Professional Troublemaker

 Jonathan Corbett, Civil Rights Advocate

No Surveillance State Month, Part 21: Password Questions Are the Devil

You know those, “If you forget your password, answer these questions to get into your account” things? That always ask you in what city you were born, what your mother’s maiden name was, etc.? Well, think about it for a second: assuming you answer those questions honestly, what are the odds that other people also know or can look up that information? There you were coming up with some kind of uber-complex string of characters for your password, which can be bypassed by searching for your mom’s marriage announcement.

This is how a lot of celebrity account hacks happened. Nude pictures of Scarlett Johansson are on the ‘net thanks to password questions.

The solution is to make the answer to your password question a password in itself. Simply pick a new password, and use that for your password question. If that makes things too hard to remember, even something as simple as adding an arbitrary word before/after the real answer will make things significantly more secure. “New York” and “Smith” become “New York Blue” and “Smith Blue,” or “Alligator New York” and “Alligator Smith.” Easy to remember, unlikely to guess.


This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

No Surveillance State Month, Part 20: Snail Mail Services

Many people don’t like the idea of having their home address so easily searchable on the Internet. It used to be that if you wanted a way to receive mail without giving up where you live, you got a post office box, which is OK, but let’s face it, there’s not much worse in this world than having to go to the post office.

I love to travel (hence the origins of this blog), and for me, I also would like to be able to receive my mail even when I’m not home. Rather than burdening my friends, I use one of the many services out there that receive mail on your behalf and, at your request, scan your mail and e-mail it to you, forward your mail to you, or simply drop it in the shredder if you don’t want it.

The services range in price from about $20 for the basics, and it’s the easiest way to get your address off the Google while still maintaining communication with those who still find it necessary to send paper. Two that I’ve used that I’ve been happy with (and receive no commission from) are:

One cool tip: with the check deposit feature that most banks have in their mobile apps, if you receive a check, you don’t have to request that it be forwarded in order to deposit it. Just request that they scan the item and then either print and endorse it, or if you’re extra fancy, you can endorse using any graphics program and use the app to take a picture of your screen. It actually works.


No Surveillance State Month, Part 19: Use Friendly Web Services

I think that Google gives great search results, but it bothers me how much data they collect. Many people host their e-mail with Gmail, get directions with Google Maps, sync their contacts with Google, store credit cards in Google Wallet, and so much more. All this data is connected to PRISM and delivers such a complete profile of you that phone records may seem insignificant.

Just as a rich person would never store all his or her assets in one bank, a Web user should never place all their data in one place. Even beyond making it more difficult for government pwnage (a technical term for “taking over”), if your Google account is hacked, you’re screwed. Just don’t do it.

Instead, one way you can take a bit of your privacy back is by using search engines that don’t keep long historical records of what you’ve searched for to “personalize” your search. Frankly, I don’t want my search personalized anyway: I want to find new things, not things that meet some profile created by a bunch of programmers. One popular search engine among the privacy-conscious is Duck Duck Go, a search engine that promises not to log your data.

Sometimes, I find it necessary to use Google because I do believe their search is an awesome product. When I do, I use the “private browsing” mode of my Web browser, accessed by pressing Ctrl+Shift+P on most major browsers. This mode disallows access to the cookies stored on your computer, making it difficult for a Web site to correlate the current person searching to their previous search records. It also ensures you start logged out of Google, so your search history isn’t logged in a named account either.


No Surveillance State Month, Part 18: Avoid Social Engineering Attacks

In the computer security world, “social engineering” is the process of persuading a person to give up a password or other important piece of data by tricking them. Typically done either by e-mail (or other electronic message, like Facebook) or phone, the person on the other end will pretend to be your IT help desk, your bank, some kind of investigator, or another person whom you might trust with the data. (When done by e-mail, this is more specifically known as “phishing.”)

There’s almost never a time when it’s necessary to give a password other than in a password form. Your bank will never ask for it, and neither will any non-lazy corporate IT department. If you must give it over the phone, make sure you initiated the call so that you at least know the person on the other end is who they say they are. If you’re clicking a link in an e-mail and it asks you to give a password, make sure that the address bar at the top of the window starts with the domain name you’d expect. If you think you clicked on a link from Chase Bank but see “http://chasebank.myfreehosting.com/login.php” in the address bar, chances are your bank account will shortly be empty if you type in your password.
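As an added illustration of the address-bar check above (this is not code from the original post): a Python function that parses the URL and compares its host against the bank's real domain, rather than checking whether the address merely starts with a familiar-looking name. It assumes, for illustration only, that chase.com is the bank's real domain; the URLs it is run against are constructed.

```python
from urllib.parse import urlsplit


def host_belongs_to(hostname, expected_domain):
    """True if hostname is expected_domain itself or a subdomain of it.

    "chasebank.myfreehosting.com" is NOT under "chase.com" even though it
    starts with "chase", which is exactly the trick the post warns about.
    """
    hostname = hostname.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def check_login_url(url, expected_domain, require_https=True):
    """Decide whether it is safe to type a password into a page at `url`.

    Returns (ok, reason). `expected_domain` is the domain you know the
    institution really uses (assumed here to be chase.com for Chase Bank).
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return False, "no hostname in URL"
    if parts.username is not None:
        # Anything before an '@' is user info, not the site; the browser
        # actually connects to the host that follows it.
        return False, "text before '@' is not the site; real host is %s" % host
    if not host_belongs_to(host, expected_domain):
        return False, "host %s is not under %s" % (host, expected_domain)
    if require_https and parts.scheme != "https":
        return False, "password would be sent over %s, not https" % parts.scheme
    return True, "host %s is under %s" % (host, expected_domain)


if __name__ == "__main__":
    # Constructed sample: the post's example URL versus a plausible real one.
    for candidate in ("http://chasebank.myfreehosting.com/login.php",
                      "https://secure.chase.com/login"):
        ok, reason = check_login_url(candidate, "chase.com")
        print("SAFE " if ok else "STOP ", candidate, "-", reason)
```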


No Surveillance State Month, Part 17: Give Facebook Less Info

When Facebook was released, I was a college student at one of the dozen or so universities first given access to Facebook. I was probably somewhere around the 50,000th user of the now 100,000,000, and I’ve watched it evolve from a PHP script where you could find the cute girl down the hall knowing only her first name (and read her whole profile without even being friends!) to a massive corporation that connects nearly every young person in the western world.

The problems started coming when Facebook started allowing secrecy on your profile. You see, back in 2003, you knew anyone in your school could see everything, so you didn’t post private things (if you were smart and/or sober). Suddenly, “privacy options” appeared, and people uploaded content in confidence, but the privacy features didn’t actually work so well. On many occasions, the systems broke or were hacked, and now the picture of you doing a keg stand became accessible to your employer.

But, it got worse when Facebook started trying to make money. If there’s one threat to your privacy that’s close behind a government bent on “keeping you safe,” it’s an advertiser. All of a sudden, Facebook started asking you more questions. Where were you born? Would you like to tag your post with your current location? How old are you? My favorite is, “Where was this photo taken?” — did you notice that there’s no option to search your albums by location? Why, then, does Facebook want to know?

It gets one step worse, unfortunately. When this mountain of data is collected for the advertisers, it’s sitting there just waiting for a government subpoena. This is exactly what is meant by “metadata.” Maybe the government can’t see your pictures without a specific warrant (maybe!), but perhaps they are building a graph of where you’ve been, when you’ve been there, and who you’ve been with. Perhaps you happened to be in a bar at the same time as a known terrorist and both of you were on Facebook. Guess what happens now? They’re getting a warrant for you.

So, if you must use Facebook, here are some tips on reclaiming some of your privacy:

  • Never sync contacts with your cell phone. Do you really want Facebook to have access to your phonebook, which then is subject to being jacked by PRISM?
  • Avoid giving Facebook your location. Don’t “check in” somewhere (and if you feel like you really want to share with your friends the cool place you’re at, just type the name rather than tagging the location), don’t tag a location on anything (including pictures), and disable the little thing that tells where you are when you’re posting.
  • Your profile picture is accessible to everyone — even those who are not your friends. Remember that.
  • Don’t add people you don’t know as friends.
  • Don’t respond to surveys or feel compelled to answer any demographic-oriented questions.
  • Remember that ultimately, anything you post there or even say in a message may become public someday.

Be smart! 🙂


No Surveillance State Month, Part 16: Encrypt Your Phone

Not all phones can do this, but most Android phones can. By now, you know that encryption is the process of locking data with a key such that (when done right) even serious adversaries cannot unlock it. You can encrypt data for transit (such as when you view a Web site over HTTPS), and you can encrypt data for storage. The latter protects your data in the event your device is stolen (or “seized”).

For most Android phones, this is trivial: simply go into Settings -> Security, and there will be an Encrypt option. You may need to encrypt your phone and SD card separately, and you’ll need to set a strong password on your phone (no more 4-digit PIN, sorry!). iPhone users are a bit out of luck on this one: even with a PIN lock, someone with the right tools can grab your data, and there’s no real encryption option. Perhaps you could instruct Siri to delete your stuff if someone kidnaps her! 😉


No Surveillance State Month, Part 15: Encrypt Your E-mails

We’re now halfway through the No Surveillance State Month, and what a busy month it’s been! Part 15 discusses an important yet technically difficult topic: encrypting your e-mails while they are in transit.

The most common way people accomplish e-mail encryption is through PGP. PGP is a protocol that’s now over 2 decades old, and works on “public key encryption.” Imagine a lock with 2 keys: one key that was required to open the lock, and another required to close it. You can give the key required to close the lock to everyone — in this case, allowing everyone to encrypt a message destined to you — while holding onto the key required to open the lock — thus preventing anyone from reading the message but you.

The reason why this is technically difficult is that even in 2013, the Internet has not come up with a standardized, free, easy-to-use way of exchanging that “close the lock” key, known as the public key (the “open the lock” key is the private key). But, if you want to wade through one product that will get you through the job and integrate with common commercial e-mail software such as Microsoft Outlook, you probably want to look at Symantec Desktop Email Encryption. The University of Pennsylvania has published a fairly clear step-by-step guide for usage.

If the thought of using a commercial product really kills you, there’s GPG and the associated clients for each operating system, but like most things open source, be warned that the technical skill required for success increases drastically.


No Surveillance State Month, Part 14: App Awareness

As “apps” become more and more ubiquitous on all our devices, it becomes all that much more important to keep track of what your apps are doing. If you use an iPhone or an Android device, every time you install an app, you get a warning like the one pictured here.

Pay attention to these warnings. If you’re downloading a Solitaire game, but the app permissions ask to be able to send SMS messages and read your contacts list, that should indicate a problem to you. The solution? Download a different app. There’s almost always competition in the app stores, and in addition to price and user feedback, it’s also important to consider whether the app is safe. Unsafe apps can spam your contacts, steal your text messages, and kick puppies, so it’s best to avoid an app that asks for more than it should.


No Surveillance State Month, Part 13: Update Your Software

Another pretty simple one for you. If you surf the Web, but never update your operating system, Web browser, and plug-ins (especially Flash and Java), you’re asking for it. Every few weeks, another “exploit” is published — exploit being a fancy term for “way to take over your computer.” Software manufacturers (generally) work very hard at putting out “patches” — software to fix the software and make the exploit no more.

US intelligence agencies have been known to take advantage of these exploits to spy or to cause damage. The most brilliant example of this is the Stuxnet worm, which disabled Iran’s nuclear program for many months. But, more commonly, the attackers are people trying to send spam using your Internet connection, steal your personal information, or otherwise make a few dollars at your expense.

Most programs and operating systems have automatic updates available, in the form of little nag boxes that remind you to update your software or, sometimes depending on your settings, will update the software for you. Failure to do so leaves you exposed, and eventually you’ll come across malware that can invade your computer. Make sure that you update your software through the software’s interface, however. The Internet is full of ads that prompt you to update, which usually give you malware instead of updates!

tl;dr: When Windows or an installed app asks you to update, do it; but if a pop-up on the Internet asks you to update, don’t!
