Thursday, January 28, 2010

Data Privacy Day Checklist

Rather than add to the previous post, I decided a true celebration of Data Privacy Day deserved a post all its own, and what better way to celebrate the date than with a list of Data Privacy To Dos! Don't think that sounds fun? Put it in perspective: would discovering someone's gone hogwild with your Amazon (or PayPal) account be fun? How about suddenly getting a flurry of unhappy replies from friends and family (or coworkers) to some offensive email you don't remember sending? I don't think that's fun. If you do, I'm guessing this is where you'll stop anyway, if you even made it this far. However, if such or similar scenarios are on your Not Fun List, you might want to check out my list of a few ways to avoid them.

Review all your passwords (and they'd better not be on a large post-it stuck to the bottom of your keyboard, either).
Are they on this list? Don't pat yourself on the back just yet if the answer's "no"; you might want to check this list too. Still in the clear? Maybe - depending on whether you can also answer "no" to the next question.

Do you use one password for everything?
If so, you need to make a list of your own: of all the stuff someone would have access to if they got hold of that ONE little word. Write it all down, look it over, and think about it. Now imagine it in the hands not just of someone, but someone who really, really doesn't like you. Feeling any password creativity yet? If you need a little help, here are some tips:

1. Choose a strong password, with numbers and even punctuation marks as well as letters. Substitute numbers for vowels, for example: p4ssw0rd (NO, DON'T USE THAT). Pick a line from a favorite song or poem, and use the first letters of each word. Mary Had A Little Lamb = MHALL (NO, DON'T USE THAT EITHER). If you've just got to use your pet's name, spell it backwards. If your pet's name is Spot or Rover, give him a middle name (preferably a long one) and use both.

2. Use a different password for all websites/accounts. Write them down if you must, but keep them in a safe place; under your keyboard or taped to your monitor doesn't count. I'm not a keen proponent of the old "stash it in your wallet" routine, either. Yeah, if you lose your wallet your day's already in the toilet, but why add to the booty if someone other than a Good Samaritan finds it? Besides, do you really need to carry all your passwords with you everywhere?

3. Never let websites "save" passwords for you. That cute little "remember me" box next to your Twitter login? UNcheck it. That's actually saving your password to your computer hard drive, usually in a simple cookie and all too often unencrypted. If your computer gets compromised by a malware ridden banner ad or flashing pizza coupon, or your laptop gets boosted in an airport lounge, guess what's the first thing bad guyz look for? Don't trust your computer to remember your passwords or keep them secure. You really shouldn't trust your computer for much of anything, anyway. Ultimately, computers are dumb. You can trust me on that.
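An added example, not part of the original post: a small audit for the two questions above (is a password on a common list, and is one password doing duty everywhere). It goes slightly beyond the post by also treating digit-for-letter swaps and backwards spelling as the same word. The word list, the 12-character minimum, and the account names are assumptions made up for the illustration.

```python
"""Audit account passwords: common words, simple variants, and reuse."""
from collections import defaultdict

# Constructed sample; a real audit would load a published common-password list.
COMMON = {"password", "123456", "abcdef", "qwerty", "letmein", "spot", "rover"}

# Assumed minimum length; the post does not give a number.
MIN_LENGTH = 12

# Digit/symbol-for-letter swaps of the "p4ssw0rd" kind.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidates(password):
    """Return the password plus its un-swapped and reversed forms."""
    lowered = password.lower()
    unleet = lowered.translate(LEET)
    return {lowered, unleet, lowered[::-1], unleet[::-1]}


def weaknesses(password):
    """List the checklist problems found in a single password."""
    issues = []
    if candidates(password) & COMMON:
        issues.append("common")
    if len(password) < MIN_LENGTH:
        issues.append("short")
    classes = sum([
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # punctuation and spaces
    ])
    if classes < 3:
        issues.append("few-character-classes")
    return issues


def reused(accounts):
    """Return sorted groups of account names that share one password."""
    by_password = defaultdict(list)
    for site, password in accounts.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def audit(accounts):
    """Map each account name to the list of problems with its password."""
    report = {site: weaknesses(pw) for site, pw in accounts.items()}
    for group in reused(accounts):
        for site in group:
            report[site].append("reused")
    return report


# Constructed sample accounts (names and passwords are made up).
SAMPLE = {
    "shop.example": "p4ssw0rd",
    "mail.example": "p4ssw0rd",
    "bank.example": "MHALL",
    "forum.example": "tops",  # "Spot" spelled backwards
    "photos.example": "Mhall,ifwwas-1830!",
}

if __name__ == "__main__":
    for site, issues in audit(SAMPLE).items():
        print(site, "->", ", ".join(issues) or "ok")
```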

Designate ONE credit card for online use, or see if your credit card company offers a virtual credit card service.
Using one credit card solely for online use makes it easier to spot red flag fees or charges, and if you smell smoke and have to put out a fire, you won't also be having to cancel the same card you use for dining out or keeping your wardrobe up to date. "Disposable" or "virtual" credit card numbers are also now offered by many financial services. They're one hoop jump too many for me personally (well, so far), but worth consideration at least for one-time purchases, or trial offers that also "offer" to automatically opt you in for the rest of your natural life - though bear in mind on that latter, if you did implicitly agree to some Neverending Subscription, you could still legally be on the hook. RTFP (Read The Fine Print). Never EVER use your debit card online if you can avoid it, and always practice safe online shopping.

Set up a "junk" email account.
Don't use your primary email address for casual shopping, social networking, or submission to any website that requires one before you can read the last sentence of a tantalizing news article (or leave a snarky comment on the same). Set up a separate email account with one of the many free web email services available, and whatever you do, DON'T immediately import your entire address book into the thing. Don't fill out a profile with your full name, complete home address, and life history, either; that utterly defeats the purpose. The idea is to cut back on the info merchants and advertisers can mine from you, as well as give them someplace else to send their spam.


I'll save my list of browser tips for another post (everyone can stop cheering now), and end here wishing a happy Data Privacy Day to all. If anyone has other tips or tricks to share, please do so! And if (again) it appears my tinfoil hat's a little tight, remember bad things don't always happen just to other people. Someone's got to make up the statistics, and if you don't preemptively stack a few odds in your favor, your number could be next.

Know what day it is? Data Privacy Day, of course!

I'm serious, today really is Data Privacy Day!

So chew on that, reflect on this, check out online privacy's very own new symbol, and if you've got a password of "123456" (or "abcdef") to anything go change it ASAP.

In view of the importance of the date, I hope to add to this post later. For now I'm off to share the love on a few other sites where it's much needed, as well as ones where it's already appreciated. :-)

Monday, January 25, 2010

Private eyes are watching you...

...and possibly some not-so-private eyes. But it's all good, right, as long as they're on Our Side?

Well, maybe. However, there's more than a little truth in the old saying that the road to hell is paved with good intentions (for varying values of "good"). Amid the usual rush to blame Microsoft, there's word that Google's own government backdoor may have been the route Chinese hackers took to gain access to some Gmail accounts, whose owners apparently left them off a mailing list or two. That, to me, is far more interesting news than picking the lock on Internet Explorer to open said backdoor. IE lock picking is old news anyway, and for those who know how it's probably easier than using a key.

I'm not going to rush and shut down my Gmail accounts, but then again I don't use Gmail for anything sensitive or confidential (and I would strongly advise against such use, even if you work for Google - or perhaps especially if you work for Google). All their purported "spy system" is going to 'reveal' about me is that:

I like computers
I like horses
I have no entries in my address book (and therefore presumably no social life)

I invite both Google* and the Chinese - and any other entities Google shares information with, whether voluntarily or involuntarily - to make of that what they will. Meanwhile, I'll continue to carefully vet out any email services I'm even considering for usage more confidential or sensitive than model horse collecting, techie newsletters, or the occasional "Howdy back!" to a friend who catches me in passing. If a particular message warrants particularly special handling, I may even in that instance eschew email altogether.

Electronic communications are here to stay, and are only going to become more varied and embedded in the way we conduct our daily business, personal and non. As these communication systems become more sophisticated, like it or not, we'd better do the same. Not only in how we use them, but in our comprehension of the infrastructures behind them.

"In the aftermath of Google's announcement, some members of Congress are reviving a bill banning U.S. tech companies from working with governments that digitally spy on their citizens. Presumably, those legislators don't understand that their own government is on the list."

Oops. Hopefully Congress will be among the first to become more sophisticated in their comprehension (if not their usage). Otherwise their own fine print may come back to haunt them.




*Of course, Google also owns Blogspot, but what I post here obviously is for ANYONE to make of it what they will. So I'm good with that too. :-)

Sunday, January 17, 2010

Yeah, privacy's dead when it's this easy to be someone else

I can't help but love this story.  Shoot, I can't help but love this story title:

Dumbfounded: Smart phones breach Facebook security

This is beyond cool. Who cares if you can watch Sunday football through an AT&T coverage map, when what little network they've got will let you seamlessly login to someone else's Facebook account via your smartphone?

"Fortunately, the vulnerability would be of limited use to a hacker interested in pulling off widespread mayhem because the hole would let him access only one account at a time."

I beg to differ. I think the amount of mayhem a creative miscreant could pull off would vary greatly depending on whose account they accessed, not how many. C'mon, people, let's start thinking about quality vs. quantity here. Sarah Palin's Yahoo mail hack pales into insignificance. Zuckerberg's entire personal photo album plastered on Gawker suddenly seems boring. To heck with being ->insert your dream/nightmare here<- for a day - how about an hour? Or even five minutes? Oh, the possibilities!

Four questions immediately spring to my mind:

Is this another Facebook (non)privacy feature giving users exactly what they want?

How soon will Google work this into the Nexus?

Is there an iPhone app for this?

Am I gonna burn for all eternity because my imagination is in overdrive and I've got a serious case of the giggles...?

Saturday, January 16, 2010

This Luddite still cares about privacy

Apparently, privacy is not only really, really dead, but anyone who cares about that fact, or thinks there's any point in guarding any last spark of life remaining, is out of step with the rest of humanity, and in fact, a complete Luddite.

Move over, fellow Luddites, here I come. Count me as one of the I am not We Tribe.

From where I sit tending my little fire, it appears the Privacy Is Dead advocates largely fall into two groups:

Those who don’t care about others’ privacy because they stand to make a pile of money off it;

Those who don’t care about their own privacy because they’ve already sold it.

That much of our privacy is already long gone isn’t even a relevant argument. All we’ve really done is complete yet another circle and come back to the lack of privacy people took for granted when everyone DID still live in caves.

Eventually, though, some people probably started picking out their own corner of the cave so they could get a *little* privacy. I don’t know if they got whacked with a mammoth bone by one of the cave Social Leaders and told “Don’t bother trying that, your privacy’s already so much sabertooth scat.”, but if they did and they didn’t like it, they had the option of going out and finding a cave of their own. If they turned around and invited a whole bunch of other people to join them, well, that was their choice.

What the Privacy Is Dead theory tries to convince us is that we don’t have that option anymore, and with that I disagree. I’d go even further and say it seems some (marketers) are determined to pound home (with or without mammoth bones) the notion that we don’t even have the right to TRY to have that option, and with that I REALLY disagree.

I’m not going to give up fighting for my own corner of the cave. If I have to go find another cave and start over, so be it. If I do, you’d better believe I want control over who – if anyone – I decide to invite to join me.  Maybe I'll just visit with a few like-minded neighbors from the caves next door.

I’m not worried about keeping out the sabertooths, either. I’m pretty handy with those mammoth bones. :-P

Friday, January 15, 2010

Haiti shake up leads to cyber shake downs

When disaster strikes, there's a bunch of people who mobilize with lightning speed, calculated precision, and numerous approaches of varying creativity. Unfortunately they're not with the Red Cross, the United Nations Foundation, or even PETA (a group definitely known for quick mobilization). They're the scamming sharks of cyberspace, and they're in a full fledged feeding frenzy.

They spread attention grabbing rumors laced with dangerous links via Twitter, Facebook, and other social networks. They churn out sweepstakes winning volumes of spam. They heavily seed their existing driveby download websites with related keywords to increase their search rankings, and rush to register new domain names, where they may later set up more malware traps at their leisure.

I applaud the good will of those who give the benefit of the doubt, but sadly I'm far too cynical to believe that (most of) these domains are being parked for legitimate purposes. 1,000+ Haiti disaster related domain names snagged since the event? By the time this stampede of Good Samaritans goes back and adds any legitimate functionality to all those websites, Haiti will be several generations past the current crisis. Maybe they're just really forward thinking. Having so many websites already set aside could save hours, even days, up front in the event of another disaster.

However, rather than checking back on where these potential avenues of aid may lead, it's probably a better idea to stay on paths already known, and heed warning signs along the way. It's a shame there are so many who will take advantage of people trying to do the right thing, in order to do the wrong thing. If folks keep their wits (and wallets) well enough to do the right thing the right way, the victims will more likely get the help they so desperately need.

Tuesday, January 5, 2010

Chain emails - the gifts that won't stop giving

I'll start off here with a disclaimer: not every chain/mass email is a malware spreading missive of misinformation, or yet another piece of scammer spam. Some truly are amusing, inspirational, or even informative. I've received things that have made me laugh out loud, moved me to tears, or been worthy of sending on in turn to other potentially interested parties. But like just about everything else on the intarwebs, the noise to signal ratio is high, and gems among the junk are few and far between.

A few months ago, I received yet another chain email from a friend who seems to do little with her inbox other than forward the daily contents to everyone in her address book. We've all got one: that friend or relative who happily shares every junk item they receive, apparently with the belief that someone, somewhere, will find it of some value, or perhaps with the fear that they really will get run over by a transit bus if they don't forward Oprah's Secrets For Success to at least seven people. Filtering my nearest and dearest straight into the spam folder isn't a viable option, and requests to be excluded from future mass mailings seem to be the one type of email that never gets through, so I usually just hit [delete] and move on.

However, this email was not only utter garbage, it was utterly outdated garbage. If you're going to send me crap, at least make an effort to send current crap. This time, I was compelled to compose and send a thorough reply.

Either $Friend ignored my reply or never saw it (I'd bet the latter; it probably got buried in a pile of Acai Berries), because the very next morning I received several more spam servings from her. With a little luck, she at least stayed true to form and forwarded my email to everyone in her address book. In case she didn't, and for the benefit of the few people left on the planet who aren't in her address book, I am posting an "open letter" version of my reply here. Hopefully it will resonate with many...and actually sink in with a few.

Dear Friend,

You know I love you dearly, but you need to not be forwarding this kind of stuff. I'm not even sure you DID forward it on purpose; this sort of spam often is spewed out by an infected computer behind the scenes without the owner even knowing it is happening. Hubby got the same email from you, and when he opened it, it suddenly copied itself all over his inbox - viral red flag behavior for sure. Girl, we want to see you SAFE, online and off. We can't do much about the latter, but we do the former for a living as best we can, for anyone and everyone (un)lucky enough to get on our radar. So, here goes:

1) "THIS TOOK TWO PAGES OF THE TUESDAY USA TODAY - IT IS FOR REAL"

No, it's not. It never was, never has been, and never will be. Honestly, just about every time I see something that blares out in all capital letters "IT IS FOR REAL", that's a dead giveaway it's NOT. And the more "!!!!" that follows said blaring, the more fake it generally is. That it was supposedly real in USA TODAY is the final capper. C'mon - when was the last time anything in USA TODAY was for real?? ;-P

2) "SORRY EVERYBODY.. JUST HAD TO TAKE THE CHANCE!!! I'm an attorney"

All tacky lawyer jokes aside, no self respecting attorney would be forwarding junk chain-email. Unless they're A) really bored and doing it for a joke or, B) their infected computer is doing it for them behind their back. Oh, and notice it's ALL CAPITAL LETTERS and has 3 "!!!" after it. DING DING DING - THAT'S A FAIL!!!

3) "Bill Gates sharing his fortune."

No, he's not. Bill Gates won't even share his fortune with his own kids, from what I hear. Oh, and FYI, Big Bill retired from Microsoft over a year ago - that IS a fact.

4) "It's all marketing expense to him."

No, but somewhere along the line it's probably "marketing" *income* to the yellow bellied pondscum sucking mouthbreathing spammer(s) who *start* these kinds of things, and who obfuscate themselves so that they're nearly impossible to trace. You are not "bound to get at least $10, 000.00". All you are bound to get, eventually, is bounce back notices from friends whose email inboxes have filled to capacity from viral emails like these. Or whose computers have crashed altogether.

5) "Please forward this to as many people as possible." <-- **DANGER WILL ROBINSON, DANGER** If there's one written phrase in the English language that'll make me immediately smack the delete button, it's that. Well, that and hearing from some Nigerian banker that an Uncle I never knew I had just got killed in a plane crash and left me $5,000,000. All I have to do to claim it is send Mr. Noobiscam my bank account information and contact his lawyer perrymason@hotmail.com. Um, yeah. I'll get right on that. IMPORTANT (yeah, I know, all caps. So contact the "attorney" who sent this and sue me. ;-)): just how many email addresses are now attached to this sucker anyhow...? To: (MASSIVE EMAIL LIST WITH MULTIPLE FORWARDS - note: in my original note, I copied in roughly a half a page of email addresses, and that was less than half the email addresses in the multiple forwards)

That isn't even all of them, I was just making a point. Guess what? At best, that's how many more times this junk mail has circulated, and how many more people have to pick through it. At worst, that's how many computers are now infected if you've unwittingly forwarded a chain email that contains a link to a "driveby download" website, or worse, an embedded malicious payload. And no, badware doesn't have to come in an attachment anymore. It can be stuck right into the body of an email, if that email contains code or scripts that will run when the message is opened.

Girlfriend, if I didn't care, I wouldn't have taken the time to write such a lengthy reply. Please, update the antivirus on your computer and do a scan NOW. And please, please, please, do not forward these sorts of emails, and don't answer them. It's entirely possible the person you got it from didn't even send it on purpose. If they did, there *is* one email you can forward on to them - this one.

Give yourself, your husband, and the kids hugs from me and hubby, and if *they're* forwarding junk chain emails, whack them with a keyboard for me. 'kay?

Your sis,

-Peg



So, in closing, if you must forward, forward with some forethought, and not just for the sake of forwarding (and I promise, if you DO get run over by a transit bus, it won't have anything to do with bad email juju...unless you've been forwarding mass quantities of spam to a distribution list of bus drivers). If you take the time to weed out the junk and share only the gems, they're far likelier to actually be read, and even appreciated, by the recipient(s). Don't spread the spam. Think about it: do you stuff all the credit card offers, pizza coupons, and real estate flyers you get in your mailbox into an envelope and mail the whole mess off to your best friend, or your mom?

Oh, and if you get an unexpected email exhorting you to "CLICK HERE" in large red letters - like I just did - just don't.

Don't forward it, either. ;-)