Going to a protest? Here is your digital privacy survival kit

If you are thinking of attending a protest, take a few moments to review the EFF’s recommended strategies for protecting your digital assets and privacy in this blog post. It is  both an interesting document and a sad testimonial to the state of our present day that the document had to be written at all.

Here is the issue: police are increasingly counting on protesters’ cell phones to be used as evidence, so information on them — your contacts, your photos, your text messages — can be used against you. And not just during protests, either: border crossings can be problematic too. So as the scouts say, be prepared.

The suggestions span the gamut from things to do before you attend a protest, what to do during the protest, and what to do if you are arrested and if your phone and other digital devices are seized. EFF recommends leaving your regular phone at home and buying a burner that just has the Signal messaging app on it; Signal provides end-to-end message encryption, something that I spent some time thinking about. I put together a series of recommendations for business IT managers about how to enable and use this feature across other messaging services for SiliconANGLE earlier this summer.

One of the aspects of Signal is that you can use it to scrub the metadata from your photos. This is important if you intend to post any of the pictures online. You can also take screenshots of your photos if you don’t care about image quality.

There are other helpful suggestions too, such as taking pictures without unlocking your phone, and disabling the facial or fingerprint ID feature, in case a law enforcement officer forces you to unlock it. They explain: “Under current U.S. law using a memorized passcode generally provides a stronger legal footing to push back against a court order of compelled device unlocking/decryption.” They explain the difference between encrypting the data on the phone and encrypting an external SD memory card might require two different steps. And there are numerous suggestions on how to turn off location tracking, Bluetooth, and other radios. That may only be a temporary solution, however: once you turn these radios back on, your phone may send the stored data once you reconnect. The best solution is to turn your phone off entirely.

Finally, they sum everything up with this piece of advice: “It’s important to carry the bare minimum of data with you, and use the strongest level of encryption, when going into a risky situation like a protest.”

SiliconANGLE: California stays ahead on state privacy protection

California has become the latest state to enact a special law regulating how consumers can remove themselves from data brokers. The Delete Act was passed this week and it’s now up to Governor Gavin Newsom to sign it into law. But it has already led to similar laws and bills being proposed in other states in next year’s legislative sessions.

My summary of the past summer’s privacy laws enacted across the country, what makes California stand out, and the problem with data brokers all can be found in my latest piece for SiliconANGLE here.

SiliconANGLE: Beware of insecure networked printers

Despite promises of a paperless office that have origins in the 1970s, the printer is still very much a security problem in the modern office.

And even if Microsoft Corp. will succeed in its efforts to eradicate the universe of third-party printer drivers from its various Windows products, the printer will still be the bane of security professionals for years to come. The problem is that the attack surface for printer-related activities is a rich one, with numerous soft targets.

Taking care of insecure printers isn’t easy, here is a trip down memory lane for my latest post for SiliconANGLE.

Me and my Ecobee

For the past month, I have been messing around with an Ecobee “smart” thermostat for my condo’s heat pump. The reason for the quotes will become clear as you follow along in my journey.

I live in a high-rise condo and it was time for the regular servicing of our heat pump, if by regular you mean a spousal request that I should finally get the AC tech out to tend to it. The tech came, said everything was looking good but that you might want to get a new thermostat, for reasons that I don’t recall now. That provided enough motivation for me to start down my Ecobee journey, which is the brand that the tech recommended.

My electric utility was offering half off if I bought it through them. They also had free Nest thermostats, which my tech said I should steer clear of. Given that they were free I figured that something was wrong with them. So I got the mid-priced model and it arrived a few days later. It did take three phone calls to find the webpage to order the thing, let’s just put that there in terms of pain points.

Now, I have to say right up front that I am not a handy guy. Generally, I know my limitations. I was going to give the Ecobee a try, until I saw that I had to deal with putting a bunch of tiny wires in the right places. (You can see what I mean in the photo above. The putty around the edges is to block out airflows from behind the wall, which was suggested by the hot line folks.) I put in a call to my AC repair folks, who happily charged me more than I paid for the device to come install it with tech #2 (a different guy from the first one). Some drilling was involved. I made the right choice not to fly solo on this install.

I was impressed with the level of support from Ecobee: their smartphone app will take you step by step through the initial installation and also help troubleshoot any problems. There is also a phone hotline that is answered promptly and by native English speakers who have tremendous patience to deal with your issues, and I had plenty. One concerned the fact that the temperature reported by the thermostat was off by four degrees with a thermometer that we were using to verify that it was working. After several calls to the hot line, they told me that I could adjust the temperature with a “fudge factor” (that wasn’t the term they used but that is what it was) so they could match.

But we also had another problem, which the kind folks at Ecobee put the blame squarely on my heat pump. It turns out the water drain from the unit would clog up, but only after the unit would operate for an hour. Another visit from the AC tech, at least this one was free where tech #2 (the same guy who installed the thermostat) found the problem.

So I think we finally have all systems go. One issue that still remains is that the Ecobee has three different ways to control its operation: a touch screen on its front panel, a web page or via its smartphone app. All three have slightly to majorly different user interfaces. Some things are quickly accessed with one or the other interface, which doesn’t make it spousal friendly. But one nice thing is that you can control it when you aren’t home, which is helpful in debugging problems and also when you are on vacation and want the home cooled or heated to your requirements before you walk in the door.

Do I regret buying the Ecobee? No. I regret that it takes an IT guy 10 phone calls and an outlay of cash to get professional help to get it operational. Hence why I put the “smart” in quotes: maybe if it was used by a “smarter” home owner I would feel differently. Now if only I could get my “smart” TV to work the way I want it to.

NYC subway adventures in zero-factor authentication

Most of you know by now the meaning and importance of MFA, having multiple pathways to authenticate yourself for your various logins. But here is a story that is somewhat chilling: thanks to the NYC subway authority MTA, someone who knows your credit card number could track your movements about the system, thanks to their implementation of zero factor authentication.

Before Joe Cox, the business journalist who now writes for 404media (I know, miserable branding IMHO), wrote a story about this, you could bring up a page on the MTA’s website, enter the card number and you could see a week’s history of the station entry and exit times for each station you swiped your contactless fare card (or Apple or G payments on your phone). Well, you used to be able to do this, until Cox’s story ran exposing this vulnerability. Then the MTA wisely took this down a day after the story ran, saying they were evaluating the “feature.” Well, it is a feature for your estranged spouse (or someone who is looking to do you harm) to track your movements and establish a pattern of life. For the vast majority of us, it is a major-league problem and privacy disaster. Credit card numbers are remarkably easy to obtain.

Now, I call this somewhat ironically zero factor authentication, although sadly many security vendors are now using this term to refer to ways to authenticate your account without using passwords, which technically it is. But There Is No Authentication Involved Here Folks.

Contactless cards — and the phone-based payment apps — are a big convenience. You don’t have to touch any public turnstiles or fumble with putting your card inside those pesky slot readers upside down and backwards. But the MTA went overboard and for some reason was completely brain-dead when they turned this “feature” on.

SIliconANGLE: Meta’s Facebook finally supports end-to-end message encryption

The importance of end-to-end encryption of digital messages is getting new attention with the announcement that Meta Platforms Inc.’s Facebook will partly add the feature to its Messenger product now, and eventually for all use cases such as group chats by year-end.

It’s an important step, since E2EE, as it’s known for short, is a critical method of providing secure communication that keeps outside parties from accessing data while it’s transferred between systems or devices. But the announcement isn’t the whole story, either, because Facebook is playing catch-up with many of its competitors, such as Signal and Telegram, which have offered E2EE messaging products for years now.

You can read my analysis for SiliconANGLE here.

Evaluating password managers, again

There are two things you need to know about me, if you haven’t already caught on reading my screeds all this time:

  • I am very concerned about my infosec, to the point where I continuously evaluate new ways to protect myself. This means I go down a lot of rabbit holes and kiss a lot of frogs. Or whatever trite phrase you’d like.
  • I am extremely cheap when it comes to adding monthly subscriptions to do the above. Thus, I tend to be more interested in the free tiers, and carefully weigh the pros and cons of bumping up to something more expensive.

So let’s talk about the basket of services that include a password manager, an encrypted email provider, and an email alias provider. Before a few weeks ago, this looked like the following:

Zoho Vault – This is entirely free, and is an excellent password manager, works across desktops, mobiles and browsers. For some reason, this app isn’t on many people’s radar, which is a shame because I like the other Zoho apps too and think they are a standup company. I switched over to Zoho after getting tired dealing with all the Lastpass breaches. Importing (from Lastpass) and exporting my password collection is simple, with one caveat that I will get to in a moment.

33mail.com – for mail aliases. I have the free Lite version, which has a 10MB bandwidth limits on how much email they will forward to you. I have hit that a few times, and their cheapest paid pricing tier is $1/month. It is easy to create an alias (you just type it into the website’s subscription form that you want to use) and your emails now come filtered through their service. Why would you want to use this service? If you don’t like giving out your “real” email address, this adds an extra layer of control and you can quickly turn off the flood of messages.

ProtonVPN. I have been using the free version with a few minor issues, mostly when I travel or take up residency in some coffee shop. Unlike Brian Chen, I don’t want to build my own VPN (I just don’t trust myself). Speaking of VPNs, I wrote a piece for SiliconANGLE which takes a look back at the history of VPNs, and how they have changed roles, ironically thanks to the pandemic and the way we now work most remotely. .

ProtonVPN just came out with a new pricing scheme and a new password manager app, and so in the interests of the First Directive, I wanted to try them out. Thanks to my friendly PR person, who gave me a press upgrade to their unlimited plan. This is $10/month if you buy a year-long package. This includes several of their services, including encrypted email and their password manager. The VPN on its own is $6/month.

My tl;dr is that the Proton password manager is still too early to rely on, and I am back to using Zoho Vault in production. My reasons:

  1. Importing my password collection from Zoho to Proton was a nightmare that took a series of false starts and several emails to resolve my issues. Yes, they have some imports that have been put up, but not Zoho’s. I had to create a CSV and use Excel to edit the collection. Yuck.
  2. It doesn’t have a lot of features, as witnessed by this roadmap of what is to come. Not having a desktop app means if you are trying to enter a password outside of your browser, you will have some effort involved.

I still like Proton as a company: they care about their users’ privacy and security and try to be as transparent as possible, as that roadmap post shows.

Department of Self-promotions

Speaking of SiliconANGLE, I wrote a bunch of stories this week that you might be interested in reading, including about new Google Workspace security features, Proton’s VPN service, and trends in malvertising.

A cautionary tale about elections security

If you believe the 2020 elections experienced massive fraud, or that electronic voting machines were running some software from space, then please skip this post. If you believe otherwise, then I would urge you to read my thoughts.

I was party to a massive elections fraud back in the 1970s, when I lived and worked for the city of Albany NY. Albany at the time (and still today!) was under the grip of a powerful Democratic machine, and as a city employee I was told as election day approached that I will vote, and that I will vote the Democratic party line. If I didn’t show up, or if I strayed into supporting GOP candidates, I would lose my job. Whether or not everyone’s votes were being monitored, I wasn’t going to risk it, especially as this was my first job out of college. I can’t prove anything, and my recollection might be fuzzy, but there was no denying that the city spent decades in the iron grip of this political machine.

I am telling you this because I have spent a lot of time researching voting fraud over the past several years, and can tell you that our elections have come a long way since my Albany days. I based this on first-hand knowledge, having spoken to IT managers at state offices, election researchers, and others who are in the know. Let me first present a few links for you to establish some bona fides.

First up is Alex Halderman’s analysis of the 2020 voting irregularities in Antrim County, Mich. This was the scene of numerous recounts — five of them — and the source of a lot of conspiracy theories. If you read Alex’s paper, you will see that many of these theories were easily explained by more obvious error sources, namely humans. I have met Alex in person and interviewed him on this topic and he is a very sharp guy.  His paper concludes: there is “strong empirical evidence that there are no significant errors in Antrim’s final presidential results, including due to any scanning mishap.”

Copies of the voting machine software eventually found their way to Mike Lindell and his bogus “CyberSecurity Summit” that he held in South Dakota in the summer of 2021. One of the attendees at that conference was a long-time colleague Bill Alderson. He was interested in getting the promised reward of $5M to prove voting irregularities. You can watch Bill’s interview with local TV news where he unequivocally states that the data claimed by Lindell was a nothing burger (he had more colorful language when I spoke to him this week). In other words, there was no fraud, no evidence, nada. Bill never got a dime for his troubles, BTW.

There was several other county voting offices who were invaded by so-called security analysts looking for fraud. But they ended up doing their own fraud — and are now being charged for this by various legal efforts. These folks obtained copies of similar machine software and vote tally data cards. One of these locales was Coffee County, Geo. The AP ran this story about what happened last September and there was plenty of video footage, along with the data cards shown in the photo below that were given to these analysts. (Here is an excellent analysis from Lawfare too.)

As the 2020  election was happening, I was part of the CISA press group who was on the phone interviewing various officials on November 3rd. Granted, CISA had their own horn to toot, but from the evidence that I saw, the election happened without any major troubles. Yes, Chris Krebs lost his job shortly thereafter, which should tell you something about his integrity.

One lie that I hear often is the manipulation of mail-in ballots was done in a such way to swing the vote totals. Here is another data point: Colorado has been running universal mail-in ballots (meaning every registered voter gets one by mail, whether they want to use it or not is up to them). For years they have running fair and accurate elections. Neither major party had a problem with that, until the more recent elections. Here is a link to their info page, just to give you an idea of what they do. (Many states have had pre-Covid universal mail-in operations, BTW.)

Now, I warned you  — here comes the hard part for me to write about. We are approaching a very dangerous time in our country. There are many people who believe this massive voting fraud happened, despite various genuine IT consultants’ evidence to the contrary. I am not here to try to convince them of the error of their ways.

But let’s talk about something that I find even more distressing. Please check out this recent Politico post on what happened last week at the Vegas BlackHat conference. To provide some context, each year this hacking event features various “villages” where a bunch of attendees come to try to break stuff, in this particular case voting machines. (I wrote about the 2020 election village DEFCON event for Avast here.) Given the state of our society right now, this year they put on some extra physical security for the event. And if you believe Politico’s reporting is accurate, it is very chilling to see.

By now many of us have heard about how elections officials have been threatened both at home and at their offices. According to a March 2022 study from NYU’s Brennan Center for Justice, one in six election workers have experienced threats because of their job, and 77% said those threats had increased in recent years. Many have quit the field entirely.

That is bad enough, but now these threats have blossomed beyond the folks running the elections to include digital security researchers that are looking into election and voting-related matters. And I am thinking about my early Albany experience. Yes, we have issues with vote counting and certainly there is plenty of mistakes made over the years. But to annoy and threaten the people who in many cases volunteer their time and do their civic duty and claim they have evil intent, just because the election didn’t go your way is a horse of a different color.

Where do we go from here? I don’t know. But thanks for reading this far.

The trouble with Bob, a typical small businessman with tech issues

Small businesses have so much trouble with their IT support, especially if they are really small, have been around for a long time, and have owners that have just enough knowledge to know that they can do better. This was brought home to me with a nearly hour-long call with a friend of mine whom I will call Bob. Bob has four full time staff and several part timers, and has been in business for decades. We go back to the 1990s and have remained in touch, and he has called me for help on numerous times over the years.

I don’t mind being his IT support guru, and hey, I get to write this column as a result to share his pain with you. Let’s dive in.

Bob has several problems that he revealed by peeling layer by layer during our conversation. First was an aging Mac, and by aging I mean of late 2015 vintage. It is too old to run the current MacOS, a situation that I am all too painfully aware of myself. More on that in a moment. Then he needs a new printer. And what about his website? That has been down for some time, thanks to a variety of things.

And for DNS nameservers he is still using a friend from the dawn of the internet who has his own business to run — and the friend sometimes forgets that Bob’s email depends on him when he upgrades his servers, which will happen from time to time over many years. Bob is fearful about making any changes without understanding what he is doing. Oh, and by the by, his emails are getting blocked because he hasn’t set up DMARC/SPF et al. properly. And by properly, I mean he hasn’t set any of this up at all. And could his issues be due to a bad DNS entry somewhere? Perhaps.

Bob is typical of many small business people. They aren’t computer experts, even though Bob certainly knows his way around the tools mentioned above. But Bob has several things working against him:

  1. As he reminded me, I once told him his problem is that he takes really good care of his gear, but then hoards it way beyond the sell-by date. I am alot like him in that regard: last year I bought a Mac Studio that replaced a ten-year old Mac Mini. But the longer out you go with your gear, the harder it is to replace it. It took me months agonizing about this decision, so long that I missed several product review opportunities because I couldn’t run modern applications. Bob just wants to get his work done, he isn’t using anything special. Just old.
  2. He likes the all-in-one iMacs. I don’t: if you have to upgrade, you have to toss the whole unit out. Much better to have a separate monitor, and to have a system that you can add parts to it as needed. He does max out on memory when he buys his gear, which is a good strategy. But that 2015 vintage is time for the donation bin.
  3. He has multiple suppliers for his online presence. Having one ISP as his registrar, another one for his email, another for his website, and probably a few others for bits and bobs isn’t a good situation. I have two major ISPs: one for my registrar (GoDaddy) and Pair.com for my content (email lists, website). Make that three ISPs: I also use Google Workspace for my regular email functions. See how hard it is to keep track? As for Bob, his friend from the dawn of the ‘net is now ghosting him, and he doesn’t know what to do.
  4. He set a lot of this up years ago, back when things were simpler. That means his security exposure is a lot greater. Take the DMARC/SPF issue. It took me about six months and lots of help (in my case from Valimail) to get this working properly. Bob is frozen in indecision about how to even start on this particular project.
  5. He likes to have vendors that he can call up on the phone and talk him through things. I do too — that got me into trouble when my ISP died from Covid. He was a one-man operation, but once he was gone there wasn’t anything there. The trick is finding a company that prides themselves on good phone support. I am happy to report that Pair does a terrific job in this regard.

Bob will eventually figure this stuff out, get the right gear, and bring his operation at least into the 2020s. But all of this takes time away from doing productive work that generates income for his business. And that is the rub that many smaller businesses have to deal with: they aren’t IT specialists, and they don’t want to be. I don’t have that excuse: I have to play an IT guy on TV, or at least on the internet, every day.

SiliconANGLE: Google’s Web Environment Integrity project raises a lot of concerns

Earlier last month, four engineers from Google LLC posted a new open-source project on GitHub and called it “Web Environment Integrity.” The WEI project ignited all sorts of criticism about privacy implications and concerns that Google wasn’t specifically addressing its real purpose.

Remember the problems with web cookies? WEI takes this to a new level. I tell you why in my latest piece here: