabling mass surveillance in a way that was unprecedented.

Either of these scandals alone would be unacceptable, and should give any Yahoo user a valid reason to abandon their services – but taken together, it almost mandates it. This is a clear case where we, as consumers, need to show Yahoo that this is not acceptable, and do it in a way they will understand: close your Yahoo account and move to another service.

Ditch Yahoo

I’m not going to lie… if you actually use your Yahoo account (like I do), this is not going to be fun or easy. But if you really care about your security, and security in general, you need to let Yahoo (and the other service providers) know that you take these horrendous security failures seriously. To do that, you have to hit them where it hurts: money. In your case, that means abandoning their services. Ditching Yahoo will not only make you safer, it will hopefully drive other service providers to improve their own security – which helps everyone.

I would say that you have at least three levels of options here, in increasing order of effectiveness (in terms of protesting Yahoo’s behavior):

  1. Stop using Yahoo email and all its other services
  2. Archive your Yahoo email locally and delete everything from their servers
  3. Delete your Yahoo account entirely

To stop using your Yahoo email, you will need to change everywhere you used your Yahoo email account and migrate to a new email service. LifeHacker has some tips that will help, but read through the rest of this article before choosing your new email provider.

To really rid yourself of Yahoo completely, you also need to abandon all their services: Flickr, Tumblr, fantasy sports, Yahoo groups, Yahoo messenger, and any of the dozens of other services.

Your next step is to archive all your old Yahoo email. These emails may contain valuable info that you’ll some day need to find: important correspondence, account setup/recovery info for other web sites, records of purchases, etc. If you’ve used an email application on your computer to access Yahoo (like Outlook or the Mail app on Mac OS), you should already have all your emails downloaded to your computer. But you might also want to consider an email archiving application: Windows users should look at MailStore Home (free); Mac users might look at MailSteward (ranges from free to $99).

Once you’ve safely archived everything, you should delete all your emails from Yahoo’s servers. Why? Well, if nothing else, it should prevent successful hackers from perusing your emails for info they could use against you (identity theft, for example). Assuming Yahoo actually deletes these emails, it may also keep Yahoo (or the government) from digging through that info.

You should reset your Yahoo password to a really strong password (use a password manager like LastPass). I would highly recommend setting up two-factor authentication, as well.

As a final step, you can completely close your Yahoo account. Note that this may not actually delete all your data. Yahoo probably retains the right to save it all. But this is the best you can do.

If you find that you are just too invested in Yahoo to completely abandon your email account (and I’ll admit I may be in that camp), you can set up email forwarding. This will send all of your incoming Yahoo email to a different account. (It’s worth mentioning that it looks like Yahoo tried to disable this feature recently, probably in an effort to prevent the loss of users.)

Use ProtonMail

While GMail and Outlook are two popular and free email providers, you should take a hard look at newer, more security- and privacy-conscious services. I would personally recommend ProtonMail. They have a nice free tier of service that includes web access and smartphone apps for iPhone and Android. If nothing else, grab your free account now to lock in a good user name before all the good ones are taken. Tell your friends to do the same. Just adding new free users will help the cause, even if the accounts aren’t used much.

But I’d like to ask you to go one step further: I encourage you strongly to sign up for one of their paid tiers of service, even if you don’t need the added features. The only way we’re going to force other service providers to take notice and to drive change is to put our money where our mouths are. Until it becomes clear that people are willing to pay for privacy and security, we’ll be stuck with all the ‘free’ services that are paid for with our personal info and where security is an afterthought.

Update Dec 14 2016:

Yahoo has just announced another breach, this time over 1 billion accounts hacked (maybe more). DITCH YAHOO!!


(This article is adapted from a few of my previous weekly security newsletter articles.)