It’s time to just ditch Adobe Flash. Here’s how.

Uninstall Flash Player

In my book, I made it clear that the Flash Player (that little browser plugin that you’re constantly having to update due to new security bugs) is one of the prime targets of hackers. In the last week, in the wake of the Hacking Team being hacked, there have been no fewer than 3 “zero day” flaws exposed in Flash (unfixed bugs that allow hackers to exploit your system).

So, it’s time to throw in the towel. It’s time to just remove Flash from your system. It’s not worth the risk. Most web sites have abandoned Flash, and after this latest security debacle, that trend is surely going to accelerate. Most web sites will work just fine without Flash – and if not, there are workarounds (see below).

Mac users see this article; Windows users see this article.


I personally prefer the Firefox web browser, but I use Chrome as a backup in certain cases – usually when my rather Draconian security settings on Firefox break some web site and I can’t figure out how to unbreak it. Chrome actually bundles Flash directly into the browser and goes out of its way to try to “sandbox” Flash (preventing it from reaching out into things it shouldn’t be touching). So the workaround is to use Chrome in those cases where you simply have to use Flash. That is, even if you uninstall Flash using the above directions, it will still be embedded into the Chrome browser, so you can still use it. NOTE: Chrome is not necessarily a safe way to use Flash, either, but it’s probably the safest option you have (short of using a virtual machine).


LastPass data breach

LastPass has notified its users that it experienced some “suspicious behavior” on their servers and they believe that “email addresses, password reminders, server per user salts, and authentication hashes were compromised”. They also made clear that “we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed”.

I encourage you to read the full blog post, along with the updates. They do a very good job of answering the burning questions, so I won’t repeat that all here. You can also get another view from this Sophos post and even deeper info from this Krebs On Security post, if you’re interested.

For those of you who are not cryptographers, when they say “server per user salts” and “authentication hashes”, what they’re talking about is the munged version of your master password that they save. It’s important to realize that they don’t store your actual master password – they save a unique, irreversible version of your password – because saving the actual password is horribly insecure. This is covered in my book, but basically you enter your password and it’s “salted” and “hashed” to arrive at some other, completely different and unique value. This is compared to the version that they salted and hashed before, and they should match. But the key is that given the salt (which is a fancy name for a random number) and the hash, you can’t work backwards to get the actual password. Okay, you can, but if you have a strong password, it would literally take years on a supercomputer. So if you change your master password anytime soon, you’re safe. The best they could do is figure out your old password, which no longer works (because you changed it).
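To make the salt-and-hash idea above concrete, here is an added example (not LastPass’s actual scheme and not code from this post). It assumes a server that keeps a random per-user salt plus a PBKDF2-HMAC-SHA256 authentication hash, and it walks through the two points made above: the same password gives different hashes for different users, and once the password is changed the stolen salt and hash no longer unlock the account.

```python
import hashlib
import hmac
import os

# Assumed parameters for the demo (not LastPass's real values): PBKDF2-HMAC-SHA256
# with a modest iteration count so the example runs quickly.
KDF_ITERATIONS = 100_000
SALT_BYTES = 16


def derive_auth_hash(password: str, salt: bytes) -> bytes:
    """Salt and hash a password; the server stores only this result, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def enroll(store: dict, user: str, password: str) -> None:
    """Create or replace a user's record with a fresh random salt and the matching hash."""
    salt = os.urandom(SALT_BYTES)  # per-user salt, generated server-side
    store[user] = {"salt": salt, "auth_hash": derive_auth_hash(password, salt)}


def verify(store: dict, user: str, password: str) -> bool:
    """Re-derive the hash with the stored salt and compare it in constant time."""
    record = store.get(user)
    if record is None:
        return False
    candidate = derive_auth_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["auth_hash"])


def demo() -> dict:
    """Walk through the scenario from the post; each check is returned as a boolean."""
    store = {}  # constructed in-memory "server database": user -> {salt, auth_hash}
    enroll(store, "alice", "correct horse battery staple")
    enroll(store, "bob", "correct horse battery staple")  # same password, different user
    results = {
        "login_ok": verify(store, "alice", "correct horse battery staple"),
        "wrong_pw_rejected": not verify(store, "alice", "correct horse battery stapl"),
        # Per-user salts mean identical passwords do not produce identical hashes,
        # so a leaked table cannot be attacked with one precomputed lookup.
        "same_pw_differs": store["alice"]["auth_hash"] != store["bob"]["auth_hash"],
    }
    # Simulate the breach: the attacker walks off with alice's old salt and hash.
    stolen_salt = store["alice"]["salt"]
    stolen_hash = store["alice"]["auth_hash"]
    # Alice changes her master password; the server generates a new salt and hash.
    enroll(store, "alice", "new master passphrase 2015")
    # The stolen pair still matches the OLD password, but that password no longer works.
    results["old_hash_useless"] = (
        hmac.compare_digest(derive_auth_hash("correct horse battery staple", stolen_salt), stolen_hash)
        and not verify(store, "alice", "correct horse battery staple")
    )
    return results
```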

This is why it’s absolutely crucial that you have unique, strong passwords for everything. If you reused your LastPass master password on any other site (which you should never do), then you need to change the password there, too. The whole point of using a password manager is to generate ridiculously strong and completely unique passwords for everything – you don’t have to remember them, so why not? The only password you need to know is your master password. If you need help with this, you can watch my short YouTube video on how to choose a good master password.

So what do we take away from this? First of all, we should just all assume that this is going to happen repeatedly. Every one of these sites is a prime target for hackers, and they will eventually get in and steal passwords (hopefully salted and hashed). If you have a strong, unique password for every site, then it will take the bad guys a long time to crack it. And if and when they do, it won’t give them access to any other account – because you have different passwords for every site.

The other thing this underscores is the importance and utility of two-factor authentication. If someone steals and cracks your password, they’re still screwed – because they don’t have the second factor. This gives you time to change the password once the breach is announced. Unfortunately, not all sites have two-factor authentication yet, but incidents like this are prompting many sites and services to adopt it. When they do, sign up.

And finally, it proves once again that passwords suck. But it’s still the best option we have today. Various efforts are under way to come up with new authentication schemes, but beware of anything that uses biometrics (that is, “something you are”). Biometrics are really more like a user name than a password. You don’t want your password to be something you can’t change, from a privacy perspective if nothing else. The most interesting technology I’ve seen so far is called SQRL (pronounced “squirrel”), which has the advantage of never needing to store your credentials on a web server somewhere – that is, there’s nothing for hackers to steal.

Many people will now be asking: should I abandon LastPass? In short, I would say no. LastPass appears to have done everything right here, and I still think it’s the best option out there for most people. There are other password managers that don’t store your password database in “the cloud”. This means that if you want to access your passwords from multiple devices and places, it’s up to you to copy and/or synchronize the password database yourself (using something like DropBox or iCloud Drive). I find that to be too cumbersome for most people, but it’s doable. If you would like to look at this option, check out 1Password. It’s more expensive, but it’s probably the best alternative to LastPass that doesn’t have your password database stored on the provider’s servers.

The more incidents like this that we have, the more attention the topic will receive and the more people will realize that they need to take charge of their own security.

Book review: Data and Goliath (Bruce Schneier)

I finally got around to finishing Bruce Schneier’s latest bestseller: Data and Goliath. I’ve read a few of Bruce’s books over the years (and own most of the rest, waiting patiently to be read). I’ve watched Bruce on many TV news segments, lectures, interviews, and web videos. I follow his blog and Twitter posts. I’ve even had the pleasure of emailing him from time to time. Some day I’d love to meet the guy. So… what I’m trying to say here is: fair warning, I’m a bit of a Bruce Schneier fan boy.

However, I feel this is completely justified. I tend to have the most respect for the even-keeled, professorial types – the ones who are passionate about what they do and highly knowledgeable about their field, but at the end of the day are most concerned with getting it right and avoiding hyperbole. That’s a small camp of people, but Bruce is definitely in it.

Bruce’s latest book is at once timely and timeless. The topics of computer security and online privacy are obviously hot right now in the wake of the Snowden revelations, but Bruce makes it clear that this stuff has been going on for a very long time now and will only get more important in the coming decades. I think Bruce was moved to write this book much as I was to write mine – people need to understand what’s going on here, but the fact of the matter is that they just don’t. At the end of the day, it’s up to us to demand change. Left to their own devices, corporations and governments will not cede the power that comes from massive data collection and mass surveillance.

Data and Goliath is remarkably comprehensive and well researched. Bruce draws on many sources – not just the Snowden documents (to which I believe he has had full access, at least for a time) but also from many insiders and security researchers, in addition to decades of experience.

In the first section, Bruce explains how we got where we are and what’s really going on. It was staggering to see it exhaustively cataloged. The enormity of the problem we face and the depth to which surveillance has already permeated our society is truly alarming. Even though I was aware of most of these things at one time or another, even I found myself shaking my head while reading this litany. One of the key take-aways from this section is how all of this data is used in concert to create a shockingly complete picture of each person’s life – not just digital life, but real life. Correlating all of these data streams results in something quite a bit larger than just the sum of its parts – which is something that I feel is lost on most people, but crucial to understand.

Bruce explores the harm that is already being done by this mass surveillance and data collection, and explores the very real future dangers in the second section of the book. Again, this is something that I believe everyday people just aren’t grasping. Too many people blow it all off thinking they have nothing to hide, so who cares? Everyone should care. I can’t do it justice in a paragraph – you’d think I was just being paranoid and blowing it out of proportion. Bruce walks you through why this all matters, with real-life examples, and clearly explains the deep impacts it is already having on our democracies.

Finally, Bruce wraps up the book with a wide range of things that we can and should be doing. What I love about Bruce’s approach is that it’s not all-or-nothing. Surveillance and espionage and even mass data collection all have their place in a civil society. Where many people get it wrong, I think, is to go to one extreme or the other. There is absolutely a sane, practical, and healthy middle ground to be found here. Targeted surveillance, when governed by transparent laws and reviewed by impartial third parties, makes perfect sense and has a place in democratic society. Collecting mass quantities of anonymous data can provide huge benefits for everyone – from medical research to traffic avoidance. It’s not always what we’re doing, it’s how we’re doing it. Still, Bruce comes down solidly on the side of an individual’s right to privacy and that computer security is essential for everyone. He just points out, very clearly, that that stance does not interfere with protecting ourselves from criminals and terrorists. That’s a false choice.

This book does not go into any detail, really, on how to protect yourself at a personal level – he even says that that would take an entire book (like, oh, say, I don’t know… MY book). It does, however, explore many legal frameworks and “bill of rights” type proposals that are already on the table from around the world. Bruce also makes many solid and well-crafted proposals for approaching these problems – while many are politically difficult, they’re eminently rational and workable.

At the end of the day, though, it’s really up to us, as a people, to decide that we value our privacy and demand action – not just for ourselves, but truly for our society as a whole. The first step is to get educated… and if you had to pick just one book to read, Data and Goliath would be an excellent choice.

Book review: No Place To Hide by Glenn Greenwald

I finally finished reading “No Place To Hide: Edward Snowden, the NSA, and the U.S. Surveillance State” by Glenn Greenwald. Glenn, a respected and fiercely independent journalist, and CITIZENFOUR documentarian Laura Poitras (winner of an Oscar this year) were the two people Ed Snowden sought out to handle the release of the documents he took from the NSA, detailing the massive surveillance regime of both the United States (NSA) and Britain (GCHQ).

This book has four distinct stories to tell. The first two chapters detail how Ed was able to contact Glenn and Laura and manage to convince them that he was for real, and then the harrowing tale of how they met him in China and walked away with tons of classified documents that detailed the vast array of surveillance tools and programs used by the NSA and GCHQ. These two chapters read like a spy novel – a real page-turner. And yet, they’re just the setup for the real meat of the book. (I can’t wait to see CITIZENFOUR.)

The next three chapters cover three very distinct aspects of the situation. The third chapter, aptly named “Collect It All”, goes into detail on the surveillance techniques and processes, outlining the astounding depth and breadth of what these agencies are capturing. You’ve read a little of this in the mainstream press, but until you see these details laid out, you just can’t appreciate what’s really been going on. I actually found this chapter to be a little too heavy on the details – at times it was a little dry – but frankly there’s just no other way to convey the enormity of these surveillance programs.

The fourth chapter, called “The Harm of Surveillance”, does a fantastic job of explaining why constant, clandestine scrutiny and observation have such a profoundly adverse effect on the human psyche and democracy in general. This chapter methodically debunks the classic rebuttals to the worry over Big Brother such as “I’m not doing anything wrong so I have nothing to hide” or “if they want to listen to my boring life, then they’re welcome”, including some poignant references from U.S. history. It explains how the constant threat of being watched and overheard has a chilling effect not only on dissidents and adversarial journalists, but also on everyday citizens (the concept of the Panopticon that I covered in my book, as well). I think this may well be the most important chapter of the book for the average reader – to understand clearly why it’s actually counterproductive to trade privacy for “security” – in fact, it’s a false choice. These programs are a two-way mirror, allowing those in power to see everything that the governed are doing while blocking the governed from seeing what their elected representatives are up to. (You can also see a great TED talk from Glenn on this topic, but it doesn’t diminish the value of reading this chapter.)

The final chapter, “The Fourth Estate”, comes off as a bit of a rant against many modern journalists and their organizations, often by name. This is understandable given the harsh treatment Glenn and his partner have received from many of his “colleagues” and the governments of the United States and Britain. However, he’s absolutely right in calling out the failings of U.S. political journalism and how cozy mainstream journalists, editors, pundits and producers have become with the people and institutions they are claiming to be holding accountable. If I were in his position, I would have a very hard time not taking it all personally… well, because a lot of it has been very personal. But the important takeaway is not how Glenn in particular was treated, but how the media have abdicated their solemn duty to be a check on these powers, to be adversarial when necessary, to stand up for truth and justice, to challenge authority and power, to see the bigger picture and put things in proper historical context.

Bottom line: I heartily recommend this book for everyone. I wish some of the personal aspects would have been saved for a second book because it can be too easy to view his analysis as sour grapes. I happen to agree that he, his partner, Laura and Ed are being wrongly persecuted and maligned – but addressing these grievances in the book taints the more general arguments he makes. But look past that – just because he’s pissed off doesn’t make him wrong – he’s not wrong. This is an important book and essential reading for anyone who believes in true democracy (and the 1st and 4th amendments to the U.S. Constitution).

truly secure mobile communication (for free)

It’s been almost two years now and the bombshells from the Snowden leaks are still falling. If we didn’t believe it before, we must all now acknowledge that we simply cannot trust that our regular mobile communications are secure – that includes phone calls as well as text messaging. While I believe in my heart that companies like Apple are trying to minimize illicit access to these communications, their system and their software are closed and proprietary – and therefore, we can never be truly sure.

The only solution to this is 100% transparency: the software must be open for inspection and auditing. It’s the only way we can know what’s going on behind the scenes.

And thankfully, Open Whisper Systems has come to the rescue! Over the past few years, they have developed some fantastic apps for truly secure phone calls and text messaging – all completely open source. Co-founded by security researcher Moxie Marlinspike, these tools are the real deal – praised by both Edward Snowden and the EFF.

Originally developed as two separate tools for Android called RedPhone and TextSecure, they have since been combined into a new app called Signal for iPhone/iPad. (The Android apps will eventually be consolidated under the same name.) These apps will allow you to make truly secure phone calls and send text messages that simply cannot be cracked – anywhere around the world, for free. It doesn’t get much better than that. You use your existing phone number to register, making it easy to add your friends and family as contacts.

You can read all about how to install and set up these apps here:

Here’s the important part: we should ALL immediately download, install, and use these apps. And we need to encourage everyone we know to do the same. The only way this works is if everyone does it. And I mean everyone. Your mom. Your neighbor. Your kids. Your friends. Everyone. It’s not about having something to hide. You’re a human and privacy is a human right. When we’re being watched, we act differently (see this TED talk if you’re skeptical). The only way we can fight back against dragnet surveillance and avoid the Panopticon is to “go dark” – all of us. If you need more convincing, check out this wonderful essay by Bruce Schneier.

I’ll give you one more reason to download and use these apps: you will be registering your concern for privacy and showing support for groups that are taking steps to preserve this most basic of human rights.

Strong Encryption is Essential for All

(I was going to add this to the book at the last minute, but decided to make it a blog post instead.)

Some politicians and many top people in the intelligence community are railing against the enhanced security measures coming into the mainstream as a result of the Edward Snowden bombshells. They say that communications are “going dark”, preventing the “good guys” from finding the “bad guys”. For example, the director of the FBI has proclaimed that by encrypting the contents of their iPhone, Apple is allowing its customers to place themselves “above the law” – the implication being that you have no right to privacy, at least not where law enforcement is concerned. Basically, the law enforcement and intelligence agencies would like privileged access to all encryption – a “back door”. They feel that their need to snoop on everyone in hopes of ferreting out the few bad guys trumps any individual’s privacy. They claim that there are checks and balances in place, and that these back doors will not be abused. Though we, as ordinary citizens without security clearances, will have no way to audit them, it’s okay because they will audit themselves.

What you may not know is that this battle has been raging for decades. During the Cold War, strong encryption was classified as a “munition” and was highly restricted – though at the time, encryption was really only used by the military, so no one really noticed. Later, as financial institutions and big businesses began to need strong encryption for their digital data and transactions, the government began to issue licenses for using this technology on a case-by-case basis. However, with the advent of the personal computer and electronic commerce in the 1990s, it became clear that everyone needed access to this essential technology. This cause was championed by a group of people who called themselves “cypherpunks” and is documented in the book “Crypto”, by Steven Levy. In the end, they convinced the US government that access to strong encryption was essential, and the restrictions were lifted.

At the time, it was viewed as a major victory. However, in the background, the intelligence agencies simply changed tactics – instead of trying to restrict the use and export of strong encryption, they decided to actively try to undermine and weaken the technology – allowing them to break it. This was revealed by Edward Snowden in a huge pile of documents that he turned over to reporters in early 2013.

The intelligence and law enforcement communities believe that somehow they can create a back door that only they can enter. But the truth is that if you weaken something, then anyone can exploit that weakness, and that puts us all at risk. It would be like forcing lock makers to design locks that can easily be picked using a supposedly secret technique. There’s just no way to guarantee that that technique will not be discovered and exploited by someone else, particularly if it becomes known (or even suspected) that such a technique exists.

We can and should debate where the line should be drawn between the need for privacy in a democracy and the need for special, highly restricted access by law enforcement. But deliberately hobbling encryption technology is not the answer and puts everyone at risk.