Watch that keyboard!

We are using our mobile phones for more and more work-related tasks, and the bad guys know this and are getting sneakier about ways to compromise them. One way is to use a third-party keyboard that can be used to capture your keystrokes and send your login info to a criminal that then steals your accounts, your money, and your identity.

What are these third-party keyboards? You can get them for nearly everything – sending cute GIFs and emojis, AI-based text predictors, personalized suggestions, drawing and swiping instead of tapping and even to type in a variety of colored fonts. One of the most popular iOS apps from last year was Bitmoji, which allows you to create an avatar and adds an emoji-laden keyboard. Another popular Android app is Swiftkey. These apps have been downloaded by millions of users, and there are probably hundreds more that are available on the Play and iTunes stores.

Here is the thing. In order to install one of these keyboard apps, you have to grant it access to your phone. This seems like common sense, but sadly, this also grants the app access to pretty much everything you type, every piece of data on your phone, and every contact of yours too. Apple calls this full access, and they require these keyboards to ask explicitly for this permission after they are installed and before you use them for the first time. Many of us don’t read the fine print and just click yes and go about our merry way.

On Android phones, the permissions are a bit more granular, as you can see in this screenshot. This is actually just half of the overall permissions that are required.

An analysis of Bitmoji in particular can be found here, and it is illuminating.

Security analysts have known about this problem for quite some time. Back in July 2016, there was an accidental leak of data from millions of users of the ai.type third-party keyboard app. Analyst Lenny Zeltser looked at this leak and examined the privacy disclosures and configurations of several keyboard apps.

So what can you do? First, you probably shouldn’t use these apps, but trying telling that to your average millennial or teen. You can try banning the keyboards across your enterprise, which is what this 2015 post from Synopsys recommends. But many enterprises today no longer control what phones their users purchase or how they are configured.

You could try to educate your users and have them pay more attention to what permissions these apps require. We could try to get keyboard app developers to be more forthcoming about their requirements, and have some sort of trust or seal of approval for those that actually play by the rules and aren’t developing malware, which is what Zeltser suggests. But good luck with either strategy.

We could place our trust in Apple and Google to develop more protective mobile OSs. This is somewhat happening: Apple’s iOS will automatically switch back to the regular keyboard when it senses that you are typing in your user name or password or credit card data.

In the end though, users need to understand the implications of their actions, and particularly the security consequences of installing these keyboard replacement apps. The more paranoid and careful ones among you might want to forgo these apps entirely.

Practical ways towards more secure logins

Lately, numerous websites have adopted better security practices, supporting a wider variety of multiple factor authentication or MFA. I have been trying these out and for the most part they install relatively easily, although your mileage will vary. The idea is that you want something more than your username (often just your email address) and a password. No matter how complex your password, it can be circumvented by a determined hacker. And many of us (you know who you are) don’t use very complex passwords, or reuse them across various sites.

Let’s start first with the MFA tools that I want to use. First up is Google Authenticator. This is a smartphone app that generates a one-time PIN. You get to the dialog box on your website and enter the PIN and you can complete your login. Google Authenticator is dirt simple to setup: you scan a QR code that is displayed on your screen and it then shows you an entry for your website. The PIN changes every minute, so it is a lot harder to spoof than a code that is sent to your phone via text messaging.

The other tool is the Yubikey, a USB device that supports the FIDO standards from Yubico. There is a small button on the device that you press, and that sends the appropriate code to your website at the appropriate time to complete your login. They are inexpensive and now support a wide variety of website logins. Again, setup is fairly straightforward, and I just leave my key in my desktop’s USB port so I don’t have to worry about losing it.

If you use both methods (and you should, why not), this will prevent someone else from trying to login to your account, even if they know your password. Once you have completed a successful login on one device, you aren’t prompted again for the extra security.

Twitter announced this past week that they support the Yubikey, which adds to their existing support of Google Authenticator and other authenticator apps. Here are the instructions for setting it up. The interface for doing this can be found starting with this menu, under the Security heading. It isn’t all that verbose an interface, but you can choose which of the three methods (text, Yubico key, and mobile app) or all of them to use for the additional security.

Next up is my WordPress blog. If you host your blog on WordPress.org, they have long supported various MFA methods, including Google Authenticator, Authy, Duo and others. If you use WordFence Premium, you can also get the MFA protection. Speaking of WordFence, you really should use it (at least the basic version): it will tell you who is trying to break into your blog and last week I got several thousand attempts, which I think was a new record for me.

So I was more motivated to start having better protection for my login there. Since I use the basic WordFence, I looked around and found miniOrange, another plug-in that supports WordPress as well as Magento, Drupal and Joomla CMS. It works with Google Authenticator as well as its own QR code reader and soft token apps. I used the free version, but if you pay extra for a miniOrange account, you can support more than a single user as well as get additional MFA methods, including Yubikey. There are several other MFA plug-ins for WordPress, but I didn’t try them.

While I was doing these installations, my bitcoin wallet app notified me that they were requiring everyone to add MFA to their logins soon, otherwise I wouldn’t be able to transfer any funds in or out of my account. That is a smart decision, especially given the number of recent exploits in this market space. So I got Google Authenticator working on that as well.

Finally, a few weeks ago I was getting all sorts of notifications that someone was trying to login to my Facebook account, so I wanted to add both Google Authenticator and Yubikey to that login. I ran into problems: when I wanted to add the Authenticator app, Facebook turns on “Allow logins without a code for one week.” You can’t then turn this off without disabling my Authenticator app.  I am not sure this is a good idea, but when I went back to check on it for this post I couldn’t find the setting. Your dialog box when done will look like this.

As you can see, this is still not completely ready for your mom’s logins. (At least, it isn’t ready unless you want to support her when she has problems.) But you should take the time and add these tools to protect your own logins.

Fixing Facebook’s flaws

Facebook has been under fire for the past several months as Zuck does his World Apology Tour, both in DC and in Belgium giving testimony to the EU Parliament. That link takes you to a YouTube video from The Verge which shows him not answering very pointed questions from the body’s members. The EU format was very different from his US Congressional testimony in April: In Europe, the session was just an hour and a half, with much of that time taken up by Members’ speeches. In the States, he was there for a total of ten hours.  Business Insider called the EU appearance “a wash out.” That difference between the two geographies was noted by lawmakers quoted in Vox. “We are here in terms of regulation,” said Claude Moraes of the British Labour Party, gesturing upward with one hand, “And the United States is here,” gesturing downward with the other.

Sadly, the social media giant has paid lip service in protecting users’ privacy. There is this story in the NY Times about how it cooperated with the major cellphone vendors to give them access to vast amounts of private user data.

And the company hasn’t done very well towards policing its content for terrorist and hate speech. This recent post in the UK’s Independent talks about the effort that the vendor is going to try to block hate speech in Germany. The reporter takes us inside a 1200-person cubicle farm where analysts try to screen content in real time.

But to get a more complete picture, you should read this report last month from the Counter Extremism Project called Spiders of the Caliphate. It lays out a chilling analysis of how poorly Facebook has been in policing pro-ISIS propaganda. It documents how their supporters operate on that network and even leverage its features. ISIS’ online networks are growing and are used to plan and direct various terror attacks as well as to mobilize foreign supporters to fight in various places around the world. ISIS’ Facebook presence is pervasive and well organized. According to the authors, ISIS “has developed a structured and deliberate strategy of using Facebook to radicalize, recruit, support, and terrorize individuals around the world.” They found from careful path analysis that ISIS’ “Facebook networks are strong, extensive, and growing.”

The authors selected a thousand Facebook accounts that they claim are ISIS supporters, using positive language and geolocation to specific areas, usernames with pro-ISIS meaning, accounts from people that claimed they worked at ISIS or are from place names that are under ISIS control. You would expect many of these accounts to originate from the Middle East, but there also were accounts from Nepal, South Korea and South America too: ISIS has truly gone global. There were even American accounts.

They examined each account’s timeline and pattern of liking and sharing posts and then recorded the number of their friends or followers and other data. They then visualized this data using the open source network path analysis tool Gephi. While I am not an expert here, it seems their methodology is sound.

They found many disturbing things. There were 28 accounts that were used exclusively to post pro-ISIS propaganda, with some posts that have remained online for more than a year and racked up thousands of views. Also, “a group of American ISIS supporters holds weekly meetings on Facebook Live to discuss topics ranging from ISIS ideology to how to avoid detection from the FBI.” ISIS supporters live in more than 80 different countries. Most supporters had publicly visible posts, too.

Facebook’s misleading efforts to counteract terrorism

Facebook says they have worked hard to try to stem this pro-ISIS tide, but the CEP report documents how they have mislead the public and been largely ineffective. The report says that Facebook has been unable to do anything “in a manner that is comprehensive, consistent, and transparent.” Rather, it has enabled ISIS supporters to flourish and grow their social networks. Of the 1,000 accounts analyzed, less than half of them had been removed by Facebook by March 2018, and many accounts were reinstated multiple times after removal. “Perhaps most concerning is that Facebook’s suggested friends algorithm reveals how the company’s tools have aided in connecting extremist profiles and help expand ISIS networks.” The report goes further and says that Facebook executives have purposely misled policymakers and the public in terms of their cleansing of their network from pro-ISIS activities.

The post in New Europe was quite disparaging and called Zuck’s non-answers before the EU evasive and a disaster. It mentions his claim that Facebook “can flag 99 percent of the ISIS and al-Qaeda related content that we end up taking down before any person in our community flags that for us.” Clearly, that number (apart from being meaningless) is at odds with the CEP report.

One final personal note about Facebook’s inadequacies.  Two months ago, I tried to download information from Facebook and other Internet sites that they have collected about my usage, and documented the experience in my blog here. It wasn’t an easy exercise, but it was sobering to see how many advertisers had my name in their sights, and in their sites as well. None of the Internet properties make this easy for you to do, but the effort is worthwhile and another eye-opener.

The New Europe post says, “It’s not like Facebook doesn’t have the resources to do better. Facebook’s market capitalization is more than the GDP of Belgium. Until Facebook finally tells the truth, it will be difficult for lawmakers and the public to hold it, and other tech companies, accountable for the level of disturbing and harmful content that proliferates online today.” Finally, I speak to this issue of corporate and leadership integrity on Shel Holtz’ For Immediate Release podcast this week. (Skip to 12:15 if you don’t want to listen to the entire hour.)

Having better risk-based analysis for your banks and credit cards

When someone tries to steal money from your bank or credit card accounts, these days it is a lot harder, thanks to a number of technologies. I recently personally had this situation. Someone tried to use my credit card on the other side of Missouri on a Sunday afternoon. Within moments, I got alerts from my bank, along with a toll-free number to call to verify the transactions. In the heat of the moment, I dialed the number and started talking to my bank’s customer service representatives. Then it hit me: what if I were being phished? I told the person that I was going to call them back, using the number on the back of my card. Once I did, I found out I was talking to the right people after all, but still you can’t be too careful.

This heat-of-the-moment reaction is what the criminals count on, and how they prey on your heightened emotional state. In my case, I was well into my first call before I started thinking more carefully about the situation, so I could understand how phishing attacks can often work, even for experienced people.

To help cut down on these sorts of exploits, banks use a variety of risk-based or adaptive authentication technologies that monitor your transactions constantly, to try to figure out if it really is you doing them or someone else. In my case, the pattern of life didn’t fit, even though it was a transaction taking place only a few hundred miles away from where I lived. Those of you who travel internationally probably have come across this situation: if you forget to tell your bank you are traveling, your first purchase in a foreign country may be declined until you call them and authorize it. But now the granularity of what can be caught is much finer, which was good news for me.

These technologies can take several forms: some of them are part of identity management tools or multi-factor authentication tools, others come as part of regular features of cloud access security brokers. They aren’t inexpensive, and they take time to implement properly. In a story I wrote last month for CSOonline, I discuss what IT managers need to know to make the right purchasing decision.

In that article, I also talk about these tools and how they have matured over the past few years. As we move more of our online activity to mobiles and social networks, hackers are finding ways at leveraging our identity in new and sneaky ways. One-time passwords that are being sent to our phones can be more readily intercepted, using the knowledge that we broadcast on our social media. And to make matters worse, attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications.

Of course, all the tech in the world doesn’t help if your bank can’t respond quickly when you uncover some fraudulent activity. Criminals specifically targeted a UK bank that was having issues with switching over its computer systems last month, knowing that customers would have a hard time getting through to its customer support call centers. The linked article documents how one customer waited on hold for more than four hours, watching while criminals took thousands of pounds out of his account. Other victims were robbed of five and six-figure sums after falling for phishing messages that asked them to input their login credentials.

Steve Ragan in a screencast below shows you the phishing techniques that were used in this particular situation.

The moral of the story: don’t panic when you get a potentially dire fraud alert message. Take a breath, take time to think it through. And call your bank when in doubt.

 

Finding the right escape room for your group

I am a bit slow to the whole escape room phenomenon, but it seems like a great idea to me. While I am not a computer gamer, I have run sites with that editorial content and know many professional gamers as a result. I am also a big Sudoku and crossword fan, having done those puzzles for more than a decade.

The idea, if you are still not tuned in, is to bring a few friends to a facility and try to escape from a locked room within an hour. You have to solve various puzzles. Actually, you have to find the clues and then figure out the puzzle, without a lot of guidance. If you haven’t ever done a room, you first have to be very observant, looking at what objects have been placed in the room, what information is written on the walls or displayed on various monitor screens, and what objects might lead you to other things. For those of you that don’t like solving puzzles, this is probably not something you are going to like. If you do like puzzles, or if you go to haunted houses every fall (or even build your own), this is probably something you have already checked out.

While I am not a computer gamer, I recognize that many years ago I spent weeks of my life trying to solve the puzzles of Myst. Back then, I said that “Myst starts out a total puzzle, and as you gain skills and understand the sequence of play involved, you get drawn into the universe of the game and lose track of real life and elapsed time.” You can say that about many modern computer games too. The problem with this is that you only have an hour to escape your particular room, and you don’t know how many puzzles you will have along your journey.

Given that there are thousands of rooms in cities all over the world, if you want to try one out the next hurdle is going to be to find one that suits your particular skills, experience, and group. Wouldn’t it be nice if someone reviewed rooms with some sort of consistency? Fortunately, there is a site that does called EscRoomAddict. I spoke to one of their editors, named Jeremie Wood. (You can see a sample of one review here.)

The site has teams of reviewers in LA, Chicago, New York, Kansas City, Denver and Toronto, which is where they began four years ago. They have reviewed more than 400 rooms in North America. There are other sites that have reviews, but not as well organized or as consistent in their evaluations as ERA, as they call themselves. The site doesn’t pay their reviewers, but usually the room operator comps the reviewers to do the room. Many of his reviewers have played 50 or more rooms during their tenure, and Wood himself has lost count but thinks he has been party to at least 180 room reviews.

He told me based on his experience that he doesn’t think the escape room craze has peaked yet, and there are still new rooms being built. One opportunity is to try to attract more corporate customers, who use the room as a team-building exercise. And part of that effort is what motivated the founders to start ERA, so that corporate customers could find the best rooms in a particular location.

The escape room landscape is also changing. “Many of the early operators have closed, mainly because the standards for the best experience keep going up.” You might think that the best rooms are the ones that take the most money to build, but that hasn’t been his observation. “I have seen great rooms that didn’t cost much, and lousy rooms that were very expensive,” he said. ”You don’t have to spend huge amounts of cash, but you do have to know what you are doing and design something that has really great puzzles and a great story.”

One of the reasons I like the ERA site is that it attempts to have consistent review metrics for all of its room reviews. The teams from the various cities met earlier this year here in St. Louis to try to iron out consistent style and to set up minimum requirements for their reviews. The reviewers also try to take into account a wide range of puzzle solving ability in their write-ups. Each room is done by at least three different people, who then collaborate on the review, and they usually agree on their evaluation.

Having been to so many rooms, Wood told me that the average Canadian rooms are smaller and more suitable for 4 to 6 people, whereas in the States, they can hold more participants. Also, in Canada, you usually book a room exclusively for your own group, even if it is smaller than the room capacity. In the US, your team is sharing the room with others if the demand is there.

If you have particular room experiences and want to share them with my readers, please post a comment here.

Hedy Lamarr, The First Geek Movie Star

The story sounds almost like a Hollywood plot, except it is true: A young starlet doing nude scenes as a teenager, goes on to invent a critical wartime technology that is ignored by the US Navy but ultimately forms the basis of WiFi and cell phones that we use today. Of course, I am talking about the life and times of Hedy Lamarr, the subject of a 2017 documentary film called Bombshell that is available from the streaming services.

She was also the subject of a 2011 biography from Richard Rhodes. I heard Rhodes back when he was promoting his book. Rhodes is the author of many intriguing history of science works, including the story of the Manhattan Project, and his book is worth reading. So is the film, which is also based on a 1990 taped interview that was recently found.

She is a fascinating study in how someone with both beauty and brains can not necessarily make the best of both thee worlds, but was constantly reinventing herself.

The movie traces her acting career and has various clips, including scenes from the provocative film Ecstasy, the one cited earlier that began her career and was banned by Hitler eventually. Lamarr was even the basis of one character in Mel Brooks’ Blazing Saddles.

Both the film and the book show how one of Lamarr’s many inventions, which she developed with her music composer neighbor George Antheil, came about through an odd inquiry. Lamarr was interested in a boob job and Antheil had written about early efforts in that area, again presaging another important intersection of Hollywood and technology. The duo went on to get a patent for a new technique for frequency-hopping radio communications. While not taken seriously at the time, it ultimately was deployed by the military in the 1960s during the cold war. While the technique involved piano rolls, the basis of frequency hopping continues to be used as part of spread-spectrum radio communications that are in common use today. Along the way, Lamarr made many movies and married and divorced six husbands, the first of whom was a Nazi arms merchant that got her interested in developing new technology for the war effort once she fled to America. She lived to be honored by the Electronic Frontier Foundation a few years before she died in 2000.

It is hard for many of us to grok a movie star with her trips to the patent office and test tube rack in her trailer on the movie set, but she was the real deal.

Lamarr once said that “Any girl can be glamorous. All you have to do is stand still and look stupid.” She was anything but.

Keeping your home safe from the Internet of Bad Things

Back before we had nearly universal broadband Internet in our homes, the only safety electrically-powered device that we had to worry about was to replace the batteries in our smoke detectors every six months. With the Internet of Things, we now have a lot more capabilities, but a lot more worries.

Some friends of mine have 23 connected devices to their home network: a Nest thermostat, security cameras, Alexa, smart TVs, network printers, gaming systems, smart watches and their computers. I am sure I have forgotten a few others. All of them can be exploited and used for evil purposes. Think of them as that back door to your home that is wide open.

This exploit for smart TVs was a news item last year. It uses a special digital broadcast signal to gain access to your TV’s firmware. I have been trying to update my firmware for weeks with no success, but I guess hackers are more adept. Still, this is a major concern for IoT devices both in the home and in the workplace. Many device makers don’t have any firmware update mechanism, and those that do don’t make it easy or automatic for users to do it. And devices are usually not monitored on corporate endpoint protection tools, which are usually designed for Windows, Mac and Linux machines.

Part of the problem is that the number of IoT devices continues to climb, with estimates in the tens of billions in the coming years. These devices are seemingly everywhere. And they are an attractive target for hackers. Hajime, Mirai, Reaper, Satori and Amnesia are all IoT-based malware that has been seen in the past couple of years. The hackers understand that once you can discover the IP address of a device, you can probably gain entry to it and use it for evil purposes, such as launching attacks on a corporate target or to leverage access to a corporate network to steal information and funds.

So what can you do? One friend of mine is so concerned about his home network that he runs his own firewall and has two different network-attached storage devices that make copies of his data. This enables him to get rid of having any data on his computers and removes all at-risk programs on them to further secure them. That is probably more than most of us want to do, but still it shows the level of effort that you need to keep things safe.

If you aren’t willing to put this much effort into your home network, here are a few easier steps to take. First, make sure you change all of your devices’ default passwords when you first install them – if you can. Some products have a hard-coded password: if security is a concern, toss them now. Second, if you don’t have a firewall/router on your home network (or if you are using the one supplied by your broadband provider), go out and get one. They now cost less than $100 and are worth it if you can take the time to set them up properly to limit access to your networked devices. Next, make sure your Wifi network is locked down appropriately with the latest protocols and a complex enough password. If you have teenagers, setup a guest network that limits their friends’ access.

Granted, this is still a lot more work than most of us have time or the patience for. And many of us still don’t even replace our smoke detector batteries until they start beeping at us. But many of you will hopefully be motivated to take at least some of these steps.

Learning about what data your social networks keep about you

Brian Chen’s recent piece about social media privacy in the NY Times inspired me to look more closely at the information that the major social networks have collected on me. Be warned: once you start down this rabbit hole, you can’t unlearn what you find. Chen says it is like opening Pandora’s box. I think it is more like trying to look at yourself from the outside in. There is a lot of practical information and tips here, you might want to file this edition of Web Informant away for future reference when you have the time to absorb all of it.

Why bother? For one thing, the exercise is interesting, and will give you insights into how you use social media and whether you should change what and how you post on these networks in the future. It also shows you how advertisers leverage your account – after all, they are the ones paying the bills (to the news of some US Senators). And if you are concerned about your privacy or want to leave one or more of these networks, it is a good idea to understand what they already know about you before you begin a scrub session to limit the access of your personal information to the social network and its connected apps. Also, if you are thinking about leaving, it would be nice to have a record of your contacts before you pull the plug.

None of the networks make obtaining this information simple, and that is probably on purpose. I have provided links to the starting points in the process, but you first will want to login to each network before navigating to these pages. In all cases, you initiate the request, which will take hours to days before each network replies with an email that either contains a download link or an attached file with the information. You need to download the file(s) within a certain time limit, otherwise the links will expire and you will have to issue another request.

The results range from scary to annoyingly detailed and almost unreadable. And after you get all this data, there are additional activities that you will probably want to do to either clean up your account or tighten your privacy and security. Hang on, and good luck with your own journey down the road to better social network transparency about your privacy.

Facebook:  https://www.facebook.com/dyi?x=AdkA0Kau6MLj_7I0

Facebook sends you an HTML collection of various items, some useful and some not. You download a ZIP archive. There is a summary of your profile, a collection of your posts to your timeline, a list of all of your friends (including those who have left Facebook) and when you connected with them, and any videos and photos that you have posted. Two items that are worth more inspection are a list of advertisers that have your information: I noticed quite a few entries to more than a dozen different state chapters of Americans for Prosperity PACs that are funded by the Koch brothers. Finally, there is a list of your phone’s contacts that it grabbed if you ran its Messenger application, which it justifiably has been getting a lot of heat for doing. Note that this is different from your friend list.

LinkedIn:   https://www.linkedin.com/psettings/member-data

LinkedIn sends you a ZIP collection of CSV files that you can open in separate spreadsheets that contain different lists. There are your contacts (which they call your connections), your messages that you have exchanged with other LinkedIn members, recommendations that you have made and have been sent to you, and other items. Most of the files contained just a single line of data, which made looking at all of them tedious. LinkedIn actually sends you two collections of files: you should ignore the first one (which you get almost immediately) and wait for the “final” archive, which is more complete and arrives several hours later. Most of this data is rather matter-of-fact. One file contains a summary of your profile that is used for ad targeting, but there is no list of advertisers like with the other networks. Another file contains the IP addresses and dates of your last 50 logins, and another contains the dates and names of people that you have searched for on the network. What bothered me the most about my list of LinkedIn connections was the number of them differed by two percent from what is displayed on my LinkedIn home page and in the spreadsheet itself. Why the difference? I have no idea.

Google:  Takeout.google.com

Google operates somewhat differently and more opaquely than the others mentioned here. First, you go to the link above, which is a separate service that will collect your Google archive. The screen shot shows you just some of the dozens of different Google services that you can select to use in the gathering process. In my experiment this process took the longest: more than three days, whereas the others took minutes to several hours. Even before you get your archive, scanning this list and selecting which services you want included in your report is a depressingly lengthy activity.  When I finally got my archive, it spanned three ZIP files and more than 17GB in total, which is more than all the others combined.

However, that is just the beginning. When you bring up a web page that shows the various Google services, you have to separately extract the data for each service individually and each service uses it own data format that you then need to view in a particular application: for example, your calendar items are in iCal format, your email data is in MBOX format, and others are extracted in JSON format. Analyzing all this information can probably take a data scientist the better part of a few days, let alone you and I, who don’t have the tools, dedication or time. If you are thinking of de-Googling your life, you will have to do more than just switch to an iPhone and give up Gmail.

But wait, there is more: emails that you delete or find their way into your Spam folder are still part of your archive. In the Googleplex, everything is accounted for. Note that if you have uploaded any music to Google Play Music, this data isn’t part of your archive and you’ll have to download that separately.

Twitter: https://twitter.com/settings/account

Twitter will send you two files: one that is a PDF attachment that contains a list of all the advertisers that have your information, but the advertisers’ names are shown in their Twitter IDs and thus not very meaningful. The second document is an Html collection of all your tweets, and you can bring up your browser or access the data via in two formats: JSON and CSV exports by month and year. Notice that there is nothing mentioned about downloading all of your Twitter followers: you will have to use a third-party service to do this. One thing I give Twitter props for is that you have a very clear series of settings menus that might be useful to study and change as well, including connected apps and privacy settings. Facebook and LinkedIn constantly are rearranging these menus and make changes to their structure and importance, which makes them more difficult to find when you are concerned about them. But Twitter at least give you more control over your privacy settings and tries to make it more transparent.

Action items

So what should you do? First, delete the Facebook Messenger phone app right away, unless you really can’t live without it. You contacts are still preserved by Facebook, but at least going forward you won’t have them snooping over your shoulder. You can still send messages in the Web app, which should be sufficient for your communications.

Second, start your pruning sessions. As I hinted in the Twitter entry above, you should examine the privacy-related settings along with the connected apps that you have selected on each of the four networks. The privacy settings are confusing and opaque to begin with, so take some time to study what you have selected. The connected apps is where Facebook got into trouble (see Cambridge Analytica) earlier this month, so make sure you delete the apps that you no longer use. I usually do this annually, since I test a lot of apps and then forget about them, so it is nice to keep their number as small as possible. In my case, I turned off the Facebook platform entirely, so I lost all of these apps. But I figured that was better than their hollow promises and apologies. Your feelings may be similar.

Third, protect your collected data. Don’t leave this data that you get from the social networks on any computer that is either mobile or online (which means just about every computer nowadays). I would recommend copying it to a CD (or in Google’s case, several DVDs) and then deleting it from your hard drive. Call me paranoid, or careful. There is a lot of information that could be used to compromise your identity if this gets into the wrong hands.

Finally, think carefully about what information you give up when you sign up for a new social network. There is no point in leaving Facebook (or anyone else) if you are going to start anew and have the same problems with someone else down the road. In my case, I never gave any network my proper birthday – that seems now like a good move, although probably anyone could figure it out with a few careful searches.

A new way to speed up your Internet connection

How often do you comment on how slow the Internet is? Now you have a chance to do something to speed it up. Before I tell you, I have to backtrack a bit.

Most of us don’t give a second thought about the Domain Name System (DNS) or how it works to translate “google.com” into its numerical IP address. But that work behind the scenes can make a difference between you having and hot having access to your favorite websites. I explain how the DNS works in this article I wrote ten years ago for PC World.

Back when I wrote that article, there was a growing need for providing better DNS services that were more secure and more private than the default one that comes with your broadband provider. But one of the great things about the Internet is that you usually have lots of choices for something that you are trying to do. Don’t like your hosting provider? Nowadays there are hundreds. Want to find a better server for some particular task? Now everything is in the cloud, and you have your choice of clouds. And so forth.

And now there are various ways to get DNS to your little patch of cyberspace, with the introduction of a free service from Cloudflare. If you haven’t heard of them before, Cloudflare has built an impressive collection of Internet infrastructure around the world, to deliver webpages and other content as quickly as possible, no matter where you are and where the website you are trying to reach is located. If you think about that for a moment, you will realize how difficult a job that is. Given the global reach of the Internet, and how many people are trying to block particular pieces of it (think China, Saudi Arabia, and so forth), you begin to see the scope and achievement of what they have done.

I wanted to test the new 1.1.1.1 DNS service, but I didn’t have the time to do a thorough job.  Now Nykolas has done it for me in this post on Medium. He has somewhat of a DNS testing fetish, which is good because he has collected a lot of great information that can help you make a decision to switch to another DNS provider.

There are these five “legacy” DNS providers that have been operating for years:

  • Google 8.8.8.8: Private and unfiltered. Most popular option and until now the easiest DNS to remember. Their IP address was spray-painted on Turkish buildings (as shown above) during one attempt by their government to block Internet access.
  • OpenDNS 67.222.222: Bought by Cisco, they supposedly block malicious domains and offer the option to block adult content.
  • Norton DNS 199.85.126.20: They supposedly block malicious domains and integrate with their Antivirus.
  • Yandex DNS 77.88.8.7: A Russian service that supposedly blocks malicious domains.
  • Comodo DNS 8.26.56.26: They supposedly block malicious domains.

I have used Google, OpenDNS and Comodo over the years in various places and on various pieces of equipment. As an early tester of OpenDNS, I had some problems that I document here on my blog back in 2012.

Then there are the new kids on the block:

  • CleanBrowsing 228.168.168: Private and security aware. Supposedly blocks access to adult content.
  • CloudFlare 1.1.1.1: Private and unfiltered, and just recently announced.
  • Quad9 9.9.9.9: Private and security aware. Supposedly blocks access to malicious domains, based in NYC and part of the NYCSecure project.

How do they all stack up? Nykolas put together this handy feature chart, and you can read his post with the details:

As I mentioned earlier, he did a very thorough job testing the DNS providers from around the globe, using VPNs to connect to their service from 17 different locations. He found that all of the providers performed well across North America and Europe, but elsewhere in the world there were differences. Overall though, CloudFlare was the fastest DNS for 72% of all the locations. It had an amazing low average of 5 ms across the globe. When you think about that figure, it is pretty darn fast. I have seen network latency from one end of my cable network to the other many times that.

So why in my commentary above do I say “supposedly”? Well, because they don’t really block malware. In another Medium post, he compared the various DNS providers’ security filters and found that many of the malware-infested sites he tested weren’t blocked by any of the providers. Granted, he couldn’t test every piece of malware but did test dozens of samples, some new and some old. But he found that the Google “safe browsing” feature did a better job at block malicious content at the individual browser than any of these DNS providers did at the network level.

Given these results, I will probably use the Cloudflare 1.1.1.1 DNS going forward. After all, it is an easy IP address to remember (they worked with one of the regional Internet authorities who have owned that address since the dawn of time), it works well, and plus I like the motivation behind it, as they stated on their blog: “We don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.”

One final caveat: speeding up DNS isn’t the only thing you can do to surf the web more quickly. There are many other roadblocks or speed bumps that can delay packets getting to your computer or phone. But it is a very easy way to gain performance, particularly if you rely on a solid infrastructure such as what Cloudflare is providing.

Using your cellphone when overseas (2018 edition)

I just returned from a trip to Israel, and as the old joke goes, my arms are so tired. Actually, my fingers, because I have been spending the better part of two days on the phone with support techs from both AT&T and Apple to try to get my phone back to the state where it works on the AT&T network.

My SOP for travel is to use a foreign SIM card in my phone. This has several benefits. First, you don’t pay roaming charges for local in-country calls, although if you are calling back to the States, you might have to pay international long distance charges, depending on your plan. Second, if people in-country are trying to reach you, they don’t pay for any international calls either, since they are calling a local number. (Some of the networks overseas have the more enlightened method of calling party pays, but we won’t go there for now.) You also don’t use any minutes or data GB on your American cell account, which is nice if those are limited.

For the past several years, I had been using two different travel SIMs. First is one from FreedomPop, which was a very inexpensive card with monthly fees around $15 for a decent plan. I had some billing issues initially but these were resolved. It doesn’t work in Israel, so I ended up buying another SIM at the airport kiosk in Tel Aviv. My last trip in October had some major hiccups with that card, and so I decided to try a new supplier, Call Israel. They offered a plan for $50 that seemed reasonable. AT&T charges $60 a month with lower data usage for Israel. If you go elsewhere the fees could be less.

Call Israel mailed me a SIM a week before my trip, and right away I saw an issue: I was just renting my SIM card. At the end of my trip, I had to mail it back. Strike 1.

But strike 2 was a big one. I made the mistake of taking my Israel SIM out of my phone when I changed planes in Europe on the return trip, and put in my AT&T SIM card. That confused my phone and got me in trouble. When I landed in the States I spent an hour on the phone with a very nice AT&T person who verified that my phone was working properly on their network. Except it wasn’t: I could get voice service, but not broadband data service. Some parameter that the Call Israel SIM had needed was still set and messing up my phone, and there was no way that I could access that information to remove it.

I ended up speaking to Apple next, because I figured out that they could get rid of whatever it was that was blocking my data service. I had to find an older iTunes backup that I had made before I went abroad (lucky I had done so with Time Machine), and then wipe my phone clean and bring that backup to the phone. All told, several hours were wasted. I found out that there is a subtle but important difference in how iTunes and iCloud handle backups. I was fortunate to find a very nice woman from Apple who called me back as we tried various strategies, and eventually we figured out what to do. This took place over the course of a couple of days. Here is the bottom line: your phone has hundreds of parameters that determine whether it will communicate properly. Some of them aren’t accessible to you via the various on-screen controls and are hidden from your use. The only way to change them is to restore from a known working backup.

So if you are planning on being out of the country, think carefully about your options. Consider if you need a foreign SIM for a brief trip. If you can afford service from your American provider, do so. Or if you can find Wifi hotspots, you probably can do 90% of the work on your phone by setting it to airplane mode when you leave town and not turning it on until you return. Under this scenario, you would use Facetime, What’sApp and Skype for voice and texting. Does that additional 10% make the difference? If you have a terrible sense of direction and need Google Maps, for example, you will need that broadband data. Or if you are traveling with other Americans and need to meet up, you might need the cellular voice flexibility.

SIMs come in at least three different sizes, and most suppliers ship them with cardboard adapters so you can fit them in your phone’s compartment. It doesn’t hurt to check this though.

Next, don’t swap SIMs until you reach your destination. If you need to look at buying a local SIM, make sure you understand how you have to bring your phone back to its original state when you come home. Make backups of your phone to your computer, to the cloud, to as many places as possible before you leave town. If you have an iPhone, read this article on how to find the iTunes backups on your system.

Next, when you are looking for a mail-order SIM, make sure you are actually buying it and not just renting it. Check to see that it will work in all the countries on your itinerary. Or wait until you get to your destination, and buy a local SIM from a phone store or airport kiosk.

Finally, examine the calling plan for what it will entail and match it with your expected usage on texting, data, and voice volume. Examine whether your calls back to the States are included in the plan’s minutes or not. If you don’t use a lot of data, you probably can get by with a cheaper voice-only plan and finding WiFi connections.  Happy trails, and hope they don’t turn into travails.