In the computer security world, “social engineering” is the process of persuading a person to give up a password or other important piece of data by tricking them. Typically done either by e-mail (or other electronic message, like Facebook) or phone, the person on the other end will pretend to be your IT help desk, your bank, some kind of investigator, or other person with whom you may trust the data. (When done by e-mail, this is more specifically known as “phishing.”)

There’s almost never a time when it’s necessary to give a password other than in a password form. Your bank will never ask for it, and neither will any non-lazy corporate IT department. If you must give it over the phone, make sure you initiated the call so that you at least know the person on the other end is who they say they are. If you’re clicking a link in an e-mail and it asks you to give a password, make sure that the address bar at the top of the window starts with the domain name you’d expect. If you think you clicked on a link from Chase Bank but see “http://chasebank.myfreehosting.com/login.php” in the address bar, chances are your bank accont will shortly be empty if you type in your password.

This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

When Facebook was released, I was a college student at one of the dozen or so universities first given access to Facebook. I was probably somewhere around the 50,000th user of the now 100,000,000, and I’ve watched it evole from a PHP script where you could find the cute girl down the hall knowing only her first name (and read her whole profile without even being friends!) to a massive corporation that connects nearly every young person in the western world.

The problems started coming when Facebook started allowing secrecy on your profile. You see, back in 2003, you knew anyone in your school could see everything, so you didn’t post private things (if you were smart and/or sober). Suddenly, “privacy options” appeared, and people uploaded content in confidence, but the privacy features didn’t actually work so well. On many occasions, the systems broke or were hacked, and now the picture of you doing a keg stand became accessible to your employer.

But, it got worse when Facebook started trying to make money. If there’s one threat to your privacy that’s close behind a government bent on “keeping you safe,” it’s an advertiser. All of the sudden, Facebook started asking you more questions. Where were you born? Would you like to tag your post with your current location? How old are you? My favorite is, “Where was this photo taken?” — did you notice that there’s no option to search your albums by location? Why, then, does Facebook want to know?

It gets one step worse, unfortunately. When this mountain of data is collected for the advertisers, it’s sitting there just waiting for a government subpoena. This is exactly what is meant by “metadata.” Maybe the government can’t see your pictures without a specific warrant (maybe!), but perhaps they are building a graph of where you’ve been, when you’ve been there, and who you’ve been with. Perhaps you happened to be in a bar at the same time as a known terrorist and both of you were on Facebook. Guess what happens now? They’re getting a warrant for you.

So, if you must use Facebook, here are some tips on reclaiming some of your privacy:

• Never sync contacts with your cell phone. Do you really want Facebook to have access to your phonebook, which then is subject to being jacked by PRISM?
• Avoid giving Facebook your location. Don’t “check in” somewhere (and if you feel like you really want to share with your friends the cool place you’re at, just type the name rather than tagging the location), don’t tag a location on anything (including pictures), and disable the little thing that tells where you are when you’re posting.
• Your profile picture is accessible to everyone — even those who are not your friends. Remember that.
• Don’t add people you don’t know as friends.
• Don’t respond to surveys or feel compelled to answer any demographic-oriented questions.
• Remember that ultimately, anything you post there or even say in a message may become public someday.

Be smart! 🙂

This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

Not all phones can do this, but most Android phones can. By now, you know that encryption is the process of locking data with a key such that (when done right) even serious adversaries cannot unlock it. You can encrypt data for transit (such as when you view a Web site over HTTPS), and you can encrypt data for storage. The latter protects your data in the event your device is stolen (or “seized”).

For most Android phones, this is trivial: simply go into Settings -> Security, and there will be an Encrypt option. You may need to encrypt your phone and SD card separately, and you’ll need to set a strong password on your phone (no more 4-digit PIN, sorry!). iPhone users are a bit out of luck on this one: even with a PIN lock, someone with the right tools can grab your data, and there’s no real encryption option. Perhaps you could instruct Siri to delete your stuff if someone kidnaps her! 😉

This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

We’re now half way through the No Surveillance State Month, and what a busy month it’s been! Part 15 discusses an important yet technically difficult topic: encrypting your e-mails as they are in-transit.

The most common way people accomplish e-mail encryption is through PGP. PGP is a protocol that’s now over 2 decades old, and works on “public key encryption.” Imagine a lock with 2 keys: one key that was required to open the lock, and another required to close it. You can give the key required to close the lock to everyone — in this case, allowing everyone to encrypt a message destined to you — while holding onto the key required to open the lock — thus preventing anyone from reading the message but you.

The reason why this is techincally difficult is that even in 2013, the Internet has not come up with a standardized, free, easy-to-use way of dealing with exchanging that “close the lock” key, known as the public key (the “open the lock” key is a private key). But, if you want to wade through one product that will get you through the job and integrate with common commercial e-mail software such as Microsoft Outlook, you probably want to look at Symantec Desktop Email Encryption. The University of Pennsylvania has published a fairly clear step-by-step guide for usage.

If the thought of using a commercial product really kills you, there’s GPG and the associated clients for each operating system, but like most things open source, be warned that the technical skill required for success increases drastically.

This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

As “apps” become more and more ubiquitous on all our devices, it becomes all that much more important to keep track of what your apps are doing. If you use an iPhone or an Android device, every time you install an app, you get a warning like the one pictured here.

Pay attention to these warnings. If you’re downloading a Solitare game, but the app permissions ask to be able to send SMS messages and read your contacts list, that should indicate a problem to you. The solution? Download a different app. There’s almost always competition in the app stores, and in addition to price and user feedback, it’s also important to consider whether the app is safe. Unsafe apps can spam your contacts, steal your text messages, and kick puppies, so best to avoid an app that asks for more than it should.

This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

Another pretty simple one for you. If you surf the Web, but never update your operating system, Web browser, and plug-ins (especially Flash and Java), you’re asking for it. Every few weeks, another “exploit” is published — exploit being a fancy term for “way to take over your computer.” Software manufacturers (generally) work very hard at putting out “patches” — software to fix the software and make the exploit no more.

US intelligence agencies have been known to take advantage of these exploits to spy or to cause damage. The most brilliant example of this is the Stuxnet worm, which disabled Iran’s nuclear program for many months. But, more commonly, the attackers are people trying to send spam using your Internet connection, steal your personal information, or otherwise make a few dollars at your expense.

Most programs and operating systems have automatic updates available, in the form of little nag boxes that remind you to update your software or, sometimes depending on your settings, will update the software for you. Failure to do so leaves you exposed, and eventually you’ll come across malware that can invade your computer. Make sure that you update your software through the software’s interface, however. The Internet is full of ads that prompt you to update, which usually give you malware instead of updates!

tl;dr: When Windows or an installed app asks you to update, do it; but if a pop-up on the Internet asks you to update, don’t!

This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

Today’s tip is an easy one. When you’re browsing the Web, if the address of the page you’re viewing starts with “http://”, you’re viewing a non-encrypted Web page, which means that it’s possible someone can intercept what you’re doing (a neighbor listening in on your WiFi, the NSA, etc.). On the other hand, if the address starts with “https://”, it is encrypted using “SSL” and likely safe. The “s” means secure!

Chances are, you’re viewing this blog with the unsecure URL (since we’re not really trasmitting anything secret here, that’s ok!), but you can easily go up to the address bar of your Web browser, add in the “s”, and press Enter to see this page over a secure connection. Not every Web site supports SSL, but many do, so before you enter a password or other personal information, try adding the “s” and seeing if you can change your unsecure connection into a secure one.

[Update: Commenter featherwinglove reminds that there is a plug-in for Firefox & Chrome users to do the above automatically for you. See: https://www.eff.org/https-everywhere]

This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

Yesterday I announced my new software project called 1985 (Web Site | fundraiser), which uses peer-to-peer encryption and relaying to prevent your call — and the “metadata” about your call — from being intercepted. While we work to bring this to cell phones and voice traffic, this already exists for Internet browsing, and it’s called Tor.

Here’s how Tor works: you connect to a network of Tor users and get a list of peers that will help you. You select 3 peers at random, take your message (data), and encrypt it so that only the third peer can read it. Then you take that encrypted message and encrypted it so that only the second peer can read it. Then you take that encrypted message and encrypt it so that only the first peer can read it. Now in order to read the message, all three peers are required, in order, to unwrap each of the three layers of encryption. The message is then sent to the first peer, who unwraps a layer and forwards to the second peer, who unwraps a layer, who forwards to the third peer, who unwraps a layer, and forwards to the destination (Facebook, Gmail, whoever).

The second and third peer have no idea who you are since they got the message from the previous peer, not from you. The first and second peer have no idea what your message is, since there will still be encryption layers on it. The ultimate destination of the message is also included beneath the three layers, so they also have no idea to whom your message is to. What this means is that no peer has all the information, and in order to piece it together, all three peers would have to collude.

Take a look at the Tor Web site and Wiki page for details on how you can use it. It requires a little bit of technical skill to use in a way that affords you strong security, but not too much technical skill just to get going. The best part is that the more people who participate in Tor, the more anonymous it is because the peers are selected from a larger random pool.

This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.