Browsed by
Category: Privacy

Again, 10?

Again, 10?

Back in 2016, I swore off Windows completely and especially Windows 10.

One of the reasons was a “feature” called Telemetry, that basically amounts to “Windows 10 is 100% spyware.”  It was widely reported at the time, along with an elaborate hokey-pokey you could dance to disable most of it.  My choice was, “Aww, the heck with it” but many people chose to continue.

Now we have the “1709” or “Fall Creators” update before us, and guess what?  It’s time to reinvent that hokey-pokey!  Not only is all the Telemetry back on, but it’s harder than ever to disable.

Recommendations for software products are popping up to help you manage this, but if software products were put forth that disable features of a non-spyware operating system the way these things do, we’d probably consider them malware.

It seems that Microsoft has decided they can’t make decent money selling consumer operating systems, so they will go all Facebook and sell all your data instead.  If you have been wondering why Win10 was free – or nearly so – now you know why.  Only this is, if anything, worse than Facebook.  At least Facebook can only get to things you decide to upload to it.  Windows 10, if that’s your operating system, has… EVERY-DAMN-THING!

So – hey – here’s an idea.  If you want a free operating system, I have a deal for you!  Click on the cute penguin to get started.

Safer Social Media

Safer Social Media

click through for more privacy tips, via Gizmodo

We live in the age of social media, that’s for sure.  Facebook claims over 2 billion people as its users.  Twitter is how we first get breaking news, how we know it’s time to turn on CNN or MSNBC to see what happened when the earth moved in Iran, how the Executive Branch of the US government distracts the press and the people from its horrifying agenda.

To keep up with sorta friends from high school, third cousins, and D-list celebs, we give Internet companies startling amounts of information about ourselves and our activities.  Not using social media at all is an option, but not one many of us take.  I use Twitter 99.5% in read-only mode.  I use Facebook and LinkedIn not at all.  I use Google+ more actively.  Some of you reading this just went either, “uh, what’s Google+?” or, “I didn’t know anyone still used that!”

The reason I don’t use Facebook or LinkedIn comes down to the privacy nightmare that these social network products are.  As the saying goes, “If you’re not paying, you’re not a customer.  You’re the product.”  Consider that whatever benefit you get from the use of these sites, you pay for it with information about your life, your family, your friends.  Everything you post is analyzed in detail that would shock you.

So the least you can do is not to overdo the sharing.  Lock down what you place online so that only the audience you intend can enjoy it.  It means, in general, going into the Privacy and Security settings, and taking a lot of options that are not the default.  Because the products you’re using are guiding you to share and share and share some more.  The more you share, the more their shares appreciate.

Here is a roundup of fairly current articles that will guide you how to max out the privacy possible in all the major social media products

Like everything in information security, this is a trade-off.  How much you want to protect your privacy vs. how much you want to take advantage of the instant connections and the interest groups you can find in the virtual worlds of social media.  Not everyone will choose my complete abstention from “major” networks, and I don’t expect them to.

But one final word: To whatever extent you can live with it, please try not to use these products on your phones.  Yes, I know, the spur-of-the-moment selfie or that Hey, Internet! Look At My Food! moment when you’re out and about can be irresistible.  But every single social media corporation does much, much more than you visualize with the information you give it by letting it operate on your phone.  You location — at all times.  Your contacts.  Whatever your phone’s camera can see or its mic can hear.  Anytime.  Please, think about it.

What’s Missing?

What’s Missing?

What’s missing from this pretty-good article?  Give it a read, but the TL;DR is that a NY Times cyber-security writer tells us what she does to make herself safer online.

It includes everything I do, and a few things I don’t.  But there’s one crucial item missing.


It’s not hard to figure out why ad-blocking is left out of a NY Times online article.  But I will say that until the publications who pay for it exert some pressure on the ad networks to clean up their act, I will continue to block ads 100%.

If they refuse to let me visit, I will gladly go elsewhere.

I predict that the publications will never do this, because the cost of ad-borne malware is a complete externality to them.  They never feel the tiniest pinch.  They leave that to us.


Why I Block Ads. Everywhere.

Why I Block Ads. Everywhere.

Advertising supports a lot of the content you enjoy on the Internet.  The economics of it should be simple.  An advertiser pays a certain amount to get a commercial message in front of many readers or viewers.  Some percentage of those viewers make a purchase.  When enough revenue comes back to the advertiser, the ad is a good investment: returning more in margin to the business than it cost to produce and place.  In practice it’s a lot more complex than I state here, but the backbone of advertising remains just that simple.

This simple idea has recently started to create problems of the sort that show up in the Safer Computing inbox.  Advertisers realized that a digital advertising message can be a lot more than a picture with words or a short film to watch.  This means you can experience web pages with ads that are mini-games, ads that follow you around a page as you scroll, ads that follow you from page to page as you browse, and more.  

You may also be aware that ads make and store all sorts of inferences about you — inferences they gather from what goes on in your browser and on the rest of your computer.  These inferred personal profiles are scooped up by data brokers and packaged to be resold to other marketers.  That’s supposed to be done in enough volume to make each individual profile impossible to identify.  But recent research has shown that, with so many different data points being collected, working backward from a large “anonymized” data set to reliably identifying individuals is far easier than anyone suspected.  Yet, without enough different data points, the package is not attractive to marketers.  It will not find a buyer.

Another very disturbing trend in advertising is the enormous number of computer virus and Trojan infections that the ad networks now make possible.  Remember that the ads are more than just pictures or films, they have all kinds of sparkly interactive features.  They dance, they sing, they explore the bleeding of edge of being so annoying that you want to throw the computer out the window and go for a walk instead.  And how do they accomplish these things?  

Every one of those ads is a small program that you have half-consciously invited to run on your computer.  Your browser was instructed to bring these programs along with the content you wanted to see.  The intent of these programs appears to be delivery of a commercial message — but other functions are often hidden there.  Viruses delivered within web ads have infected hundreds of millions of computers around the world with everything from botnet spam clients to ransomware.  The websites that deliver these ads don’t often know what they are sending out; they simply allow ad networks to deliver whatever they like within broad guidelines and accept the payments for what is passed along.  The networks that aggregate and place these ads do not have the resources to check out all the ads they deliver, from what may be thousands of sources.  What’s worse, they don’t have the incentive.  With enough layers of middlemen, there’s nowhere for liability to land.

With all that to consider, I decided a while ago that I would block ads everywhere I could.  There are two counter-arguments to blocking ads I did consider.  One is, how will I support the websites whose content I am enjoying?  Simple: I actually become a paid member or supporter of any sites I read frequently enough.  Some sites I visit for the first time, say they won’t serve me content unless I disable my ad-blocker.  Fair enough, I say, and click away to find a similar item elsewhere.  

The other counter-argument is, how will I learn of cool new products or services I might want to try?  Since I was never one to find such things through ads, I consider this a small loss if any.  But the truth is, I check out new things that are any larger than tiny impulse buys at recommendation sites like Wirecutter, Sweet Home or Consumer Reports.  I prefer unbiased comparative reviews to advertising content, for decisions to purchase.

My current ad-blocker of choice is uBlock Origin by Raymond Hill.  It’s a very low-profile browser add-on for Firefox, Chrome or Opera. I say “current” because my choice has changed a few times recently.  Other ad-blocker providers have gradually been seduced by money and become ad networks in themselves, serving what they call “safe” or “white-listed” ads.  Their users have had varying levels of choice about this, from “a little” to “none.”  With uBlock Origin, so far so good.  If things change, I will add an updated recommendation in this space.

This article first appeared in The Empty Closet.

Death and Taxes

Death and Taxes

Death and Taxes. With enough lawyers you can avoid most of the taxes, but as sure as I am typing these words, and you are reading them, every one of us is going to die[*]. While we each have a will to cover our possessions and assets, how many of us include in that document what to do about digital assets? More to the point – if someone dies and leaves no will, the law is reasonably straightforward about what to with their possessions and finances. But our legal system has not yet really begun to address consistently what to do with the dear departed’s Facebook or Twitter accounts, their email, websites, and so on. These are digital assets but there’s not necessarily a physical item that corresponds to any of them. To make sure these are handled according to my wishes after I die, I have made a “data will.” Note: I am not a lawyer and this is not legal advice. If you want your “data will” to be enforceable as part of your actual, legal last will and testament, you must consult a lawyer.

What’s in a data will? This will differ in the details for everyone but I think these major sections are a good starting point. First and foremost, passwords. If you are using some kind of password management tool (as I suggest!), this will be easy. You will only need to tell your survivors where the password data resides, and what is the master password to gain access to it. If there’s no password manager wrangling all your individual passwords, you’ll have to list them all in this document, or an attachment. The password list or manager also provides a map of where you had an online presence and business or personal relationships, which will help in other ways.

If some of your online accounts have two-factor authentication such as an app on your phone that generates a 6-digit code when logging in from a new device, etc., make sure the document details where to find that, and how to use it. Also, include information on how to unlock your phone!

Email is still a fundamental service in the online world, especially when it’s the focal point for most sites’ password-reset processes. So make sure your document includes an abundance of information as to where your email is delivered, how to log into it, and pointers to the password manager entries for the email password (or the email password itself).

You may wish some of your online accounts and services to continue running. For example, you may host a family website, or use a backup service that includes your spouse’s or other family members’ data. Instructions as to what should be kept going vs. what can safely be shut down will be useful here. Also consider that any auto-pay arrangements, such as monthly or annual billing to a certain credit card or via PayPal, might not be obvious to your loved ones. Make these arrangements explicit in this document.

Finally, how to notify online friends & colleagues of your death. Many of us are members of virtual communities that might not have visibility to other more traditional ways our death would be communicated, such as local obituaries or even Facebook pages. If you are a member of professional mailing lists or other such niches of cyberspace, make sure your survivors will know how to send a notification to those communities. You may have been working on a joint project at the time of your death: it’s only polite to let the team know you won’t be at the next meeting.

Once you have completed this awesome document, you have two main things to worry about: How to make sure it has the desired effect once it’s needed, and how to keep it safe, meanwhile. I mentioned above that if you want it to be legally enforceable, then you need to consult with a lawyer as to how to make it part of, or an attachment to, your will. Be sure to confirm whether or not it will become part of the public record – if so, you will want to work with your lawyer to conceal the passwords and other sensitive information in your document.

As for the security of the document while you’re still alive, I refer back to the three most basic concepts of information security: Confidentiality, Integrity and Availability. All three of those apply here, with very high stakes. You need to be sure the document is not disclosed to anyone unauthorized, that it is not altered without your knowledge, and that your survivors can get to it after your death without serious obstacles. There are many ways to accomplish each of these three things, but what I will delve into a future post is document storage “in the Cloud”, and how that can address all three of these concerns.

this article originally appeared in the September 2016 edition of The Empty Closet.

[*] – except maybe Peter Thiel but really… who wants to be a vampire?

Why 10?

Why 10?

windows-10-8-580x358I have a really simple question: Why is anyone running Windows 10?

Resetting default apps and other (supposedly) user-controlled system settings every time the system updates is bad enough.  Microsoft says it’s a bug, but from Microsoft’s point of view it looks a heck of a lot like a feature.

The home and personal editions are clearly being primed to become advertising platforms.  Ad blockers will not help because it will be OS itself serving ads, not the browser you chose (or the one MS chose for for you, see above on defaults).

And it’s not just the home editions.  I ran the SpyBot Anti-Beacon on a Windows 10 Enterprise build, and was shocked to see about 80% of the Telemetry* settings still sending data back to the mother-ship.

Even so, if there were legitimate needs to run Windows 10 because neither Windows 7 nor a decent desktop Linux distro were equal to some critical task, we’d have a benefit to balance off all these risks.  But for the life of me I cannot think of, nor has anyone I have asked been able to elaborate, a single application or ability that users need and that Windows 10 uniquely fulfills.  (And if you respond, “Edge Browser”, you are not being serious, please sit down and be quiet while the grownups talk.) 

Windows 7 is on extended support until 2020.  So what is the hurry to get off it?  Please tell me in the comments: what is driving the rush to Windows 10?  Is it just, “Ooh – shiny!”?

* – “Telemetry” is my solid pick for Euphemism of the Year: it means, “Spyware”.