Browser extensions are fraught with danger — which is why I rarely use them — especially those extensions that request your permission to:
- Access your data for all websites
- Access browser tabs
- Access recently closed tabs
- Read and modify bookmarks
- Download files and read and modify the browser’s download history
- Input data to the clipboard
- Display notifications to you
- Read and modify browser settings.
I mean…seriously!?! There is not a snowball's-chance-in-Hell that I would ever give permission to a browser extension to rummage around in my browser and change things, possibly add malware code into my computer or device's memory (i.e., the clipboard), as well as essentially look over my shoulder while I use that browser!
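The permission list above is exactly what a browser derives from an extension's manifest.json at install time. The following is an added example (not from this post, and not ioSafe's, Mozilla's or anyone else's code) that reads a manifest and reports which of those warnings it would trigger; the mapping from permission keys to Firefox's warning wording, and the set of "all websites" host patterns, are assumptions based on Firefox's own permission prompts, and the manifest is a constructed sample.

```python
"""Audit a WebExtension manifest.json for the broad permissions the post warns about."""
import json

# Assumed mapping: permission key in manifest.json -> the warning Firefox
# shows at install time (wording taken from Firefox's permission prompts).
PERMISSION_WARNINGS = {
    "tabs": "Access browser tabs",
    "sessions": "Access recently closed tabs",
    "bookmarks": "Read and modify bookmarks",
    "downloads": "Download files and read and modify the browser's download history",
    "clipboardWrite": "Input data to the clipboard",
    "notifications": "Display notifications to you",
    "browserSettings": "Read and modify browser settings",
}

# Host patterns that amount to "every website" (assumed set; Firefox collapses
# each of these into a single all-sites warning).
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ALL_SITES_WARNING = "Access your data for all websites"


def host_pattern_scope(pattern):
    """Classify a match pattern as 'all', 'site', or None (not a host pattern)."""
    if pattern in ALL_SITES_PATTERNS:
        return "all"
    if "://" in pattern:  # scheme://host/path style match pattern
        return "site"
    return None


def audit_manifest(manifest_text):
    """Return the install-time warnings a manifest would trigger.

    Result keys: 'warnings' (sorted warning strings), 'all_sites' (bool),
    'sites' (per-site host patterns), 'unwarned' (API permissions such as
    'storage' or 'activeTab' that show no prompt) and 'manifest_version'.
    """
    manifest = json.loads(manifest_text)
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    requested = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    warnings, sites, unwarned = set(), [], []
    for perm in requested:
        if perm in PERMISSION_WARNINGS:
            warnings.add(PERMISSION_WARNINGS[perm])
            continue
        scope = host_pattern_scope(perm)
        if scope == "all":
            warnings.add(ALL_SITES_WARNING)
        elif scope == "site":
            sites.append(perm)
        else:
            unwarned.append(perm)
    return {
        "warnings": sorted(warnings),
        "all_sites": ALL_SITES_WARNING in warnings,
        "sites": sites,
        "unwarned": unwarned,
        "manifest_version": manifest.get("manifest_version"),
    }


# Constructed sample manifest requesting every permission named in the post.
CONSTRUCTED_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Helper (constructed sample, not a real extension)",
    "version": "1.0",
    "permissions": ["<all_urls>", "tabs", "sessions", "bookmarks", "downloads",
                    "clipboardWrite", "notifications", "browserSettings", "storage"],
})

if __name__ == "__main__":
    report = audit_manifest(CONSTRUCTED_MANIFEST)
    for warning in report["warnings"]:
        print("WARNING:", warning)
    if report["all_sites"]:
        print("This extension can read and change every page you visit.")
```

Run it against the manifest.json inside any downloaded .xpi or .crx (both are zip files) before installing to see the same warnings the browser will show.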
As you may have already guessed, I’ve been wary of browser extensions for a long time. I wrote about how dangerous browser extensions are back in 2011: Why We Need a Google Condom for Chrome Extensions and again in 2017: Why Browser Extensions Are Dangerous but there are an increasing number of security experts now recommending caution on your use of browser extensions. One such expert is the cyber investigator Brian Krebs who writes the excellent Krebs on Security blog. His latest post was just published on March 3, 2020 and gives great advice and reasoning behind limiting the browser extensions you install: The Case for Limiting Your Browser Extensions.
Add to that my specific intention to limit (or completely stop) tracking as best I can — which is why I've moved from Google's Chrome to Firefox as my default browser — and you'll see why I am not just concerned about malware and rogue extensions: I'm even more concerned about third-party trackers and the companies that enable them to flourish to our detriment.
A CRACKDOWN ON EXTENSIONS
Fortunately there is a move by major browser companies (i.e., Google with Chrome and Mozilla with Firefox) to crack down on rogue and dangerous extensions. Ars Technica had this article published January 30, 2020: More than 200 browser extensions ejected from Firefox and Chrome stores:
The crackdowns highlight a problem that has existed for years with extensions available from both Mozilla and Google. While the vast majority are safe, a small but statistically significant sample engage in click fraud, steal user credentials and install currency miners, and spy on end users—in at least one case, millions of users, some of whom were inside large companies and other data-sensitive networks.
WHAT IF THE EXTENSION IS FROM A TRUSTED COMPANY?
“When you use the Websites or Products, we automatically gather information made available by your web browser (such as Microsoft Edge or Google Chrome), Internet service provider (such as Comcast or Time Warner), and device (such as your computer, phone, or tablet), depending on your settings for each. For example, we may collect your IP address, information about the operating system or type of device you use, the date and time you access the Websites or Products, and the location of your device.
Generally, the information addressed under this section is anonymous and does not, standing alone, directly identify you; however, it could possibly identify you when associated with other information. For example, if a third party were to see your IP address, they would not automatically know your name—yet your name could be associated with your IP address by your Internet service provider if you are the named accountholder.”
You could argue that the above is boilerplate and that all organizations do some form of this type of data aggregation. But when that data has specific intents like the following, it shows how they intend to use your data AND allow it to be shared with third parties:
“What about Third Party practices?
Third Party Cookies and Web Beacons: Advertising agencies, advertising networks, and other companies (together, “Third Parties”) who place advertisements on the Websites and on the Internet generally may use their own cookies, web beacons, and other technology to collect information about individuals. Except as expressly provided herein, we do not control Third Parties’ use of such technology and we have no responsibility for the use of such technology to gather information about individuals. It is up to you to familiarize yourself with the privacy practices of such Third Parties.”
Remember this quote when something like this useful extension is free, “You are not the customer. You are the product.”
WHAT EXTENSIONS CAN YOU SAFELY INSTALL?
“…a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser. To the advertiser, it’s like you suddenly disappeared.”
Though Firefox’s new privacy and anti-tracking capabilities are excellent, Privacy Badger completes the capability I seek to make tracking and surveillance even harder for the hundreds of third-party trackers out there. Firefox’s creator, Mozilla, also has a rigorous vetting process for extensions and maintains a short list of verified extensions that meet its Recommended Extensions program guidelines.
Here is the best article from Mozilla that I’ve seen yet on how to determine whether or not a browser extension is worthy of (and safe to) install, but if you already know these tips (or have read Brian Krebs’ article above), at least pay attention to wise advice like this from Dan Goodin, the writer of the previously linked-to article from Ars Technica:
“There’s no sure-fire way to know if an extension is safe. One general rule is that there’s safety in numbers. An app with millions of installs is likely to receive more scrutiny from researchers than one with only a few thousand. Another guideline: apps from known developers are less likely to engage in malicious or abusive behavior. The best rule is to install extensions only when they truly provide value. Installed extensions that are used rarely or not at all should always be removed.”
TechCrunch reported today that US attorney general William Barr says Americans should accept security risks of encryption backdoors and this idea is a very, very bad one. There is NO FUCKING WAY that I will allow my devices to have a backdoor in them … ever … and please note: this is NOT about me maintaining my social media, email or chat privacy. This is about protecting MY data and MY personal and client accounts.
If the U.S. Department of Homeland Security, Medicaid, Army, Office of Personnel Management, Department of Defense — and companies with their business and reputations at stake — can’t keep hackers out of their systems, how will the government protect a backdoor?
Check out this list of breaches on Wikipedia which starts out with this in the opening paragraphs, and scroll down to see how many companies and governmental organizations have been breached:
It is estimated that in the first half of 2018 alone, about 4.5 billion records were exposed as a result of data breaches. In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale.
If a backdoor is legislated to be put in our smartphones, tablets and computers, I can absolutely guarantee that it will get out into “the wild” and be used by blackhat hackers, regardless of what NON-TECHIES like Barr and Trump spout off about in rallies or articles.
Like CGPGrey has said, “There’s no way to build a digital lock that only angels can open and demons cannot. Anyone saying otherwise is either ignorant of the mathematics or less of an angel than they appear.” I submit that most leaders are not only ignorant of both the math and why it is not technically feasible to put a backdoor into encryption, they also don't care that we need to keep governmental (and hacker!) prying eyes out of our most sensitive information.
One glance at my iPhone shows that there are numerous apps that could destroy me financially and potentially provide access to my LastPass password manager … allowing subsequent access to nearly 2,000 passwords for clients and every website I’ve signed in to in the past. For example, any of these apps being compromised:
- Charles Schwab with access to my entire portfolio
- Wells Fargo with access to my wife and my accounts
- My Bitcoin wallet
- My Apple Wallet with multiple credit cards and Apple Store cards with money in them
- Signal communication app — which protects our communications when my wife, kids or myself are traveling overseas
- My LastPass app with connections to my password vault…
- …and too many more.
I could go on and on but let me have John Oliver amusingly inform you about the realities of having the government put a backdoor in and defeat encryption:
Congressional “theater” is happening right now and our ‘Congress Critters’ are all seemingly outraged at the privacy violations by Facebook, Google, and all the other tech companies we all use every day. Some even want to break them up as do various Democratic presidential candidates.
But I’d like you to notice that there is not a *peep* from any of them about all the other tracking companies out there, especially ones like Palantir.
Those tracking or “secondary surveillance network” companies are the REAL privacy threats. Literally everything you do digitally is tracked including:
- Buying anything either online or offline as your credit card data can be purchased by tracking companies and combined with other data
- Emailing and texting metadata is captured (the content is protected as a warrant is needed to search within an email)
- Moving around with your smartphone in your pocket provides tracking data of your movements
- Everything you do (or your devices do automatically) through your internet service provider is tracked now that net neutrality is dead (ISPs can sell your data)
- Everywhere your face is “recognized” by a camera connected to an increasing number of systems without any regulation since your public persona can be photographed
- And much more.
Want to See How Bad It Is?
Palantir is one company that has always scared the beejeezus out of me, as I’ve personally analyzed this completely opaque and secretive organization. But it wasn’t until I read this article, Revealed: This Is Palantir’s Top-Secret User Manual for Cops, that I said HOLY SHIT THIS IS BAD!
Turns out Motherboard obtained this Palantir user manual through a public records request, and it gives unprecedented insight into how the company logs and tracks individuals and their system goes far beyond what I ever imagined as a worst-case scenario:
“Palantir is one of the most significant and secretive companies in big data analysis. The company acts as an information management service for Immigrations and Customs Enforcement, corporations like JP Morgan and Airbus, and dozens of other local, state, and federal agencies. It’s been described by scholars as a “secondary surveillance network,” since it extensively catalogs and maps interpersonal relationships between individuals, even those who aren’t suspected of a crime.”
In addition, this article, 300 Californian Cities Secretly Have Access to Palantir, shows how hard various law enforcement and other agencies work to hide the fact that they even use Palantir:
Motherboard obtained documents via public record requests which reveal that the scope of Palantir’s influence in California is significantly larger than previously documented. Payment records indicate that between January 2012 and March 2017, about three hundred cities, collectively home to about 7.9 million people, had access to Palantir’s Gotham service through the Northern California Regional Intelligence Center (NCRIC), which is run through the Department of Homeland Security.
Why use Palantir’s Gotham service instead of licensing the software outright?
Gotham is one of Palantir’s two services, and the other service is Palantir Foundry. These 300 police departments could request data from Palantir, and an NCRIC agent would retrieve this data and provide it to local police. Per this arrangement, none of these departments have to disclose the fact that they have access to Palantir.
Read these articles and go scan the manual and you’ll see that it is trivial for any user of their system — whether directly with Palantir or one of their “service” companies — to obtain a HUGE ARRAY OF PERSONAL DATA on any one of us!
Again, notice how Palantir is not even in the conversation any Congress Critters or presidential candidates are having? Also, where is the mainstream media in all of this?
These secondary surveillance network/tracking companies are already out of control. Congress must act now but they won’t unless you tell them to do so and vote accordingly going forward.
Want to know more and/or take action like I have?
Ask your Congressperson and Senators to pay attention to and regulate these tracking/secondary surveillance network companies:
- More on Palantir
- More on Secondary Surveillance Networks
- Find your member of Congress and contact him or her:
Since I care (as we all should) about privacy, security, government surveillance, third-party trackers, and all the other downsides that have already happened to this thing we love called the internet, WE ALL need to stand up and make our voices heard about the recent bill passage to gut net neutrality. That's why I just donated (and have continued to donate) to the Fight for the Future cause and will be watching the livestream next Tuesday, June 11th, to see what is happening and to leverage social media to bring attention to it.
One year ago, Big Cable’s dream came true: they killed net neutrality, giving ISPs like Comcast, Verizon, and AT&T control over what we see and do online. Millions of people demanded that Congress restore net neutrality. In response, the House of Representatives passed the landmark Save the Internet Act. But Senate Majority Leader Mitch McConnell — who has taken over $1 million in campaign donations from Big Cable — is refusing to allow his branch of Congress to vote on this popular bill. So on June 11th, net neutrality supporters in the Senate will try to force a vote using a procedure called “Unanimous Consent.”
How can you help?
We’re organizing an epic livestream so that millions of everyday people just like you can watch their lawmakers, and hold their lawmakers accountable for their actions … or inaction. Fill out the form above and tell Congress why you support net neutrality. We'll make sure your comment gets hand-delivered to Congress, and we'll be reading our favorite comments during the livestream on June 11th. You can also spread the word on social media to make sure everyone knows what's happening.
Watch the livestream on June 11th
My wife and I had a terrifying loss of power in our new 2019 Honda Clarity yesterday AND we were in rush hour traffic on CA-73 (a toll-road that runs from Newport Beach to I-5 in Laguna Niguel, California) driving along at 70MPH.
Here is what happened and how we discovered afterwards that this is an intermittent, but seemingly common, and quite dangerous issue with the Honda Clarity PHEV.
LOSS OF POWER IN RUSH-HOUR TRAFFIC
It’s late afternoon yesterday (May 31, 2019) and we are headed home from an appointment up in Huntington Beach, CA. We are driving on CA-73 in the Clarity’s HV Mode. When the battery drops to two bars — the baseline where the car’s computer stops draining the battery to power the car — the engine is supposed to kick in, but instead it began REVVING and then lost ALL POWER.
Since we were going up a hill, the Clarity immediately dropped from 70mph to 40mph in seconds and kept dropping. Pushing the accelerator to the floor did nothing except redline the engine and it gave NO POWER TO THE WHEELS TO MAKE THE CAR GO.
Due to the rush-hour traffic on all sides (and cars coming up behind us at 70mph or greater), we were *barely* able to make it to the shoulder with cars honking and speeding around us! It was a truly terrifying experience. No matter what I did, I couldn’t get the car to power itself. I had to turn the car off, then back on, put it in “Sport” mode, and then we were able to drive it like it should work when the battery is depleted.
Just so you know, the Clarity Plug-In Hybrid has 3 modes: ECON, Sport and HV. ECON is battery-only. Sport is what you’d expect: it uses the battery and ICE (Internal Combustion Engine) to power the car simultaneously. HV mode uses the engine and the electric motor to power the Clarity as efficiently as possible in order to achieve the highest possible MPG.
In seconds I was switching between these modes in an attempt to get SOME power to safely get the car to the shoulder. My wife suggested turning on the hazard flashers which I did, and fortunately several cars slowed down so we could coast over to the side of the road and turn the car off.
After the adrenaline rush subsided, I was stumped that the car wasn’t smart enough to either warn me or, more importantly, to simply self-correct and not put us into such a dangerous situation.
FOUND OUT I’M NOT THE ONLY ONE
Returning home, I found DOZENS of postings showing this is an issue many people have experienced. I concur with most that this is a DANGEROUS situation and HONDA HAS BEEN SILENT on this major issue.
I’ve found about 15 places where people have described the exact issue we experienced, but some also discuss other situations where the car had this revving-no-power problem (revving is also euphemistically called “angry bees”) even without a depleted battery. At CarComplaints.com there are several, including many like these:
January 15, 2019: “3 days after purchase I was driving on an interstate when the car suddenly lost all power. I managed to pull to a slow lane but the lack of power continued for another 5 minutes. It had been running on battery just prior and I had 2 bars of power left. The outside temperature was about 15 degrees. The internal combustion engine began to race but only began to give adequate power to the wheels after 5 minutes. A terrifying experience. Honda checked out the car and said nothing was wrong. I am hearing of other cases being reported like mine.”
Steve Borsch note: This is what happened to us, but the outside temperature was approximately 67 degrees. In the next two CarComplaints posts I’ve bolded specific items of note:
January 09, 2019: “Car revs up when driving down the highway but drops speed to 10mph. It has done this 2 times once in town and once on US-23 while driving 70mph. There are several complaints about the car doing the same thing to other Clarity owners and this is a highly dangerous situation that Honda should take care of! Reineke Honda in Findlay Ohio had my car for about 3 weeks and while test driving it the car did the same thing for the service manager Mike Stevens. They took a control box off a brand new Clarity per Honda’s suggestion and I am driving the car and had no new problems so far. They were not sure this would fix the issue but so far it hasn’t happened again. This is a dangerous failure in the car and I am lucky I wasn’t driving in Columbus, Ohio the 2nd time the car did it or I would have been rear ended! Honda needs to make sure this problem is fixed!!!”
February 09, 2019: “On approx 6 occasions, when EV power is used up, the car switches to ICE mode with issues. When traveling up hill, it feels like the transmission is not engaging. The vehicle loses power, and does not accelerate. The ICE revs extremely high without speed gain. Have also experienced a downhill situation with nearly full EV in EV mode. Vehicle feels like it disengages drivetrain. When pressing the accelerator, there was no response. One feels helpless when this occurs. Most of the time, the car has switched from EV to HV automatically, without issue. But, the above phenomenon has happened 6 times in the last year; this is unsafe. The vehicle was sold as an EV, with a gas engine to take over when EV runs out. At no time was there any explanation regarding potential situations that would cause the vehicle to become unsafe and lose power. One should not have to ensure reserve EV power for potential power loss situations. When these situations have occurred, upon shutting off the car and exiting, there is a strong smell of burning rubber and other material similar to transmission and brakes, or hot metal. Clearly something is overheating, and if the vehicle was not shutdown and allowed to cool, a reasonable person might conclude that significant damage to the engine, electric motors, EV battery, or transmission would take place. I am no longer driving the vehicle as a pure EV for city driving. The fear of power loss without control is extremely upsetting, and consequently, not getting the value of vehicle. My spouse will not drive the vehicle as driver or passenger if the trip is to exceed 20 miles in one direction. My gas savings have dropped considerably as I am unable to risk running out of EV before my trip ends. This vehicle has been taken to the dealer 3 times, and inspected by Honda of America. They deny there is anything wrong with the vehicle.”
WHAT’S NEXT, HONDA?
What do I do next? More importantly, what do YOU do next, Honda? Almost all postings I’ve read say that dealer investigations turn up nothing and are a waste of time. I suspect it’s because the fundamental software code is at fault, something a dealer cannot fix.
HONDA: This is clearly a software issue since the switchover from HV Mode’s battery/engine, to only the engine, does not happen correctly. You must fix this before someone (or multiple people) die in a horrific crash and you are found to be at fault for not addressing this issue.
WHERE IT HAPPENED: Here is where it happened to us yesterday — we were headed southbound on CA-73 up a hill and the ‘shoulder’ we had to pull over on was on a bridge over El Toro Road, with cars racing by at top speed:
WHY A TWEET AND THIS POST: The primary reason I tweeted Honda today and am writing this post (and will tweet it too), is to document what happened, where it happened, and to have an audit trail in case something happens to me or my family while driving this car … or Honda does nothing to fix this issue and puts an unknown number of Clarity PHEV owners in continued jeopardy.
Last evening I saw this article link from Steiger Legal, on a blog run by Swiss lawyer Martin Steiger, in which he published a damning allegation that my beloved ProtonMail, the end-to-end encrypted email provider, was:
Email service provider ProtonMail, based in Switzerland, offers assistance for real-time surveillance: Voluntarily!
Steiger goes on to write a factually incorrect article about ProtonMail on his blog, alleging, among other things, that “ProtonMail voluntarily offers assistance for real-time surveillance.”
Fortunately ProtonMail responded with, in part, this clear statement:
So that there can be no ambiguity: ProtonMail does not voluntarily offer assistance as alleged. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in all criminal cases. Furthermore, ProtonMail’s end-to-end encryption means we cannot be forced by a court to provide unencrypted message contents.
That’s crystal clear in my view. Just to restate that last sentence: even if a prosecutor were able to scrape metadata about which user emailed which other person(s), the contents of the email could not be decrypted by ProtonMail and handed over (and neither could a government or intelligence service decrypt them without massive computing power and a lot of time!).
Hi Steve, these allegations are false, and have also been refuted by the Swiss public prosecutor earlier this week. We have responded on our blog here with more details: https://t.co/xdz2xfF4pu
— ProtonMail (@ProtonMail) May 31, 2019
I then responded and apologized for being rash and not investigating fully before tweeting:
Thank you for the clarification! Had not yet read the HN thread nor your post. Should have gone there first … apologies for that.
Note: With all the recent breaches and revelations that mobile apps are “phoning home” with metadata, my paranoia is accelerating. https://t.co/7XAkEEKD8B
— Steve Borsch (@sborsch) May 31, 2019
The “recent breaches” and “phoning home” items I referred to in my reply to ProtonMail were:
- Brian Krebs’ scoop that First American Title company exposed 885 million Americans’ home purchase documents (Note: They were my title company when we bought and closed on a new house out here in California only six months ago).
- Washington Post article about how their privacy experiment showed 5,400 hidden app trackers guzzled our data — in a single week on the reporter’s iPhone.
Is it any wonder I rushed to judgment about a secure email service I rely upon to keep my emails to family and friends — and the PDFs, Word docs, and Excel spreadsheets with vital data in them — secure from prying eyes?
Thank you, ProtonMail team, for helping to keep us safe and secure!
Remember when Apple’s Tim Cook wouldn’t put in a backdoor to iOS so the FBI could gain access to the San Bernardino terrorist’s iPhone? THIS IS WHY!
If the NSA can’t control software as destructive as this, how can any government guarantee a compromised operating system won’t get out into the wild? (One guess: they cannot, and Tim Cook was 100% right).
Read this article in The New York Times as it tells the story of the NSA’s software loss well.
We must have end-to-end encryption on our devices. Period.
It happened again this morning: A friend reached out to tell me their PC’s 1TB hard drive had crashed and could I help? Of course you guessed it, they did not have it backed up, the drive was toast, and they have either lost everything or could pay close to $2,000 to have the drive recovered!
I have a hard time feeling any sympathy for them, especially since he and I have discussed backup numerous times. I’ve always encouraged him to buy one of the inexpensive backup drives that exist, which make backing up so simple that anyone can do it, even him. So I’ll implore you to back up, just as I implored him (he is serious about it now, after it is too late): PLEASE back up all of your systems and, especially, your main PC or Mac. It’s not IF your hard drive will fail, but rather WHEN it will fail.
WHY I DON’T BACKUP TO CHEAP DRIVES
For me, however, a cheap backup drive won’t do it which is why I use the ioSafe G3 drives:
The ioSafe Solo G3 is a fireproof and waterproof external hard drive engineered to keep data safe during fires and floods and to protect it from theft. Designed for optimal reliability, the G3 hard drive is the easiest way to protect your photos, videos, documents and other irreplaceable data.
I’ve written about these drives before here and here and I own two of them. My iMac has a 1TB solid state drive in it and I have one external 3TB ioSafe G3 drive which is nearly full of music, photos, and files. Both my iMac’s drive and my external 3TB drive are encrypted with FileVault, so I needed a 4TB external drive to use for a Time Machine backup drive. So I purchased that second ioSafe drive — this time in a 4TB size — to back them both up (and yes, everything is encrypted there too).
In fact, today I ordered another ioSafe G3 drive, but this time in a 6TB configuration. Why? Because my Time Machine backups only go back 30 days and I want them to go at least 30 days further back and maybe longer, so an extra 2TB of storage will enable me to do that (and I’ll wipe my 4TB drive and connect it to my wife’s iMac).
WHY I DON’T BACKUP TO THE CLOUD
Consider me paranoid, but unless I control the private encryption key I don’t feel my data is safe. Anyone with that key can unlock my data and view it (e.g., Dropbox can, in theory, read all of your files).
The only one I would consider is SpiderOak’s personal One backup plan, a solution that encrypts your data before it is backed up and sent to their servers. As good as SpiderOak is, there are a few “fatal flaws” I see with using it (or any cloud service) as my primary backup solution:
- My data is in the cloud on someone else’s servers.
- It takes forever to transfer large data files so backing up is time consuming. Moving huge files can also hammer on your internet service provider’s data caps (which are becoming more common now that TV streaming is ubiquitous and used by more people than ever before) so you’ll have to pay more for data.
- The 5TB service I’d need is $29 per month ($348 per year) which would buy an ioSafe G3 drive itself!
WHY I USE IOSAFE DRIVES & BELIEVE THEY’RE THE BEST
Look … you can go ahead and back up to cheap drives. But let’s say your house catches on fire and the fire department arrives to put it out. If the area near your computer burns, your PC is melted and so are your backup drives, and everything will be lost. Even if it doesn’t burn and melt, the water used to put out the fire will most likely compromise the backup drives and make them unrecoverable.
The features that make it “the best” backup solution money can buy include:
- The ioSafe drives can withstand temperatures up to 1550°F for 30 minutes per ASTM E119 (PDF).
- They can be completely submerged in fresh or salt water up to a 10′ depth for 72 hours (which is so much more than a firehose would douse them with in a house fire).
- The drives can be secured to either the floor or a hard-to-move object to prevent the drive, and the data it holds, from being stolen (I bolted my drives to my desk when our house was up for sale so no one could grab one and run off with it!).
- These drives are very, very quiet and, with USB 3, they are fast.
- They are a “set it and forget it” backup solution. If you have a Mac, use Time Machine to back up your computer. If you have a Windows PC, buying an ioSafe drive includes a license to Genie Timeline Professional: easy to use backup software for Windows that can protect your data with military-grade 256-AES encryption.
Living here in southern California makes drives like these even MORE important for my wife and for me. With earthquakes, wildfires, and more humans than most places on earth (so more likelihood of theft), having these drives as my backup solution gives me peace of mind.
HOW AND WHERE TO BUY
Though you can buy these drives directly from ioSafe, here are a few places to pick up a 2TB, 3TB or 4TB drive less expensively:
- Amazon has the G3 2TB for $315.00
- Amazon has the G3 3TB for $349.99
- If you are a Costco member, you can pick up an ioSafe G3 4TB drive for $349.99
WHATEVER YOU DO … BACK UP!!
“Borsch, you’ve told me I need to back up … I get it!” OK, OK … but I thought my buddy didn’t want to hear me pontificate about backing up either and he didn’t … and now he’s lost all his photos, videos, emails and other data.
Don’t be like my buddy … back up now.
Disclaimer: I receive absolutely nothing from ioSafe or anyone else for my enthusiasm for their incredible hard drives. Yes, I do think they’re the best and just want everyone to back up!
I’ve been dubbed “Mr. Security” by my friends, family and clients (I pay significant attention to, and use, cybersecurity, privacy and software measures), but my pleadings with them to be secure are often ignored…until they get hacked. Then they plead with me to help them out and get their digital life back on track. Usually it’s too little, too late, and the work to recover is enormous.
You should care deeply about your digital life and its security, especially since the risk of getting hacked is exploding! The World Economic Forum in its 2018 report (PDF) said blackhat hackers are gaining the upper hand in cyber warfare…and they are coming after you…and even the experts can’t keep up:
“Offensive cyber capabilities are developing more rapidly than our ability to deal with hostile incidents.”
Here’s the good news: if you haven’t yet been hacked it’s likely you will be at some point, so let’s get you cyber secure NOW!
I was delighted this morning to discover this Security Checklist, “An open source checklist of resources designed to improve your online privacy and security. Check things off to keep track as you go.”
The Security Checklist is very comprehensive, easy to follow, and one you should look at and implement as quickly as possible. It gives you the “why” and specific resources to use for each category, making this pretty brain-dead-simple to follow and implement:
- Password Manager
- Create a strong device passcode
- Use two-factor authentication
- Set up a mobile carrier PIN
- Encrypt your devices
- Freeze Your Credit
- Use 1.1.1.1 for DNS resolution
- Use a VPN
- Cover your webcam
- Use a privacy-first web browser
- Use a privacy-first search engine
- Review app permissions on your devices
- Review your social media privacy settings
- Educate yourself about phishing attacks
For years I’ve been a staunch supporter of Google and trusted them, loved their services like G Suite, Gmail, Google Voice, and others, all while admiring their machine learning and artificial intelligence research. One thing I specifically trusted was Google’s Don’t Be Evil motto, which was baked in to the company’s Code of Conduct.
Then, back in May, I became troubled when they removed Don’t Be Evil and replaced it with Do The Right Thing. At the time I joked with a friend of mine asking him, “Is ‘do the right thing’ for us, or for Google?”
It appears the motto change was focused on Google.
The biggest shift away from that “Don’t Be Evil” motto that Google has ever made just happened. The discussion started in a Hacker News thread a few weeks ago, but it was Matthew Green, a cryptographer and professor at Johns Hopkins University whose blog I follow, who laid out the problem in a post entitled Why I’m Done with Chrome. In it he said:
A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you.
Green also sees this move as having serious implications for privacy and trust. Do you think!?! My trust level in Google has plummeted. So much so that I have now shifted 100% back to Mozilla’s Firefox browser and away from Chrome. I will no longer use Chrome until they change the way they invade my privacy.
SO WHAT EXACTLY DID GOOGLE DO?
Google’s recent update to Chrome (browser version 69) has done something unprecedented in its history:
a) Once you are signed in to Chrome as a user, Google can (and does) tie what you do in the browser to your account: every site you view, every login. The change? If you log in to any Google service (Gmail, YouTube, and so on) in the Chrome browser, Chrome now signs the browser itself in to that account, without asking you, and that is what gives Google a view of everything you’re doing within Chrome. Note that browser sign-in and Chrome Sync are distinct: Sync, which uploads your history, bookmarks and passwords to Google, is not switched on automatically, but once the browser is signed in it is a single click away in the profile menu, which is exactly where the dark-pattern problem below comes in.
c) Google is increasingly using “dark pattern” user interfaces in its services to hide or obfuscate what something does when you check, uncheck or choose an option. In ExtremeTech’s article Chrome 69 Is a Full-Fledged Assault on User Privacy, they describe how Google’s dark-pattern interfaces obscure what an option really does, so that you end up enabling whatever is right for Google:
These changes are all part of what’s known as a dark pattern. If a pattern is defined as a regularity in the world (designed or naturally occurring) that repeats in a predictable manner, a dark pattern is an attempt to trick users by designing interface options that look like the options users expect to see.
I, for one, don’t want to research, study or figure out how a company I trust might be trying to trick me into doing something that is in THEIR best interest…and not mine. I’d rather pay for offerings and am growing tired of “being the product”.
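If you have to keep using Chrome (say, for work) but want to stop the browser from signing itself in, Google later exposed this behaviour as a managed policy: BrowserSignin (0 disables browser sign-in entirely; it needs Chrome 70 or newer) and the older SyncDisabled. The script below is an added example, not from the original post and not Google’s own documentation; it assumes Chrome on Linux, which reads managed policies from /etc/opt/chrome/policies/managed/ (the directory is overridable here via CHROME_POLICY_DIR, and the file name no-browser-signin.json is my own choice). Windows administrators set the same policy names under HKLM\Software\Policies\Google\Chrome, and macOS uses a com.google.Chrome managed-preferences profile.

```shell
#!/bin/sh
# Added example (not from the original post): write a Chrome managed-policy file
# that stops Chrome from signing the browser in when you sign in to a Google
# site, and disables Sync outright. Assumes Chrome on Linux, which reads
# policies from /etc/opt/chrome/policies/managed/ (Chromium: /etc/chromium/
# policies/managed/). BrowserSignin needs Chrome 70+; SyncDisabled is older.

POLICY_DIR="${CHROME_POLICY_DIR:-/etc/opt/chrome/policies/managed}"

# write_signin_policy DIR: writes DIR/no-browser-signin.json and prints its path.
write_signin_policy() {
    dir="$1"
    mkdir -p "$dir"
    file="$dir/no-browser-signin.json"
    # BrowserSignin: 0 = disabled (no browser sign-in, no account consistency),
    #                1 = enabled (the Chrome 69 behaviour), 2 = forced.
    cat > "$file" <<'EOF'
{
  "BrowserSignin": 0,
  "SyncDisabled": true
}
EOF
    chmod 644 "$file"
    printf '%s\n' "$file"
}

# policy_value FILE KEY: pull a scalar value back out of the file, so you can
# verify what was written before trusting chrome://policy to show it.
policy_value() {
    sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\([^,]*\),\{0,1\}$/\1/p" "$1"
}

# Run with --install (as root) to write the policy to the real directory.
if [ "${1:-}" = "--install" ]; then
    write_signin_policy "$POLICY_DIR"
fi
```

After writing the file, restart Chrome and open chrome://policy; both names should appear with status OK and the “Allow Chrome sign-in” toggle in Settings becomes managed. Signing out of the browser alone is not enough: without the policy, the next Gmail login signs it straight back in.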
- GOOGLE NEWS COVERAGE: FIND IT HERE (yes, I’m aware of the irony)
- THE VERGE: Google criticized for Chrome change that logs users in without telling them: “The latest version of the browser, Chrome 69, is pushing users into sharing more data, say critics”
- WIRED: A Seemingly Small Change to Chrome Stirs Big Controversy
- THREATPOST: Google’s Forced Sign-in to Chrome Raises Privacy Red Flags
- INQUIRER: Chrome 69 secretly logs you in to Chrome Sync when you visit a Google site
- SECURITY RESEARCHER S. BÁLINT: Chrome is a Google Service that happens to include a Browser Engine