Best and Worst Tech Gifts for 2017

The holiday season is upon us, and that means people will be scrambling to find the best presents for their friends, family and loved ones. Geeky gadgets are always popular, but not just for the recipients! The Internet of Things (IoT) has been a major boon for hackers and marketers, as well. So let me help you identify the best and worst tech gifts for this season…

Worst Gift: DNA Analysis Kit

DNA analysis kits have gotten very popular: send away a little swab of your mouth and get back a detailed analysis of your heritage. Some tests even claim to provide you with health information. I’m not here to judge those aspects, however (for that, you can check this article). I’m here to explain why these services could present a privacy nightmare. First of all, there may be relatives out there that you don’t want to know about – or have them know about you. I’ve personally heard a horror story about a paternity secret that was kept for decades – and would have remained a secret had this test not been run. (The analysis kit was given as a gift, by the way).

But beyond that, you also have to realize how much deeply personal information is contained in your DNA – and we’ve seen how even the most secure organizations have failed to keep their secrets safe. It’s well worth nothing that the privacy policies for companies like Ancestry.com and 23andme.com are pretty creepy. We’re just beginning to discover how to read our gene sequences and these services can continue to analyze that data forever. The privacy policies seem to allow them to share your data with others, as well. Even if they claim to share your data anonymously, it’s your DNA… it is you. I wouldn’t count on it remaining anonymous. Maybe some day these companies will manage to offer a truly secure and private service, but right now I would take a pass on this.

Don’t Skimp on IoT Devices

The Internet of Things is the new frontier of techie gadgets – taking something that used to just sit there and happily do its job, and connecting it to the Internet so your smartphone can talk it from anywhere on the planet. Thermostats, light bulbs, refrigerators, outlet switches, web cams, even toasters. Unfortunately, these devices (like most tech devices) need to be as cheap as possible. And one of the easiest places to save some money is on security. Most consumers are clueless, so why bother? My main advice here is to avoid no-name brands or super-cheap products from overseas. Bigger, established companies with reputations to protect are more likely to go the extra mile on security. If they screw up (and every company will at some point), more expensive products from established brands are more likely to fix or replace their products.

Avoid Antivirus Subscription Services

If you’re giving someone a computer, I would not bother to buy them a subscription to an antivirus service. I wrote about it extensively here, but in summary, these products tend to be overly aggressive and can actually do more harm than good. Windows computers come with Defender, which is free and plenty good for most people. For Macs, try the free home versions from Sophos or Avira. But your best protection is just safe surfing habits.

Protecting Your Network

The main gate to your home network castle is your WiFi router. Many Internet Service Providers (ISP’s) now provide you with a combination modem and WiFi router, but I would forego their box and buy your own. Buy a brand name router like DLink, TPLink, Netgear or ASUS. I’m not saying these brands are 100% secure – nothing is 100% secure – but they’re likely to fix their bugs in a timely manner. Be sure to register your device so that you will get emails when critical fixes are available. Here are some quick tips to make sure your WiFi router is secured:

  • Set a password for WiFi access – this means turning on WPA2 encryption. Make sure the password is not easy to guess. Write it down somewhere safe.
  • Enable the guest network. All modern routers should offer this option. It lets you keep your home computers, tablets and smartphones separate from less secure devices. Put your IoT devices on the guest network and have all your visitors use this network, as well (their devices could be infected without their knowledge).
  • Change the router’s admin password! It comes with a default password that is well known.
  • Set your router’s DNS to use Quad9 (see this article for more info).

This article has several other tips for locking down your IoT devices, including your router.

Protect Your Precious Data with Redundancy

Everyone should be backing up their files – certainly anything they can’t replace like family photos, home videos, historical documents, etc. For these special digital files, we should all be following the 3-2-1 rule: three copies of every file – the original plus two backups, one of which should be offsite. So ideally, you would have a cloud backup service and a little USB external hard drive for local backups. I personally like Backblaze for most people – it’s dead simple to use and the cost is very reasonable.

Power in the Darkness

I would recommend that everyone with a desktop computer have it hooked up to a good Uninterruptible Power Supply, or UPS. This is basically a big battery that will keep your computer running for a short time when you lose power. It’s not really about being able to use the computer when the lights are out, it’s about giving your computer time to shut down gracefully. Yanking the power from a running computer is really harsh and it could even corrupt your hard drive. Make sure to also connect your computer to the UPS via the included USB cable. This allows the UPS to tell your computer “hey, power is going away soon, shut down now!”

It’s also very handy to have for your Internet modem and WiFi router – allowing you to use the Internet even when the power is off (using battery-operated devices like smartphones, tablets and laptops). You can find some great recommendations on UPS’s here.

Give the Gift of Privacy

Our level of privacy is quickly eroding, and much of this is done willingly these days by using “free” web services that support themselves by capturing and selling your personal info. Besides choosing the best web browser and plugins, there are two services everyone should strongly considering using: end-to-end encrypted email and a virtual private network.

Truly Private Email

Most of us use one of the prominent free email services. And why not? The service is excellent and it costs nothing… except your privacy. Google is not giving away gmail altruistically. They’re collecting vast amounts of information on you and using that info to target you with advertising. What could I find out about you by scanning all your emails? Probably quite a bit. And even if they say they will never abuse your data, that doesn’t mean hackers won’t just steal it. If you’re ready to put a stop to this rampant data mining, then you’re going to have to pony up and pay for your email. There are several secure email services out there now, including Tutanota, Hushmail, Mailfence, and others – but I personally like ProtonMail. It’s easy to use, reasonable priced and they’re expanding their services all the time. You can try their free tier first to see if you like it.

Blinders for Prying Eyes

Virtual Private Networks allow you to shield your Internet traffic from prying eyes – whether it be everyone else in the coffee shop or airport, or your Internet Service Provider (who now has no restrictions on snarfing up your data for profit). Choosing a VPN service can be tricky, however. I would avoid free services and find a reputable, long-lived company that focuses on privacy. TunnelBear is a great choice for most people, but ProtonMail now includes a VPN service that you can use if you pay for their email already. EncryptMe and VyperVPN are also good.

Give the Gift of Knowledge

Last but certainly not least, I personally like to read books when I want to learn about something. Forewarned is forearmed! Here are some great stocking stuffer ideas:

  • Data and Goliath by Bruce Schneier. Bruce is a world-renowned security expert, but he’s also a very good writer. This book does a very good job at explaining why data privacy is so important and how our corporations and governments are holding way too much power of us. (Full review here.)
  • Little Brother by Cory Doctorow. This book is short and entertaining fiction, but it’s also a treatise on the importance of security and privacy in the digital age. This book is even free, if you want to download the PDF.
  • Firewalls Don’t Stop Dragons by me! The entire purpose of my book is to help people protect themselves. The book covers all the tips above, and over 100 other tips, complete with easy step-by-step instructions and pictures, covering Mac, PC, iOS and Android.  If you’re giving someone a new computer, tablet or smartphone, it’s a great companion gift.

 

Fixing the Apple Root Bug (Permanently)

It’s been a pretty bad week for Apple software, both for their macOS computer software and their iOS smartphone and tablet software. But today I’m going to focus on a truly horrendous software bug that somehow slipped through Apple’s normally stellar quality control process. This one screw up could allow someone to quickly and easily take over your Macintosh computer – potentially even remotely. It’s like leaving the master key to a building on the front doormat. Not under the doormat, mind you – on top of it, with a label saying “master key”. So without further ado, let’s tell you how to fix the Apple root bug, for good.

What is the Apple Root Bug?

Apple’s macOS software – the operating system for its Macintosh computers – is based on the Unix operating system. Unix and its various Linux variants all come with a standard administrator account called “root”. This account can do absolutely anything. It has the highest possible level of permissions and privileges – it’s the “superuser”. This account is extremely powerful and Apple normally disables this by default.

But a recent update to Apple’s latest OS (High Sierra, or 10.13) somehow allowed access to this super user account with no password whatsoever. That’s right. You could successfully log into a Mac with user ID “root” and leave the password field empty. There was basically zero security on the most powerful user account on the system. In most cases, this would require physical access to an unlocked Mac, if you have remote access enabled, then you could log in remotely, as well. That’s about as bad as it gets, folks.

It’s Fixed. No Wait, It’s Broken Again.

To Apple’s credit, they released an emergency fix for this bug within about 24 hours (Security Update 2017-001). If you had your auto-update enabled, this fix was even  installed for you. That’s great. All software companies will have bugs from time to time,  so what really counts is how they respond. Apple responded quickly with a fix. Yay!

This fix was obviously rushed out because in addition to fixing the root bug, it broke Apple’s file sharing feature. While that’s bad, it’s still a good trade off. But it gets worse. A day or two later, Apple released a new full update to macOS (10.13.1) that reintroduced the same root bug! I’ve seen some reports that say if you just reboot your Mac, the root bug will be fixed again… but that’s silly. There’s a real fix that will be permanent…

Fixing the Root Bug Permanently

The underlying issue here is that the root account apparently has no password or somehow a fail-safe mechanism was broken that allowed failed logins to succeed… I’m not sure. But if you just explicitly set the root user’s password, the problem goes away. So how do you do that?

First of all, be sure that a) you generate a strong password for this account and b) you store this password away somewhere. It’s okay to write this on a piece of paper, as long as you put that paper somewhere safe. (Consider using a password manager to both generate and store the password.)

You can set the root password in at least two ways. The official way, according to Apple, is to do the following (using the instructions here):

  1. Enable the root account
  2. Change the root account password
  3. Disable the root account

However, I find that too cumbersome. There’s a simpler way and it feels a lot cooler: use the Terminal application.

  1. Launch the Terminal application from your Applications > Utilities folder. You will get a text-based window with a little “$” prompt.
  2. In the terminal, you will need to switch to “superuser”. Type “sudo su” and hit Return. Then enter the password for your current account (you have one, right?):
    • $ sudo su
    • Password: (your password)
  3. Now you should be logged in under the root account, and you’ll have a new prompt. To change the root password, type “passwd” and enter the new password (twice).
    • # passwd
    • Changing password for root.
    • New password: (enter something you’ll remember)
    • Retype new: (type it again)

This should fix the problem once and for all. Again, make sure you keep that password somewhere safe!

Evading Malware with Quad9

Evading malware can be difficult these days. The bad guys are very clever and surfing the Internet involves several complicated technologies. Software is rife with bugs and traps are ready and waiting for any slip-up you might make. I posted a detailed article on choosing the most secure web browser setup recently that you should have a look at, but today I’m going to talk about something much simpler and more fundamental: choosing your Domain Name Service, or DNS.

Brief Overview of Internet Routing

Whenever you type in a web address like “google.com” or “amazon.com”, you are giving your web browser a domain name. Domain names are easy for humans to remember, but the Internet actually routes traffic based on IP addresses. So the very first thing your web browser does is convert that domain name to an IP address using a Domain Name Service. Your DNS provider is usually just given to you by your Internet Service Provider (ISP) like Comcast, Spectrum, or Verizon. Though you can choose whatever service you want, most people never change the default.

Enter Quad9

A new DNS provider called Quad9 has been created by a consortium of concerned companies, including law enforcement, in an effort to stem the tide of malware and botnets. This non-profit organization was founded not only to enhance security but also to protect privacy. (There’s still a long way to go before it’s totally private, though). Quad9 will actively block your web browser, your apps, and even Internet-connected devices from talking to known-bad servers, using a list that is updated multiple times per day. This can save you from phishing sites, malvertising, and botnet control servers. It’s important to note that this service will not perform any other filtering. That is, it’s specifically avoiding censorship issues and focusing solely on evading malware.

Evading Malware using DNS

To use the Quad9 service, you just need to change a simple setting on your computer, and the Quad9 web site has two videos to help you do it (one for Mac, one for Windows). If you want to kick it up a notch, you can set your DNS service right on your home’s router to use 9.9.9.9 (four 9’s, or “quad” 9). Most devices will defer to the router’s choice of DNS provider by default. But you can effectively change this setting for every device on your home network in one fell swoop.

Give Thanks and Donate

Thanksgiving is almost upon us here in the US. I felt it was a good opportunity to say thanks to some of the wonderful organizations out there working very hard to improve our security, protect our privacy, and defend our rights. If you believe in a cause but don’t have the time to get directly involved, then donating money to groups with the skills, time and talent to truly make a difference is an excellent way to go. You might even get break on your taxes, too. (Note that some companies have donation matching programs, as well – so you might ask your employer about matching your contribution.)

Many of these organizations will send you something for donating – a shirt, hat, sticker, magnet, etc. Display it proudly for others to see. Perhaps it will cause them to look it up or ask you about it, offering another opportunity to spread the word or spark some much-needed debate on these issues.

Electronic Frontier Foundation

If I was going to pick one organization that just does it all (and does it well), I would have to pick the Electronic Frontier Foundation. (This won’t come as a surprise to anyone who follows my podcast.) Staffed with top-notch technologists, lawyers and policy wonks, EFF is at the forefront of privacy, transparency, security, and free speech issues. They have been involved in hundreds of important legal cases, including an impressive string of legal victories. The EFF web site hosts some wonderful security guides, including tutorials and materials for people willing to teach others. They have created two of my most recommended browser plugins: HTTPS Everywhere and Privacy Badger. And that’s just the tip of the iceberg.

Saving Democracy, Fighting for Your Rights

Of course there are many other superb organizations that are fighting for your rights, holding governments and corporations accountable, and trying to improve our democratic institutions. Here are just a few that you might consider supporting:

You can find these and other great security and privacy links on my Resources page.

Browser Safety: Choose Your Weapon

Your web browser is your primary portal to the wild and woolly world wide web. For many people, the web browser effectively is the Internet. As such, it’s one of the most vulnerable areas of our attack surface (i.e., the sum of all the places where we might be susceptible to attack by digital bad guys). Therefore, it behooves us to choose the most formidable browser we can find, bolting on whatever extra ‘armor’ and ‘stealth’ technologies we can find.

How Do We Define a “Safe” Browser?

There are at least two primary aspects to ‘safety’ when it comes to web browsing: security and privacy. A secure browser will do whatever it can to prevent you from visiting bad web sites, warn you against entering sensitive information on insecure pages, identify sites that aren’t encrypted, and strictly enforce policies that prevent malvertising and other malicious web exploits.

However, while security is something that all browsers claim to seek, privacy is another matter entirely. Because much of the web is “free”, most web sites have turned to advertising for revenue. And unlike traditional newspaper and billboard ads from days of yore, web advertising is built on hordes and gobs of personal data. Companies like Google and Facebook collect intimate details on you in order to serve you highly targeted (and much more lucrative) ads. Data, as the say, is the new oil. In their lust for data, online advertisers have gone seriously overboard with their tracking technology, prompting many to use ad blockers. So a good web browser will help protect your privacy by severely limiting the ability of web sites and marketers to track you.

The Big Four

The four most popular browsers today are Chrome (60%), Internet Explorer/Edge (20%), Firefox (13%), and Safari (4%). It wasn’t long ago that Microsoft had a near monopoly on web browser use, but Google’s Chrome browser has come on strong and clearly holds the lead today. Internet Explorer and Edge are the default browsers on Windows PC’s and Safari is the default browser on Apple Macintosh computers. Firefox (which rose from the ashes of Netscape Navigator) is the only browser in the top four that is open source (meaning the source code is freely available for review). Firefox is made by the non-profit Mozilla Foundation, which is funded primarily by search royalties. Despite very different aesthetics, at the end of the day, all four of these browsers do basically the exact same things: they show you web pages. So how do you know which is safest?

Choose Your Weapon: Security

Let’s just get this out of the way now: it’s almost impossible to know which browser is the most secure. This is largely because all of these browsers are constantly rolling out new security-related features, fixing security-related bugs, and generally trying to claim the title of ‘most secure’. That’s a good thing – they’re competing to be the best, and so we all win. There are dedicated hacking contests to reveal bugs in browsers, but it’s hard to say whether the number of bugs found in these contests really reflect the security of the browser. How likely were bad guys to find these bugs? How severe are the bugs? What about the bugs they didn’t find? These hack-a-thons also don’t address factors like how quickly the browser maker fixes their bugs and whether the browser is smart enough to self-update (because if you don’t have the latest version, you don’t have the bug fixes). It’s really hard to compare the relative security of web browsers (see this article to understand what I mean).

However, if I had to pick a winner here, I’d probably have to choose Chrome. Google is doing some fantastic work in the realm of computer and web security. Furthermore, they’re using Chrome’s dominance to prod web sites to be more secure, as well. That said, I think Firefox and Safari are also fairly secure browsers. And you could argue that because Firefox is open-source, it can actually be audited by cybersecurity experts – unlike the other three major browsers. Ideally, this vetting leads to less bugs.

Choose Your Weapon: Privacy

Unlike security, there are significant and important differences between the four major browsers when it comes to privacy. And this (to me) is the real differentiating factor.

While Google has been a true leader in terms of security, they’re pretty much the worst in terms of privacy. They’re whole business model revolves around advertising (Google makes about 90% of its money from ads). And that leads to an enormous conflict of interest when it comes to protecting your personal data and web surfing habits. Apple has gone out of their way to basically be the anti-Google, making it a point of pride to collect as little data on their users as possible (and causing a collective freak-out by advertisers). But Firefox is also doing some great work in this area. In the coming months, Firefox will enable some wonderful anti-tracking technologies of their own.

So who’s the winner in terms of privacy? Today, I’d say it’s a toss-up between Firefox and Safari, with Chrome being dead last. Internet Explorer and Edge are somewhere in between, but with Microsoft’s recent penchant for collecting user data, I would put it closer to Chrome.

And the Winner Is…

Based on everything I’ve read, I personally choose Firefox as my main browser. No browser is 100% secure and it’s very hard for even the most erstwhile browser to completely protect your privacy. But I think Firefox, on balance, is the best of the bunch. Browsers are constantly adding new features, so I will have to revisit this periodically (and I will update this article accordingly).

That said, there is at least one reason to also have Chrome installed on your system. And we’ll talk about that below.

Beyond the Big Four

There are actually several other web browsers you might want to consider. This article covers some of them, but I’ll just mention three.

The fifth most popular browser is Opera, and many people enjoy using it. If you’re not satisfied with any on my list, you might give it a try. Opera is fast and works on both Mac and PC.

The Brave browser is an open-source browser built for privacy, with built-in ad blocking and tracking protection. However, in a move to try to acknowledge the need for ad-based revenue, it also has a mechanism to insert its own ads, which opens up a lot of issues. I would wait and see on this one.

Lastly, the Tor browser is all about privacy – in fact, it tries to achieve true anonymity (though that is extremely difficult in practice). It’s based on Firefox and builds in several kick-butt privacy tools that are too technical to sum up here. But if you really need to surf privately, you should give Tor a serious look.

Less Is More

Modern browsers all have the ability to add more functionality through plugins or add-ons. These extensions can both significantly raise and lower your level of security and privacy. So no discussion of browser security would be complete without discussing them. Let’s start with the plugins you should remove.

First and foremost, delete Adobe Flash. Flash was created years ago to enable all sorts of fun things – animations, video or audio, and online games. But Flash is horrendously buggy and mostly obsolete. So just remove it. (Note that the Chrome browser actually has Flash built-in and Google ensures that it’s up to date – so if you find a web site that requires Flash, you can use Chrome for that site… and then go back to Firefox!)

In the same vein, I would delete both Java and Silverlight plugins, if you have them. They’re buggy and mostly unnecessary.

Finally, go through all your browser plugins and just remove (or disable) any that you don’t need. Every one of those add-ons is a potential security or privacy risk.

If you later find that you do need any of these plugins, you can always just reinstall them… with the following major caveat…

DANGER! Beware Plugin Requests!

If you ever get a pop-up from a web site saying that you need some plugin in order to do something, never ever follow their link to install it!! This is an extremely common and effective way to install malware. When you see a pop-up like this, close it and then go directly to the site for this plugin and install from the source. A Google search should take you to the right place, if you don’t know where to go.

Plugins for Better Privacy and Security

The one plugin you should add to your browser to increase your security is a password manager like LastPass. Not only will a password manager help you to create strong and unique passwords for every web site, they will not be fooled by fake (“phishing”) web sites.

In terms of enhancing your privacy, Firefox and Safari already have a lot of built-in features to prevent tracking. However, there are a handful of add-ons I strongly recommend you install. It’s safe to add them all, they play nicely with each other.

  • uBlock Origin. This is a very good ad blocker, which protects you from tracking and malvertising. (Don’t get “uBlock” – you want “uBlock Origin”.)
  • Privacy Badger. From the wonderful folks at the EFF, this plugin watches for suspicious tracking behavior and blocks it – it even learns over time to get better.
  • HTTPS Everywhere. Also from EFF, this plugin ensures that any site you visit that can support encrypted communication will do it by default.
  • Decentraleyes. Kinda hard to explain briefly, but this plugin helps to limit your downloading of several common web page resources that could be used to track you when you request them.

To install a plugin, find your browser’s menu option for plugins, add-ons or extensions. You can search for the above plugins and install them directly into your browser.

Smartphone Privacy: Reining in Nosy Apps

Every application you install on your smartphone comes with a set of permissions – a list of things it would like to access. This includes things like your camera, microphone, location, contact list, photos, calendar and more. While these functions allow your apps to do amazing things, they can also compromise your privacy. These permissions are usually established when you install the app or first use it. Many of us don’t even give this a thought and just click “yeah, sure, whatever” (I’m pretty sure that’s what the button says). But have you ever stopped to question these requests? For example, should you really grant a Sudoku app access to your contact list? Or a dating app access to all your photos? It’s not uncommon for apps to request way more access than they truly need – maybe to enable some social features you don’t care about or perhaps even to gather intel on you that they might sell to third parties (like marketing companies).

Software developer Felix Krause recently published an article on how permissions in iOS apps (iPhone, iPad) can be easily abused, allowing them to take pictures or video with the front or rear camera, record audio, and even use facial recognition. Of course, you had to have given this app permission to do these things at some point. Maybe it even made sense for that application to have those permissions. But the point he’s making is that these apps can use those permissions for more than the obvious purpose. Furthermore, there may be no obvious way to know when the app is accessing these things.

Need to Know Basis Only

The bottom line is that you should only grant permissions that make sense for the given app’s real purpose, and that you should restrict those permissions as much as possible. For many iOS apps, you can grant permission to these sensitive functions and data only when the application is in use (it’s the foremost app, the one you can see). When the application is not in use (in the background), their access is cut off (or at least severely restricted). For example: why would you want to grant Google Maps access to your location when you’re not actually using it? What else might Google use that location data for? (You know that Google is an advertising company, right?)

Privacy Over Permission

Obviously, for Google Maps to work, it needs your location. And many other apps have a valid need for access to your camera, microphone, photos and so on. But you should question every one of those permissions and dial them back to the bare minimum.

This is fairly straightforward on Apple devices. You simply go to Settings, and then Privacy. There you will find the various privacy-related functions and features, and by clicking on each one you can see which applications can access them. You can then select “always”, “never” or (in some cases) “while using”. Dial them back as far as you can – you can always change it later if you find it’s necessary. This article has some more info, if you need more help. On the whole, Apple does a good job giving users power over their privacy.

Android apps were notorious for being all-or-nothing with requested permissions. However, in Android Marshmallow, Google allowed for finer-grain control. Android 6 gave users the ability to revoke permissions after initial install. The Android interface is often customized by the phone manufacturers and cell phone providers, so it’s harder to give blanket instructions on how to change app permissions on any Android phone. Generally, you go to Settings, then Apps. When you open any individual app and look at App Info, you should find the app’s permission settings. For more info, you can see this article or this one straight from Google.

Locking Down the Internet of Things (IoT)

With all the news of the Reaper malware that’s infecting Russia and Ukraine, and reminders of the disaster of last year’s Miria botnet, it’s a good time to review basic home network hygiene and best practices for securing the Internet of Things (IoT).

What is the Internet of Things (IoT)?

The Internet of Things, or IoT, is a hot marketing buzzword these days, but what does it really mean? Internet of Things refers to the recent phenomenon of connecting regular, everyday “dumb” devices to the Internet in order to enable cool new features. One of the most popular examples is the Nest Thermostat. Nest (who was bought by Google for $3.2B) created a ‘smart’ replacement for the dreary household HVAC thermostat. Not only was it beautiful and easy to use, it had built-in WiFi and could communicate with Nest’s Internet service. With the help of a smartphone app, Nest owners could monitor and even control the temperature of their homes from anywhere on the planet. Over the last few years, billions of devices have joined the Internet of Things: TVs, garage door openers, baby monitors, watches, appliances, and even light bulbs.

An Army of Robots

What might not be immediately obvious is that every one of these products is also a computer. While computer chips have found their way into all sorts of modern products, putting those computers on a network takes things to an entirely new level. Computers are hackable because they run software, and all software has bugs. But if that computer is not on a network, you have to be have physical access to hack it. Not so with IoT.  Cybersecurity professionals love to say that the “S” in “IoT” stands for security – meaning it has none – and it’s not far from the truth. Cost is a huge issue for most of these devices, and adding proper security adds a lot of cost – both in development and testing, but also hardware cost (faster CPUs, more memory, etc).

So what do you get with a massive influx of insecure computers on the Internet? A hacker’s dream come true. The security flaws in these products are widely known by the hacking community. Also, most of these devices have a special web page where you can configure them. And while most are protected with a user ID and password, these credentials are almost always set to default values, which are also well known. It’s trivial to write malware to exploit these weaknesses and gain control of these IoT devices. And when you have an army of devices you can control from anywhere on the Internet, you have what we call a botnet (shorthand for a ‘network of robots’). Hackers use these innocent-looking devices to do their bidding. One of the more common uses is to direct an unsurmountable wave of requests at some target web site to bring it to its knees – called a Distributed Denial of Service (DDoS) attack. That’s how the Mirai botnet took down a large portion of the Internet last Fall, and the Reaper botnet is poised to wreak similar havoc in the near future.

How Not to be Bot

So what are we to do? How do we keep our wonderful Internet of Things devices from being subverted and conscripted into a botnet? The primary thing we need to all do as consumers is to demand security for all our Internet-connected products. Do your homework, read the labels, compare products based on security and privacy features. Support regulatory or even voluntary initiatives to improve security and provide more transparency. We could really use some sort of Underwriters Laboratory for cyber security and privacy, providing independent analysis and a standardized product ratings. But until then, we need to do what we can on our own.

  • Change default passwords. If your device has any sort of administrative interface (probably a web page), change the default login password. Write it down or use a password manager.
  • Update the firmware. Not all IoT devices can be updated, which is a massive problem. But if your device has a way to update it’s firmware (which is what we call software that runs on these appliance-type devices), you must to keep it up to date. The admin web page should have a help/info link that will tell you how to check for updates and install them.
  • Register your devices. You should go ahead and register these devices online and get on the email lists. This is probably the most reliable way to get notified of bugs that need to be fixed. Yes, this will expose you to marketing crap. You can try to limit the spam by updating your ‘marketing preferences’ to only include security updates.
  • Dumb down your devices. If you don’t use the Internet features on your device, then don’t put it on the network at all. For example, most TVs today have an Internet connection because they come with built-in Netflix apps and such. But if you don’t use those features (for example, you use a FireTV, Apple TV or Roku), then you have no reason to plug into into your network or enable WiFi.
  • Unplug unused devices. If you have a device you no longer use (or trust), just get rid of it. Or if you use it only rarely, unplug it until you need it. For example, I have a web cam I use to watch my house when we travel. I only plug it in when we actually travel.
  • Quarantine your devices. Compromised devices on your network are basically beachheads for hackers within your home network. You can mitigate these risks by putting your IoT devices on your guest network. Don’t have a guest network? Most modern WiFi routers have this capability and it’s easy to set up. It’s a separate network for untrusted devices (including your guest’s devices, hence the name).
  • Restart your devices. Some of the malware that infects IoT devices can be cleansed just by powering the device off and back on. Unfortunately, unless you can update the software, it will still be vulnerable to re-attack.

As always, you can find these and over 100 more tips in my book. I also covered the topic of Internet of Things in a wonderful interview with John Graham-Cumming (CTO of Cloudflare) – check it out!

Privacy First: Apple Strikes Another Blow

Full disclosure: I’m an Apple user and have been for decades. But one of the reasons I’ve been such an ardent Apple fan is that I’ve always felt like they had my back. I’m not sure how much of this is altruistic – but you can argue that the actual reasons might be more compelling (if more cynical): it’s their business model. Apple is a hardware company. They make computers, phones, tablets, and other devices. The software that comes with those devices is almost entirely free and is used to increase the value of the hardware. Most people still think of Google as a search engine company. If you happen to know that Google makes the Android smartphone operating system, then you might think of them as a hardware and software maker, too. And they are. But Google makes about 90% of their revenue from advertising.

Why does that matter? Because this means that Google’s primary product is you. They want to know all about you (and I mean all about you) so they can sell highly-targeted ads. Google may be extremely keen to protect your privacy… from everyone but Google. While Apple certainly has access to your personal information, and they even have a small ad business, they appear to be taking great pains to avoid abusing their position, drawing a stark contrast with Google and others. They actually appear to care about protecting your privacy and see this as a key marketing differentiator.

Apple Fires Another Shot Across the Bow

Apple was the first browser-maker to block third-party cookies by default about 6 years ago, which caused a huge fuss. Google was even caught circumventing this and ended up paying a $22M fine (which is, of course, nothing to Google).

And now Apple is at it again: daring to protect its users’ privacy using a new technology called Intelligent Tracking Prevention (ITP). This feature, built into Apple’s Safari browser, adds some common sense limits on the scope of web tracking. The details are rather arcane (if you want to give it shot, try this article), but the upshot is that Apple is actually proactively trying to protect its users’ privacy without breaking the way the web works (at least not the parts that users care about). It’s not preventing you from seeing ads. It’s not even preventing you from being tracked. It’s just putting some strict time limits on how long you can be tracked, depending on the user’s apparent actual interest in the product or web site. Sounds reasonable, doesn’t it?

Let Me Get My Tiny Violin

Not to web advertisers. They’re collectively freaking out, calling it “sabotage”. But let’s just be clear here that people never asked to be tracked. Advertisers love to claim that their targeted ads are so amazingly beneficial that removing them is actually harming the people they’re tracking. From an open letter to Apple from several ad agencies:

Apple’s unilateral and heavy-handed approach is bad for consumer choice and bad for the ad-supported online content and services consumers love. Blocking cookies in this manner will drive a wedge between brands and their customers, and it will make advertising more generic and less timely and useful. Put simply, machine-driven cookie choices do not represent user choice; they represent browser-manufacturer choice.

There are several problems with this statement. First, ITP doesn’t block ads and it doesn’t even prevent tracking – it just puts a time limit on tracking. Second, making ads more generic just takes things back to the ways ads were before tracking (ie, less creepy) – which is how advertising worked for decades or even centuries. Finally, users rarely bother tweaking any settings – even if they know and understand how tracking works, many people simply can’t be motivated to change their default browser preferences. It’s the Tyranny of the Default. People don’t actively say “I want to be tracked! Where is the setting that allows that? I want to make sure it’s enabled!” But sadly they also don’t do anything to stop being tracked.

Time for a Change

So kudos to Apple for trying to strike a balance and sticking up for their users. But I’m honestly more pleased that this has once again raised the issue of privacy and tracking. Most people just aren’t aware of the degree to which they’re being tracked, nor have they probably considered the consequences for themselves and for society in general. It’s going on constantly, right under our noses, and the results have so far been kept largely secret. (If you want to get just a taste of what these marketers know about you, check out aboutthedata.com from Acxiom or My Account from Google).

We got here because people don’t want to pay for web content – which led us to the ad-based web. We can debate the ethics of ad-blocking, but we really just need a new revenue model for the web that doesn’t incur horrendous privacy issues (for example, the new Brave web browser and micropayments).

[NOTE: Check out this week’s podcast where I go more in-depth on how and why we’re tracked, and what you can do to protect your privacy.]

Terms of Service: What Did I Just Sign?

Somewhere along the line, corporations decided that they needed to tack licensing agreements (terms of service) onto just about every product produced. We’ve gotten to the point where we just ignore them and click “Agree” or rip off the little sticker that says something about “by removing this sticker you agree to…. ” blah, blah, blah. Too long; didn’t read (abbreviated “TL;DR”.) The lawyers who write these agreements know we don’t read them. You would not be blamed for believing that they intentionally make these agreements long and hard to read so that we don’t read them.

And yet, does it really matter? When was the last time you looked back and said to yourself “man, I wish I hadn’t clicked ‘Agree’…”. Probably never. That’s because in many cases you’re signing away something you’ll probably never notice: your right to privacy or your right to sue.

Informed Consent

The bottom line, though, is that in order to have a productive debate on these issues, we have to be informed consumers. For market forces to work, we have to be able to easily compare this product with that product, and that should include the legally binding agreements attached to these products and services. And on a deeper level, we also need to be informed citizens so that we can vote for representatives that promise to protect our rights.

To that end, let me introduce you to a cool new web site: ToS;DR (that’s short for “Terms of Service; Didn’t Read”). The site cuts through the lengthy, obfuscating language and summarizes the key elements of these Terms of Service and End User License Agreements. They even have a simple report card grading system to help you quickly assess a given service, though I would still read the individual ratings because each of us will care about different things. You can even help them to keep the ratings up to date.

A Cure for Your Apathy

If you still find yourself unconcerned, then I highly encourage each of you to watch the documentary called Terms and Conditions May Apply (which can be found on Netflix and Amazon Prime Video). You can find more privacy information and links on my Resources page.

Equifax Hack: Protecting Against Identity Theft

You’ve probably already heard about the massive data breach at Equifax, one of the three major US credit bureaus. The company says that up to 143 million people may be affected, which is almost half of the entire population of the United States. The stolen data may include names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In other words, just about everything you might need to commit identity theft. Equifax has a “potential impact” web site that will supposedly tell you if you were affected, but there have been mixed results in practice. If you were affected, it will send you to enroll in their TrustID credit monitoring service. And then tell you to come back in a few days to do it. They are frankly not handling this well, and the law suits are already coming.

Step One: Mitigating Identity Theft

So what should you do? I would go ahead and take the free monitoring service, when it becomes available. It can’t hurt (and shouldn’t prevent you from participating in a class action suit). But there are two other things you should consider strongly: either a credit freeze or a fraud alert.

A credit freeze will prevent any new requests for your credit history, which should stop anyone (including yourself) from getting a new credit card or opening a loan in your name. You will have to do this by contacting each of the three major bureaus (Equifax, Experian and TransUnion) and it will cost between $5-10 each. However, credit histories are used for many other purposes. So it might also interfere with applying for a new job, signing up for new service (e.g., phone, cable, utilities), or even the above-mentioned credit monitoring. You can always ‘thaw’ your credit and re-freeze it, but you will have to pay again.

The simpler option is a fraud alert, which is totally free but less effective. A fraud alert will simply require credit institutions to do a little more verification before allowing credit to be opened in your name. For example, they may call you if you have a phone number on file. Unlike the credit freeze, you only need to contact one of the three agencies and they are required to tell the other two. However, it only lasts for 90 days, though you can renew it as many times as you like. (If you can prove you have actually been a victim of identity theft, you can get a 7-year fraud alert.) I would do this immediately, and then after signing up for Equifax’s free monitoring service, you can consider implementing a full credit freeze.

Step Two: Basic Security Hygiene

Your next steps should be to beef up your general security – things you should already be doing, but things that become much more important in the wake of this horrific data breach.

  1. Use strong, unique passwords for your important accounts (financial, email and social media). Do not repeat passwords! To help with this, use a password manager like 1Password, LastPass, KeePass, etc.
  2. Set up and use two-factor authentication for these same accounts. This means you’ll have to enter a password and a one-time PIN code. (This is usually only for the first time you log in from an unknown location.) You can search for your service here and get quick links to help.
  3. Get your free annual credit reports from each credit bureau. I would recommend spreading them out – do one every four months, rotating through each of the three services. Set a repeating annual calendar reminder for each one, maybe Experian in January, Equifax in May and TransUnion in September.
  4. Keep a close eye on your credit card, bank and other financial statements for suspicious activity.

Stay tuned… I’m sure there will be more on this soon. My radio show and podcast will delve into this a bit further later this week.

UPDATE: This is another excellent article on credit freezes and fraud alerts.

UPDATE 2: Great article on the broader issues for democracy and privacy. The above is about you; this article is about everyone. The market is not able to fix these problems, it’s going to require legislation – and that means you need to be informed and lobby your  representatives.