Saturday, July 7, 2018

JusTalk.Com

 
JusTalk is a voice and video chat app, available for both iOS and Android users. If you have an iPhone, iPad or iPod touch, and your friend has an Android phone or tablet, you can still enjoy free video calls together on JusTalk.

According to the JusTalk web-site, you can rest assured your calls and messages are secured. Only you and the person you communicate with can see, read, or listen to them: even the JusTalk team won't access your data! Information and call data are end-to-end encrypted. All of the data are split into multiple random paths to ensure that calls cannot be monitored or saved by servers.
--
Having the ability to communicate with multiple end-to-end encrypted apps enhances your overall security. While we all likely have our favorite communications app, the ability to switch to a different communications method can help conceal your communications and also serves as an alternate or back-up means of communication if your primary choice fails or is unavailable. (As an example, Skype and FaceTime are banned in Dubai and the UAE, but JusTalk works.)




Talky.Io



Talky is a simple video / audio chat program. Just open a chat room, share the name with others when you invite them to join the chat and you're connected. No downloads, signup, or payment required.

Talky's privacy policy states: Our default privacy policy is never to gather or store or sell information about you, to log your conversations, or to engage in any other behavior that would compromise your privacy and security in any way. However, we do need to gather one piece of personally identifying information in order for you to use Talky in the first place: your computer needs to tell us its “IP address” so that we can connect you with your friend’s computer (which needs to tell us its “IP address” too). Although we do not track this information or keep a long-term record of it, we do log it for brief periods of time so that we can perform diagnostics that help us improve the service (these logs are erased after 30 days).

I note that you cannot use Talky over Tor, because Talky uses WebRTC. However, Talky works just fine over a VPN, which would mask your actual IP address.

Talky also gives you the option of password protecting your chat room. Choose a unique name for your chat room, set up a password to keep out uninvited guests, and meet friends and family on-line for a regularly scheduled live chat session.

There is an iOS Talky app available, but currently not one for Android. If I am on an iPhone, I would probably just use FaceTime for video chat. But it is from a desktop / laptop that I found Talky to be a quick, easy, and reasonably secure way of having an on-line video / audio chat.  (It was a lot easier than Skype.)

Talky is built and run by the &Yet team in Richland, WA.




Jitsi: An Alternative to Skype

Jitsi is state-of-the-art open-source video conferencing software that you can self-host or freely use on-line.

You don’t have to download anything. Just go to the Meet Jitsi site and begin an on-line conversation.

Note that WebRTC today does not provide a way of conducting multiparty conversations with end-to-end encryption. As a result, when talking on meet.jit.si your stream is encrypted on the network but decrypted on the machine that hosts the bridge.

However, Jitsi supports the OTR encryption protocol. OTR stands for Off-the-Record Messaging and once you’ve set it up (i.e. clicked on that padlock icon in a chat window and verified the identity of your contact) it allows you to make sure that no one other than you two can read your messages, not even your service provider.
 
 
 
 

Google says Google Documents is Secure Despite Russian Issue


Google said this week (July 5, 2018) that its document writing tool Google Documents was secure even as Russian internet users discovered scores of files that appeared to be intended for private use.

On Wednesday night, Russian social media users started posting scores of such documents, including an internal memo from a Russian bank, press summaries and company business plans.

The Russian internet company Yandex said in a statement that some users contacted the company Wednesday to say that its public search engine was yielding what looked like personal Google Documents files, suggesting there may have been a data breach. Google said in a statement that search engines can only turn up Google documents that had either been deliberately made public by its authors or when a user publishes a link to a document and makes it available for public access and search. Ilya Grabovsky, a spokesman for Yandex, said its search only yields files that don't require logins or passwords. (Komo 4 News, July 5, 2018)
--

If you are going to upload files to a cloud service, be sure that you encrypt those files, unless you intend them to be public. One free encryption tool for protecting files in the cloud is Cryptomator.



 

Friday, July 6, 2018

What Journalists Need to Know About Password Managers


The National Center for Business Journalism (June 13, 2018) has published an article "What Journalists Need to Know About Password Managers".

"Password managers are an incredibly valuable tool for generating and storing complex passwords. They allow users to create unique words, phrases, or combinations of letters, numbers, and symbols, for each of their password-protected accounts. Some of the more popular, time-tested password managers include 1Password, LastPass, Dashlane, and KeePass.

According to the Pew Research Center, 84 percent of survey respondents indicated that they primarily keep track of their passwords by memorizing them, or by writing them down. This typically limits the complexity of those passwords and makes them much easier to crack."
--

If you are not currently using a password manager to generate and safeguard your passwords, I encourage you to begin doing so.
--
 
 

Facebook Wants to Use Your Phone's Microphone to Record Secret Messages

 

Facebook has filed for a patent for software that could turn on the microphones of smartphones in order to record secret messages in TV ads, without the knowledge of the phone's owner.

System would allow Facebook to identify what adults and children are watching based on ambient noise.

The patent application describes a system where an audio fingerprint embedded in TV shows or ads, inaudible to human ears, would trigger the phone, tablet or long-rumored smart speaker to turn on the microphone and start recording “ambient audio of the content item”. The recording could then be matched to a database of content to allow Facebook to identify what the individual was watching.
Privacy experts are concerned about the intrusion into people’s homes, particularly as the ambient audio recording would likely catch snippets of people’s private conversations without their knowledge.

“It’s extremely disconcerting for privacy to have an inaudible beacon as it means they want to make it not obvious to the user that the device is listening,” said William Budington, a senior staff technologist at the Electronic Frontier Foundation.  (The Guardian, June 28, 2018)
--


 
 

Thursday, July 5, 2018

Safari the Anti-Facebook Browser


At Apple’s Worldwide Developer Conference this year, the buzz was all about software. One key announcement was a radical update to the Safari browser—one that thumbs its nose directly at data-hungry Facebook. Building on last year’s ad-tech fighting updates, Safari is now getting a suite of new security features that will alert you whenever a website tries to hoover up data, and it will stop data companies from ‘fingerprinting’ your Mac by disguising your choice of fonts and configurations so your machine is indistinguishable from anybody else’s. Apple specifically called out Facebook's massive ad network—which is known for employing an array of user tracking strategies, like its ubiquitous ‘Like’ buttons. Safari will now block tracking from “Like” and “Share” buttons, as well as from comment fields.
(Wired, June 14, 2018)

--


Firefox Monitor


Typically when a large data breach occurs, those possibly affected by it often have to jump through hoops to find out if their information was compromised.

A new initiative from popular web browser Firefox will bring information about data breaches straight to the user.

Firefox Monitor will be collaborating with the Have I Been Pwned database service, which is a collection of 3.1 billion compromised email addresses.

At this stage, Firefox is testing initial designs of the Firefox Monitor tool in order to refine it. Beginning next week (July 2018), they expect to invite approximately 250,000 users (mainly in the US) to try out the feature. Once Firefox is satisfied with user testing, they will work on making the service available to all Firefox users.
--


Lab Tests Find No Fentanyl on Flyers (Field Drug Tests Inaccurate)


On June 26, 2018 the Harris County Sheriff's Office reported that Flyers Laced With Fentanyl Placed on Cars. I provided a link to that information here in my blog.

The Sheriff made the public notification after a deputy handled one of the flyers and began to feel ill. A drug field test of the flyer handled by the deputy (and flyers from other vehicles in the area) was conducted and the field test returned positive results for Fentanyl.

However, laboratory tests have now been completed on the flyers. The Harris County Institute of Forensic Sciences tested 13 flyers – all promoting the same organization as the flyer found on the sergeant's car – as well as clothing items and blood and urine samples from the sergeant. Those tests came back from the laboratory as negative for the drug.

OK, if field drug tests report the presence of a potentially deadly drug, the Harris County Sheriff's Office should make a public announcement and warn others of the potential threat. Nobody should fault the Sheriff for warning the public to beware.  (Nixle Alert, June 29, 2018)

But here's the problem...  The scare highlights just the latest problem with field drug tests: they are not accurate! The Houston Chronicle reported in July 2016 that 298 people had been convicted of drug possession, even though complete lab tests later found no controlled substances in the samples tested at the scene.

All 298 people pleaded guilty to felonies and misdemeanors before the field samples had been tested in the county's forensic laboratory. Many of those people pleaded guilty because the initial testing kits indicated the substance recovered at the scene was positive for drugs.

It is too often the case that people who are not guilty of any crime will take some kind of a plea bargain just to bring the legal process to an end. Corrupt police departments can drag out "investigations" for months, wearing down the wrongly accused until they are ready to take a plea deal, when offered by the prosecutor, just to make it all finally end.

And "even though complete lab tests later found no controlled substances in the samples tested at the scene" the individuals who took the plea bargains still have these convictions on their records and will have to complete whatever sentence was imposed by the courts. 


 
 
 
Amazon's annual Prime Day sale will be back on July 16, 2018 and include more deals, come to more countries and last longer than in past years. Plus, the company is giving away a new Lexus.
 
The sale will kick off on Monday, July 16, at noon Pacific and go on for 36 hours, up from 30 hours last year.
 
Sign up for an Amazon Prime Free Trial here: https://amzn.to/2u4Tgpt
 
In addition to free shipping on products ordered from Amazon, Amazon Prime offers other benefits such as free prime movies, and free data storage on Amazon Drive.

DEA, Border Patrol Search Greyhound Buses, Question Passengers


According to a report in Consumer Affairs (June 28, 2018), during an hour-long layover at the Greyhound bus station a DEA agent was provided a passenger “manifest” (by Greyhound) listing everyone who was on the bus that day, where they were headed, and whether they paid Greyhound via cash or credit card. The DEA agent also had a chance during the layover to open the luggage bin and study the passengers' checked bags. As the bus was preparing to depart, the DEA agent, "dressed in plain clothes, made his way down the aisle, quizzing people about their travel plans."
  
As a private company, Greyhound is under no obligation to let cops on its buses without a warrant, legal experts say, but that doesn’t appear to be a problem. “Cops routinely board Greyhound buses and ask passengers to search their luggage. If a person consents to the search, there is no fourth amendment protections relating to the search.”

Greyhound, being a private company, still does not have to allow DEA, Border Patrol, or other government agents inside its buses without a warrant, according to the ACLU. The ACLU has documented recent reports of Border Patrol agents questioning Greyhound passengers in Vermont, California, Washington, Arizona, and Michigan.
--

I discussed these searches briefly when posting about the Massive U.S. Border Zone, in mid-May. Law enforcement (DEA, Border Patrol, and others) has a job to do, but law enforcement actions must never be allowed to proceed to the point where they violate our civil liberties. Obtaining passenger manifests and inspecting bags without a warrant, questioning passengers about their travel plans, and, as we saw in the report from Consumer Affairs, removing passengers from the bus if they don't answer questions or "consent" to searches of their luggage is going too far.



 

Wednesday, July 4, 2018

App Developers Sifting Through Your Gmail


Google said a year ago it would stop its computers from scanning the inboxes of Gmail users for information to personalize advertisements, saying it wanted users to “remain confident that Google will keep privacy and security paramount.”

But third-party app developers can read the emails of millions of Gmail users. Gmail’s access settings allow data companies and app developers to see people’s emails and view private details, including recipient addresses, time stamps, and entire messages. Google employees may also read emails but only in “very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.”

While there’s currently no evidence that third-party Gmail add-on developers have misused data, just being able to view and read private emails seems like crossing a privacy boundary.  (The Verge, July 3, 2018)
--

Google's statement that it stopped scanning your e-mail in July 2017 may not be completely true. I commented on this in mid-May 2018 when I posted that Google is still reading your e-mail.

To protect the content of your e-mail you should use a zero-knowledge provider such as Tutanota or ProtonMail where the content of your inbox remains encrypted and where you control access to the decryption keys.




 
 
 
 


Massive Cache of Law Enforcement Personal Data Breached


According to ZDNet (June 29, 2018) "A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials. The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The database contained thousands of personal data records, including law enforcement officer's work contact information, with many of the records listing personal email addresses, work addresses, and cell numbers.

The database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University. More than 114,000 law enforcement officials have been trained by ALERRT.

Another table in the database contained 51,345 sets of geo-location coordinates of schools, courts, police departments, and government buildings, like city halls and administrative offices. The data also included places of interest, such as where people gather -- like universities and malls. The list also contained, in some cases, police officers' home addresses. We confirmed this using Google's Street View, which in several cases revealed marked police vehicles outside the residence."
--

Anytime personal information is contained in a database there is a risk that the information will be compromised. Too often it's not a question of if there will be a data breach, rather it's only a question of when there will be a data breach. For individuals, always limit the amount of information that you provide to any business or organization. For organizations, limit the amount of information you collect to only that required to accomplish your mission. If you must store personal information be sure that it is stored on a secure / encrypted device.


 
 

Tuesday, July 3, 2018

Become a Juggalo In Order To Dodge Facial Recognition Technology


Facial recognition is already in broad use by law enforcement. This past week, the FBI used facial recognition to identify the man who opened fire on the offices of Maryland newspaper Capital Gazette, killing five people. But use of facial recognition is largely unregulated. Amazon’s “Rekognition” tool has been piloted in the Orlando, FL and Washington County, OR police departments, and the company is looking to expand its use. Private companies like Moscow-based NtechLab have developed “ethnicity recognition” tools with the intention for it to be used by law enforcement to, in essence, automate racial profiling. This isn’t just happening in the U.S.: in China, facial recognition is used to monitor citizen activity as a part of its extensive “social credit” system, which affects people’s ability to get loans and use certain public services, like bike rentals.

Apparently the best way to dodge facial recognition technology is to become a Juggalo. According to Twitter user @tahkion, a computer science blogger for WonderHowTo, Juggalo makeup outmatches the machine learning algorithms that govern facial recognition technology.

@tahkion explained that facial recognition works by pinpointing the areas of contrast on a human face—for instance, where a nose is located, or where the chin becomes the neck. As it happens, juggalo makeup often involves applying black paint below the mouth, but above the chin. That makes facial recognition vulnerable to misidentifying the placement of the jaw.

Facial recognition technology needs to pinpoint the eyes, nose, and jawline to work successfully. But Juggalo makeup involves redrawing the eyebrows and jawline, which confuses the tech and evades recognition in the process.  (Allure, July 3, 2018)

--
ICP and the Juggalos are probably not reading my blog (although it would be cool if they were), but what is interesting in the above article is the style of face paint that seems capable of defeating current facial recognition technology.

Except for ICP concerts and Juggalo events, people are unlikely to wear Juggalo face paint as they go about their daily activities. Doing so might defeat facial recognition, but would certainly draw attention and make that person stand out from those around him or her. Still, understanding the weaknesses in facial recognition surveillance technology may help those living in hostile and non-permissive environments to find other ways of defeating this intrusive technology.
 
 

Cyberwar, Surveillance and Security (University of Adelaide)


Cyberwar, Surveillance and Security is an archived edX course from the University of Adelaide.

WEEK 1: How the Internet Works
WEEK 2: Hacking and Leaking
WEEK 3: Surveillance and National Security
WEEK 4: Surveillance Privacy and Political Engagement
WEEK 5: Cyber Security & Cyberwarfare
WEEK 6: The Future of the Internet

While the course is not currently offered, you can still watch the associated videos and demonstrations that are part of this course.
--


 
 

Four in 10 People Have Deleted a Social Media Account Due to Privacy Worries



According to CNBC (June 18, 2018), "four in 10 people have deleted a social media account in the past year due to privacy worries, study says.

There is a serious lack of trust in social media such as Facebook and Twitter and consumers expect brands that advertise on such platforms to urgently find solutions, according to research published Monday.

Privacy concerns and the circulation of fake news are contributing to people's distrust of content on social platforms, said the study by public relations consultancy Edelman, with 70 percent of respondents expecting businesses and advertisers to put pressure on social media sites to address false information and remove offensive content."
--

Privacy issues on social media are a concern, but one that can be managed with reasonable precautions. Some privacy advocates will recommend that you delete all social media as a way of maintaining your personal privacy, and while that will certainly help, it's probably not necessary for most people. When you use social media, adjust your privacy settings to limit who can see your posts, but assume that everything that you post will at some time become publicly accessible.

* Simply put, only post those things that you are willing to share with the world. * 

It is also important to be aware of what information you expose when using apps and taking quizzes in your social media accounts. While these quizzes can be entertaining, be aware that they are not free. You pay with your personal information.

The other concern that arises from the Edelman study is the desire of users for social media providers to censor information on their sites. The problem that arises from trying to do this is determining just what constitutes "false information" or "offensive content".

 





 

Facebook Quizzes Expose Personal Information of 120 Million Users


You know those quizzes on Facebook... What your spirit animal is?, Who’s your very best friend?, etc.?  Well they not only told users which Disney princess they were, but also exposed the private data of about 120 million people who took the test. 

Nametests.com, the site behind the ubiquitous Facebook quizzes, pulls your personal data and posts some of it in the site's code along with a token that could be used to gain access to all the data a person taking the quiz authorized when they downloaded the app.

With the quiz company Vonvon, you agree to let them access the following information when you take a quiz:
  • Name, profile picture, age, sex, birthday, and other public info
  • Entire friend list
  • Everything you’ve ever posted on your timeline
  • All of your photos and photos you’re tagged in
  • Education history
  • Hometown and current city
  • Everything you’ve ever liked
  • IP address
  • Info about the device you’re using including browser and language
If you didn’t agree to disclose this information, the quiz wouldn’t work.

The app retains all your data, and its ability to be seen by others, even if the app is removed. To fully remove the information the test taker would have to delete the associated cookies. 

(SC Media, June 29, 2018 / The Wonder of Tech, December 3, 2015)



 
 

Monday, July 2, 2018

Canada Has Legalized Recreational Marijuana


According to the Mises Institute (June 29, 2018), "Recreational marijuana use will soon be legal in Canada after the Senate passed a "historic" bill on Tuesday with a vote of 52-29.... The act to legalize the recreational use of weed was first introduced on April 13, 2017, and was later passed at the House of Commons in November. The Senate passage of the bill was the final hurdle in the process.

With the bill's passage, Canada becomes only the second national government to legalize marijuana. (The first was Uruguay in 2013.)

This changes the geography of drug prohibition in North America considerably. Given that the entire West Coast of the United States, and much of New England has now legalized recreational marijuana, this adds yet another large swath of North America (excluding Mexico) to what we might call the "legalization" zone."
--
Although the Canadian government had initially stated its intent to implement by July 2018, provinces and territories, who will be responsible for drafting their own rules for marijuana sales, have advised that they would need eight to 12 weeks after the Senate approval to transition to the new framework. The government is expected to choose a date in early or mid September.

Once the bill is formally approved, adults will be able to carry and share up to 30 grams of legal marijuana in public. They also will be allowed to cultivate up to four plants in their households and prepare products such as edibles for personal use.



Disable Remote Assistance in Windows


The ‘Remote Assistance’ function in Windows allows someone to take control of your computer over the Internet. This function is intended to allow someone (like Tech Support or a Systems Administrator) to fix problems on your computer from a remote location, but it creates a security vulnerability if it is left on (it is on by default, so turn it off).

To turn off remote assistance in Windows, go to the control panel and (1) click on the “System and Security” category, (2) then click on “System”, and in the top left corner of your screen (3) click on “Remote Settings”, finally (4) make sure that the “Allow Remote Assistance connections to this computer” is NOT checked.

If you legitimately need to let someone remotely access your computer you can always turn remote assistance back on, but since most home users never use remote assistance unless being targeted by a 'Tech Support Scam' it's a good idea to disable this function in Windows.
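The same setting can be audited and turned off from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes the checkbox is backed by the `fAllowToGetHelp` registry value and that the firewall rule group carries its English display name, "Remote Assistance" (localized systems use a translated name).

```powershell
# Added example (not from the original post): audit and disable Remote Assistance.
# Run from an elevated PowerShell session.
# Assumption: the "Allow Remote Assistance connections to this computer" checkbox
# is stored as fAllowToGetHelp under the key below.
$raKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$fwGroup = 'Remote Assistance'   # English display name; differs on localized Windows

function Get-RemoteAssistanceState {
    # Read the current registry values; a missing key or value is treated as "off".
    $props = Get-ItemProperty -Path $raKey -ErrorAction SilentlyContinue

    # Count inbound/outbound firewall rules in the Remote Assistance group that are enabled.
    $enabledRules = @(
        Get-NetFirewallRule -DisplayGroup $fwGroup -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' }
    )

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AllowToGetHelp       = [bool]$props.fAllowToGetHelp     # the checkbox itself
        AllowFullControl     = [bool]$props.fAllowFullControl   # helper may take control
        EnabledFirewallRules = $enabledRules.Count
    }
}

function Disable-RemoteAssistance {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable Remote Assistance')) {
        if (-not (Test-Path $raKey)) {
            New-Item -Path $raKey -Force | Out-Null
        }

        # 0 = do not accept Remote Assistance connections.
        Set-ItemProperty -Path $raKey -Name fAllowToGetHelp   -Value 0 -Type DWord
        Set-ItemProperty -Path $raKey -Name fAllowFullControl -Value 0 -Type DWord

        # Close the matching firewall exceptions so the listener is not reachable
        # even if the setting is later re-enabled by another tool.
        Get-NetFirewallRule -DisplayGroup $fwGroup -ErrorAction SilentlyContinue |
            Disable-NetFirewallRule
    }
}

# Show the state, apply the change, and show the state again to verify.
Get-RemoteAssistanceState
Disable-RemoteAssistance
Get-RemoteAssistanceState
```

Run `Disable-RemoteAssistance -WhatIf` first to preview the change; after it runs, `AllowToGetHelp` should read `False` and `EnabledFirewallRules` should be `0`.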




 
 
 

IRS Security Breach from 2015 - Three Years Later, It's Still Not Secure


According to NextGov (June 25, 2018) Personal information about more than 350,000 taxpayers [the IRS later reported that there were as many as 724,000 victims.] was compromised by the IRS in 2015. Three years later, it’s still not secure. The 2015 crisis was spawned by weaknesses in the identity verification process for the IRS’ “Get Transcript” feature.

Because the verification process wasn’t rigorous enough, scammers were able to use taxpayers’ personal information gathered from other sources, including data breaches, to get copies of their tax records and all the personal information they contained. The fraudsters could then use that data to file phony tax returns and steal refunds or for other nefarious purposes.
--

Hackers used the “Get Transcript” program, which allows you to check your tax history online. The IRS began the online program in 2013, allowing taxpayers to request their tax history on-line, in addition to through the mail. But following a nine-month investigation by the Treasury inspector general for tax administration, the IRS says its online service has put hundreds of thousands more taxpayers at risk of identity theft.


 

Sunday, July 1, 2018

Hacked (IBM Film)


Hacked is an advertisement for IBM, with a security awareness theme. It shows the danger of using an official e-mail address for personal activities.



9 Injured in Mass Stabbing Attack in Boise



The Boise Police Department reported nine people were in the hospital, some with life-threatening injuries, after they were stabbed at an apartment complex Saturday night. Boise Police Chief Bill Bones said some of the victims are members of Boise's refugee community. The victims range in age. Some were found inside the Wylie Lane Apartments complex, others were found in the nearby parking lot.

Timmy Kinner, 30, of Los Angeles, was arrested on nine felony charges of aggravated battery and six felony charges of injury to a child. He was booked into the Ada County Jail. Investigators do not know the suspect's motive and crews were searching a nearby canal for evidence late Saturday night. Ada County Dispatchers received a call about a man with a knife around 8:45 p.m. [June 30, 2018]. Officers are still investigating why the suspect targeted these individuals.

Four of the victims suffered life-threatening injuries, according to police, and all nine were taken to a hospital. The attack is the largest stabbing in Boise history.  (KOMO4 News, July 1, 2018)

--

When we consider personal security, we must be aware that violent criminal attacks can occur at any place and at any time. A criminal doesn't need a gun to commit mass violence - as we see here this unprovoked attack was committed with a knife - yet; "according to U.S. Bureau of Justice Statistics data, having a gun and being able to use it in a defensive situation is the most effective means of avoiding injury (more so even than offering no resistance) and thwarting completion of a robbery or assault. In general, resisting violent crime is far more likely to help than to hurt, and this is especially true if your attacker attempts to take you hostage, such as sometimes happens in a carjacking situation. Most often with gun defenses, criminals can be frightened away or deterred without a shot being fired. Estimates of these types of defensive uses of firearms are wide ranging, from a low of 65,000 to 82,000 annual defensive gun uses (DGUs) reported to the U.S. Department of Justice's National Crime Victimization Survey (NCVS), to a high end of some 2.1-2.5 million annual DGUs, but they seem to occur at least as often (if not far more often) each year as misuses of firearms by violent criminals."