Tag: cybersecurity

It’s the Most Wonderful Time of the Year, Part I

BobbieLeave a comment

As we sit in meetings and hear “yeah, so let’s circle back to that in the new year”, as we receive out of office emails, as we get quite literally bombarded with solicitations (to go buy things or donate money), we find ourselves yet again at the end of a calendar year, heading into “the holidays”.

It is “the holidays” because it incorporates a selection of them with a variety of observances and customs, and I can get behind any seasonality that involves getting together with the ones you love and eating things. Oh, and pretty lights.

This is also the time of year where you may be dragged into being tech support for a friend or family member and remember that it is an honor and a privilege: You Are the Techie Person. You get to say stuff like “it works on my machine” and “have you tried turning it off and turning it on again”. Practice holding your coffee mug in your non-dominant hand while gesturing at screens, it will help.

If, however, you do not want to spend all of your time at a gathering doing tech support, and you’ve allotted a specific amount of time to do the Good Work, here’s some suggestions. For all of these you should explain to the recipient what you are doing and why, so they understand when things change. It also means that they can’t wander off and leave you by yourself to play tech support (unless you, and they, want it that way).

15 Minutes

With 15 minutes, grab the phone(s) of the intended persons (WITH THEIR PERMISSION) and:

  • Ensure they are updated with the latest patches – this will help guard them against security issues and could help performance.
  • Adjust the text sizing/accessibility features as needed – sometimes these are hard or confusing to get to.
  • If the phone is a sea of apps, make sure they know how to search for apps and/or reconfigure their first page of apps to the ones they use the most.
  • Establish a family code word for human MFA – AI has gotten savvy and so if Grandma gets a call from her “Grandson” explaining he’s in jail / trapped in a town someplace else / needs money, Grandma can ask for the passphrase. The kid will know it, AI will not. (You may need to show Grandma some examples of AI real-time deepfakes, so she understands the abilities of the bad guys).
  • Depending on the state of the person and what kind of support you do, you may want to enable location sharing to you. If you do that explain why.

3o-45 Minutes

With this additional time,

  • Make sure they are storing passwords someplace safe. IF THAT IS A PIECE OF PAPER, make sure they understand that that piece of paper needs to be hidden and not just hanging out and visible to anyone who visits the house. Pitch solidly for a password manager — the one Apple has built in is fine; Bitwarden is good too.
  • Make sure they understand to NOT STORE THEIR CREDIT CARD INFORMATION IN THEIR BROWSER. If they are doing that, walk them through why it needs to be removed, and teach them how to use Apple Pay or Pay Pal. Yes, this may take more than 15 minutes.
  • Walk them through how MFA works (if they don’t already know it) and ensure it’s set up for any/every instrument tied to money (bank accounts, shop/store accounts, subscriptions, etc.)

An Hour or More

  • Check to see if the router ADMIN password is unique and not the one the router shipped with. If it is, change it, make sure they add it to whatever they’re using to manage their passwords, and explain to them why (I find it useful to use the “Garage Door Opener” example: there was a thing a few decades back where folks discovered that if you bought a garage door opener and drove through neighborhoods eventually you’d find one you could open).
  • Make sure their Wi-Fi is not open for all – it should be password gated and that password should be stored accordingly.
  • If you have crazy amounts of time and inclination – let’s say you’re visiting from out of town and staying at the house a few days? –
    • Consider setting up a guest Wi-Fi and/or IoT Wi-Fi network. Separate things-that-touch-money from “smart” things (e.g., smart fridge, smart thermostat, etc.), and also separate “visitors”.
    • Go through browser hygiene on all machines – how cookies work, what you do and don’t get for them (explain that this is how Facebook knows you were shopping for boots).
    • Make sure machines are on auto-update for patches.
    • Consider getting a separate authenticator, and walking them through how and why to use that.
    • Explain passkeys.

Stocking Stuffers

  • Don’t plug your phone in to charge at any rando USB port. Instead, use a USB Condom. And with this, let the recipient know that they should never have to download an app just to charge their devices.
  • You can also get them a portable charger, especially if they travel a lot.
  • Bitwarden has a free tier but also for $1/mo or $3.33/mo you can get extras.
  • Ghostery is free but does accept donations.
  • Signal is free but does accept donations.
  • Credit Monitoring – even though we all get it “free” every time one of our accounts is compromised, it’s a good idea.
  • Authenticator Apps – Wirecutter and PC Mag have covered these.

Next post: why the Credit Monitoring is a good idea, and how to deal with the never-ending Data Breach issues.

Supply Chain Attack: an Explainer

BobbieLeave a comment

I have told you to Do Your Updates, twice. A good example of why is the recent news about supply chain attacks in popular npm packages, which may mean nothing to you, and I figured I’d break it down.

Firstly, most folks understand that a supply chain is… a chain… of supplies. Tautology aside, it specifically means the chain of manufacturers, people, places, and companies through which various stuff flows through to an endpoint. Let’s take my fake coffee shop, Bobbucks, as an example. Bobbucks sells fancy coffee and (of course) pastries. Bobbucks does not want to have to have individual bakeries in every city/county/country that it owns, because Bobbucks’ primary focus offering is *coffee*, not pastries. Therefore, Bobbucks contracts with local corporate bakeries across the world.

Those bakeries make pastries according to Bobbucks standards, but key ingredients are fairly universal: for example, flour. All of those bakeries need to get flour, and they probably don’t all get it from the same place across the world, but there’s a good bet they get it from the same place in a geographic region. We’ll take that part of the chain. Now we have Bobbucks, which contracts with Starbakers for pastries, which in turn contracts with Queen Guenevere Flour company. Queen Guenevere Flour company in turn gets the wheat from Alan’s Wheat Farm.

Those products don’t magically flow, though, so for this supply chain we need trucks, and trucking companies. The trucking companies that are used in each part of the chain are contracted between the two links, e.g., Bobbucks and Starbakers have one trucking company (probably more, but we’ll say one to make it easy) between the two of them; Starbakers and Queen Guenevere Flour may have a different one.

If someone wanted to attack this supply chain, they could do it at different spots, with different results. For example: if someone were to put some laxatives in the pastries at Starbakers, then Bobbucks is unknowingly buying laxative danishes and selling them to people, who will then get sick. Bobbucks will need to do some investigating to figure out where it’s coming from, would probably quickly find the culprit in the danishes, and push back to Starbakers. Now Starbakers has to figure out if it’s one of their staff, or one of their ingredients.

Maybe it *wasn’t* some gremlin at Starbakers, maybe it was a gremlin at Queen Guenevere Flour company putting laxatives in the flour. Or maybe one of the trucking companies. Each company has to spend time and money to figure out where it happened, to rectify it. In the meantime, people need to be notified to get their pastries elsewhere and to take Imodium.

Specious examples aside, you also see this not so much in supply chain *attacks* but general “oopsie” like when a farm has questionable fertilization practice and ships a bunch of lettuce with ecoli– which then gets washed and chopped up in a processing plant (but maybe not washed enough) — which then gets packaged up with authentic Pirate Frank’s packaging for all the Pirate Frank stores — which then ends up in your cart. How many food recalls have you seen lately?

“But Bobbie”, you say. “Bobbie, that is concrete hard things that move from place to place. How do you attack a software supply chain?”

By poisoning a package. Or several.

As we’ve discussed previously, it is not efficient for you, the developer, to create a formula every time you want to say, convert Celcius to Fahrenheit. Someone else has done it and they’ve put it available for others to use, up in a registry. If you, a developer, need to create a shiny new website for your Ancient History Studies college courses, you would go searching for a package that already exists on the registry that, say, converts Julian dates to Gregorian dates (or vice-versa). You wouldn’t hand-code it yourself because you value your time and also your sanity.

That registry is visible and more importantly, open source. That means that if Person A has built that Julian to Gregorian date converter, and Person B has a Mayan Calendar conversion they want to add, they can publicly add to that package to make it more useful for them and others. That add is visible, and can be checked both by the registry and subsequent editors/adders/changers. There are all kinds of places and ways the content can get scrutinized.

For each fine cat, a fine rat. A particularly fine set of rats have gone to the very most popular packages – packages that handle string pattern matching, or prettifying things, or cleaning up things, or converting things – and put some poison in them. Sometimes the poison is to capture credentials (e.g., your logins or suchlike). Sometimes the poison is to silently watch what you do on your machine for ages to see if you go to any crypto sites (so it can grab your wallet) or banking or whatever. The little code injection captures what it needs and sends it faithfully off to the architect of this chaos, and sometimes you find out right away and sometimes you don’t.

The thing about supply chain attacks is that it isn’t just you, or a handful of yous. Much like with our flour analogy, those packages get used by Company A to build a thing which Company B buys, and uses in their thing that they in turn sell to Company C. Each of those companies have customers who use their products and it’s possible a customer is a customer of all 3 and so tracing back to “where did this come from and what is it doing” can take an appalling amount of time. Also, it’s not just one package. They use more than just one package. They may use dozens, or even hundreds, throughout a large product offering. And sometimes it’s a combinate poison: part 1 of the poison is in package Foo, but part 2 of the poison is in package Bar, and engineers tend to use both Foo and Bar packages.

Once the real origin is figured out though, time is still of the essence. Companies and developers have to update to the last known good or the newest known good version of those packages, push those updates out to *their* customers, and *also* have to sanitize all their stuff, change their passwords, their 2FA/multi FA, etc. It’s not enough to take Imodium, you’ll also want a probiotic and lots of Gatorade. And you may stop getting pastries from Bobbucks.

So do your updates.

PS – “how were attackers able to poison the packages in the first place?” – Phishing. They sent official looking (down to the return address) scary mails to package owners telling them they had to update their 2FA credentials and used that data to gain access to multiple packages and locations. They sent the same kind of official mail, with lots of urgency in it, to lots of package owners, and lots of package owners fell for it.

DO NOT click links in official sounding scary emails. All of those that purport to come from your bank, or important places like this, have actual websites you can actually go to directly without clicking on specious links. Same thing goes for phone calls from “the bank”, “social security”, “the IRS”, etc. Thank them for calling, tell them you will hang up and call them back. Then call back on the phone number from the *website*, not the number they called you from. (The IRS doesn’t call – they don’t have anywhere near the human capacity for that).

Do your updates.

Bobbie2 Comments

Usually I try to figure out a pithy title as a draw, but for the love of whichever entities you respect and/or follow, please do your software updates. Specifically do your platform updates: on your iPhones/Pads/Macs, on your Windows machines. Update your apps. When the little red notification comes on, do not ignore it, just do it.

How to Update

(If you have other devices/platforms just use your handy dandy search engine — I use Duck Duck Go — to identify how to get your updates in a timely fashion. Bonus points if you set it up to automatically do it.)

Why Update

There are some that believe the updates are for feature funsies: e.g., if I update my phone I will get the new AI this or the new UI that. This is true, for most “regular” updates there are some feature releases and you get to read all about those (and decide if you like that or not). There are also “bug fixes”. I feel like this does disservice to what those fixes are: if I think of a “bug” I think of “annoying thing that happens”, I do not think of “wide open gaping hole for bad actors to waltz in through”.

Your platform updates often include security patches. These patches are, for the most part, NOT because the engineers made a mistake when crafting the platform, rather, they relied on packaged convenience libraries to do some standardized work and *it is those libraries* that have problems. Think of it like this: the engineers baked the cake, but the problem was hidden in the flour they used, and would not have been visible when they baked the cake and someone found out the flour had something in it long after the cake has been baked.

This happens *all the time*. There are thousands, probably millions of little packed up conveniences in the software world, because writing something *from scratch* takes a very long time and it’s kind of silly if someone has already done it (and done it so well that All the Other Kids are Using It). When a vulnerability is discovered in a package, it is given a CVE number (Common Vulnerabilities and Exposures), and a detailed write up on what the vulnerability is, where it is, and oftentimes suggestions on how to fix it. Companies worldwide use MITRE’s CVE database to understand what and where those vulnerabilities are, and how to fix them, so they can iteratively update their software and further secure it. Vulnerabilities are discovered by engineers around the world, sometimes on their own time, and sometimes on their company time: they are written up and shared with package users to make sure they get fixed.

How Bad Can it Be?

A vulnerability or exposure has roughly four stages of severity: low, medium, high, and critical. YOU as the consumer don’t really know which basket of vulnerabilities is addressed in “bug fixes”, but the company you depend on does: high and critical vulnerabilities, and their address, are often why you get off-cycle security patches (ever had an update on your phone that seemed awfully soon after the last one?). These vulnerabilities are “publicly disclosed”, meaning, their existence and how they can be exploited is also disclosed. The analogy here is: there’s a catalogue of all barn doors that are unlocked in your area, and anyone who uses those barns should be aware of that, and the barn owners should be aware of that, so the barn owner can lock the door. This also means that bad actors (who, let’s face it, are probably serially trying all the barn doors through the area anyway) who are lazy and did not do their homework now have a legit directory of which barns are probably unlocked.

Hence the haste.

These vulnerabilities are discovered and there is a Very Short Window in which the companies that use them can get a heads up on fixing them and getting those fixes out before they show up in the public discourse. (Meaning, the CVE doesn’t show up formally in the MITRE database until which time as the organizations and libraries dependent on fixing it have at least had a *chance* to fix it). This means that the original discoverer(s) of the exploit know how to break in, but it isn’t available to everyone else to see: that happens after (theoretically) everything has been fixed.

“Everything has been fixed”, in this case, means that your software has been patched and updated, *or you have been asked to do an update*.

If you wait, and the longer you wait, the more exposed you are.

Modern convenience often comes with modern inconvenience: we have computers that are smaller than our hand that literally tether to all global knowledge, they help us stay in communication with others and they help us track our lives and livelihoods. They also are fragile and need care and feeding, and it can be easy to defer it in light of convenience (“oh, I won’t do the update now because it will take too long, I’ll wait until ‘later'”). Please. Don’t wait until “later”.

Privacy

BobbieLeave a comment

Firstly, and this is super depressing to write, understand that you will never be 100% private, and that privacy is also a never ending game. Everything we do online has an electronic trail that leads back to us and relies on the infrastructure of the entities we interact with to keep us private. In most cases – and especially when we are using “free” services – *we* are the product.

DeleteMe

Deleteme is a service you pay for that identifies how much of your personal information is out there for use/abuse, and helps you remove it: search engine results, data brokers (these are the companies that purchase from like Facebook and Amazon all kinds of data about you, and then they marry it up with other data they’ve gathered), and things like public records (e.g., why you can search someone’s name and see them on White Pages, Spokeo, etc.).  Remember the old days when White Pages was a physical book and you picked up your rotary phone to call them to tell them to remove you from the book (okay maybe you don’t but I do)? Those days are gone, and now every site has a different process. Using a service like Deleteme can help streamline that.

That said, there are places where you may want to share information, but only to people you know and like. This could be on Facebook, LinkedIn, whatever. Deleteme won’t delete from what you’ve specified there, and so there are some things you will want to do to make sure that your information only is visible to the people you want to see it.

Social Media

Meta (Facebook, Instagram, Threads)

On Facebook, go to the top right screen, click your avatar, go to Privacy Settings, and there’s a whole menu of things you can do. Here are some recommendations:

  • Identify who can see your profile information (things like your email, birthday, city, who can see your friends, who can see your people and pages, who can see your posts/stories, limiting your past posts, etc.
  • Most of these rely on a curated friend group and someone knowing you’re on Facebook and sending you an invite that you must accept (or direct) before they can see your stuff.
  • The levels are typically: Only Me, Friends, Public, or a curated group

You should then update your Ad topics in account center: this is who gets to advertise to you and what they get for it. Go to “Ad Preferences”, “Manage Info”, which will tell you how your data is used for advertising.

Finally – there is a section where you can view and manage your activities on Meta products. Note that it will have your activities across all Meta products (Facebook, Instagram, Threads) and will give you an idea of what all they track. And if you continue reading, there’s the FBP browser extension that can curb even more.

Instagram and Threads have similar experiences – go to your profile and there is a section that links to your privacy. Remember that unique identifiers are best for people who are trying to invade your privacy: usernames, emails, etc. Keep your email(s) private, and usernames unique, if you want to make it harder (never impossible) for someone to find you.

X/Twitter

X (fka Twitter) has a Privacy & Security section in which you can control your visibility, your post visibility, people’s access to your DM’s, etc.

LinkedIn

Much as with Facebook, on LinkedIn you can lock down to just your network of chosen people, make it so you don’t show up in search results (or only show up for a certain level of “connectedness”, e.g., if you and I know the same person I can see you, but if I know someone who knows someone who knows you, I can’t). You can also specify how LinkedIn uses your data. 

Reddit

One of the very first things that Reddit will tell you in their Privacy Policy is that they are a public platform. Anyone can see your profiles, posts, and comments, meaning that a person with a lot of spare time and access to their API’s could sieve through your post history and look for context clues of who you are (because your username can be blissfully anonymized, like “TigerPanda640” or suchlike. 

Microsoft

Your Microsoft account is likely also tied to your Xbox account or other products, and much as with other providers and platforms you can control some things.

In the Settings & Privacy tab of your Account Overview, and walk through the Privacy “Make sure you’re safe and secure” guide. It will also link you to the different Microsoft product structures (e.g., Xbox, Teams, etc.)

NOTE: much as with Reddit, Xbox handles are public, and so you would want to have a handle that isn’t easily identifiable as you. 

Most Microsoft data visibility is within your organization (so at work, people can see your work email information; at home, only you can see your email information (or your family if you have a family account)). It’s not like there’s a forum in which that information would be scrapable by simple search; for someone to get ahold of this there would have to be an actual security breach of some kind. For that, see “Security” to avoid the impact there.

Apple

Apple is KNOWN for its privacy and security, and much like Microsoft there isn’t a way for someone to get your information *from* Apple unless you shared it out or unless they’ve been breached. Much as with all these other entities, go to your profile, and adjust any privacy/security settings as appropriate.

Google

There are two places to lock down your Google information: one is locking it down from Google (managing your ad settings and activity controls) and the other is locking down your account information (and who can see it, including in product reviews and endorsements. To address that, go to your account, go to Personal Info, and under “choose what others see” select “Go to About Me”. You can see your visibility per information item there and make it private or visible to anyone.

Useful Apps are Useful, but…

Yelp. Open Table, DoorDash. Lyft. Instacart. Any application on your phone that requires you to log in, is getting some kind of data about you and has an account for you. (Even if it doesn’t require a login, that app likely has information about your phone, location, etc. it can get as part of existing on your phone). In your account settings you should be able to update how much is visible to someone (either at the company or as part of an advertiser). 

Other Websites

There will be sites you *want* your image on – a local foundation, board service, etc. – that you cannot lock down (because that would defeat the purpose of visibility). For these, there are a few things you can do, though it would be hard to enforce:

  • Use a unique picture. In the old days someone could take a picture, reverse image search, and find everywhere else that picture is used, to draw a connection to different places a person works/does work. (They can still do this). However, with AI, they could now use that picture to extrapolate similar other pictures so the picture no longer has to be exact to trace you. 
  • See if the information can be behind a log in (e.g., if it’s board information, require membership to log in)
  • Use an avatar instead of a picture (this… can feel unprofessional)
  • Use abbreviations of names (e.g., B. Conti or Bobbie C) – small roadblocks can be useful. 
  • Do not have emails useable on a website. E.g., instead of bobbie.conti@gmail.com, which can be picked up and read by a scraping machine (and useful for creating a spam attack), you can list it as bobbie.conti, on gmail.
  • Website owners can make things a little easier by requiring verification of humanity and actual enrollment for newsletters – e.g., when someone “signs up” for their newsletter, they should send a confirmation request/update to the email address *before* actually signing them into the email service. I love websites that do this because it makes it harder for people to use them in spam attacks.

Nom Nom Nom on your Data: Cookies

Cookies are little trackers that websites drop onto your local machine. If you log in to a website on your PC, and then on your phone, it’s dropped cookies in both places as relates to your log in (if you had one) or any number of other log ins (if they’re affiliated with say, Facebook). This means that when you go back to the site six days later, it can go to your cookies file and read all of the cookies in that file: and it will know things like what other sites you’ve been to, what you looked at, etc.

“Cookies” and your “cookie hygiene” are what comes into play when you go to a website and it gives you that “Accept All”, “Reject All”, and then typically a setting where you can “pick”.  The options are typically:

  • Functional – these you typically cannot opt out of, and they will help convey information to the site owner about issues with their site, performance, etc.
  • Experiential – these are things they track like your preferred products, pages, etc. 
  • Advertising/Marketing  – these are things like tracking what specific things you looked at and marrying it up with other data to either infer what you would like (target advertising to you) or to have other sites use (so they can target advertising to you). 

You can, for example, reject all cookies out of hand. You can also go through and clean out “cookie deposits” on your machines. Because cookies are dropped and used by a browser, the instructions on how to remove them are browser specific:

  • Edge
    • Go to Settings, Privacy, Clear Browsing Data, click Control and Shift and Delete at the same time. 
  • Safari
    • Go to Settings & Preferences, go to your Privacy tab, click Manage Website Data or Clear History and Website Data, select Remove All (or pick which sites), and click Remove Now or Delete to Confirm.
    • You can also select to block all cookies, and prevent cross-site tracking.
  • Chrome
    • On Chrome, at top right, click More (with the vertical 3 dots), and select Delete Browsing Data. Choose a time range (last hour, all time etc.) and specify which information you want to remove. 
    • Click Delete Data.
  • Duck Duck Go
    • Duck Duck Go doesn’t store cookies and cache.
  • FireFox
    • Click on the menu button (the three horizontal lines), select Preferences or Options, go to the Privacy and Security panel, in the Cookies and Site Data section, click “Clear Data”. You can elect to clear cookies, site data, or both.

Shields Up or Shields Breached: Browser Extensions

Browser extensions can help or hurt, depending on which browsers and which extensions. A Browser extension is software that will extend the functionality of your browser: it is supposed to add helpful things. These are things like password managers, social media tools, and ad blockers.

Helpful Extensions

  •  Fluff Busting Purity – this will remove Facebook’s ability to track you and spam you with ads. It hides sponsored posts, suggested posts, newsfeed posts from unknown authors, allows you to give it specific phrases for topics to avoid, etc.
  • Ghostery is a web privacy extension that blocks trackers, ads, and can opt you out of automatic cookie dumping (aka “never consent”)
  • Bitwarden has a browser extension for ease of access to your vault.

Generally speaking, most beneficial/altruistic extensions operate on donations (e.g., FB Purity and Ghostery do), and so it’s nice to slide a few dollars their way (if you can).

Private Messaging

There are a variety of messenger services out there, including iMessage (which comes with an iphone), regular SMS texting, WhatsApp, and Signal. WhatsApp and Signal offer double-ended encryption, meaning that, in theory, there is encryption on your device and encryption on the recipient’s device, and the intermediary (the messenging service) cannot access or decrypt your messages (they’d have to have access to both phones). That said, there is evidence that WhatsApp has a “back door” – the recipient of any message can flag it, and once that message is flagged it is copied and sent to Facebook/Meta for review. This means that there is nothing stopping WhatsApp from “self flagging” a message for perusal).

Instead, I advocate Signal. Signal is end to end encrypted, there is no evidence of a back door, and Signal has stated *in court* that it has no way of decrypting messages (nor will it build a back door to support that). Signal is also supported via donation.

App Hygiene

When you download an app to your phone, especially an iPhone, it runs you through a bunch of questions and may include Terms and Conditions. The biggest things it will ask you, though is:

  • Is it allowed access to your camera and microphone?
  • Is it allowed access to your photo library?
  • Is it allowed access to your contacts?
  • Is it allowed access to your location?

iPhones

Each of the privacy settings above are available in the individual app menu: go to Settings, scroll down to Apps, select which app you’re interested in.

You can: 

  • Set location usage to “always”, “while using”, and “never” (and if an app is using your location it will have the little location arrow showing purple or outlined). Some also have “Ask next time or when I share”.
  • Set access to photos (None, limited access (where you select which ones), Full access)
  • Microphone and Camera are typically toggles.
  • Contacts offer None, Limited (select users), Full access.

Android

To review the privacy settings on an Android Phone, go to Settings, App, the specific app, and then Permissions. Mostly you can toggle between allow and don’t allow. 

Sniff Sniff

Let’s say you’ve done the above – you’ve locked down your socials, you’ve used deleteme – the barn doors are closed! Except there’s a window, and that window is you out in the world with your computer – let’s close that window.

  • “Free Wifi” isn’t free, and it could be problematic. When you use your machine to connect to free wifi, you are giving up some measure of information about your machine and also what you are doing – they can get your IP address/MAC address (basically, they have an identifier for that machine/you), they can see what sites you go to (yes even in incognito mode), etc. They don’t see your passwords, but they would be able to infer from the collection of data over time (and marrying it up with that broker data) who you are and what you do and where you go. 
  • Use a VPN on your machines if you’re in public – yes, this is a pain and yes, you have to pay for it. A good one is Nord VPN. This establishes a secure network and so while you would be able to join the “free” wifi, the sharing of your IP address, visibility into what sites you go to, etc. is gone. 
  • Do not plug into public USB ports to charge your phones or any device. Instead, get a USB Condom (yes it’s called that). A USB condom looks like a little USB “bridge” that has one end you stick YOUR USB into, and the other end you stick into the “free” power port.  USB condoms work by shorting the data pins and only allowing the power pins to work on a USB connection.

Doxing

Doxing is rooted in the phrase “dox” which in turn is a bastardization of “docs” which is essentially the idea that someone has all your docs/documentation. In practical terms, if someone says they have been “doxed” or “doxxed”, or will “dox” you, what they are doing/have done is assembled enough information about you that they can blab to the world that User123 is in fact Princess Buttercup who lives at 642 Florin Way, Fire Swamp, Guilder, Fantasyland, and her phone number is 555-867-5309 and her IP is (insert rando ip address here). Someone “doxing” you means they know where you are and who you are and can publish that information, and it is an actual threat to your safety.

Here’s the thing to understand about doxing:

  1. Some people can actually do it, 
  2. Most people threaten to do it but don’t actually do it,
  3. Once you have been doxed it is very hard to get private again.

If you have set your stuff to private, used pseudonyms where you can, avoided posting anything publicly, used deleteme, etc. etc., it should be very hard to dox you. Doxing takes a lot of effort for a hobbyist and practically none for a hacker, but most hackers do not want to dox you they just want your money – so lock down your passwords and use at least 2 factor authentication on your bank accounts and rotate your credentials regularly.

Avoiding Doxxing

The person who wants to dox you on a public forum is a sad pathetic cretin who has nothing better to do in their life than make other people miserable because then maybe they can feel something. Doxers get off on the power trip of “I know who you are” and so there are two ways to combat this:

  • Yea, and??
    • This method (the it’s okay if you know who I am) is only good if you are reasonably sure of your physical security and circumstances – if you are living off the grid in remote Montana and surrounded by security cameras and a moat with sharks with laser beams attached to their heads, well, then that works just fine.
      • Alternatively, if you’re reasonably sure that someone would not have a real-world grudge against you then the likelihood that anyone would do anything with that data is small. But. That relies on rational actors, and we have precious few of those these days.
      • This is not “Come at me, Bro”. This is “all of the information you have/had is publicly available anyway and I am reasonably sure of my physical security”.
  • Locking down your stuff to make it hard.
    • See all of the stuff above. Use pseudonyms, don’t share your email address (or have a “spamhole” email address – I use my gmail for this – and then a separate one that is your “real people use this” and maybe a third for “this is my banking stuff email”), post privately, curate your audience.
    • Do Not Engage with Trolls.
      • Don’t get into online pissing contests in forums with people who are clearly escalating and/or not hearing it.
      • Leave the Chat

If you have been Doxed or are Threatened with Doxing

First, Don’t panic. Panic will not serve you now… force that panic down, get a cold glass of water, and if it helps to think about you leaping into action to help a friend, then do that. 

  • Document – screenshot the discourse, save emails, identify what was said, who said it, their username/handle, any identifying information you have about them, what they did or did not say they had done or would do, and how much information they have disclosed already.
  • Go back and clean your stuff – if you missed something or if there is any indication of where they got that information from, go back and see if you can further lock it down.
    • If you can, it will prevent others from using it.
    • If you can’t, it’s something to inform the site owners in terms of a privacy/ security hole.
  • Report the incident to whichever platform the doxing occurred on (e.g., if on Reddit someone says they’re going to dox you, report it to Reddit) and occurred from (e.g., if that Redditor says they found your info on Facebook, also report it to Facebook). Keep copies of your reports, date and time sent, and any replies you get.
  • Call in the law. Depending on the nature of the doxing you may want to involve your local police, sheriff, and or the FBI.  This has twofold purpose: one, is you may need their help for this (especially if this includes any sort of physical threat), but secondly, a popular pastime of some doxers is to “swat” your house (this is where they anonymously call in an incident at your house and the SWAT team shows up earnestly; if you’ve been doxed and you let them know you’ve been doxed they will be prepared to address it.
  • Get legal help. Doxing is also a form of harassment, and because it can lead to physical consequences (Even if the person *doing the doxing* wasn’t the one threatening physical harm – usually there’s one troll to share the information and one or more trolls to do something with that information), you want legal help in pursuing the doxer (if you can).

Other Things to Think About

How People Can Find You

  • Do you have a personalized plate? Does your car have lots of identifying stickers (e.g., “proud parent of a child at XYZ School”)
  • Do you have a blog?
  • Do you have a business *in your name*? Registered to your home address?
  • Are you prominently featured on one or more public websites?
  • Do you own property in your name (most public assessor’s sites are linked from Zillow, for example, and so addresses can be “backed in” to people’s names).
  • Google yourself. You’d be surprised. I’m on a registry for my son’s high school PTA from four years ago.
  • If you share photos, understand that every photo is by default encoded with metadata about where and when it was taken. That metadata can travel with the photo: in your iPhone, select any photo, and then slowly scroll up while touching the photo: you will see the date, time, what camera took it, what size the photo was, and so forth. If you share a photo, you’re going to share that metadata too. You can strip it from the photo before sharing it, and you can set your photo app on your phone to not include information like location data.

Perspective

You may find yourself – as I do, writing this – trying to do the risk assessment on privacy. After all, I have a personalized plate, I have property in my name, all of my social media handles (with the exception of Reddit and Xbox) are essentially my name and I have 15 years of blogging under my name with a personalized domain. Detaching myself from all of that would be a huge pain if not impossible. There are still things I do though: I secure my stuff, have a spamhole email, use Bitwarden, use USB condoms, etc. If a hacker is going to read through 15 years of posting history to glean information about me what they will find is that I am too hung up on work, I’m neurotic, I have an internet addiction that is useful, and occasionally I “enjoy” testing my physical capabilities. 

Risk has three elements:

  • What could go wrong?
  • How bad would it be if it did?
  • How likely is it to happen?

(Benefit also has the same calculation and so to illustrate that I will use a positive example):

  • What could go right? I could win the lottery.
  • How good would it be if I did? Pretty darned good!
  • How likely is it to happen? Extremely unlikely as I don’t often buy tickets.

Therefore, preparing for a lottery win, while it sounds like a fun distraction, is probably not useful.

Now the less fun side:

  • What could go wrong? I could get doxed on Reddit.
  • How bad would it be if it did? Not sure. Most of what I’ve posted are comments about sewing techniques or gardening. But they could find my reddit handle and attribute it to me, and maybe have my name and address and personal email to share. That said:
    • My address is already available by a property records search and/or white pages.I have four emails (active, two dormant) and depending on which one they share I make that one the spam hole one (if it isn’t already) and have to spend a tedious afternoon rewiring things.
    • If they show up at my house (or threaten to show up at my house) things would be problematic and for that I would engage law enforcement and probably an attorney.
  • How likely is it to happen? Also not sure. Most of what I post is banal, but I am associated with things that would make a certain factor in our society upset (love that for them), and so… I don’t know. I’m a mere Board Member, but one cannot plumb the depths of stupid mixed with malice. So to address a *potential* likelihood, I do some of the prudent things.

There is no foolproof way to avoid privacy/security/doxing issues, but there are steps you can take. 

Security

Bobbie1 Comment

It’s important to understand that the personal security space – that is, how you lock down your stuff – is a constant game of whack a mole. “For each fine cat, a fine rat” – as you close down some things, enterprising bad actors will find new ways in. Your very best option is to approach it as defense in depth by using multiple interventions to make it harder for them. Think of it like Swiss cheese slices: a single slice of Swiss cheese has many holes. Putting one slice of Swiss cheese on another limits the visibility of some holes but not others. Stacking a bunch of pieces of Swiss cheese will further close more holes.

This is a compilation of what I recommend for individuals and their (mostly cyber) security. A second post on Privacy is forthwith.

First, let’s get some terminology straight:

  • Security is the ability to ensure that we have Authentication and Authorization (AuthN and AuthZ). 
    • Authentication = we can verify you are really you. Examples are when you use a password and then get a code to your phone you have to enter, or have a PIN code to use, or a passphrase.
    • Authorization = once we know you are you, are you even allowed to be here and what are you allowed to do? For example, you can authenticate into your bank website as you, but you are not authorized to see anyone else’s stuff.
  • Privacy is the ability to ensure that ONLY authorized people get to see personal information (also known as PII, or Personal Identifying Information), and the person doing that authorization is the owner of the data (namely, you). 

Security Basics

The reality is there are a variety of different ways to secure things, and they are not employed consistently – so for example some sites have you authenticate in using your email, others require you to create a username. Some will send your second factor of authentication ONLY to a phone text, others will do email, still others will require or support an authentication app on your phone (and yet others will allow you to use a physical USB key you carry around with you). There are also “passkeys”, which are where a unique encryption is stored half on your machine and half on the server for the site you’re using, so unless someone has you, your machine, and that website, they can’t get in as you.

That said, there are some standardized ways to keep your stuff secure (or more secure):

  • Do not re-use passwords. I know, it’s tempting. But all it takes is someone getting ahold of one email/password combination, and they can feed that into a program and have it try a million different places to see what else they can get in to. There are password vaults that will create unique strong passwords for your sites, or you can use a pattern (a friend of mine uses album names and song names).
  • Regularly update your passwords. Passwords get leaked and stolen and bought.
  • Use a Password vault. I use Bitwarden.  Much like Apple’s Passwords, it will securely house your passwords, passkeys, etc. and will also tell you if that password is reused anywhere, and if it has been found on the dark web (where passwords are bought and sold). 
  • If you can use an authentication app, do so. It gets rid of the vulnerability that may happen if someone has access to your texts or emails.
  • Especially for banking stuff: you can set your communication preferences to tell you if a transaction more than $x has happened, or if someone has logged into your account.
  • Don’t click links in a text and be equally careful of links in email. If you get a “text” from GoodToGo, or your bank, or whatever, instead go directly to the website you know is theirs, and log in as you. If you don’t recognize the number, or if when you hover over the email “name” it’s an entirely different address (or the formatting is off, or there are misspellings, wonky grammar, or an inflated sense of urgency), do not click.
  • Have a separate email account for your banking/super important stuff, and your “shopping/etc” stuff. Online retailers can and often do sell your data and/or exploit cookie allowance for that purpose, so separate your concerns.
  • Do your security updates regularly: most of the iPhone updates you get (iPad, MAC, Windows, etc.) include a poop-ton of security patches and fixes and the longer you take to do your updates the longer you are leaving your barn doors open.
  • If you get a “here’s your code for logging in” *and you didn’t log in*, go to the website (open a fresh browser page and go there, don’t click on any links in the mail just in case), log in, see if anything has been messed with (especially for a bank account), *change the password immediately*, and notify the site owner via the site or the phone number on the site that you got a 2FA notification you did not ask for. Work with the site’s fraud department to address anything weird.

Secure your Credit and Identity

There are other things you should do to secure your credit and your information:

  • Freeze your credit with all three agencies (prevents anyone from using your data to open new credit lines/cards). Those three are Equifax, Experian, and TransUnion.
  • If you suspect your identity has been compromised and that someone is trying to or has used your social security information fraudulently, go to identitytheft.gov to report it and further lock down your information.

There are also subscription services you can use to monitor your credit and your identity for potential theft: oftentimes when you are notified of a data breach, the legal requirement is, at minimum, the breached party offer you this monitoring for one year for free. 

Securing your Networks and Devices

As we all know by now, all incognito mode spares you is someone identifying which pages you’ve visited when you lend them your browser — it doesn’t shield your internet provider from seeing them, or even your router. You’ll want to lock down who can see what.

  • Use a VPN where you can – VPN stands for Virtual Private Network and it means that from your machine to the machine your machine is talking to (‘cos the internet’s a series of tubes), the “tube” is locked on either end. More to the point, your cellular service, internet service provider, etc. do not get to see what you’re looking at or what you’re doing.
  • Avoid using Free Wifi, or make sure to use a VPN if/when you do. Remember that if something is “free”, you are the product.
  • Use USB condoms wherever you can. Those “free chargers” are not really free and can be infected with junk; USB condoms short the two data pins in a USB connection to allow for “just power”. You’re better off bringing your own charging block tho.
  • Secure your Router – change the default password to a strong one (the Admin password and the access password, each). Enable encryption (WPA2 or WPA3), and make sure you do your security patches for the router firmware.
  • If you have “Smart anything” in your home: put it on a separate network from your computers/phones that you bank/do business on; make sure all the Smart gadgets have *separate passwords* (your Smart TV and your Smart Fridge should have different passwords, for example).

Next Up: Privacy.