Why You Should Use The Signal App

hackerUnless you’ve been traveling in space for the last few years, you obviously know all about the mass surveillance by the National Security Agency and Edward Snowden‘s revelations, as well as the continued acceleration in security hacks globally.

Besides using a virtual private network (VPN) when you are on public Wifi (here is why a VPN is extremely important), I’ve found the simplest method for my family, friends and even clients is to use a super-secure, open source app on our phones called Signal by Open Whispher Systems.

Even non-geeks know that email is laughingly insecure, which is why this app is so important and how I use it:

a) My bookkeeper sends me important, private information over the Signal app.

b) I have clients send me passwords and credentials for their services.

c) Several of my friends and family members I’m connected to use Signal to send me messages that need to be secure. We often share items like passwords, especially when I’m helping one of them with some website or online application requiring me to login.

c) But what really sold me on Signal was when my wife was on a recent business trip to Hong Kong. Her hotel’s Wifi was set up to disallow the use of VPNs so she was not able to set up a secure, encrypted channel. This is because of what is euphemistically called the great firewall of China which the country uses to restrict what their citizenry has access to outside of China.

So my wife and I connected on Signal and, because the system has both private messaging and voice calling, we knew we would be secure and assured that some Chinese government flunky wasn’t eavesdropping on our messages or listening-in on our calls.

As I’d mentioned, Signal boasts highly secure private messaging using end-to-end encryption. In fact, the Signal protocol (the underlying technology) is being used by WhatsApp (though there are other insecurity issues with it that make never use WhatsApp). As of this writing, all other messaging apps (yes, even Apple’s Messages) while having some security layers still are accessible by the NSA’s warrantless surveillance activities, law enforcement, or possibly a system administrator at the app company.

End-to-end encryption (especially the way Signal implements it) means NO ONE can eavesdrop on your messages. Same thing with phone calls made via Signal due to its quality. When my wife and I were talking over Signal between Minnesota and Hong Kong I was pleasantly surprised with the quality of those calls while using the app on our iPhones (Signal is available for both iPhones and Android phones). It was better than if we had been talking over mobile connections (she was on good Wifi in her hotel, but often other voice-over-internet-protocol (VoIP) phones like the insecure Skype don’t sound very good).

signal-iconOnce you start using Signal you will probably come to the realization (like most Signal users do, I suspect) that it would sure be great to be able to use Signal on the desktop. Well now you can!

Signal is now an app for Google Chrome, the browser I use every day (Note: it does require that you have already set up Signal on your smartphone). Besides the computer version of Chrome, I also have two colleagues that use Chromebooks and now can use Signal on them.

You can connect the Chrome app with your smartphone’s Signal app by opening the app and instantly scanning a QR code. Once done you are connected and can even have your smartphone’s Signal app contacts imported in to your desktop version.

This is so easy to use and so secure that there really is no reason why you shouldn’t be using Signal right now.


Tinfoil Hat & Edward Snowden

tinfoil-hatsJust after the horrific tragedy of 9/11, I began to see quite disturbing things unfolding in the U.S. in the name of “security” that was (in my, and many other’s, minds) clearly trampling on the Constitution. Most of my friends teased me for several years about wearing a “tinfoil hat” to shield my brain, but then Edward Snowden came on the scene, ensuring that the unconstitutional domestic surveillance underway by the National Security Agency (NSA) was exposed.

Photo by Laura Poitras / Praxis Films

Edward Snowden
Photo by Laura Poitras, Praxis Films, under a CC BY 3.0 license.

While I was (and am) less disturbed by some of the global spying activities the NSA is performing—other than egregious hacking of world leaders’ mobile phones and such—there is no question that making U.S. citizens aware of the extent of the domestic spying was the first wake-up call for those ignoring the signs of the obvious, disturbing and unconstitutional activities going on.

After essentially reading every single news article and snippet about what Snowden (and others, I might add) have released to date, yes I believe Snowden did the world a great service and is a patriot. No, I don’t think he will get a pardon (yet) since it’s still too early on and Congress has not yet bothered to rein in the NSA in any meaningful way with regard to domestic spying.

The U.K. news organization The Guardian has an entire section called the NSA files which is likely the most comprehensive compendium of items sparked by Snowden’s whistleblowing document release. It’s a bit daunting to wade through, so I was intrigued this morning to see that Business Insider just compiled this bullet-point list of items Snowden had provided to select journalists that were released between 2013 and 2014. It’s pretty amazing to see them listed and realizing just how profound were these leaks and, in my view, extremely important. 

Here are just a handful of those links just to get you started:

  • The NSA accessed and collected data through backdoors into U.S. internet companies, such as Google and Facebook, with a program called Prism. — June 6, 2013
  • The NSA has a program codenamed EvilOlive that collects and stores large quantities of Americans’ internet metadata, which contains only certain information about online content. Email metadata, for example, reveals sender and recipient address and time but not content or subject. — June 27, 2013
  • Internal NSA document reveals an agency “loophole” that allows a secret backdoor for the agency to search its databases for U.S. citizens’ email and phone calls without a warrant. —Aug. 9, 2013
  • The NSA broke privacy rules thousands of times per year, according to an internal audit. —Aug. 15, 2013
  • Expanding upon data gleaned from the “black budget,” the NSA is found to be paying hundreds of millions of dollars each year to U.S. companies for access to their networks. — Aug. 29, 2013

Read more here at Business Insider


Why the “Wireless Passcode” AT&T?

UPDATE on April 2, 2016

attIt’s been quite awhile since I’ve had to call AT&T but I wanted to ask a question today since my wife is headed to Puerto Rico and was wondering if there was a roaming charge when she was in this unincorporated U.S. territory.

Calling in to customer service surprised me since I asked her, “Does AT&T charge roaming for mobile use in Puerto Rico?” but the rep wouldn’t answer until I gave her my name (since she could see my mobile number) and then the surprise: “What is your wireless access code?”


I had no idea what this was and she explained that we couldn’t do anything over the phone without it, or in-store if I didn’t have a government issued photo ID with me. I WAS JUST NEEDING AN ANSWER TO A SIMPLE QUESTION for God’s sake. But no matter, we were stuck so I hung up and figured “the Google” would satisfy my needs.  [Read more…]


John Oliver on Encryption

John Oliver’s show Last Week Tonight talks about the Apple/FBI controversy and that strong encryption poses problems for law enforcement, but is weakening it worth the risks it presents? It’s…complicated.


Seriously Minneapolis StarTribune? “U.S. security at stake as Apple defies order”

Click for an update - 4:04pm
iphone-in-handTo say I was stunned reading this editorial in this morning’s Minneapolis StarTribune is an understatement. I rarely get fired up enough to write a letter to the editor, but this time I felt compelled since they got this so wrong and I’m embarrassed for them that they published this editorial.

I just sent them my rebuttal and I reprint it below with the StarTribune’s paragraphs in italics and green. Also, since the StarTribune apparently did little-to-no research, I’ve provided them with helpful links.

Curiously the StarTribune changed the linkbait-like editorial title in the online version by toning it down, perhaps realizing that characterizing it as “Apple defies order” is wrong: National security is at stake in Apple’s faceoff with feds.

U.S. security at stake as Apple defies order

Apple Inc., the world’s largest info-tech company, now stands in defiance of a federal court order, saying it will fight attempts to force it to help the FBI crack the iPhone of a San Bernardino terrorist involved in a major attack on U.S. soil that left 14 dead and 22 injured. Apple says the government is overreaching and would be setting a dangerous precedent.

The company is wrong on both counts, but the world of encrypted information is a complex one. It is worthwhile to proceed carefully, because this could prove to be a critical showdown in the growing clash between privacy and national security.

Your editorial, “U.S. security at stake as Apple defies order” was one of the most stunningly naive positions I’ve read yet when it comes to the controversy over Apple’s stand on weakening the encryption of one, single iPhone. A weakening that would instantly open a Pandora’s box of cyber threat problems of which you are obviously clueless and seemingly dismissed out-of-hand.

First, it should be noted that the government negotiated for two months with Apple executives. When those talks fell apart, Justice Department officials turned to a federal judge, who ordered the company to create a way to bypass the security feature on the phone. The FBI had obtained a warrant to search the phone and, not incidentally, the consent of the employer that had issued the phone to Syed Rizwah Farook.

First off, it should be noted that the FBI permitted San Bernardino officials to change the password on the terrorist’s iCloud account (rebutted by FBI, now blaming official) and only then, obviously realizing their mistake, requested Apple’s help. Had they not done so Apple has stated publicly it would have been possible to obtain the shooter’s iCloud backup data. Since this mistake was made, the FBI then negotiated with Apple to recover what they could. Discovering that doing so was not possible, and subsequently failing in convincing Apple to create software to weaken iOS (the operating system that controls the iPhone and iPad) so they could break into the device without having it ‘wiped’ by its ten password attempt limit, the FBI then obtained a court order hoping to force Apple to create a method to do so.

Apple has complied with what Justice officials characterize as “a significant number” of government requests in the past, including unlocking individual phones. Apple CEO Tim Cook has become increasingly concerned about customer privacy, particularly after 2013 revelations by whistleblower Edward Snowden about massive government surveillance operations. The company has continued to tighten its security systems and decided to no longer maintain a way into individual phones. Farook’s iPhone 5c was among those with a 10-tries-and-wipe feature that essentially turns it into a brick if too many false passwords are entered. Newer operating systems employ ever-more-sophisticated security features.

The government’s authority to get private information, such as texts, photos and other stored data, through a warrant is not at issue. The key here is whether the government can compel a private company to create a means of access that the company contends will weaken its premier product.

Cook maintains that creating a “master key” to disable security on Farook’s phone ultimately would jeopardize every iPhone. With more than 100 million in use across the country, that is no small threat. There are, however, technology experts who say Apple could create a bypass — allowing for what’s called a brute force hack — without affecting other phones.

With respect to your position on Apple’s creating this sort of “bypass” for this single iPhone, all while acknowledging this is not a “small threat” for the 100 million iPhones already in existence, you then opined, “There are, however, technology experts who say Apple could create a bypass” “without affecting other phones.” This is your supposed justification for minimizing the threat of putting in a backdoor (or what you euphemistically characterize as a “bypass”) for those 100 million+ iPhones already in existence? Who are these so-called “experts” anyway?  [Read more…]


Mac Ransomware is Close & You’re at Risk

macuserAs Mac users, most of us have been quite smug about the fact that our operating system isn’t as vulnerable to trojans, malware and ransomware as those other guys running Windows. While mostly still true, the growing popularity of Macs means that we users of OS X are A LOT more at risk than ever before.

The first Mac OS X ransomware has been demonstrated by a Brazilian cybersecurity researcher Rafael Salema Marques (see Mabouia, the first crypto-ransomware for Macs arrives). Since the concept is now out, it’s just a matter of days or weeks before we see some malware like it in the wild. The security software and services firm, Symantec, has confirmed the concept is real and would work.

[Read more…]


Backing Up Your Digital Life


You are probably like me when it comes to backing up computers and digital devices: It is SUCH a pain-in-the-butt that only the terrified-of-disaster actually take any action. Make sure you look at the Newegg deal at the bottom of this post (and no, I’m not an ‘affiliate’ and get nothing from Newegg for linking to the deal).

Fortunately I’ve never had a house fire but have experienced multiple hard drive failures over the years. Only once, 10 years ago, did I have a hard drive crash to the point where it was unrecoverable. Ever since I’ve been of the mindset that hard drive failures and disasters are not a matter of “if” but rather “when”.

During that 10 years, however, I’ve heard so many personal stories of drive failures (or stolen drives), house or business building fires, a laptop accidentally being dropped overboard while on a cruise ship (and it contained vital, one-of-a-kind business planning documents), that I get after friends, family, and colleagues to backup; backup; and backup!

mom-n-kidAfter hearing one of those stories this past April, I wrote Your Mom DEMANDS That You Backup Your Computer! to see if it would kickstart conversations. It did, but specifically the two friends I was hoping would backup their mission-critical files, tens of thousands of one-of-a-kind digital photos, and other irreplaceable digital stuff….did nothing.

What happens if you have a fire in the house? Or the fireman spray water all over your office—even though the fire hasn’t yet reached in to it—and effectively ‘drowns’ your computer and drives?

Basically you’re screwed. Unless… [Read more…]


Never, Ever, Send Confidential Stuff via Email

Do you send private, confidential or secure information inside an email? Don’t. Never. Ever.

You might already know that emailing from a public Wifi hotspot is a huge problem since it is so incredibly insecure (see my post You’re in Danger on Public Wifi! for more). Since all of your information passes in the clear, it’s trivial for someone to snag it and read it or download the attachments.

The kicker? Email heading across the internet, sitting on a mailserver, or being retrieved by someone else in a non-secured way means that your private, confidential, secure information is also exposed.

Two reasons you should care about your email getting hacked.

[Read more…]


NSA: Why are you not focused on protecting the nation?

nsa-logoReading the German publication Der Spiegel’s article called Prying Eyes: Inside the NSA’s War on Internet Security this weekend, like them I was struck by something that has been on my mind for over ten years. Why does the U.S. intelligence services, and specifically the National Security Agency (NSA), do more to protect the nation?

What came out in the Edward Snowden revelations was that the NSA is, without question or doubt, working feverishly to crack all encryption and are also working hard to build a quantum computer that will crack the little unbreakable encryption we still enjoy today.

Any of us in information technology, web or mobile app creation, and any sort of data security at all, know that if something has been cracked—regardless if it’s some kid in Norway or a state-based intelligence service—it is only a matter of time before the blackhat hackers discover it and exploit the crack.

[Read more…]


You’re in Danger on Public Wifi!

wifi-publicIllustration by Kristina Collantes

If you ever connect to a public Wifi hotspot, you owe it to yourself to spend 4-5 minutes and read this article by Maurits Martijn called, “Maybe It’s Better If You Don’t Read This Story on Public WiFiWe took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”

I want to make thousands of copies of that article and give them to every single person I see in every public Wifi location everywhere!

Let me say it as emphatically as I can if you’ve read this far: You are an idiot if you connect to any public Wifi without running a virtual private network (VPN) connection (like the one I use, Private Internet Access for $39.99/year for 5 devices). If you don’t it’s not “if” you will get hacked, but rather “when” it will happen to you.

To show you how pervasive and simple it is to hack your laptop, smartphone or tablet when you connect willy-nilly to some public Wifi hotspot, let me give you a glimpse at what I can only describes as a…

The Wifi Pineapple, a $99.99 black box

The Wifi Pineapple, a $99.99 black box
which makes it trivial for a hacker to steal you!

Because I’ve technically known the risks for nearly ten years, I’ve been paranoid about public Wifi locations since 2005 and wrote about being “naked in a coffee shop” here, here and here. But to show you how brain-dead-simple it has become to BE a hacker, wait until you read about a black box called the Wifi Pineapple you can buy, for $99.99, which lets anyone who has one:

  • Run a man-in-the-middle attack, essentially spoofing a public Wifi connection and even impersonating the actual, real network connection (whether open or secured). How many times have you connected to Wifi that said “Coffee Shop Guest” or “Free Public Wifi”? Sometimes they’re real, mostly they are not. You can almost never be certain.
  • The attacker can monitor all network traffic flowing between an Internet gateway and the connected clients (like your laptop, smartphone or tablet!) as well as manipulate this data in transit such as through captive portals, DNS spoofing, IP redirection and even the substitution of executables in transit (so that file you’re downloading might be coming off of the attacker’s laptop!).

There’s alot more you can do with this device and Hak5, the group that makes it, is certainly gleeful about all the rogue crap it can do:

“…the WiFi Pineapple is more than a platform – it’s a community for creativity. Rickrolling clients, powering off WiFi drones mid-flight, tracking commercial airliners and logging WiFi connections are only some of the creative things being done within the WiFi Pineapple community.”

On the Hak5 forums they even have a section entitled, “WiFi Pineapple University” to help users teach users about this ‘fun’ little box.

The good news? If you run a VPN and inadvertently connect to “Coffee Shop Guest” and it’s actually a spoofed connection through one of these black boxes, the hacker would only see encrypted traffic! Everyone else’s internet traffic—Facebook login, bank password, credit card data—would mostly be going in the clear. (Note: I know that an actual SSL connection would encrypt traffic in the browser, and so do most smartphone and tablet apps, but more sophisticated hackers can even spoof SSL connections so that your browser thinks it is securely connecting…but it is not).

I must admit that, even though I’m more appalled by the activities of our government and mass surveillance of U.S. citizens in what I believe is a direct violation of our Constitution, boxes like this one target individuals with a lot to lose. It’s not right and not fair and I hope I never catch someone using one in a public place or…