Privacy and security, a perpetrated myth

Post inspiration:  Yahoo, complying with U.S. intelligence directive, searched emails


Before you say it, this dude is crazy.  This quote is totally relevant though and absolutely true.  The Patriot Act is a perfect example of the State giving us security.

We’re living in a scary time in regards to online data and how that data is kept secure and private. We put a lot of faith in the companies where we save our personal data without much thought about how its kept private and secure. The article above is confirming what I’ve known since the Patriot Act was passed. The U.S. Government, in execution of a Foreign Intelligence Surveillance Act (FISA) request, using the Patriot Act as leverage, has forced Yahoo into complying with a directive to search emails. Yahoo designed a custom application to search their entire email system looking for key words, not yet known, catalog then place the information in a repository for remote pickup.

What irks me to no end is that the FISA was passed in 1978, well before anyone even dreamed of electronic storage or communications. The government used the FISA, as a sub-section of the Patriot Act, to allow it to spy on U.S. citizens in the prevention of terrorism. The crappy part of this is that they’re not targeting anyone specifically, rather, their using keyword searches and specific criteria to search EVERYTHING they can access easily. Think of trying to swat a fly with a 20 lb. sledge-hammer and you’ll come sort of close to what the government is doing. What I didn’t realize until just recently, is that the FISA has been amended with the following:

  • Protect America Act of 2007
  • FISA Amendment Act of 2008
  • USA Freedom Act

These aren’t what I’d call light reading. In my estimation, the FISA has been essentially used as the vehicle to push modern agendas that eroded away the security of U.S. citizens to the point that we’re not treated any differently than a foreign actor. The problem with keyword searches is simple: searching for “bomb” in the email inboxes of potentially 500 million people will result in a massive amount of data. The data is of course taken out of context and often falsely targets individuals that have nothing to do with terrorism. That’s the problem with casting a wide net, you get a lot of things caught in it that you don’t want or need to catch, but need to look at none the less.

I had a Yahoo account, I deleted it on Wednesday. I had a Gmail account and deleted that a few months ago. I’m consolidated to a few Outlook accounts at this point and am starting to think that a fully encrypted offshore email service is the better way to go. It’d be a major pain to migrate everything to a new email address, but for now, I’m going to stay put as I’ve yet to see anything damaging in regards to Microsoft bending over backwards for the government similar to the way Yahoo did. I do have a ProtonMail account, based in Switzerland, and reported to have end-to-end encryption that is unique to each account (meaning not even they can decrypt). As in, if you forget your mailbox password, in order to recover access it has to delete your mailbox and start you over. With years worth of email (something I’ve been meaning to go through), it would be a horrible tragedy to have to start over.

Our government has created a structure of law that allows them to essentially do what they want, when they want to, basically without our knowledge or approval. I’m left asking myself what the U.S. Constitution and Bill of Rights actually stand for when, very clearly, we’ve lost some or most of our rights to privacy, security, and personal freedoms. Shame on Yahoo for just “complying” with the Governments request to search emails of all their users. Shame on the American people who have traded their privacy in exchange for violations of their rights in the name of national security. My recommendation, encrypt as much of your data and activity as you can. Encryption, as we found out in the FBI vs. Apple, requires court orders to compel you to unencrypt; and then only after they have justified their request. I’m sure the elite will alter the law to make it so that even encryption isn’t adequate protection for your privacy. How and when remains to be seen.

#fisa, #illusion-of-security, #patriot-act, #privacy, #security, #yahoo-breach, #yahoo-e-mail-accounts

It’s not a matter of if, but when (Part II)

As promised, here is the second part of the post the other day. A disclaimer, these are only services and resources I’ve used in the past and found useful or appropriate for the situation at that time. I’ve noted the ones that I’m using currently and why I’m still using them despite more well known products or resources being available. The majority of what I’ve found in my experience is that online protection and security is more behavior (knowing what not to do or recognizing signs its bad stuff) rather than finding the right application to rely upon. What I’m using currently is an extension to my own experience and knowledge that helps when its not clear if I’m going down a road to something malicious.

Online Safety Resources

These are sites that I’ve come back to time and time again as resources to help people. Everyone has to realize that it’s their responsibility to keep themselves safe online because no one else is going to do it for you (unless you’re a child with proactive parents). The wife and I have consistently kept a lot of technology away from our daughter on purpose because we knew she wasn’t ready to 1) listen to our advice and 2) properly police herself online. A recent foray into YouTube that got her into some real-life videos with questionable content is a perfect example. She didn’t know enough to say “I shouldn’t be watching these” and close the application. The computer is now only allowed in open family space, no more in the bedroom with a closed door!

YouthSpark Hub (sponsored by Microsoft) (sponsored by National Cyber Security Alliance)

Get Safe Online

Protection (Anti-Virus / Anti-Malware / Web Filtering)

Out of all the things that you can choose to passively keep yourself safe out there, these are the three that I highly recommend. They’re a good balance between protection and minimal resource impact on the machines you’re running them on. I’ll address each individually to make things easier.

Microsoft Internet Safety & Security Center

This is a combination service that includes Microsoft Security Center and Windows Defender that come bundled with Windows 8.x and Windows 10. It’s automatically enabled by default and if you don’t know that they’re there, you’re already protected to a certain extent. I like this application because it literally sits in the background and only reminds you its there when something bad is about to happen or your actions are going to trigger something bad. It would well despite some of the bad press online, however its free and capable at protecting the “macro” stuff.

Microsoft Family Safety

Probably one of the best services I’ve seen from Microsoft, this lets you create an account for your child with a password they select, yet let you watch/see/block anything you want. An amazingly easy interface, you create the Microsoft account while logged in with your account and authorize their account on only the devices you want them to be able to log onto. You have the ability to restrict their total time, the time frames they’re allowed to log on, as well as see everything they download/install/browse online. If a site shows up you don’t want them getting on, a quick click of “Block” next to the site will remove their ability to get to it via any browser. You can also block installations of certain applications (like Firefox or Chrome) forcing them to use IE or Edge so you can keep track of their online behavior. Instructions are easy and they take you through every step.

Sophos Home (anti-virus/anti-malware/web filtering)

I highly recommend this service due to the ease of use and quick setup. You create an account, then install the Sophos Home agent on every computer you want to protect (up to 10 for free). Each computer shows up individually by machine name (I change them to be specific, e.g., “DaughtersLaptop”) and lets you review their online activity. This is an added blocking defense for any site that they got to that Family Safety didn’t block for some reason. In addition to the web filtering, this is also an added anti-malware tool and has an extensive database of web sites that have been reported as having a bad reputation in regards to malware or virus activity. Simple installation and small footprint (less than 50MB of memory used when running), this passively watches in the background.


I can’t stress enough how important it is to have strong, complex, and long passwords. A password using capital/lowercase letters, numbers, and special characters that is 8 characters long, can be cracked in about 6-8 hours @ 1,000 attempts/minute. The same type of password at 15 characters will take 2-3 years @ 1,000 attempts/minute. Once you add in non-standard characters, it could take decades to crack. It’s not a matter of making your password uncrackable (that’s impossible) but more a matter of making it so long to get it cracked that they move on to the poor guy that has decided to use “12345678”, “p@ssword1”, or “qwerty1234” as their password for their banking site. And please, don’t be a smart-ass and make it “passwordWITH1number”….. that’s just stupid.

I personally use LastPass and definitely utilize the password generator built into it for everything now. I can access my password database on all my devices including my mobile. The database is encrypted even in the cloud to the point where LastPass is unable to decrypt it should I happen to forget my master keycode. They also just released an authenticator application (numbers that sequence every 60 seconds) to allow for dual-factor authentication on sites that allow it. WordPress supports it 🙂

LastPass – Password Manager

Creating a strong password

How to Create a Strong Password (and Remember It)

How to Create a Super Strong Password (Infographic)

Well, there you have it, a lot of information to digest and absorb. It’s worth the read in my opinion as it holds true: “It’s not a matter of if, but when” you get hacked / you get a virus / you get malware / you get phished / etc. Stay safe out there!

#breach, #hacking, #internet, #lastpass, #mobile-2, #security

It’s not a matter of if, but when (Part I)

I received a letter from American Express yesterday.  It was nothing out of the ordinary as they send me crap all the time, but this was different.  The letter informed me that my information changed via a third party service sometime in January 2016.  Red flag.  The letter didn’t tell me that this was an ordinary or extraordinary action and in the 22 years I’ve had this card I’ve never had anything changed via a third party.  Red flag.  Upon calling them, I was informed of a potential breach in a third party system that American Express uses to update their credit files.  The letter was auto generated and was a result of a changed file.  My question “Why did I get a letter its changed as I’ve never received this before?” went unanswered.

This event triggered me to write about it, because I’ve yet to talk to someone that completely understands the extent of their threat exposure.  So here, a short list of items that I’m sure everyone has an account with or a device in their possession:

  • Mobile Devices:  mobile phones, wifi doorbells, wifi cameras, wifi baby monitors
  • WiFi Vehicles:  On-Star, Hyundai Assist, Ford Sync
  • Medical Devices:  pacemakers, defibrillators, insulin pumps
  • Social Engineering:  email, text messages, phone calls
  • Service Providers:  mobile phone companies, cable, phone, electric, gas, water

Every single one of the above items (its not an exhaustive list) has a component that can be breached and used to take advantage of unsuspecting people.  I’ve been in this industry for years and still see threat deltas that I’ve never seen before.  The potential that hundreds of thousands of people are even less aware is very real and the news tends to support that theory.  Here are some scenarios that may or may not fit:

  • Get a new WiFi router for your home and just plug it in and it works.  No changing of the default password, no wireless security (open), no update to the default factory settings that allows for internal device browsing, etc.
  • Get a new Android phone and start to build out your profile, download apps, etc.  You get a prompt to enter in your credentials for GooglePlay and blindly enter in your credentials because you think its for an app.  You don’t notice that you’re not prompted for a username/password ever for downloading apps (since it uses your Google account automatically) through official channels.
  • Connect your personal mobile device to a hotspot for internet access without reviewing the entire list of available networks.  Most places of business will display their wifi network name so you don’t connect to something malicious.  Ex – a wifi network will NEVER show up as “ad-hoc”, the ones that do are malicious almost in every case.

There are literally hundreds of thousands of articles and resources available if you want to learn more about protecting yourself.  I’m going to list a few of the more easier to understand resources in my next post.  Keep yourself safe online and the horror stories you see online will never be about you.

#breach, #hacking, #internet, #mobile-2, #security