On the Ethics of Ad-Blocking

As the saying goes, if you’re not paying for the product, then you are the product. The business model for most of the Internet revolves around advertising – which in and of itself is not a bad thing. It may be an annoying thing, but passive advertising isn’t actually harmful. Passive advertising is placing ads where people can see them. And savvy marketers will place their ads in places where their target audiences tend to spend their time. If you’re targeting middle-aged men, you might buy ad space on fantasy football or NASCAR web sites, for example. If you’re targeting tween girls, you might buy ad space on any site that might feature something about Taylor Swift or Justin Bieber. And if it stopped there, I don’t think many of us would object – or at least have solid grounds for objection. After all, this advertising is paying for the content we’re consuming. Producing the content costs money – so someone has to pay for it or the content goes away.

Unfortunately, online marketing didn’t stop there. On the web, competition for your limited attention has gotten fierce – with multiple ads on a single page, marketers need you to somehow focus on their ad over the others. And being on the Internet (and not a printed page), advertisers are able to do a lot more to grab your attention. Instead of simple pictures, ads can pop up, pop under, flash, move around, or float over the articles you’re trying to read. Worse yet, ad companies want to be able to prove to their customers that they were reaching the right people and that those people were buying their product – because this makes their ad services far more valuable, meaning they can charge more for the ads.

Enter the era of “active advertising”. It has now become very hard to avoid or ignore web page and mobile ads. Worse yet, the code that displays those ads is tracking where you go and what you buy, building up profiles on you and selling those profiles to marketers without your consent (and without most people even realizing it). Furthermore, those ads use precious data on cell phones and take a lot of extra time to download regardless of what type of device you use. And if that weren’t bad enough, ad software has become so powerful, and ad networks so ubiquitous and so commoditized, that bad guys are now using ad networks to distribute “malware” (bad software, like viruses). It’s even spawned a new term: malvertising.

Over the years, browsers have given users the tools they need to tame some of these abuses, either directly in the browser or via add-ons. It’s been a cat-and-mouse game: when users find a way to avoid one tactic, advertisers switch to a new one. The most recent tool in this toolbox is the ad-blocker. These plugins allow the user to completely block most web ads. Unfortunately, there’s really no way for ad blockers to sort out “good” advertising from “bad” advertising. AdBlock Plus (one of the most popular ad-blockers) has attempted to address this with their acceptable ads policy, but it’s still not perfect.

But many web content providers need that ad revenue to stay afloat. Last week, Wired Magazine announced that they will begin to block people that use ad-blockers on their web site. You will either need to add Wired.com to your “whitelist” (allowing them to show you ads) or pay them $1 per week. They state clearly that they need that ad revenue to provide their content, and so they need to make sure that if you’re going to consume that content that you are paying for it – either directly ($1/week) or indirectly (via ad revenue).

So… what’s the answer here? As always, it’s not black and white. Below is my personal opinion, as things stand right now.

I fully understand that web sites need revenue to pay their bills. However, the business model they have chosen is ad-supported content, and unfortunately the ad industry has gotten over-zealous in the competition for eyeballs. In the process of seeking to make more money and differentiate their services, they’re killing the golden goose. Given the abusive and annoying advertising practices, the relentless and surreptitious tracking of our web habits, the buying and selling of our profiles without our consent, and the lax policing that allows malware into ads, I believe that the ad industry only has itself to blame here. We have every reason to mistrust them and every right to protect ourselves. Therefore, I think that people are fully justified in the use of ad-blockers.

That said, Wired (and other web sites) also have the right to refuse to let us see their content if we refuse to either view their ads or pay them money. However, I think in the end they will find that people will just stop coming to their web sites if they do this. (It’s worth noting that some sites do well with voluntary donations, like Wikipedia.) Therefore, something has to change here. Ideally, the ad industry will realize that they’ve gone too far, that they must stop tracking our online pursuits and stop trafficking in highly personal information without our consent.

The bottom line is that the ad industry has itself to blame here. They’ve alienated users and they’re going to kill the business model for most of the Internet. They must earn back our trust, and that won’t be easy. Until they do, I think it’s perfectly ethical (and frankly safer) to use ad-blocking and anti-tracking tools.

Below are some of my favorite plugins. Each browser has a different method for finding and installing add-ons. You can find help here: Firefox, Safari, Internet Explorer, Chrome.

  • uBlock Origin – ad-blocker
  • Privacy Badger – anti-tracking plugin
  • HTTPS Everywhere – forces secure connections whenever possible
  • Better Privacy – another privacy plugin, slightly different from Privacy Badger

If you would like to get more involved, you might consider contributing to the Electronic Frontier Foundation.



Second Edition in the works!

I was approached by the continuing education group at Duke University to give a lecture on computer security and privacy, which I did last October. It was quite the hit and I will now be teaching a 6-week course for Duke on the same topic, starting mid-April of 2016! I’m very excited!

I’m planning to use my book as a text book for this class. And even though it’s only a year old, there have been many developments that I need to address (not the least of which are Windows 10 and OS X El Capitan). So I believe it’s time to finally put out an update to Firewalls Don’t Stop Dragons! I’ve already started work on this and hope to have it published in a couple months! Stay tuned…

Gone Phishin’ (LostPass)

LastPass is the password manager I recommend in my book and to anyone who asks. While there are a handful of good products like it, to me LastPass has a rock-solid security story and all the features anyone could want.

You may have heard last week about a threat to LastPass called “LostPass” on the news. Well, actually, you probably didn’t – the mainstream press doesn’t cover this stuff much. But I’m going to cover it anyway because it demonstrates one of the most troublesome security problems we have today: phishing. Unfortunately, this has nothing to do with a rod and a reel and whistling the theme to The Andy Griffith Show. Phishing is a technique used by scammers to get sensitive information from people by pretending to be someone else – usually via email or a web page (or both). Basically, they trick you into thinking you’re dealing with your bank, a popular web site (PayPal, eBay, Amazon, etc), or even the government. Sometimes they entice you with good stuff (winning a prize, free stuff, special opportunity) and sometimes scare you with bad stuff (freezing your account, reporting you to some authority, or telling you that your account has been hacked). But in all cases, they try to compel you to give up information like passwords or credit card numbers.

Unfortunately, it’s extremely easy to create exact duplicates of web pages. There’s just no real way to identify a fake by looking at it. Sometimes you can tell by looking at the web site’s address, but scammers are very good at finding plausible web site names that look very much like the real one they’re impersonating.

In the case of “LostPass”, a researcher demonstrated that he could act as a “man in the middle” to steal your LastPass email address and master password – even if you use two-factor authentication (which I strongly recommend). LastPass is a browser plugin that watches what web pages you’re on, and when it detects a login form, it offers to automatically fill in your ID and password. This researcher was able to create a malicious web page that could log you out of LastPass and then pop up a dialog asking you to log back in – but not the real LastPass dialog! Instead, it was a fake, drawn by the web page itself to look exactly like the plugin’s own prompt. So you would enter your email address and master password, and the fake dialog would store this juicy info. It now had the keys to the kingdom: access to your entire LastPass vault, all your passwords, secure notes, credit cards!

To keep you from getting suspicious, it would then turn around and use the email address and password you gave it to actually log into LastPass. This is the “man in the middle” part – to you, it pretends to be LastPass; to LastPass, it pretends to be you. If you had two-factor authentication turned on, it still did you no good. LastPass would ask for your two-factor code, and the attacker’s page would turn around and ask you for that code – again, placing itself in the middle and passing along whatever you typed.

So, should you be worried? Should you abandon LastPass? Yes and no, in that order. Phishing is a problem for ALL browser-based plugins, including those of other password managers. Phishing is a major problem for everyone who uses email or web browsers. So in that sense, you should be worried about it. In a minute, I’ll give you some tips for protecting yourself.

This researcher picked on LastPass because he perceived it to be the top dog in password managers, not because it was the only one susceptible to this attack. He also contacted LastPass well before he released his research (as any good security researcher would do), and LastPass was able to patch their software before he even announced this problem. That is – if you’re using LastPass, you’re already safe from LostPass, as long as you’re updating your browser plugin. LastPass reacted properly to this, from what I can see, and has mitigated this particular risk (and ones like it). LastPass, in my experience, has taken all security concerns very seriously and is constantly updating its software to react to even potential risks. So I feel very comfortable continuing to recommend it.

How can you protect yourself from phishing attacks? Here are some tips:

  1. Never give out sensitive info in email. This includes credit card numbers, passwords, and social security numbers. Any reputable organization will never ask for this via email.
  2. Don’t click on links or buttons in emails. If the email is fake, they will take you to a fake or malicious web site – one that may look exactly like the real one. Instead of clicking the links provided, just go to the site “manually” – that is, type in the main web site address by hand (or Google it) and then log into your account or whatever from there.
  3. Don’t fall for scare tactics. It’s common for scammers to tell you that something bad will happen or has already happened, and you MUST click here NOW to fix it. For example, your PayPal account has been frozen and you need to click this link now to log in and set things straight. Instead, go to your web browser, type in “paypal.com” and log in. If there’s really a problem, you’ll see it immediately when you log in.
  4. Help protect others by using strong, unique passwords on your email accounts. Hackers love to get into your email account and your email address book to send emails to everyone you know. These people (presumably) trust you and will be more likely to click on bad links.
  5. Use LastPass and keep your browser plugin up to date. They are adding new features to help prevent phishing attacks.
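Tip 2 and tip 3 above boil down to one question: does the link in the email really go to the site it appears to name? The tricks scammers use all live in the part of the address a casual glance skips over. As an added example (not code from the original post), here is a small Python check that extracts the host a browser would actually connect to and compares it against the site you expected. The sample links are constructed for the demo; none of them are real phishing addresses.

```python
"""Check whether a link really points at the site it appears to name.

Added example (not from the original post). The sample links below are
constructed; none of them are real phishing URLs.
"""
from urllib.parse import urlsplit


def registrable_host(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to.

    urlsplit().hostname discards the scheme, any user:pass@ prefix, the
    port, path and query, which is exactly where look-alike tricks hide.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain or a subdomain of it."""
    host = registrable_host(url)
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def classify(url: str, expected_domain: str) -> str:
    """Label a link: 'ok', 'mismatch', 'punycode', or 'unparseable'."""
    host = registrable_host(url)
    if not host:
        return "unparseable"
    if belongs_to(url, expected_domain):
        return "ok"
    # xn-- labels are internationalised names; a browser may display them
    # with characters that visually mimic the real domain.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    return "mismatch"


# Constructed sample links, as they might appear in a phishing email.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",                 # genuine subdomain
    "https://paypal.com.account-verify.example/",    # real name as a subdomain
    "https://paypal.com@login.example/reset",        # user@host trick
    "https://paypal.com-secure.example/",            # hyphen, not a dot
    "https://paypa1.com/",                           # digit 1 for letter l
    "https://xn--pypal-4ve.com/",                    # punycode look-alike
    "not a url",
]


def audit(links=SAMPLE_LINKS, expected_domain="paypal.com") -> dict:
    """Classify every link; returns {url: label} so results can be checked."""
    return {url: classify(url, expected_domain) for url in links}


if __name__ == "__main__":
    for url, label in audit().items():
        print(f"{label:11} {url}")
```

Note that the check deliberately ignores everything except the hostname: the text of the link, the path, and anything before an `@` are all under the scammer's control and mean nothing. This is also why typing `paypal.com` yourself is safer than inspecting a link: you skip the parsing entirely.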

Using Credit Freeze for Self Defense

Identity theft is arguably one of the worst things that can happen to a person, financially. When someone steals your identity, they can basically do anything you can do – including obtaining loans or credit cards in your name. And when the spending spree is over, you are left holding the bag. If it’s not bad enough that they’ve taken your money and left you with a huge bill, it may also have a major negative impact on your credit report. It can be very difficult and time consuming to undo all this damage.

In order to open a new loan or credit card in your name, the criminals have to pass a credit check through one of the big three credit bureaus: Experian, TransUnion and Equifax. Therefore, if you can somehow stop the credit check from passing, you can prevent the bad guys from getting a new line of credit in your name.

The easiest way to do that is to “freeze” your credit – basically you tell the credit bureaus to put a halt on all credit checks until you tell them otherwise. This obviously only works if you yourself don’t need to have your credit checked. If you’re about to get another credit card (including store cards) or need to finance something (car, house, appliances, etc), then you’re going to need to run a credit check. Also, some other activities will trigger a credit check, such as background checks, opening a new financial account, or even signing up for a new utility (cable, for example).

Freezing your credit has absolutely no impact on your credit score. You have to do it with all three credit companies and there is usually a small fee involved (up to $10). There’s also a fee to “thaw” your credit, so you don’t want to do this often.

Basically, if you rarely if ever need to open new lines of credit, you should go ahead and put a freeze on your credit. It does no harm and can save you a ton of heartache. I recommend reading this Clark Howard article. It has all the details on how to freeze your credit with each of the three credit companies.


If you’d like more info on credit freezes, check out the Federal Trade Commission’s web site on the topic.


If you’d like to stop getting “pre-screened” and “pre-qualified” credit card offers in the mail (which can sometimes be stolen and used to open credit in your name), see this FTC web site. It will tell you how to opt out. It’s a bit of a pain, but well worth it.


Windows 10 Privacy Issues

If you use a Windows computer at all, you’ve probably seen that annoying little pop-up message that keeps reminding you that Windows 10 is coming. Windows 10 is a free upgrade for most people and Microsoft is clearly banking on most people taking the free software, Trojan horse and all. Microsoft is also counting on most people to just use the “express install” option – that is, take all the Microsoft-chosen default settings. I’m here to tell you: DON’T DO THAT.

Microsoft has really gone overboard with privacy-threatening features in this release, and it appears that most of them are on by default. When I write the second edition of my book, I’ll have a full explanation of how to guard your privacy on Windows 10. But here are some quick recommendations.

NOTE: If you can wait to install Windows 10, then by all means wait. We will learn more things about it in the coming weeks and months, and security and privacy experts will get a chance to learn what’s really going on and hopefully figure out how to fix the problems. And if there’s enough uproar, perhaps Microsoft will even dial back on some of these privacy-invading features. But if you can’t wait, or if you’ve already installed it, here are a few key tips.

  1. Don’t use the Express Install option. Customize your install and read over every option.
  2. Don’t sign into Windows with your Microsoft account. This allows Microsoft to associate all sorts of info and activities with you, and share it with others. Just use a local account.
  3. Don’t use Cortana. Yeah, it’s really cool, but by enabling this one feature, you open yourself up to all sorts of spying by your operating system and Microsoft. Until they can address security and privacy concerns, this feature is just too scary.
  4. Don’t use Wi-Fi Sense. This is a new feature which conveniently lets you share your WiFi passwords with people you know. That means syncing those passwords to the cloud, which to me invites security risks that aren’t worth the convenience.

Here are some more articles you might want to check out.


It’s time to just ditch Adobe Flash. Here’s how.

Uninstall Flash Player

In my book, I made it clear that the Flash Player (that little browser plugin that you’re constantly having to update due to new security bugs) is one of the prime targets of hackers. In the last week, in the wake of the Hacking Team being hacked, there have been no fewer than 3 “zero day” flaws exposed in Flash (unfixed bugs that allow hackers to exploit your system).

So, it’s time to throw in the towel. It’s time to just remove Flash from your system. It’s not worth the risk. Most web sites have abandoned Flash, and after this latest security debacle, that trend is surely going to accelerate. Most web sites will work just fine without Flash – and if not, there are workarounds (see below).

Mac users see this article; Windows users see this article.


I personally prefer the Firefox web browser, but I use Chrome as a backup in certain cases – usually when my rather Draconian security settings on Firefox break some web site and I can’t figure out how to unbreak it. Chrome actually bundles Flash directly into the browser and goes out of its way to try to “sandbox” Flash (preventing it from reaching out into things it shouldn’t be touching). So the workaround is to use Chrome in those cases where you simply have to use Flash. That is, even if you uninstall Flash using the above directions, it will still be embedded into the Chrome browser, so you can still use it. NOTE: Chrome is not necessarily a safe way to use Flash, either, but it’s probably the safest option you have (short of using a virtual machine).


LastPass data breach

LastPass has notified its users that it experienced some “suspicious behavior” on their servers and they believe that “email addresses, password reminders, server per user salts, and authentication hashes were compromised”. They also made clear that “we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed”.

I encourage you to read the full blog post, along with the updates. They do a very good job of answering the burning questions, so I won’t repeat that all here. You can also get another view from this Sophos post and even deeper info from this Krebs On Security post, if you’re interested.

For those of you who are not cryptographers, when they say “server per user salts” and “authentication hashes”, what they’re talking about is the munged version of your master password that they save. It’s important to realize that they don’t store your actual master password – they save a unique, irreversible version of it – because saving the actual password is horribly insecure. This is covered in my book, but basically you enter your password, it’s “salted” and “hashed” to arrive at some other, completely different value, and that value is compared to the one they salted and hashed when you last set your password; they should match. The salt is just a random value, different for every user, that is stored alongside the hash. It means two people with the same master password end up with different hashes, so an attacker can’t compute one table of guesses and use it against everyone. The key is that given the salt and the hash, you can’t work backwards to get the actual password. Okay, you can, but only by guessing: an attacker has to try candidate passwords one at a time, salting and hashing each one and comparing the result. Because the hash is deliberately slow to compute and every guess has to be done separately for each user, a strong master password would literally take years to find. So if you change your master password anytime soon, you’re safe. The best they could do is eventually figure out your old password, which no longer works (because you changed it).
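To make the “salted and hashed” idea concrete, here is an added example (my illustration, not LastPass’s actual scheme or code) that stores a password the way a careful server should, verifies a login against it, and then plays the attacker against a leaked record with a tiny constructed wordlist. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count and the wordlist are assumptions for the demo.

```python
"""Salted, slow password hashing and why it buys time after a breach.

Added example (not the original post's code and not LastPass's actual
scheme): a PBKDF2-HMAC-SHA256 record with a per-user random salt, plus a
small offline guessing run against a "leaked" record.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Slow on purpose: every guess costs the attacker this many hash rounds too.
ITERATIONS = 100_000  # assumed value for the demo


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> dict:
    """What a server should store: salt, iteration count and hash. Never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"], dklen=32)
    return hmac.compare_digest(digest, record["hash"])


def offline_guess(record: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """What an attacker does with a leaked record: try guesses one at a time.

    There is no shortcut: each guess means running the full salted hash.
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        if verify(record, guess):
            return guess, tried
    return None, tried


# Constructed wordlist standing in for the real leaked-password lists.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "dragon"]


def demo() -> dict:
    """Weak vs. strong master password against the same leaked-record attack."""
    weak = make_record("password123")
    strong = make_record("correct horse battery staple dragon 42")
    # Two users with the same password get different hashes because of the salt.
    twin_a = make_record("password123")
    twin_b = make_record("password123")
    weak_found, weak_tries = offline_guess(weak, WORDLIST)
    strong_found, strong_tries = offline_guess(strong, WORDLIST)
    return {
        "weak_cracked": weak_found,
        "weak_tries": weak_tries,
        "strong_cracked": strong_found,
        "strong_tries": strong_tries,
        "same_password_same_hash": twin_a["hash"] == twin_b["hash"],
        "verify_ok": verify(weak, "password123") and not verify(weak, "Password123"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak password falls on the fifth guess; the strong one survives the whole list, and a real list would only make the attacker spend more time per user, because the salt stops one run of guesses from being reused against everyone. That is exactly the window the post is talking about: long enough to change the master password before anyone finds it.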

This is why it’s absolutely crucial that you have unique, strong passwords for everything. If you reused your LastPass master password on any other site (which you should never do), then you need to change the password there, too. The whole point of using a password manager is to generate ridiculously strong and completely unique passwords for everything – you don’t have to remember them, so why not? The only password you need to know is your master password. If you need help with this, you can watch my short YouTube video on how to choose a good master password.

So what do we take away from this? First of all, we should just all assume that this is going to happen repeatedly. Every one of these sites is a prime target for hackers, and they will eventually get in and steal passwords (hopefully salted and hashed). If you have a strong, unique password for every site, then it will take the bad guys a long time to crack it. And if and when they do, it won’t give them access to any other account – because you have different passwords for every site.

The other thing this underscores is the importance and utility of two-factor authentication. If someone steals and cracks your password, they’re still screwed – because they don’t have the second factor. This gives you time to change the password once the breach is announced. Unfortunately, not all sites have two-factor authentication yet, but incidents like this are prompting many sites and services to adopt it. When they do, sign up.

And finally, it proves once again that passwords suck. But it’s still the best option we have today. Various efforts are under way to come up with new authentication schemes, but beware of anything that uses biometrics (that is, “something you are”). Biometrics are really more like a user name than a password. You don’t want your password to be something you can’t change, from a privacy perspective if nothing else. The most interesting technology I’ve seen so far is called SQRL (pronounced “squirrel”), which has the advantage of never needing to store your credentials on a web server somewhere – that is, there’s nothing for hackers to steal.

Many people will now be asking: should I abandon LastPass? In short, I would say no. LastPass appears to have done everything right here, and I still think it’s the best option out there for most people. There are other password managers that don’t store your password database in “the cloud”. This means that if you want to access your passwords from multiple devices and places, it’s up to you to copy and/or synchronize the password database yourself (using something like Dropbox or iCloud Drive). I find that to be too cumbersome for most people, but it’s doable. If you would like to look at this option, check out 1Password. It’s more expensive, but it’s probably the best alternative to LastPass that doesn’t have your password database stored on the provider’s servers.

The more incidents like this that we have, the more attention the topic will receive and the more people will realize that they need to take charge of their own security.

Long time no hear

Sorry for the long break between posts. Lots going on for me right now. I would encourage you to have a look at my Twitter feed to keep track of key updates. It’s about the only thing I’ve kept up on lately.



Book review: Data and Goliath (Bruce Schneier)

I finally got around to finishing Bruce Schneier’s latest bestseller: Data and Goliath. I’ve read a few of Bruce’s books over the years (and own most of the rest, waiting patiently to be read). I’ve watched Bruce on many TV news segments, lectures, interviews, and web videos. I follow his blog and Twitter posts. I’ve even had the pleasure of emailing him from time to time. Some day I’d love to meet the guy. So… what I’m trying to say here is: fair warning, I’m a bit of a Bruce Schneier fan boy.

However, I feel this is completely justified. I tend to have the most respect for the even-keeled, professorial types – the ones who are passionate about what they do and highly knowledgeable about their field, but at the end of the day are most concerned with getting it right and avoiding hyperbole. That’s a small camp of people, but Bruce is definitely in it.

Bruce’s latest book is at once timely and timeless. The topics of computer security and online privacy are obviously hot right now in the wake of the Snowden revelations, but Bruce makes it clear that this stuff has been going on for a very long time now and will only get more important in the coming decades. I think Bruce was moved to write this book much as I was to write mine – people need to understand what’s going on here, but the fact of the matter is that they just don’t. At the end of the day, it’s up to us to demand change. Left to their own devices, corporations and governments will not cede the power that comes from massive data collection and mass surveillance.

Data and Goliath is remarkably comprehensive and well researched. Bruce draws on many sources – not just the Snowden documents (to which I believe he has had full access, at least for a time) but also from many insiders and security researchers, in addition to decades of experience.

In the first section, Bruce explains how we got where we are and what’s really going on. It was staggering to see it exhaustively cataloged. The enormity of the problem we face and the depth to which surveillance has already permeated our society is truly alarming. Even though I was aware of most of these things at one time or another, even I found myself shaking my head while reading this litany. One of the key take-aways from this section is how all of this data is used in concert to create a shockingly complete picture of each person’s life – not just digital life, but real life. Correlating all of these data streams results in something quite a bit larger than just the sum of its parts – which is something that I feel is lost on most people, but crucial to understand.

Bruce explores the harm that is already being done by this mass surveillance and data collection, and explores the very real future dangers in the second section of the book. Again, this is something that I believe everyday people just aren’t grasping. Too many people blow it all off thinking they have nothing to hide, so who cares? Everyone should care. I can’t do it justice in a paragraph – you’d think I was just being paranoid and blowing it out of proportion. Bruce walks you through why this all matters, with real-life examples, and clearly explains the deep impacts it is already having on our democracies.

Finally, Bruce wraps up the book with a wide range of things that we can and should be doing. What I love about Bruce’s approach is that it’s not all-or-nothing. Surveillance and espionage and even mass data collection all have their place in a civil society. Where many people get it wrong, I think, is to go to one extreme or the other. There is absolutely a sane, practical, and healthy middle ground to be found here. Targeted surveillance, when governed by transparent laws and reviewed by impartial third parties, makes perfect sense and has a place in democratic society. Collecting mass quantities of anonymous data can provide huge benefits for everyone – from medical research to traffic avoidance. It’s not always what we’re doing, it’s how we’re doing it. Still, Bruce comes down solidly on the side of an individual’s right to privacy and that computer security is essential for everyone. He just points out, very clearly, that that stance does not interfere with protecting ourselves from criminals and terrorists. That’s a false choice.

This book does not go into any detail, really, on how to protect yourself at a personal level – he even says that that would take an entire book (like, oh, say, I don’t know…. MY book). It does, however, explore many legal frameworks and “bill of rights” type proposals that are already on the table from around the world. Bruce also makes many solid and well-crafted proposals for approaching these problems – while many are politically difficult, they’re eminently rational and workable.

At the end of the day, though, it’s really up to us, as a people, to decide that we value our privacy and demand action – not just for ourselves, but truly for our society as a whole. The first step is to get educated… and if you had to pick just one book to read, Data and Goliath would be an excellent choice.

miniLock: how to send and receive encrypted files easily

For over two decades, the prevailing utility for sending and receiving encrypted files was PGP (Pretty Good Privacy) – including the popular free and open-source implementation GNU Privacy Guard (GPG). In order to use PGP, you needed to use a software tool to create at least one pair of encryption keys: one public (which you give away freely) and one private (which you guard very carefully). People use your public key to encrypt something and then send it to you via email or whatever. You then use your closely-guarded private key to decrypt it.

The problem, though, is that PGP is complicated and normal people just don’t have the patience for it. It’s also tricky to integrate PGP into things like email clients, especially web-based clients. And having to manage these keys is a real pain – they’re quite large and ugly. Here, for example, is one of my PGP public keys:


Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org



If the computer that stores my private key dies, then I can no longer decrypt anything that was sent to me. Worse yet, if that computer is lost or stolen, then anything ever encrypted to that key is only as safe as the passphrase protecting the key file (if it has one at all).

There’s a new kid on the block called miniLock which has three very important improvements over PGP:

  1. The private key is generated from an email address and a long passphrase. You no longer have to worry about storing and potentially losing your private key; you recreate it as needed, on any computer, from something you can remember.
  2. The public key is much, much shorter – only 44 characters long. This may seem bad, since for a given kind of cryptography shorter keys mean weaker encryption, but miniLock uses a different form of cryptography that gets the same level of security from far smaller keys.
  3. Under the covers, that different form is elliptic curve cryptography, which is newer than the RSA-style math behind most PGP keys and is what allows the keys to be so small.

For comparison, here is my public miniLock key (or “miniLock ID”):



That’s it! These keys are so short that you can easily send them to others, even tweet them.
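To show what points 1 through 3 above mean in practice, here is an added example in Python (my illustration, not miniLock’s own code). It recreates a private key from an email address and passphrase, derives the short public key with elliptic curve math, and shows two people arriving at the same shared secret from each other’s public IDs. The assumptions: the key-stretching parameters are chosen for a quick demo (miniLock’s published design uses scrypt, but its exact settings are not reproduced here), the ID is plain base64 of the public key (miniLock adds a checksum and uses a different alphabet), and the curve is Curve25519 as specified in RFC 7748, checked against that RFC’s published test vector.

```python
"""Deterministic key pair from (email, passphrase), in the spirit of miniLock.

Added example, not miniLock's own code. Assumed for the demo: the KDF cost
parameters, plain base64 for the ID (no checksum byte), and a fallback to
PBKDF2 on Python builds without scrypt. The X25519 ladder follows RFC 7748.
"""
import base64
import hashlib

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _cswap(swap: int, a: int, b: int):
    return (b, a) if swap else (a, b)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 scalar multiplication on Curve25519 (Montgomery ladder)."""
    k = bytearray(scalar)
    k[0] &= 248            # clamp the scalar as the RFC requires
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _kdf(passphrase: bytes, salt: bytes) -> bytes:
    """Slow key stretching; cost parameters are assumed (kept small for the demo)."""
    try:
        return hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1, dklen=32)
    except AttributeError:  # Python built without OpenSSL scrypt support
        return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=32)


def secret_key(email: str, passphrase: str) -> bytes:
    """Recreate the private key from things the user remembers; nothing is stored.

    The email is the salt, so two people with the same passphrase get different keys.
    """
    return _kdf(passphrase.encode(), email.strip().lower().encode())


def public_id(secret: bytes) -> str:
    """44-character shareable ID: base64 of the 32-byte public key (assumed encoding)."""
    return base64.b64encode(x25519(secret, BASEPOINT)).decode()


def shared_secret(my_secret: bytes, their_id: str) -> bytes:
    """Both sides reach the same value; a real tool feeds this to a symmetric cipher."""
    return x25519(my_secret, base64.b64decode(their_id))


def rfc7748_vector_ok() -> bool:
    """Self-check against the Alice public-key test vector published in RFC 7748."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    expected = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    return x25519(a, BASEPOINT).hex() == expected


def demo() -> dict:
    """Two constructed users exchange IDs and derive the same shared secret."""
    alice = secret_key("alice@example.com", "tiny fuzzy kittens juggle eleven purple umbrellas")
    bob = secret_key("bob@example.com", "seven sleepy walruses audit the moonlit spreadsheet")
    alice_again = secret_key("Alice@Example.com ", "tiny fuzzy kittens juggle eleven purple umbrellas")
    return {
        "alice_id": public_id(alice),
        "reproducible": alice == alice_again,
        "agree": shared_secret(alice, public_id(bob)) == shared_secret(bob, public_id(alice)),
    }


if __name__ == "__main__":
    print("RFC 7748 vector:", rfc7748_vector_ok())
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing. The ID is 44 characters because a Curve25519 public key is 32 bytes, and 32 bytes in base64 is 44 characters; a PGP key of comparable strength carries hundreds of bytes. And the convenience of point 1 has a price: the passphrase is now the only thing standing between an attacker and your private key, which is why miniLock insists on a long one and why the key stretching step matters.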

This tool is brand new and hasn’t even officially been released yet, let alone fully vetted by the crypto experts. But it’s got a lot of potential and may finally allow regular people to use truly-secure, end-to-end encryption for all sorts of communication.

Until encryption is easy and built in to everything, it won’t be used. We have to find ways to make it much more accessible – and miniLock is a valiant attempt.