Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2020
Doug Lhotka

Secure Thinking

By

I often speak on ‘Secure Thinking’ to a variety of audiences, and share some suggestions on how to keep themselves safer in their online lives.  Here’s those tips:

 

  • Patch your systems regularly (patch Tuesday is a great start)
  • Run Anti-Malware, but don’t pay too much for it.
  • Uninstall flash completely. If you need it, run it inside Google Chrome (and only use Chrome for flash sites).  Likewise with Java in your web browser.
  • Stay off the seedy side of the net
  • Only install software from trusted sources
  • Don’t click links in emails.
  • Avoid wi-fi hotspots, or use a personal VPN if you need to use them. I use getcloak.com
  • Never, ever use a public computer, for anything. It’s like swimming in a sewer.
  • If you find a USB thumb drive, destroy it – never plug it in.
  • Encrypt your data – FileVault or BitLocker
  • Backup your data to a trusted repository
  • Use robust, unique passwords for every site. I use 1Password from agilebits.com to manage mine (and store a copy of the file with another family member)
  • Enable two factor authentication when it’s offered
  • Enable a passcode on your phone. If it’s iOS or a Google Nexus running Marshmallow or newer, consider using the fingerprint reader to make it more usable.
  • Only use Google Nexus android devices to ensure you can stay current
  • When asked for secret questions, lie – and record those lies in 1Password.
  • Lie to websites that ask for information they don’t need – why does a game company need my real birthday?
  • If you receive an inbound phone call, don’t assume it’s real. Hang up without sharing any information and call the bank/insurance company/etc back from the number on your card or statement.
  • Get a credit freeze – not credit monitoring. Brian Krebs has a great article on this. Store your PIN in 1Password, and keep a backup copy of the vault In a safe place.

 

In the end, it boils down to simply being aware.

 

Think about security!

Apple and FBI

By

Ok, Apple vs FBI.

I might as well write about a third rail, but I’ve gotten so many questions about what’s going on that it’s simpler to chime in.

Let me begin by saying that I’ve worked with a lot of law enforcement professionals over the years, and have the highest respect for their integrity and professionalism.  They have a tough job, and take their duty to stand between us and the bad guys very seriously.  I do not remotely, condemn them for making the request of Apple – in their role, with their charter, I’d probably do the same thing.  Likewise, Apple is acting on their own good character – this is not a marketing stunt as some have suggested, I believe it’s an honest principled position.

That’s not a cop out, this simply is one of those times when people of good conscience and character disagree.  Balancing security, privacy and liberty is very hard in the digital age.

Couple of things to start:  First, Apple is not being asked to break their encryption.  They’re being asked to create a special version of iOS that bypasses the protections against brute force attacks, so the FBI can break the encryption the hard way – by trying every PIN until it unlocks.   Right now, iOS has an escalating timeout on wrong passwords – after 9 it locks for an hour, and after 10, it wipes the phone (assuming that feature is turned on).  It’s those two features that they’re being asked to bypass (and to allow electronic passcode testing instead of tapping with fingers, but that’s less impactful).  A version of iOS that does that would to be digitally signed (validated as real) by Apple in order to be loaded on a device.  Once that code is created, it’s about 2 minutes work to enable it to be loaded on different devices, or to be loaded on any device at all.    This is not a universal back door –  it removes the barriers that protect the door against someone battering it down, which is still a significant reduction in security.

As an aside, it’s unfortunate that county that issued the phone failed to install basic MDM (mobile device management) software, which could have unlocked it remotely.  That’s a best practice.  It’s also unfortunate that this is an option – Apple allows loading of new iOS versions on locked devices without wiping memory.  I see reports today they’re working on closing that gap, so this whole thing may be a moot point going forward.

But let’s set that aside – this was always going to come to a head.

We can also set aside some wilder speculation:  ABC reports a rather esoteric means to extract the data directly from the chips.  I’ve seen some commentary that the chips could be removed intact, and the memory read out using the standard pinouts, loaded onto a separate machine, and brute forced external to iOS (I’m far removed from my soldering iron days, so I don’t know if that’s possible).  If that capability existed, it’d be something that would probably be a highly protected capability.  Conspiracy theories abound that the suit is a smokescreen to protect such a capability by unnamed three letter agencies.  Let’s leave that for the movie plots.

So the net is that Apple can do what’s being asked, though at a significant cost (they’d have to pull engineers off their commercial development activities), and at significant risk – both of precedent, and of the software leaking.   The question is should they do it?

I believe that such a question needs to be decided through the legislative process, with full public debate, by Congress.  Not by individual states, and especially not by the judiciary.  Apple is doing us all a service by forcing that debate to happen.

 

Adblock-blocking done right – almost

By

While there are good security reasons to block ads, I’ll be honest and admit that I detest advertising – particularly intrusive, annoying animated ads on websites.   That’s why you’ll never see an ad here, and why I run adblockers.  Traditional ads (newspapers, televisions, etc), were one thing – I could ignore them, and remain anonymous.  Mail ads suck because they take up space in my tiny USPS issued mailbox.  But online ads are another beast, filled with trackers, cookies, and all too often offensive ads, or even malware.

There’s a recent trend of sites blocking visitors using adblockers.  That’s perfectly fine – it’s their business, and I don’t begrudge them making money.  Some sites have an ad-only revenue model, and have taken a hard line, Forbes among them.  I simply don’t visit that site anymore.

Others, like the Wall Street Journal, have a subscription+advertising model, and live behind a paywall.  I don’t try to get behind those paywalls because that’s their chosen business model.  I don’t subscribe, but if I did, I’d block the ads – and if they started blocking adblockers, I’d cancel my subscription.

A few months ago Wired.com started displaying graphics related to adblocking.  Something about doing a ‘solid’, but I never could figure out what solid they wanted: Sphere? Cone? Cube?

Eventually they posted a more straightforward note:  They’re going to block adblocking customers, but are providing an alternative:  $1/week for an ad and tracking free experience.

That’s the right way to do adblocker blocking: Have compelling content worth paying for, and price it relatively cheap.  Now, I suspect they don’t make $1/week/visitor on ads, but it’s not too bad, and their content is worth it.

So I signed up – they converted a non-revenue customer into a revenue one, by letting me get the good stuff without all the junk.

Well done Wired!

[edited – not quite well done]  They almost had it right.  It seems that the temptation to track is too strong.  Even the subscription version still has social media, adobe and chart beat trackers, among others.  Very disappointed that they’re not providing a clean option – and now I have to think about subscribing – because even if I block those cookies, they can capture my activity on the back end.    How hard is it to just simply let us subscribe without any – and I mean any – tracking, monitoring, or spying on what we do?  Let me be your customer, not your product!