Best and Worst Tech Gifts for 2017

The holiday season is upon us, and that means people will be scrambling to find the best presents for their friends, family and loved ones. Geeky gadgets are always popular, but not just for the recipients! The Internet of Things (IoT) has been a major boon for hackers and marketers, as well. So let me help you identify the best and worst tech gifts for this season…

Worst Gift: DNA Analysis Kit

DNA analysis kits have gotten very popular: send away a little swab of your mouth and get back a detailed analysis of your heritage. Some tests even claim to provide you with health information. I’m not here to judge those aspects, however (for that, you can check this article). I’m here to explain why these services could present a privacy nightmare. First of all, there may be relatives out there that you don’t want to know about – or have them know about you. I’ve personally heard a horror story about a paternity secret that was kept for decades – and would have remained a secret had this test not been run. (The analysis kit was given as a gift, by the way).

But beyond that, you also have to realize how much deeply personal information is contained in your DNA – and we’ve seen how even the most secure organizations have failed to keep their secrets safe. It’s well worth noting that the privacy policies for companies like Ancestry.com and 23andme.com are pretty creepy. We’re just beginning to discover how to read our gene sequences, and these services can continue to analyze that data forever. The privacy policies seem to allow them to share your data with others, as well. Even if they claim to share your data anonymously, it’s your DNA… it is you. I wouldn’t count on it remaining anonymous. Maybe someday these companies will manage to offer a truly secure and private service, but right now I would take a pass on this.

Don’t Skimp on IoT Devices

The Internet of Things is the new frontier of techie gadgets – taking something that used to just sit there and happily do its job, and connecting it to the Internet so your smartphone can talk to it from anywhere on the planet. Thermostats, light bulbs, refrigerators, outlet switches, web cams, even toasters. Unfortunately, these devices (like most tech devices) need to be as cheap as possible. And one of the easiest places to save some money is on security. Most consumers are clueless, so why bother? My main advice here is to avoid no-name brands or super-cheap products from overseas. Bigger, established companies with reputations to protect are more likely to go the extra mile on security. If they screw up (and every company will at some point), established brands selling more expensive products are more likely to fix or replace them.

Avoid Antivirus Subscription Services

If you’re giving someone a computer, I would not bother to buy them a subscription to an antivirus service. I wrote about it extensively here, but in summary, these products tend to be overly aggressive and can actually do more harm than good. Windows computers come with Defender, which is free and plenty good for most people. For Macs, try the free home versions from Sophos or Avira. But your best protection is just safe surfing habits.

Protecting Your Network

The main gate to your home network castle is your WiFi router. Many Internet Service Providers (ISPs) now provide you with a combination modem and WiFi router, but I would forgo their box and buy your own. Buy a brand-name router like D-Link, TP-Link, Netgear or ASUS. I’m not saying these brands are 100% secure – nothing is 100% secure – but they’re likely to fix their bugs in a timely manner. Be sure to register your device so that you will get emails when critical fixes are available. Here are some quick tips to make sure your WiFi router is secured:

  • Set a password for WiFi access – this means turning on WPA2 encryption. Make sure the password is not easy to guess. Write it down somewhere safe.
  • Enable the guest network. All modern routers should offer this option. It lets you keep your home computers, tablets and smartphones separate from less secure devices. Put your IoT devices on the guest network and have all your visitors use this network, as well (their devices could be infected without their knowledge).
  • Change the router’s admin password! It comes with a default password that is well known.
  • Set your router’s DNS to use Quad9 (see this article for more info).

This article has several other tips for locking down your IoT devices, including your router.

Protect Your Precious Data with Redundancy

Everyone should be backing up their files – certainly anything they can’t replace like family photos, home videos, historical documents, etc. For these special digital files, we should all be following the 3-2-1 rule: three copies of every file – the original plus two backups, one of which should be offsite. So ideally, you would have a cloud backup service and a little USB external hard drive for local backups. I personally like Backblaze for most people – it’s dead simple to use and the cost is very reasonable.
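The part of the 3-2-1 rule that people skip is checking that the copies are actually good: a backup that silently lost a file, or whose copy of a file no longer matches the original, only counts as a copy until the day you need it. The following script is an added example (not from the page, the author or Backblaze) that hashes every file under the original folder and under each backup folder, then reports files that are missing from a copy, differ from the original, or fall short of three good copies. The folder names and the sample "photo" bytes in the demo are constructed for illustration.

```python
"""Verify the 3-2-1 rule: every file present in at least three byte-identical
copies (the original plus two backups).  Added example, not the page's code."""
import hashlib
import os
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def compare_manifests(original: Dict[str, str],
                      backups: Dict[str, Dict[str, str]],
                      required_copies: int = 3) -> Dict[str, List[str]]:
    """Return the files that fall short of the rule.

    Keys are file paths; values list the problems found, e.g. "missing from usb"
    or "corrupt in cloud" (contents differ from the original).  Files with
    `required_copies` good copies, original included, are not reported.
    """
    problems: Dict[str, List[str]] = {}
    for path, digest in original.items():
        issues: List[str] = []
        good_copies = 1  # the original itself
        for label, manifest in backups.items():
            if path not in manifest:
                issues.append(f"missing from {label}")
            elif manifest[path] != digest:
                issues.append(f"corrupt in {label}")
            else:
                good_copies += 1
        if good_copies < required_copies:
            issues.append(f"{good_copies} of {required_copies} good copies")
        if issues:
            problems[path] = issues
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed sample: an original and two backups, one with a damaged copy.
    with tempfile.TemporaryDirectory() as tmp:
        dirs = {n: os.path.join(tmp, n) for n in ("original", "usb", "cloud")}
        for d in dirs.values():
            os.makedirs(d)
            with open(os.path.join(d, "photo.jpg"), "wb") as fh:
                fh.write(b"\xff\xd8 pretend jpeg bytes")
        with open(os.path.join(dirs["usb"], "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8 pretend jpeg byteZ")  # one byte flipped on the USB copy
        report = compare_manifests(
            build_manifest(dirs["original"]),
            {"usb": build_manifest(dirs["usb"]), "cloud": build_manifest(dirs["cloud"])})
        print(report or "every file has three good copies")
```

Run it against your real folders by calling `compare_manifests(build_manifest(original_dir), {"usb": build_manifest(usb_dir), "cloud": build_manifest(cloud_dir)})`; anything it prints is a file you currently could not restore from that copy.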

Power in the Darkness

I would recommend that everyone with a desktop computer have it hooked up to a good Uninterruptible Power Supply, or UPS. This is basically a big battery that will keep your computer running for a short time when you lose power. It’s not really about being able to use the computer when the lights are out, it’s about giving your computer time to shut down gracefully. Yanking the power from a running computer is really harsh and it could even corrupt your hard drive. Make sure to also connect your computer to the UPS via the included USB cable. This allows the UPS to tell your computer “hey, power is going away soon, shut down now!”

It’s also very handy to have for your Internet modem and WiFi router – allowing you to use the Internet even when the power is off (using battery-operated devices like smartphones, tablets and laptops). You can find some great recommendations on UPSes here.

Give the Gift of Privacy

Our level of privacy is quickly eroding, and much of this is done willingly these days by using “free” web services that support themselves by capturing and selling your personal info. Besides choosing the best web browser and plugins, there are two services everyone should strongly consider using: end-to-end encrypted email and a virtual private network.

Truly Private Email

Most of us use one of the prominent free email services. And why not? The service is excellent and it costs nothing… except your privacy. Google is not giving away Gmail altruistically. They’re collecting vast amounts of information on you and using that info to target you with advertising. What could I find out about you by scanning all your emails? Probably quite a bit. And even if they say they will never abuse your data, that doesn’t mean hackers won’t just steal it. If you’re ready to put a stop to this rampant data mining, then you’re going to have to pony up and pay for your email. There are several secure email services out there now, including Tutanota, Hushmail, Mailfence, and others – but I personally like ProtonMail. It’s easy to use, reasonably priced and they’re expanding their services all the time. You can try their free tier first to see if you like it.

Blinders for Prying Eyes

Virtual Private Networks allow you to shield your Internet traffic from prying eyes – whether it be everyone else in the coffee shop or airport, or your Internet Service Provider (who now has no restrictions on snarfing up your data for profit). Choosing a VPN service can be tricky, however. I would avoid free services and find a reputable, long-lived company that focuses on privacy. TunnelBear is a great choice for most people, but ProtonMail now includes a VPN service that you can use if you pay for their email already. EncryptMe and VyprVPN are also good.

Give the Gift of Knowledge

Last but certainly not least, I personally like to read books when I want to learn about something. Forewarned is forearmed! Here are some great stocking stuffer ideas:

  • Data and Goliath by Bruce Schneier. Bruce is a world-renowned security expert, but he’s also a very good writer. This book does a very good job at explaining why data privacy is so important and how our corporations and governments are holding way too much power over us. (Full review here.)
  • Little Brother by Cory Doctorow. This book is short and entertaining fiction, but it’s also a treatise on the importance of security and privacy in the digital age. This book is even free, if you want to download the PDF.
  • Firewalls Don’t Stop Dragons by me! The entire purpose of my book is to help people protect themselves. The book covers all the tips above, and over 100 other tips, complete with easy step-by-step instructions and pictures, covering Mac, PC, iOS and Android.  If you’re giving someone a new computer, tablet or smartphone, it’s a great companion gift.


Fixing the Apple Root Bug (Permanently)

It’s been a pretty bad week for Apple software, both for their macOS computer software and their iOS smartphone and tablet software. But today I’m going to focus on a truly horrendous software bug that somehow slipped through Apple’s normally stellar quality control process. This one screw-up could allow someone to quickly and easily take over your Macintosh computer – potentially even remotely. It’s like leaving the master key to a building on the front doormat. Not under the doormat, mind you – on top of it, with a label saying “master key”. So without further ado, let me tell you how to fix the Apple root bug, for good.

What is the Apple Root Bug?

Apple’s macOS software – the operating system for its Macintosh computers – is based on the Unix operating system. Unix and its various Linux variants all come with a standard administrator account called “root”. This account can do absolutely anything. It has the highest possible level of permissions and privileges – it’s the “superuser”. This account is extremely powerful and Apple normally disables this by default.

But a recent update to Apple’s latest OS (High Sierra, or 10.13) somehow allowed access to this superuser account with no password whatsoever. That’s right. You could successfully log into a Mac with user ID “root” and leave the password field empty. There was basically zero security on the most powerful user account on the system. In most cases, this would require physical access to an unlocked Mac, but if you have remote access enabled, someone could log in remotely as well. That’s about as bad as it gets, folks.

It’s Fixed. No Wait, It’s Broken Again.

To Apple’s credit, they released an emergency fix for this bug within about 24 hours (Security Update 2017-001). If you had your auto-update enabled, this fix was even installed for you. That’s great. All software companies will have bugs from time to time, so what really counts is how they respond. Apple responded quickly with a fix. Yay!

This fix was obviously rushed out because, in addition to fixing the root bug, it broke Apple’s file sharing feature. While that’s bad, it’s still a good trade-off. But it gets worse. A day or two later, Apple released a new full update to macOS (10.13.1) that reintroduced the same root bug! I’ve seen some reports that say if you just reboot your Mac, the root bug will be fixed again… but that’s silly. There’s a real fix that will be permanent…

Fixing the Root Bug Permanently

The underlying issue here is that the root account apparently has no password or somehow a fail-safe mechanism was broken that allowed failed logins to succeed… I’m not sure. But if you just explicitly set the root user’s password, the problem goes away. So how do you do that?

First of all, be sure that a) you generate a strong password for this account and b) you store this password away somewhere. It’s okay to write this on a piece of paper, as long as you put that paper somewhere safe. (Consider using a password manager to both generate and store the password.)

You can set the root password in at least two ways. The official way, according to Apple, is to do the following (using the instructions here):

  1. Enable the root account
  2. Change the root account password
  3. Disable the root account

However, I find that too cumbersome. There’s a simpler way and it feels a lot cooler: use the Terminal application.

  1. Launch the Terminal application from your Applications > Utilities folder. You will get a text-based window with a little “$” prompt.
  2. In the terminal, you will need to switch to “superuser”. Type “sudo su” and hit Return. Then enter the password for your current account (you have one, right?):
    • $ sudo su
    • Password: (your password)
  3. Now you should be logged in under the root account, and you’ll have a new prompt. To change the root password, type “passwd” and enter the new password (twice).
    • # passwd
    • Changing password for root.
    • New password: (enter something you’ll remember)
    • Retype new: (type it again)

This should fix the problem once and for all. Again, make sure you keep that password somewhere safe!

Evading Malware with Quad9

Evading malware can be difficult these days. The bad guys are very clever and surfing the Internet involves several complicated technologies. Software is rife with bugs and traps are ready and waiting for any slip-up you might make. I posted a detailed article on choosing the most secure web browser setup recently that you should have a look at, but today I’m going to talk about something much simpler and more fundamental: choosing your Domain Name Service, or DNS.

Brief Overview of Internet Routing

Whenever you type in a web address like “google.com” or “amazon.com”, you are giving your web browser a domain name. Domain names are easy for humans to remember, but the Internet actually routes traffic based on IP addresses. So the very first thing your web browser does is convert that domain name to an IP address using a Domain Name Service. Your DNS provider is usually just given to you by your Internet Service Provider (ISP) like Comcast, Spectrum, or Verizon. Though you can choose whatever service you want, most people never change the default.

Enter Quad9

A new DNS provider called Quad9 has been created by a consortium of concerned companies, including law enforcement, in an effort to stem the tide of malware and botnets. This non-profit organization was founded not only to enhance security but also to protect privacy. (There’s still a long way to go before it’s totally private, though). Quad9 will actively block your web browser, your apps, and even Internet-connected devices from talking to known-bad servers, using a list that is updated multiple times per day. This can save you from phishing sites, malvertising, and botnet control servers. It’s important to note that this service will not perform any other filtering. That is, it’s specifically avoiding censorship issues and focusing solely on evading malware.

Evading Malware using DNS

To use the Quad9 service, you just need to change a simple setting on your computer, and the Quad9 web site has two videos to help you do it (one for Mac, one for Windows). If you want to kick it up a notch, you can set the DNS service right on your home’s router to use 9.9.9.9 (four 9’s, or “quad” 9). Most devices defer to the router’s choice of DNS provider by default, so this effectively changes the setting for every device on your home network in one fell swoop.
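To make the lookup step described above concrete, here is an added example (not code from the page, the author or Quad9) that builds the DNS query your computer sends for a name like “example.com”, decodes the reply, and shows the two outcomes a resolver can give: an IP address, or a “no such name” answer. The reply bytes are constructed in the script so it runs offline; the 192.0.2.1 address is a documentation address, not a real server, and the idea that a blocking resolver refuses a bad name with NXDOMAIN is this example’s assumption, not a statement from the page. The `lookup` function sends a real query to 9.9.9.9 if you want to try it online.

```python
"""Build a DNS query and decode the reply, so the name-to-address step that
precedes every web request is visible.  Added example; replies are constructed
here, not captured from Quad9 or any other resolver."""
import socket
import struct
from typing import List, Optional, Tuple

QUAD9 = "9.9.9.9"  # the resolver the page recommends


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query for the A record of `name`."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end = None  # where to resume once a compression pointer has been followed
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (rcode, [(name, ipv4)]) for the A records in a DNS reply.
    rcode 0 means success; 3 is NXDOMAIN, "no such name"."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):       # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                   # QTYPE + QCLASS
    answers: List[Tuple[str, str]] = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.append((name, socket.inet_ntoa(rdata)))
    return rcode, answers


def make_reply(query: bytes, ip: Optional[str] = None) -> bytes:
    """Constructed reply for offline demonstration: one A record when `ip` is
    given, otherwise NXDOMAIN (assumed here to be how a blocking resolver
    refuses a known-bad name; the page does not say)."""
    txid, question = query[:2], query[12:]
    if ip is None:
        return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer


def lookup(name: str, server: str = QUAD9, timeout: float = 3.0):
    """Real lookup over UDP port 53 (needs network; not used by the demo)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(512)
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    return parse_response(reply)


if __name__ == "__main__":
    q = build_query("example.com")
    print("resolved:", parse_response(make_reply(q, "192.0.2.1")))
    print("blocked: ", parse_response(make_reply(build_query("bad.example"))))
    # Live check against Quad9 (network required): print(lookup("example.com"))
```

The transaction-ID check in `lookup` is the one piece of validation a plain UDP client has: a reply whose ID does not match the query is discarded rather than trusted.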

Locking Down the Internet of Things (IoT)

With all the news of the Reaper malware that’s infecting Russia and Ukraine, and reminders of the disaster of last year’s Mirai botnet, it’s a good time to review basic home network hygiene and best practices for securing the Internet of Things (IoT).

What is the Internet of Things (IoT)?

The Internet of Things, or IoT, is a hot marketing buzzword these days, but what does it really mean? Internet of Things refers to the recent phenomenon of connecting regular, everyday “dumb” devices to the Internet in order to enable cool new features. One of the most popular examples is the Nest Thermostat. Nest (who was bought by Google for $3.2B) created a ‘smart’ replacement for the dreary household HVAC thermostat. Not only was it beautiful and easy to use, it had built-in WiFi and could communicate with Nest’s Internet service. With the help of a smartphone app, Nest owners could monitor and even control the temperature of their homes from anywhere on the planet. Over the last few years, billions of devices have joined the Internet of Things: TVs, garage door openers, baby monitors, watches, appliances, and even light bulbs.

An Army of Robots

What might not be immediately obvious is that every one of these products is also a computer. While computer chips have found their way into all sorts of modern products, putting those computers on a network takes things to an entirely new level. Computers are hackable because they run software, and all software has bugs. But if that computer is not on a network, you have to have physical access to hack it. Not so with IoT. Cybersecurity professionals love to say that the “S” in “IoT” stands for security – meaning it has none – and it’s not far from the truth. Cost is a huge issue for most of these devices, and adding proper security adds a lot of cost – both in development and testing, and in hardware (faster CPUs, more memory, etc).

So what do you get with a massive influx of insecure computers on the Internet? A hacker’s dream come true. The security flaws in these products are widely known by the hacking community. Also, most of these devices have a special web page where you can configure them. And while most are protected with a user ID and password, these credentials are almost always set to default values, which are also well known. It’s trivial to write malware to exploit these weaknesses and gain control of these IoT devices. And when you have an army of devices you can control from anywhere on the Internet, you have what we call a botnet (shorthand for a ‘network of robots’). Hackers use these innocent-looking devices to do their bidding. One of the more common uses is to direct an insurmountable wave of requests at some target web site to bring it to its knees – called a Distributed Denial of Service (DDoS) attack. That’s how the Mirai botnet took down a large portion of the Internet last fall, and the Reaper botnet is poised to wreak similar havoc in the near future.

How Not to Be a Bot

So what are we to do? How do we keep our wonderful Internet of Things devices from being subverted and conscripted into a botnet? The primary thing we all need to do as consumers is to demand security for all our Internet-connected products. Do your homework, read the labels, compare products based on security and privacy features. Support regulatory or even voluntary initiatives to improve security and provide more transparency. We could really use some sort of Underwriters Laboratories for cyber security and privacy, providing independent analysis and standardized product ratings. But until then, we need to do what we can on our own.

  • Change default passwords. If your device has any sort of administrative interface (probably a web page), change the default login password. Write it down or use a password manager.
  • Update the firmware. Not all IoT devices can be updated, which is a massive problem. But if your device has a way to update its firmware (which is what we call software that runs on these appliance-type devices), you must keep it up to date. The admin web page should have a help/info link that will tell you how to check for updates and install them.
  • Register your devices. You should go ahead and register these devices online and get on the email lists. This is probably the most reliable way to get notified of bugs that need to be fixed. Yes, this will expose you to marketing crap. You can try to limit the spam by updating your ‘marketing preferences’ to only include security updates.
  • Dumb down your devices. If you don’t use the Internet features on your device, then don’t put it on the network at all. For example, most TVs today have an Internet connection because they come with built-in Netflix apps and such. But if you don’t use those features (for example, you use a FireTV, Apple TV or Roku), then you have no reason to plug it into your network or enable WiFi.
  • Unplug unused devices. If you have a device you no longer use (or trust), just get rid of it. Or if you use it only rarely, unplug it until you need it. For example, I have a web cam I use to watch my house when we travel. I only plug it in when we actually travel.
  • Quarantine your devices. Compromised devices on your network are basically beachheads for hackers within your home network. You can mitigate these risks by putting your IoT devices on your guest network. Don’t have a guest network? Most modern WiFi routers have this capability and it’s easy to set up. It’s a separate network for untrusted devices (including your guests’ devices, hence the name).
  • Restart your devices. Some of the malware that infects IoT devices can be cleansed just by powering the device off and back on. Unfortunately, unless you can update the software, it will still be vulnerable to re-attack.

As always, you can find these and over 100 more tips in my book. I also covered the topic of Internet of Things in a wonderful interview with John Graham-Cumming (CTO of Cloudflare) – check it out!

Equifax Hack: Protecting Against Identity Theft

You’ve probably already heard about the massive data breach at Equifax, one of the three major US credit bureaus. The company says that up to 143 million people may be affected, which is almost half of the entire population of the United States. The stolen data may include names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In other words, just about everything you might need to commit identity theft. Equifax has a “potential impact” web site that will supposedly tell you if you were affected, but there have been mixed results in practice. If you were affected, it will send you to enroll in their TrustedID credit monitoring service. And then tell you to come back in a few days to do it. They are frankly not handling this well, and the lawsuits are already coming.

Step One: Mitigating Identity Theft

So what should you do? I would go ahead and take the free monitoring service, when it becomes available. It can’t hurt (and shouldn’t prevent you from participating in a class action suit). But there are two other things you should consider strongly: either a credit freeze or a fraud alert.

A credit freeze will prevent any new requests for your credit history, which should stop anyone (including yourself) from getting a new credit card or opening a loan in your name. You will have to do this by contacting each of the three major bureaus (Equifax, Experian and TransUnion) and it will cost between $5-10 each. However, credit histories are used for many other purposes. So it might also interfere with applying for a new job, signing up for new service (e.g., phone, cable, utilities), or even the above-mentioned credit monitoring. You can always ‘thaw’ your credit and re-freeze it, but you will have to pay again.

The simpler option is a fraud alert, which is totally free but less effective. A fraud alert will simply require credit institutions to do a little more verification before allowing credit to be opened in your name. For example, they may call you if you have a phone number on file. Unlike the credit freeze, you only need to contact one of the three agencies and they are required to tell the other two. However, it only lasts for 90 days, though you can renew it as many times as you like. (If you can prove you have actually been a victim of identity theft, you can get a 7-year fraud alert.) I would do this immediately, and then after signing up for Equifax’s free monitoring service, you can consider implementing a full credit freeze.

Step Two: Basic Security Hygiene

Your next steps should be to beef up your general security – things you should already be doing, but things that become much more important in the wake of this horrific data breach.

  1. Use strong, unique passwords for your important accounts (financial, email and social media). Do not repeat passwords! To help with this, use a password manager like 1Password, LastPass, KeePass, etc.
  2. Set up and use two-factor authentication for these same accounts. This means you’ll have to enter a password and a one-time PIN code. (This is usually only for the first time you log in from an unknown location.) You can search for your service here and get quick links to help.
  3. Get your free annual credit reports from each credit bureau. I would recommend spreading them out – do one every four months, rotating through each of the three services. Set a repeating annual calendar reminder for each one, maybe Experian in January, Equifax in May and TransUnion in September.
  4. Keep a close eye on your credit card, bank and other financial statements for suspicious activity.

Stay tuned… I’m sure there will be more on this soon. My radio show and podcast will delve into this a bit further later this week.

UPDATE: This is another excellent article on credit freezes and fraud alerts.

UPDATE 2: Great article on the broader issues for democracy and privacy. The above is about you; this article is about everyone. The market is not able to fix these problems, it’s going to require legislation – and that means you need to be informed and lobby your representatives.

Beware Hype and Click-Bait

(It’s been a while since I’ve written a full blog post. I’ve been putting most of my efforts into my weekly newsletter – be sure to subscribe to get weekly tips and news on cyber security and online privacy.)

Headline Hyperbole

This week, we saw the following headline from The Guardian: “WhatsApp vulnerability allows snooping on encrypted messages”. This story was immediately picked up by just about every other major tech news web site, with headlines that were even more dire:

  • A critical flaw (possibly a deliberate backdoor) allows for decryption of Whatsapp messages (BoingBoing)
  • WhatsApp Apparently Has a Dangerous Backdoor (Fortune)
  • WhatsApp encrypted messages can reportedly be intercepted through a security backdoor (Business Insider)

I swear there were others from big-name sites, but I can’t find them – I think they’ve been deleted or updated. Why? Because this story (like so many others) was completely overblown.

Which brings us to the point of this article: our online news is broken. It’s broken for much the same reasons that the media is broken in the US in general – it’s all driven by advertising dollars, and ad dollars are driven by clicks and eyeballs. (See also: On the Ethics of Ad-Blocking). But the problem is even more insidious when applied to the news because all the hyperbolic headlines and dire warnings are making it very hard to figure out which problems are real – and over time, like the boy who cried wolf, it desensitizes us all.

WhatsUp?

Let’s take this WhatsApp story as an example. The vague headline from The Guardian implies that WhatsApp is fatally flawed. And the other headlines above are even worse, trotting out the dreaded and highly-loaded term “backdoor”. Backdoor implies that someone at WhatsApp or Facebook (who bought WhatsApp) has deliberately created a vulnerability with the express purpose of allowing a third party to bypass message encryption whenever they wish and read your private communications.

The first few paragraphs from the article seem to confirm this. Some excerpts:

  • “A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.”
  • “Privacy campaigners said the vulnerability is a ‘huge threat to freedom of speech’ and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.”
  • “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access”

Now let’s talk about what’s really going on here. It’s a little technical, so bear with me.

The Devil In The Details

Modern digital communications use what’s called public key encryption. Unlike private key systems (which have a single, shared key to both encrypt and decrypt data), public key systems use two keys:

  1. Public key: Freely given to everyone, allows a sender to encrypt a message
  2. Private key: Fiercely protected and never shared, used to decrypt received messages that were encrypted with the public key

If you had a single, shared key, then you would have to find some secure way to get a copy of that key to your intended message recipient. You can’t just email or text it, or even speak it over the phone – that could be intercepted. The public key system allows you to broadcast your public key to the world, allowing anyone to send you an encrypted message that only you can decrypt, using your closely-guarded private key. In this same fashion, you use the other person’s public key to respond. This is insanely clever and it’s the basis for our secure web.

As is usually the case, the devil is in the details when it comes to crypto systems. The underlying math is solid and the algorithms have been rigorously tested. Where these systems break down is in the implementation. You can have an unbreakable deadbolt on your front door, but if you leave the key under your door mat or there’s a window right next to the lock on the door that can be broken… you get the idea.

Here’s the problem with how WhatsApp implemented their encryption. The app will generate public and private keys for you on the fly, and exchange public keys with the person you’re communicating with – all in the background, without bothering you. That’s fine – so far, so good. But let’s say Alice sends a message to Bob while Bob is offline. WhatsApp on Alice’s phone has used Bob’s last known public key to encrypt these messages, and they’re waiting (either on Alice’s phone or maybe on WhatsApp’s servers) for Bob to come online to be sent. In the meantime, Bob has dropped his phone in the toilet and must get a new one. He buys a new phone, reinstalls WhatsApp, and WhatsApp is forced to generate a new public/private key pair. When he comes online, Alice’s copy of WhatsApp figures out that the public key it has for Bob is no longer valid. And here’s where things fall apart. WhatsApp will then get Bob’s new public key and re-encrypt the pending messages, and then re-send them.

Bug or Feature?

That’s it. That was the fatal flaw. The “backdoor”. Did you catch it?

If you missed it, don’t feel bad. This stuff is complicated and hard to get right. The problem is that Alice was not warned of the key change and (crucially) was not given the opportunity to validate Bob’s new key. So, theoretically, some third party – let’s call her Mallory – could somehow force Bob to go offline for a period of time and then pretend to be Bob with a new device. This would trick Alice’s copy of WhatsApp into re-encrypting the pending messages using Mallory’s key and sending them to Mallory. So what that means is that Mallory could potentially receive the pending messages for Bob. Not past messages. Just the pending ones, and potentially ones in the near future – at least until Bob comes back online.

This key change is part and parcel of how modern public key crypto messaging works. The only possible fault you can find here with WhatsApp is that they don’t (currently) enable changed-key warnings by default and they don’t block re-sending of pending messages until the user (in this case Alice) reviews the new keys and approves the update (i.e., satisfies herself that it’s really Bob who is sending the new key).

Is that a “backdoor”? No. Not even close. A backdoor is something maliciously and secretly built in to allow surreptitious access by a third party. This was neither secret nor malicious, and if Alice turns on the key change warning (a setting in WhatsApp), she will see a notice whenever a contact’s key changes, which is the last thing anyone building a covert surveillance channel would want. (She sees it after the fact, mind you; the warning doesn’t stop the re-send.) Is it a vulnerability or bug? No, not really. It’s a design decision that favors convenience (just going ahead and re-sending the messages) over security (making Alice re-verify a recipient every time they get a new device, reinstall WhatsApp, or whatever). You can argue about that decision, but you can’t really argue that it’s a bug; it’s a feature.
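To make the trade-off concrete, here is an added illustration (not WhatsApp’s or Signal’s code) of the sender-side logic in both flavors: a “trust the new key and re-send” policy like the one described above, and a “hold everything until the user verifies the new fingerprint” policy. The contacts, keys and messages are constructed, and the plaintext body stands in for the ciphertext, since the decision being modelled is which key a queued message is bound to and whether it leaves the device before anyone has checked that key.

```python
"""Sender-side handling of a recipient key change in an end-to-end encrypted messenger.

Added illustration, not WhatsApp's or Signal's code. Keys, contacts and messages are
constructed; the plaintext body stands in for the ciphertext because the decision being
modelled (which key a queued message is bound to, and whether it leaves the device)
does not depend on the cipher.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class KeyChangePolicy(Enum):
    AUTO_REENCRYPT = "auto"          # accept the new key silently, re-bind queued messages, send
    BLOCK_UNTIL_VERIFIED = "block"   # hold queued messages until the user approves the new key


def fingerprint(public_key: bytes) -> str:
    """Human-comparable digest of an identity key (the role a 'safety number' plays)."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


@dataclass
class Envelope:
    recipient: str
    key_fp: str      # fingerprint of the key this message is encrypted to
    body: str


@dataclass
class Sender:
    policy: KeyChangePolicy
    trusted: dict = field(default_factory=dict)      # contact -> fingerprint the user relies on
    unverified: dict = field(default_factory=dict)   # contact -> fingerprint announced, not approved
    pending: list = field(default_factory=list)      # envelopes waiting for the recipient
    delivered: list = field(default_factory=list)    # (key_fp, body) handed to the transport
    warnings: list = field(default_factory=list)

    def learn_key(self, contact: str, public_key: bytes) -> None:
        """First contact: trust on first use, as the messengers do."""
        self.trusted[contact] = fingerprint(public_key)

    def send(self, contact: str, body: str) -> None:
        self.pending.append(Envelope(contact, self.trusted[contact], body))

    def on_key_change(self, contact: str, new_public_key: bytes) -> None:
        """The server announces a new identity key for `contact` (new phone, reinstall, or Mallory)."""
        new_fp = fingerprint(new_public_key)
        if new_fp == self.trusted.get(contact):
            return                                   # same key, nothing changed
        self.warnings.append(f"{contact}: key changed to {new_fp}")
        if self.policy is KeyChangePolicy.AUTO_REENCRYPT:
            self._rebind(contact, new_fp)            # the behaviour described for WhatsApp
        else:
            self.unverified[contact] = new_fp        # queued messages stay bound to the old key

    def approve_key(self, contact: str, fp_checked_out_of_band: str) -> None:
        """The user compared the fingerprint with the contact over another channel and approved it."""
        if fp_checked_out_of_band != self.unverified.get(contact):
            raise ValueError("fingerprint does not match the announced key; do not approve")
        self._rebind(contact, self.unverified.pop(contact))

    def _rebind(self, contact: str, new_fp: str) -> None:
        self.trusted[contact] = new_fp
        for env in self.pending:
            if env.recipient == contact:
                env.key_fp = new_fp                  # re-encrypt to the new key

    def flush(self) -> list:
        """Hand over every queued message that is not waiting on an unapproved key."""
        still_waiting = []
        for env in self.pending:
            if env.recipient in self.unverified:
                still_waiting.append(env)
            else:
                self.delivered.append((env.key_fp, env.body))
        self.pending = still_waiting
        return self.delivered


# Constructed identity keys (32 bytes each), standing in for real public keys.
BOB_KEY = bytes(range(32))
BOB_NEW_KEY = bytes(range(32, 64))
MALLORY_KEY = bytes(range(64, 96))


def run_scenario(policy: KeyChangePolicy, announced_key: bytes) -> Sender:
    """Alice queues two messages while Bob is offline; then the server announces `announced_key`."""
    alice = Sender(policy)
    alice.learn_key("bob", BOB_KEY)
    alice.send("bob", "meet at 6?")
    alice.send("bob", "bring the documents")
    alice.on_key_change("bob", announced_key)
    alice.flush()
    return alice


if __name__ == "__main__":
    for policy in KeyChangePolicy:
        alice = run_scenario(policy, MALLORY_KEY)
        print(policy.name, "delivered:", alice.delivered, "held:", len(alice.pending))
```

Run it and the AUTO_REENCRYPT scenario delivers both queued messages bound to Mallory’s fingerprint, while BLOCK_UNTIL_VERIFIED holds them and records a warning; only `approve_key()` with the fingerprint the user checked out of band (Bob reading it off his new phone, say) releases them. The warning is recorded in both modes, which is why a notification setting alone isn’t enough: by the time Alice reads it under the first policy, the messages have already gone.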

UPDATE: The EFF has an excellent article on this with a very similar description. However, it also mentions a new effort called Key Transparency by Google which looks promising.

Remove Profit from the Press

So now let’s return to the big picture. Online news sites produce free web content that we consume, but producing that content costs money. In today’s web economy people expect to get something for nothing, which makes it almost impossible for sites to rely on a subscription model for revenue: if you ask people to pay, they’ll just go to some other site that’s free. So they turn to the de facto web revenue model, advertising. The more people who view the ads on your web site, the more money you get, and therefore you do whatever you can to get people to CLICK THAT LINK, NOW!! (This is called clickbait.) It’s the same incentive that corrupted our TV news (“if it bleeds, it leads”).

Some things should just not be profit-driven. News – in particular, investigative journalism – is one of those things. The conflict of interest corrupts the enterprise. TV news used to be a loss leader for networks: you lost money on news with the hopes of building loyalty and keeping the viewers around for the shows that followed.

Maybe that ship has sailed and it’s naive to believe we can return to the days of Walter Cronkite or Edward R Murrow. So what are we to do? Here are some ideas (some of which came from this excellent article):

  1. Subscribe to local and national newspapers that are doing good work. If you don’t care to receive a physical paper, you can usually get an online or digital subscription.
  2. Give money to organizations that produce or support non-profit investigative journalism. You might look at ProPublica, Institute for Non-Profit News, The Investigative Fund, NPR, and PBS. This article also has some good ideas.
  3. Share news responsibly. Do not post sensationalistic news stories on your social media or forward hyper-partisan emails to everyone you know. Don’t spread fake news, and when you see someone else doing this, (respectfully) call them out. Not sure if a story is real? Try checking Snopes.com, Politifact, or FactCheck.org. This article also has some great general advice for spotting fake or exaggerated news.
  4. When you do share news stories, be sure to share the original source whenever possible. This gives credit where credit is due (including ad revenue). If you found a derivative story, you may have to search it for the link to the original source.
  5. Use ad-blockers. This may seem contrary to the above advice, but as I mentioned in this blog, right now the ad networks are being overly aggressive on tracking you around the web and are not policing their ads sufficiently to prevent malware. It’s not safe to blindly accept all ads. You can disable the ad-blocker on individual web sites that you wish to support – just be aware of the risk.


Second interview: IoT

My second interview has posted on the George Orwell 2084 site, this one about the Internet of Things, or IoT. As the joke goes, the “S” in “IoT” stands for security. In this interview, we talk about the impact that these newly-connected “smart” devices are having on our lives, particularly with respect to our overall security, including some simple things we can all do to mitigate the threats. Check it out!

Interview on George Orwell 2084: Gooligan

Check out my radio/podcast interview with David Boron at George Orwell 2084. We talked about the Gooligan malware for Android, which has infected over 1 million Android phones so far and is making lots of money for the hackers.

Look for another interview in the near future about the Internet of Things and how the insecurity of these devices is a major threat.

If you are worried, you can go to Check Point’s Gooligan web site to check. (Check Point is the company that discovered this malware.)

Ditch Yahoo. Use ProtonMail. [updated]

I’ve been a Yahoo Mail user for 19 years. My Yahoo user ID has only 4 characters in it. It’s been my public (read spam) email address since 1997. I’m sure it’s the longest actively-used email account I’ve ever had. But now it’s time for me to move on. You should, too. Here’s why, and how…

How NOT To Handle Security

Yahoo announced recently that there was a massive breach in 2014 of many of its users’ accounts. While initial reports estimated 500 million users were compromised, it could actually be much worse. (If you haven’t changed your Yahoo password in the last two years, you should do so now, and change it on any other site where you reused that password.)

Password database breaches are going to happen. Security is hard and nothing is ever 100% secure. But we can and should judge a company by how seriously they take their users’ security and how they react when bad things happen.

While we’re fairly sure the breach occurred two years ago, it’s not clear whether Yahoo knew about it before July of this year. Either way, Yahoo said nothing publicly until after the story broke elsewhere, two months later. It’s also been reported that Yahoo execs had a policy of not forcing users to reset passwords after a data breach because they didn’t want to lose customers. And it’s obvious that Yahoo prioritized shiny new features over security and privacy.

The Last Straw

That’s all pretty bad, but it gets worse. In a separate report shortly after this breach was announced, it was revealed that Yahoo, at the request of the NSA or FBI, built (or allowed to be built) software that searched all of its customers’ incoming email in real time, enabling mass surveillance on a scale that was previously unprecedented.

Either of these scandals alone would be unacceptable, and should give any Yahoo user a valid reason to abandon their services – but taken together, it almost mandates it. This is a clear case where we, as consumers, need to show Yahoo that this is not acceptable, and do it in a way they will understand: close your Yahoo account and move to another service.

Ditch Yahoo

I’m not going to lie…. if you actually use your Yahoo account (like I do), this is not going to be fun or easy. But if you really care about your security, and security in general, you need to let Yahoo (and the other service providers) know that you take these horrendous security failures seriously. To do that, you have to hit them where it hurts: money. In your case, that means abandoning their services. Ditching Yahoo will not only make you safer, it will hopefully drive other service providers to improve their own security, which helps everyone.

I would say that you have at least three levels of options here, in increasing order of effectiveness (in terms of protesting Yahoo’s behavior):

  1. Stop using Yahoo email and all its other services
  2. Archive your Yahoo email locally and delete everything from their servers
  3. Delete your Yahoo account entirely

To stop using your Yahoo email, you will need to change everywhere you used your Yahoo email account and migrate to a new email service. LifeHacker has some tips that will help, but read through the rest of this article before choosing your new email provider.

To really rid yourself of Yahoo completely, you also need to abandon all their services: Flickr, Tumblr, fantasy sports, Yahoo Groups, Yahoo Messenger, and any of the dozens of other services.

Your next step is to archive all your old Yahoo email. These emails may contain valuable info that you’ll some day need to find: important correspondence, account setup/recovery info for other web sites, records of purchases, etc. If you’ve used an email application on your computer to access Yahoo (like Outlook or the Mail app on macOS), you should already have all your emails downloaded to your computer. But you might also want to consider an email archiving application: Windows users should look at MailStore Home (free); Mac users might look at MailSteward (ranges from free to $99).

Once you’ve safely archived everything, you should delete all your emails from Yahoo’s servers. Why? Well, if nothing else, it should prevent successful hackers from perusing your emails for info they could use against you (identity theft, for example). Assuming Yahoo actually deletes these emails, it may also keep Yahoo (or the government) from digging through that info. Remember to empty the Trash folder too; deleting a message usually just moves it there.

You should reset your Yahoo password to a really strong password (use a password manager like LastPass). I would highly recommend setting up two-factor authentication, as well.

As a final step, you can completely close your Yahoo account. Note that this may not actually delete all your data. Yahoo probably retains the right to save it all. But this is the best you can do.

If you find that you are just too invested in Yahoo to completely abandon your email account (and I’ll admit I may be in that camp), you can set up email forwarding. This will send all of your incoming Yahoo email to a different account. (It’s worth mentioning that it looks like Yahoo tried to disable this feature recently, probably in an effort to prevent the loss of users.)
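If you’d rather script the archive-then-delete steps above than trust a GUI tool, here is an added example (not from the original post, and not from MailStore or MailSteward) that uses Python’s standard imaplib and mailbox modules. It assumes Yahoo’s IMAP endpoint imap.mail.yahoo.com on port 993, that you log in with an app password if you’ve turned on two-step verification, and that the folder you want is named “Inbox”; the folder name and credentials are placeholders. The one check worth copying even if you never run the script: it refuses to delete anything unless every message in the folder made it into the local archive.

```python
"""Archive an IMAP folder to a local mbox file and, only after the archive is complete,
delete the messages from the server.

Added example, not code from the original post or from the tools it mentions. Host and
port are Yahoo's IMAP endpoint; the account, app password and folder name are placeholders.
"""
import getpass
import imaplib
import mailbox

YAHOO_IMAP_HOST = "imap.mail.yahoo.com"
YAHOO_IMAP_PORT = 993


def _raw_message(fetch_data):
    """Pull the RFC822 bytes out of an imaplib FETCH response such as
    [(b'1 (RFC822 {1234}', b'<raw message>'), b')']."""
    for part in fetch_data:
        if isinstance(part, tuple):
            return part[1]
    raise ValueError("FETCH response carried no message body")


def archive_folder(imap, folder, mbox_path, delete=False):
    """Copy every message in `folder` into the mbox file at `mbox_path`.

    Returns (archived, deleted). Messages are flagged \\Deleted and expunged only when
    `delete` is True AND every message in the folder was written to the archive, so a
    failed fetch can never cost you mail.
    """
    typ, _ = imap.select(f'"{folder}"', readonly=not delete)
    if typ != "OK":
        raise RuntimeError(f"cannot open folder {folder!r}")
    typ, data = imap.uid("SEARCH", None, "ALL")
    if typ != "OK":
        raise RuntimeError("UID SEARCH failed")
    uids = data[0].split()                     # e.g. [b'1', b'2', ...]

    archive = mailbox.mbox(mbox_path)          # created if it does not exist; appends otherwise
    archived = 0
    try:
        for uid in uids:
            typ, fetched = imap.uid("FETCH", uid, "(RFC822)")
            if typ != "OK":
                break                          # stop; the count check below blocks deletion
            archive.add(_raw_message(fetched))
            archived += 1
        archive.flush()
    finally:
        archive.close()

    deleted = 0
    if delete and archived == len(uids):
        for uid in uids:
            typ, _ = imap.uid("STORE", uid, "+FLAGS", r"(\Deleted)")
            if typ == "OK":
                deleted += 1
        imap.expunge()
    return archived, deleted


if __name__ == "__main__":
    user = input("Yahoo address: ")
    # With two-step verification enabled, this must be an app password, not the account password.
    conn = imaplib.IMAP4_SSL(YAHOO_IMAP_HOST, YAHOO_IMAP_PORT)
    conn.login(user, getpass.getpass("App password: "))
    print(archive_folder(conn, "Inbox", "yahoo-inbox.mbox", delete=False))
    conn.logout()
```

Run it first with delete=False, open the .mbox in a mail client or with mailbox.mbox() and satisfy yourself that everything is there, then run it again with delete=True. Deleting from the web interface or a mail client often just moves messages to the Trash folder, so check Trash (and any Archive folder) as well if the goal is that nothing stays on the server.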

Use ProtonMail

While GMail and Outlook are two popular and free email providers, you should take a hard look at newer, more security- and privacy-conscious services. I would personally recommend ProtonMail. They have a nice free tier of service that includes web access and smartphone apps for iPhone and Android. If nothing else, grab your free account now to lock in a good user name before all the good ones are taken. Tell your friends to do the same. Just adding new free users will help the cause, even if the accounts aren’t used much.

But I’d like to ask you to go one step further: I encourage you strongly to sign up for one of their paid tiers of service, even if you don’t need the added features. The only way we’re going to force other service providers to take notice and to drive change is to put our money where our mouths are. Until it becomes clear that people are willing to pay for privacy and security, we’ll be stuck with all the ‘free’ services that are paid for with our personal info and where security is an afterthought.

Update Dec 14 2016:

Yahoo has just announced another breach, this time over 1 billion accounts hacked (maybe more). DITCH YAHOO!!


(This article is adapted from a few of my previous weekly security newsletter articles.)

Our Insecure Democracy

I happen to be a rather political person, but I try to keep my politics out of my work in the security and privacy arena because these issues must transcend politics. Our democracy in many ways depends on some basic level of computer security and personal privacy. In no place is this more obvious than the security and privacy of the voting booth.

With the 2016 US election fast approaching, it’s important to call attention to the sorry state of affairs that is the US voting infrastructure. There are plenty of other problems with the US election system, but there’s hardly anything more fundamental to our democracy than the method by which we vote. (I’ll be focusing on the US election system, but these principles should apply to any democratic voting system.)

At the end of the day, the basic requirements are as follows (adapted from this paper):

  1. Every eligible voter must be able to vote.
  2. A voter may vote (at most) one time.
  3. Each vote is completely secret.
  4. All voting results must be verifiable.

The first requirement may seem obvious, but in this country it’s far from guaranteed. For many reasons, many eligible and willing voters either cannot vote or face serious obstacles to voting: inability to get registered, lack of proper ID, lack of nearby voting sites, lack of transportation, hours-long waits at polling places, inability to get out of work, and so on. Voting should be as effortless as possible. Why do we vote on a Tuesday? We should vote on the weekend (Saturday and Sunday). People who work weekends should be given as much paid time off as necessary to vote. We should also have early voting and support absentee voting.

The second requirement has become a hot-button political issue in this country, though in reality, in-person voter fraud has been proven again and again to be effectively non-existent. We’ve got this covered, folks. We don’t need voter ID laws and other restrictions – they’re fixes for a problem that doesn’t exist, and they end up preventing way more valid voters from voting than allowing invalid voters to vote (see requirement #1).

Now we get to the meat of the matter, at least in terms of security and privacy. The third requirement is that every vote is completely secret. Most people believe this is about protecting your privacy, and to some extent, this is true. You should always be able to vote your conscience without worrying how your boss, your friends, or your spouse would react. You should be able to tell them or not, lie or tell the truth; there should be no way for them to know. However, the real reason for a secret ballot is to prevent people from selling their vote and to prevent voter intimidation. If there is no way to prove to someone how you voted, then that vote can’t be verifiably bought or coerced. I think we had this pretty well figured out until smartphones came along. What’s to prevent you from taking a picture of your ballot? Depending on what state you live in, it may be a crime, but as a practical matter, it would be difficult to catch people doing this. However, I’m guessing this isn’t a big problem in our country, at least not yet.

Which brings us to the fourth and final requirement: verifiability. This is really where the current US voting system falls flat. In many states we have voting systems that are easy to tamper with and/or impossible to verify. We live in the era of constantly connected smartphones and tablets, so a touchscreen voting system seems like a no-brainer. But many electronic voting systems leave no paper trail: no hard copy of your vote that you can see, touch and verify, let alone one that the people counting and reporting the tallies can check. The electronic records could be altered, by a glitch or by deliberate tampering, and nobody would know it had happened. So regardless of how you enter your vote, every single vote must generate a physical, voter-verifiable record. That may seem wasteful in this digital age, but it’s the only way. There must be some sort of hard copy record that the voter can check and turn in before leaving the polling place. Those paper records must be kept safe from tampering: no thefts, no ballot box stuffing, no alterations. And every single election result should include a statistical audit (election-security researchers call this a risk-limiting audit): a random sample of the paper ballots is counted by hand, and the sample has to be large enough that, if the paper disagreed with the electronic tally, the audit would almost certainly catch it. If the sample casts any doubt on the electronic results, you must be able to escalate to a complete manual recount. That’s the key.
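As an added example (not from the paper the post cites, and not the original post’s code), here is a simplified version of the BRAVO ballot-polling risk-limiting audit for a single two-candidate contest, run over constructed ballots. It shows why the hand-counted sample doesn’t need to be huge when the paper agrees with the machines, and why the audit refuses to stop early when the machines reported the wrong winner.

```python
"""Ballot-polling risk-limiting audit (BRAVO-style) for a two-candidate contest.

Added example; not from the paper or the original post. Ballots are constructed.
The audit draws paper ballots in random order and stops early only once the paper
evidence makes a wrong reported outcome improbable (probability at most the risk limit);
otherwise it escalates to a full hand count.
"""
import math
import random
from dataclasses import dataclass

WINNER, LOSER = "W", "L"   # how a sampled paper ballot reads, relative to the reported result


@dataclass
class AuditResult:
    outcome: str             # "confirmed" or "full hand count"
    ballots_examined: int
    log_test_statistic: float


def bravo_audit(sample, reported_winner_share, risk_limit=0.05):
    """Sequential test (Lindeman, Stark and Yates' BRAVO) over ballots drawn in random order.

    `reported_winner_share` is the winner's share of the winner+loser votes in the
    *electronic* tally and must exceed 0.5. Each paper ballot for the reported winner
    multiplies the test statistic by 2*s, each for the loser by 2*(1-s); ballots for
    neither are skipped. Reaching 1/risk_limit confirms the reported outcome. The
    statistic is kept in log space so a long sample cannot overflow a float.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner must have a majority of the two-candidate vote")
    log_threshold = -math.log(risk_limit)
    log_t = 0.0
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == WINNER:
            log_t += math.log(2 * reported_winner_share)
        elif ballot == LOSER:
            log_t += math.log(2 * (1 - reported_winner_share))
        if log_t >= log_threshold:
            return AuditResult("confirmed", examined, log_t)
    return AuditResult("full hand count", examined, log_t)


def audit_contest(paper_ballots, reported_counts, winner, loser, risk_limit=0.05, seed=None):
    """Draw the paper ballots in a random order and test them against the reported tally."""
    share = reported_counts[winner] / (reported_counts[winner] + reported_counts[loser])
    order = random.Random(seed).sample(range(len(paper_ballots)), len(paper_ballots))
    sample = (WINNER if paper_ballots[i] == winner
              else LOSER if paper_ballots[i] == loser
              else None
              for i in order)
    return bravo_audit(sample, share, risk_limit)


def constructed_ballots(counts):
    """Paper ballots as a flat list, e.g. {"Smith": 6000, "Jones": 4000} -> 10,000 ballots."""
    return [name for name, n in counts.items() for _ in range(n)]


if __name__ == "__main__":
    reported = {"Smith": 6000, "Jones": 4000}
    honest = constructed_ballots(reported)                            # paper agrees with machines
    tampered = constructed_ballots({"Smith": 4500, "Jones": 5500})    # machines flipped the result
    print("honest  :", audit_contest(honest, reported, "Smith", "Jones", seed=1))
    print("tampered:", audit_contest(tampered, reported, "Smith", "Jones", seed=1))
```

With a 60/40 reported result and a 5% risk limit, the honest scenario typically confirms after a couple of hundred ballots or fewer; in the tampered scenario the test statistic drifts downward and, barring a very unlucky sample (probability at most the risk limit), the audit never reaches its early-stopping threshold and escalates to a full hand count. Real audits handle several candidates pairwise and many contests at once; the sequential test shown here is the core of it.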

Unfortunately, according to that same MIT paper, we have a hodge-podge of voting systems across the country, many of which use electronic voting machines (Direct-Recording Electronic, or DRE) in at least some areas without a paper trail (Voter-Verified Paper Audit Trail, or VVPAT).

This map pretty much says it all to me. It’s time that we adopt national standards for our voting infrastructure. You can leave it up to each state to implement, if you’re a real “states’ rights” type, but honestly I think we should just hand this over to the Federal Election Commission and have a single, rock solid, professionally-vetted, completely transparent, not-for-profit, non-partisan voting system. Of course, we’d need to revamp the current FEC: give it the budget, independence and expertise it needs to do the job effectively. It should be staffed with non-political commissioners (never elected to office and no direct party affiliation) and they should be completely free from political and financial influence. This is much easier said than done, but if we can just agree that our democracy is more important than any party or ideology, just long enough to do this, then maybe we can make it happen. Of course, there’s no way any of this will happen before this year’s elections, but we should be able to get this in place for 2018 if we start now.

What can YOU do? As always, get educated and get involved. Write your congress person and vote for people that have vowed to reform our election and voting systems. If nothing else, give money to organizations that are doing the right things, and ask your friends and family to do the same. I’ve given some examples below for you to consider. Note that it’s very hard to find completely unbiased organizations because these issues have been so politicized and our country right now is very polarized. But whatever your political leanings, you can’t have a true democracy if you can’t have fair, open, and verifiable elections.

If you’re interested, here are a couple more good articles to check out.

UPDATE: Another interesting story on the security of our voting system.