Security

Security Comes First

by

My mum visted for April term break. She took the girls for a few days to a hotel. One day she took the girls to the postal museum. We went to the same museum with her when she visited a few years ago. It was nice and the underground tunnels and train ride was fun. When my mum needed an activity for a day she thought to go back there.

One of the activities is to create a stamp with your face on it. Both girls created ones.. The museum makes it easy for you to send your work of art to yourself by emailing them. My mum did just that to my personal email address. She really doesn’t know any other one.

The moment I got the mail and realised what it was I didn’t think oh cute. I thought oh great who knows who now has my email since it was sent via an unsecured system on a public kiosk. To be fair the stamps were cute however that wasn’t my first thought.

Vindicated By My Stance of You Are Not Paranoid If People Are Trying to Get You

by

I got worried when I started reading this article about Major Privacy Breach as Eufy Security Camera Owners Report Seeing Other Users’ Video Feeds. I use these cameras outside our house. I was curious how the issue could impact me since we use AppleHome kit. The reason I use HomeKit is because the video feed is encrypted before it leaves my house. it is stored encrypted on iCloud. By the time I came to the end of the article I was justified in my use of HomeKit since apparently I am not impacted. Well done past Scott for doing his research.

To Keep or Cancel Whatsapp

by

In my part 1 of My Great Social Media Purge of 2019 i outlined my objectives with assessing my use case of each social media platform I use. Part 2 covered Twitter. Part 3 covered Reddit. Part 4 covers Linkedin. Now part 5 is Whatsapp, or as I call it “the chat app i am forced to use since everyone left AOL IM”.

I thought about WhatsApp when I first started this excersise. It still only comes in fourth on my list. Partly because I was procrastinating. My assesment with WhatsApp is simple. I dont want anyone to know who i talk to. I am not doing anything wrong or illegal. Neither to my knowledge is anyone i am talking to. That is imiterial though. I have a right to privacy and I am excersising that right. Plain and simple.

Not wanting people to know who I talk to and using WhatsApp is challenging. Whatsapp does collect tons of meta data about your messages and calls. They allegidly are not able to read the body of the messages. Just the metadata. The question then becomes do care that WhatsApp has any metadata on me? More specifically the question could be how bad is it that they have metadata that i called my mom? Or my wife? Since lets face it they are the main people i use it for. I also chat or call people internationally with it for work. I can say I dont care about work linkage on WhatsApp however I probably should. I do care about everyone else I chat with on whatsapp. It’s mainly innocuous yet the linkage is still there in collected meta data. Will it likely impact me in my every day life that Facebook has that linkage? Probibly not. The fact they can learn a whole bunch about me because of it is creepy.

Practically speaking I know I will not get my local parents Organization for my kids school to stop using whatsapp. That means I have to live with the metadata collection.with. Or choose not to be in the conversation. I want to be in the conversation and there are too many ad hoc chats with friends and coworkers using Whatsapp that there would be a noticible loss of comunication and colaberation with several circles of people if I delete the app. Likely moreso than any other tool I am using and rewviewing.

To minimize my exposure to Whatsapp I aim to move as much of that conversation over to Signal or Telegram. Preferably Signal. I haven’t been very successful so far. Some work friends use Telegram. I got some family on Signal. The vast majority of people still use Whatsapp. I am going to make much more of an effort on this going forward.

The verdict on Whatsapp (For now) is sadly I will keep it. I will say its keep for as long as I have to, however lets face it that will likely be a while. I blame everyone else I chat with.

To Keep or Cancel Linkedin

by

In my part 1 of My Great Social Media Purge of 2019 i outlined my objectives with assessing my use case of each social media platform I use. Part 2 covered Twitter. Part 3 covered Reddit. In Part 4 I will cover Linkedin. its a short one since the decision was pretty straight forward.

Linkedin is a tough one. I feel for professional reasons it is necessary. The data mining that is creepy in other platforms may land me a job opportunity on Linkedin. Funny irony right? I would like to remain blissfully unaware of anything creepy that happens on this platform or what they do with my data. That way I will not dig further into it and get spooked by whatever I find.

I even need to use this platform more to promote myself professionally. Its a keeper. So if you have creepy stories about LinkedIn, I do not want to know.

To Keep or Cancel Reddit

by

In my part 1 of My Great Social Media Purge of 2019 i outlined my objectives with assessing my use case of each social media platform I use. Part 2 covered Twitter. Part 3 covers Reddit. Yup i started reading some stuff on Reddit.

I started using Reddit in 2019. I broke down and signed up. I haven’t posted anything. I joined a few sub-Reddit’s. That in and of itself helps build a profile on me and what I like and read. I am not a fan of that. I do find following along in each community I find informative. It is targeted discussions and some of them have been useful. That value however comes at the price of Reddit knows I am interested in specific things. For now I am not really sure if my lurking there for some information is worth that model on what i am interested in. For now I am paying that price.

I may just cancel my account and have direct links to some sub-Reddit’s i want to read. Then i could try to use a TOR Browser on VPN to just read without having the linkage to me. That work around does require much more effort to do so not sure if the cost benifit is worth it.

In the end I think I “should” delete Redit. That being said the cost “i think” for keeping it is low compared to other providers so I am neutral on it, for now.

To Keep or Cancel Twitter?

by

In my part 1 of My Great Social Media Purge of 2019 i outlined my objectives with assessing my use case of each social media platform I use. I am starting off with Twitter.

I surprisingly find value in using Twitter. I only ever post to twitter to share links to my blog. My reasoning is my blog is public anyway. At this moment I do not believe there is a downside to the linkage of my blog to my twitter account. I may come to regret that however for now I am ok with that linkage. I do have lists of peoples twitter accounts that i follow. Mainly i look at FinTech companies twitter accounts. Some security journalists and a few tech industry people. I also will look at a few comedian’s or The Onion. Even that information starts to build a profile on me. The limited amount of value there I am ok with.

Other uses for Twitter have been in the past I found huge value in having a list to track emergency management accounts. When i was in a pure operations role that came in very handy when Hurricane Sandy hit. Or when a few other big snow storms hit NY. Some of that linkage i am not happy with however that linkage would exist if i followed some of these companies or twitter accounts via Twitter or if i used an RSS feed.

As I wrote this post I unfollowed a bunch of people and friends who never post. What is left i am happy enough with. I think i will have to revisit Twitter again in the future however for now i am ok to keep using it the way i do. I may limit my usage (again) to a secured VM).

Verdict, for now a Keep.

My Great Social Media Purge of 2019 (Part 1)

by

In recent months i have been thinking (again) about my digital data in relation to my privacy. I have been thinking about what my objective is regarding keeping my digital data safe. From who, and why? This is topical because more and more details have been coming out about Facebook and other social media’s use and collection of data.

I have been pondering what my own personal next actions on my social media exposure was. Then I watched the Netflix Documentary The Great Hack. That movie reinforced to me that I am not able to justify keeping my some social media accounts. And the way I use others needs to change. First thing in my mind was do I keep or cancel Facebook. Even after scrubbing data off the account regularly there are just some things you cannot get rid of. I have been diligent not to post almost anything that is not already public. I just haven’t been 100% great at it all the time. The question that kept bothering me is what will I / can I do about it. That brought me to question what I was worried about? From there I started asking myself what my threat model.

I had to think for a while to figure out what is my threat model for data collected by social media companies. At first I just feel it is a bit creepy that any one company can have that much information on me. That is not a threat model. It just got me to further realise in this day and age there will be data about my life leaked to companies. What I do not want is one or a few companies having a huge collection of my life. That morphed my objective to see how can i minimise my data leakage so to speak. At the same time still getting value out of some of the services i use. That for me is the key. What am I really getting value out of? That is subjective to everyone. For me it came down to what is my social media use case? If I am going to keep hugging Twitter, Facebook, and even LinkedIn I should be clear to myself what my use case is of each of those services. Only then can I weigh the risks of what each platform collects on me. After that I can decide what I want to do about it. I use each platform and others for different reasons so each one has its own use case.

I got analyitcial and wrote up my own assesment of my use for each. As I wrote them out I realized this is more than one post. I will publish each as a post with their own summary of what i am going to do with the service. At present there are about 6 parts (this is part 1). First up on my list is Twitter.

This post is titled My Great Social Media Purge of 2019 (Part 1). I wrote it in the Fall of 2019. It is still very relevant however I only now am getting around to posting it.

A Note To My Future Self On Why I Do Not Use Android Phones

by

In July before my trip to Bangkok i picked up a mid range Android Phone. I opted for the Motorola G7 since it offered dual SIM cards. I got the phone for less than 200 pounds. An iPhone that would do that was several times more than that. My need was for a dual SIM phone so i could keep my UK SIM and have a Bangok one. Then when I went to NY for most of August I would also have a US SIM and my UK SIM card.

My intentions mostly worked out the way i wanted it. As much as I prefer iOS for many reasons the new Android was ok. I liked the big screen for a cheap price. I wasn’t happy about some of the security trade off’s however i was letting that go and being in deial about it.

I then put in a Pi-hole as my DNS at home. Looking at the metrics from that made it impossible to be in denial as to how bad my Android phone probibly was to violating my privacy after i clicked on agreeing to whatever terms and conditions. The cover photo is a graph of my entire DNS queries in my house for a 24 hour period. The part on the right where there is a huge spike is purely my Motorola G7 making calls out to the internet. Doing what i am not 100% clear since i wasn’t using the phone. It just got on wifi and started phoning home alot.

The photo below shows that the same Android phone is one the chattiest device on my network at home and also gets its requests blocked more than any other device. For a phone that i dont use alot and wasn’t in my house for most of the 24 hour period measured that is pretty creepy. To put it in context M and i have iPhones and iPads and none of them get blocked or “talk” on the internet that much if we are not using them.

The Motorola G7 in question is being reset to factory defaults and wiped as I write this article. It will get sold on ebay shortly. This entire episode highlights why I had reservations about Android as a technology in the first place. It is slick however the trade off on my privacy is not worth it. i would rather save longer and keep using iOS.

Encrypting Email, It’s Not Just For Criminals

by

In March I blogged about my “almost disposable email“. I still have improvements to make  when dealing with external sites and services.  Overall that model works pretty well.

When thinking about my personal email, my dilemma changes a bit. Unlike most people who use the Internet send and receive email for personal use I have changed my address multiple times over the years. Friends and family of mine have commented about the fact that I change probably too often. In reality it’s only once every 3 or 4  years. That apparently is to much for most people. Of course some the people commenting may still be using AOL addresses from the 90s.

In 2014 I blogged about My sudden allergic reaction to all things Google.  In that post I wrote about migrating from Google hosted mail to a hosting provider in Switzerland. The Swiss-based provider I selected offers much greater privacy protection vs a US-based company. For what I was looking for the price difference was nominal. By moving to a Swiss-based provider wasn’t a magic bullet. All my data on my website and email stored on their servers is still not encrypted at rest.  In other words I am still exposed just less likely to get snooped on by a government.  Even that statement has caveat. Let’s say I am better off than before.  I still have much to do.

With my mail being hosted in Switzerland I have relatively good level of privacy protection. That means if someone wants to get a hold of my mail they would need some sort of court order.  The fact that there is a request should be disclosed to me. That is unlike US hosting providers that would not need to inform me if they were asked to spy on me. To go a step further and make it impossible for anyone to get my email on the mail server I would need to   encrypted my email at rest with the hosting provider having no knowledge of the encryption keys. The reality is this is important however not my threat model. I’m more concerned about personal details being intercepted via an unsecured network.

To address both of these problems I have been investigating two different secure email providers. Protonmail & Tutanota. Both in theory provide the same service. They allow you to encrypt email and send it. They also encrypt email at rest on their systems and have no knowledge of how to decrypt. Email sent between two people on let’s say proton mail has the email encrypted completely. If however I am on protonmail and I send an email to someone not using that system messages secure however there is a caveat. What really happens is an email is sent to the recipient telling them that there is a secured message waiting for them and it provides a link to that message. I can send along a password hint if I want as well. The recipient can then click on the link and read and respond to the email. It secure however not super user-friendly to what most people are use to. I experienced similar systems when I briefly worked at a health benefits organization that had to comply with HIPPA rules in the US.

My threat model concerns sending and receiving of secured information via email.  I do realize that the use case is not required for most emails i send. In most cases what I’m sending can go “in the clear”. Having the ability to encrypt as needed is the big value to me.

Having stored mail encrypted at rest with the provider having no knowledge of the decrypt keys also makes me feel more comfortable when I am not hosting the data. ProtonMail & Tutanota both offer this fundamental security feature.  The challenge with both providers that neither currently have a way to import or export email. I am a person who has most if not all of my mail going back to 1996. For years I was proud to have that stash of mail.  I also have gone back to really old messages for information.  In today’s world however having that much personal data sitting on a typical mail server is too big of a potential risk and a major liability.  

I no longer keep that archive of mail on a live mail server.  Instead it is encrypted on a personal computer in a database.  At least I still have it. To use ProtonMail or Tutanota would mean I would no longer have correspondence that goes into the system. That limitation is given me a little bit of pause. Since I started playing around with the system late last year proton mail has announced they will be launching a secured IMAP option. I am assuming that will enable me to offload mail from their system. That would make their solution much more viable for me.

As I continue to play around with both systems I have been favoring ProtonMail over Tutanota. I’ve not yet jumped into using one for my personal mail however I am leaning towards protonmail. One of the hesitations I have is that protonmail is not cheap.  It costs about half of a full hosting package I have per year. Tutanota is as cheap as one dollar a month per user. Protonmail is around five dollars per month for what I initially need it for. Protonmail also does not allow me to move my entire family using a specific email domain onto an account unless I use a much more expensive account than the five dollars per month plan. Tutanota will let me set up multiple family mailboxes for one dollar per mailbox per month. That makes Tutanota an option if I wanted to continue using the same email domain I currently use for my personal email.

The solution to this issue is for me to switch domain names i use.  I have a few other ones I own i can start to use however that brings me back to how I started off this post.  I don’t want to change my address, however it is a price i am willing to pay if other factors are positive.

I could make my life easy and just use Tutanota and move my family over to it also. The challenge is I like protonmail much better. The UI is nicer on both the web and iOS app. The iOS app loads faster. It has a few more nifty features versus Tutanota such as tagging. Overall I just get a better feeling about it.

Knowing myself what I likely will end up doing is change my personal email so I can use a different domain name that I have that isn’t being used for anything else and point that the proton mail. I would then leave my existing mail domain where it is and allow my other family members to continue using it.

For now I’m still waffling a bit on what to do. If your friend or family member of mine and you are reading this, you know why in a few months you might get a notice that I changed my mail address yet again.  Of course if you read this far kudos to you.