Network Solutions blog: How to Prevent a Data Leak within VPN Environments

It has been one of the first things that most remote workers learn: use a Virtual Private Network (VPN) to connect your laptop when you aren’t in the office. And given that many of us haven’t stepped foot in our offices for months, using a VPN now is ingrained in our daily computer usage. But as VPNs have gotten popular, they are also getting harder to keep secure. Various reports document that private data from 20M users have been leaked because of poorly implemented VPNs, including email passwords and home addresses.

In this post for Network Solutions’ blog, I discuss ways to prevent data leaks from happening and to better secure your VPNs, along with links to the most trusted reviewers of these products.

Understanding the issues behind crypto art works

This week the art auction house Christie’s sold a work of art for $69M. What is noteworthy here is that the artist Mike Winkelmann had until last fall never sold any of his works for more than $100. Entitled Everydays: The first 5000 days, (a portion of it shown here) the artwork was entirely a digital work. The buyer got a digital record of the work, but not the graphics file itself. What was interesting about the sale was the bidding process, typical of a valuable eBay collectible: the auction had to be extended several minutes as dozens of hopeful buyers bid the price up in the last moments. You would think they were bidding on a “analog” DaVinci or a Degas. The piece, as you can see, is a digital file composed of a mosaic of other digital files. How meta!

This is the brave new world of what is being called non-fungible tokens (NFTs) or crypto art. This world is heavily into cryptocurrencies, blockchains, smart digital contracts and other totems of tech. Even if you think you understand what each of these things means in isolation, you might not be able to wrap your brain around this concept entirely. So you should start with this post on GitHub, which explains some of the movers and shakers, links to where you can purchase other crypto art works, how the various tech pieces fit together, and other components of this ecosystem. The NY Times documents some of the other crypto works that have recently sold for multiple millions of dollar-equivalents (the actual transactions typically happen via Ethereum), such as a digital copy of Jack Dorsey’s first Tweet. One analog art collector commented about the Christie’s sale that “Art is no longer about a relationship with an object. It’s about making money,” he said. “I feel bad for art.” As someone who has purchased a few analog pieces myself (more on that in a moment), I would tend to agree.

The site CryptoSlam keeps track of recent transactions and should convince you that this is now A Thing. Tim Schneider writes this excellent piece about the crypto art evolution and mentions four important and unresolved issues:

  • Who really owns what? As I mentioned, these works are really selling digital licenses and descriptions but not he bits of the digital art itself. The art is hosted elsewhere – what happens if the hosting provider disappears? Or if your digital wallet is compromised?
  • Will gatekeepers be the same old rich white boys club or have a chance to decentralize and diversify? Or put another way, is there an opportunity for grassroots and sustainable tech platforms to take hold that will encourage a more pluralist art world?
  • Will collectors be the same old RWBC, or worse –the rich tech bros from Silicon Valley? How the gatekeepers and collectors interact will be critical for the future success of the crypto art world.
  • The old system benefitted the collector on resale of the art. Can crypto-based systems benefit the artist since they can track ownership forever? But while using existing ETH-based smart contracts is a step in the right direction, it is just a small step. Most of these contracts don’t contain any resale/redistributions provisions. The Mint fund is trying to solve this in a different way by giving grants and getting new artists started and trying to diversify the creators beyond the US/EU RWBC axis.

This last point deserves further discussion. One crypto artist is Sara Ludy. She wrote smart contracts that lays out the revenue share arrangement, now and forever, for her works. She keeps half of any sale for herself, 15% goes to the crypto marketplace/platform she chooses to sell with, and then the remaining 35% to her gallery, where it is divided among the staff in equal portions. That means as the price of the art work escalates, everyone retains a piece of the action. That Christie’s sale only benefitted the last owner of the work — who wasn’t even the artist. Clearly the crypto world still has some major teething pains.

My first piece of art that I bought was a series of county courthouse photos taken by William Clift in 1976. I owned them for many years and they had supposedly appreciated in value. But when I couldn’t find a buyer, I decided to donate them to a museum instead. That points out that any auction requires both buyers and sellers.

Avast blog: Beware of your browser extensions

The not-so-dirty secret about web browsers is that browser extensions can be a major security weakness. But the problem with extensions deserves further treatment, especially as they can combine some very clever supply chain and obfuscation methods to make these kinds of attacks harder to detect and defend. These extensions are powerful tools: they have the same ability as your user account to obtain read/write access to any data in any browsing session you bring up, which makes exploiting them a big issue. Many extensions don’t require any special permissions to run on your computer or phone.

I write about how extensions can be exploited and what you can do to protect yourself in my latest post for Avast’s blog here.

Avast blog: An update on data privacy and protection legislation

Data privacy legislation is a difficult topic to get your head around. There can be multiple dimensions, sector-specific rules, and various national and, in some cases (such as in the US), local laws enacted to cover a multitude of issues. But the good news is that there are several US states which are on track to pass new data privacy laws during 2021. Some of these laws focus on consumer protection, while others concentrate on regulating data brokers or how ISPs should protect their customers’ data. Let’s review the progress and what is being proposed in my latest blog for Avast here. This could make 2021 the year that privacy laws become more pervasive in the US.

Book review: The Jigsaw Man

Detective Inspector Anjelica Henley has a problem. A new series of copycat murders have happened that mimic a perp whom she put behind bars previously. She is also in love with one of her bosses at her police unit, to the concern of her husband. After fending off an attack by the perp, she returns to duty to deal with the copycat killer. The bodies start to pile up and her husband wants her to quit the force. “I want the job and I want my family. It just seems like I can’t have both at the moment,” she says at one point. Their marital conflict drives some of the more interesting plot points as Henley zeros in on the killer.

It is a classic situation but artfully told with some great characters and plot points. Even though I am not very familiar with the London locales the story still kept me engaged until the end. For thriller fans I would highly recommend this book written by Nadine Matheson.

How deepfake videos can be used for good

We all got an update on the quality of deepfake videos last week with the popularity of a set of videos of “DeepTomCruise” on TikTok.  I have been keeping track of these videos, created by various computer programs, and last wrote about them for Avast here. It doesn’t take too much imagination to see how this technology can be exploited, but lately there are some positive things to say about deepfake vids. Let’s go to Korean TV, covered by this story in the BBC.

The announcer shown in the screen grab above is supposed to be the anchor Kim Joo-Ha, one of the regulars on the MBN channel. It looks pretty ordinary. But she was replaced by a computer program that generated a digital copy that mimicked her facial expressions, voice and gestures. Now, before you get all in a twist, viewers were told ahead of time that this wasn’t the real Kim and the network was using it as a test. One place that deepfakes could be useful is during real breaking news reports where they have to put someone on air quickly (as opposed to what American cable news calls breaking news).

Deepfake videos are increasingly being used for legitimate purposes, such as Synthesia, a London-based firm that creates corporate training videos. The tech can be useful and cut production costs significantly if you are trying to produce a series in different languages and don’t want to hire native speakers. USC’s Shoah Foundation has produced a series of deepfake video interviews of Holocaust survivors, and the public can ask questions from the survivors and get their answers in real-time — all assembled by computers from hours of videotaped interviews.

The issue is the negative taint that has been part of the deepfakes. In my post for Avast, I mentioned four different categories, including porn, misinformation campaigns, evidence tampering and just plain fraud. Clearly, that is a lot of tempting places for criminals to use them. So we have some work ahead to swing to more legitimate uses.

Also an issue: who owns the rights to the person that is depicted, particularly if the person is no longer alive? This means some truth in labelling, so that viewers — like in the Korean example cited above– know the exact situation.

Nok Nok blog: Why Intuit picked FIDO

One of the long-time FIDO supporters gave testimony to its biggest benefits at the recent Authentication 2020 conference. The speaker was Marcio Mellowho is the head of Product for Intuit’s identity and profile platform. The benefits are saving money and time when users have to login to their SaaS financial offerings from Intuit, a company who has been interested in FIDO for years.

You can read more on my post for Nok Nok’s blog here.

News flash: Google can still track you

Yesterday Google announced that they will completely eliminate third-party browser cookies. Calling it a move towards a more privacy-first web, as their director of product management who wrote the post claimed, is a bit of a misnomer. Yes, they will phase out tracking these cookies on their Chrome browser. But they will still track what you do on your mobile phone, especially an Android phone, and track what you do on their own websites, including YouTube and its main search page. And they will still target the ads that you see from these activities.

The announcement was expected: last year they announced their plan to de-cookiefy their browser. They basically had to — Safari and Firefox have blocked these cookies for years, so it was high time Google got on board this train. They have come up with a variety of technologies and tools that sound good at first blush, but I am not sure that these replacements are better, especially for preserving privacy. One of them is called the Privacy Sandbox. Now, sandboxes have certain implications, especially for security researchers.  The goal is to limit who can view what is going on inside the sandbox, and more importantly, who can’t. It seems that smaller advertisers will have to find some other place to play, but the big guys will still have the means to figure out who you are and more importantly, what you are interested in, to target their advertising. Vox’s Recode says that “Google will still technically deliver targeted ads to you, but it will do so in a more anonymous and less creepy way.”

Firefox has a better idea: to limit the reach of cookies to just the website that places them on your hard drive. They call it Total Cookie Protection and you can follow the links on their blog to understand more of the details. It does seem to eliminate web tracking cookies, but we’ll see as they roll it out across their browsers.

In the meantime, if you use any Google products, go to your Google Account and review the numerous personalization settings you have at your disposal to rid yourself of tracking, including their activity controls, ad personalization, and recorded activity history. And if you are using an iOS phone or tablet, make sure you update to iOS v14 and enable the ability to block cross-app tracking.

Network Solutions blog: Best ways to manage a corporate domain portfolio

Domain names lie at the heart of a business’ online presence. They control how a company’s web and other resources will be identified to the world and reinforce the numerous brands and trademarks of a business. Domains represent a combination of virtual storefronts and billboards to promote the brand and identify a source of trusted information about the business. The right domain name makes it easier for online customers to find and purchase a business’ products and services and is also used to protect their intellectual property and complement their offline efforts.

Companies typically register their internet domain names to support new brands, product launches, marketing campaigns, corporate acquisitions and restructurings. The issue for many corporations is managing many domains. And while the attention is focused on some of the world’s largest corporations, such as Coca Cola and Unilever which are reported to own thousands of domains, even smaller businesses can have large domain name portfolios. It is not uncommon for large organizations to own and operate thousands of domain names [3], for example.

But managing these large domain collections isn’t easy and in this ebook that I wrote for Network Solutions, I discuss the various problems and offer some solutions.

Telegram designs the ideal hate platform

Last week the Parler social network went back online, after several weeks of being offline. Its return got me thinking more about what the ideal hate platform is. I think there are two essential elements: the ability to recruit new followers to hate groups, and the ability to amplify their message. The two are related: you ideally need both. Parler, for all the talk about its hate-mongering, really isn’t the right technical solution, and I will explain why Telegram has succeeded.

This blog post comes out of email discussions that I have had with Megan Squire who studies these groups for a living as a security researcher and CS professor. She gave me the idea when we were discussing this report from the Southern Poverty Law Center on how Telegram has changed the nature of hate speech. It is a chilling document that tracks the rise of these groups over the past year. But the SPLC isn’t the only one paying attention: numerous other computer science researchers have tracked the explosive growth in these pro-hate groups since the Capitol January riots and other seminal events in the hate landscape.

Telegram’s rise in numbers doesn’t tell the complete story. Telegram has crafted a more complete social platform for distributing hate speech and recruiting new followers. Certainly, Facebook still has the largest user base, but their tech hate stack (if you want to give it a name) is nowhere near as well developed as Telegram’s, and Parler’s is a distant third. Compare the three networks below in terms of both amplification and recruitment elements:

Criteria Parler Facebook Telegram
Type of service Microblog Social network Messaging+
Coherent and transparent reporting process for hate speech No Mostly and improving No
Support email inbox No Yes No
Content moderation team It depends Yes It depends (see below)
Appeals process Yes Yes No
Encrypted messaging No Separate app Built-in
Corporate HQ location USA (for now) USA Dubai
Growth in English-speaking hate group followers Unknown Unknown Huge growth (SPLC report)
Group cloud-based file storage No No < 2 GB
Group-based sticker sets No No Yes
Bot infrastructure and in-group payment processing No No Yes

“Telegram is absolutely the platform of choice right now for the harder-edged groups. This is for technical reasons as well as access/moderation reasons,” says Squire. You can see the dichotomy in the table above: most of the moderation features that are (finally) part of Facebook are nowhere to be found or are implemented poorly on Telegram, and Parler is pretty much a no-show. Telegram’s file-sharing feature, for example, “allows hate groups to store and quickly disseminate e-books, podcasts, instruction manuals, and videos in easy-to-use propaganda libraries.” I have put links in the chart above to descriptions on why the bot infrastructure and sticker creation features are so useful to these hate groups.

What about moderating content? Here we have conflicting information. I labeled the boxes for Parler and Telegram as “it depends.” Telegram has said that their users do content moderation. In their FAQ they claim to have a team of moderators. For Parler, their community guidelines document says in one place that they don’t moderate or remove content, and in another that they do. My guess is that they both do very little moderation.

The picture for Parler is pretty bleak. If they do succeed in keeping their site up and running (which isn’t a foregone conclusion), they have almost none of the elements that I call out for Facebook and Telegram. Using the Twitter micro-blogging model doesn’t make them very effective at amplification of their messages (at least, not until some of their personalities can bring over huge crowds of followers) or in recruitment, especially now that their mobile apps have been neutered.

There are two technical items that are both useful for Telegram: its encrypted messaging feature and the difference between its mobile app and web interfaces. Much has been written about the messaging features between the different social networks (including my own blog post for Avast here). But Telegram does a better job both at protecting its users’ privacy (than Facebook Messenger) and has much better integration into its main social network code.

The second item is how content can be viewed by Telegram users. To get approval for its app on the iTunes and Google Play app stores, Telegram has put in place self-censorship “flags” so that mobile users can’t view the most heinous posts. But all of this content is easily viewed in a web browser. Parler could choose to go this route, if they can get their site consistently running.

As you can see, defining the tech hate stack isn’t a simple process, and evolving as hate groups figure out how to attract viewership.

N.B.: If you want to read more blogs about the intersection with tech and hate, there is this post where I examine the evolution of holocaust deniers and this post on fighting online disinformation and hate speech.