Chinese Spy Cars?

Turns out it wasn’t just spy balloons…

Chinese self-driving cars have quietly traveled 1.8 million miles on U.S. roads, collecting detailed data with cameras and lasers | Fortune:

Since 2017, self-driving cars owned by Chinese companies have traversed 1.8 million miles of California alone, according to a Fortune analysis of the state’s Department of Motor Vehicles data. As part of their basic functionality, these cars capture video of their surroundings and map the state’s roads to within two centimeters of precision. Companies transfer that information from the cars to data centers, where they use it to train their self-driving systems.

Think You’re Discreet Online?

Go read Mad Farmer Liberation Front:

But they are wrong. Because of technological advances and the sheer amount of data now available about billions of other people, discretion no longer suffices to protect your privacy. Computer algorithms and network analyses can now infer, with a sufficiently high degree of accuracy, a wide range of things about you that you may have never disclosed, including your moods, your political beliefs, your sexual orientation and your health.

Source: Opinion | Think You’re Discreet Online? Think Again – The New York Times

The Apps You Should Really Be Concerned About with Your Privacy

After examining maps showing the locations extracted by their apps, Ms. Lee, the nurse, and Ms. Magrin, the teacher, immediately limited what data those apps could get. Ms. Lee said she told the other operating-room nurses to do the same. “I went through all their phones and just told them: ‘You have to turn this off. You have to delete this,’” Ms. Lee said. “Nobody knew.”

Source: Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret – The New York Times

Because of poor media coverage, everyone is afraid of what Google and Facebook “know” about them and how much information they’re sharing with those two services.

While those two services need to be investigated and questioned, the most alarming actors are in the “bottom half” of the advertising industry: the data brokers connected to the seemingly innocent apps you install on your mobile device for the weather, nearby gas stations, or local sports scores. How they treat your personal location data is the real problem.

Good report here by the NY Times (we need more of this type of journalism in the tech-sphere).

You’ve already been hacked

Yet another reminder to change your passwords, use two-factor authentication when you can, keep up with your credit and debit card statements, and don’t think for a second that all of your information isn’t already “out there”…

For 327 million guests, the information exposed was strictly personal: birthdays, passport numbers, email and mailing addresses and phone numbers. While some credit card information, card numbers and expiration dates, may also have been compromised, it was stored using a more advanced encryption method. Still, Marriott said it had “not been able to rule out” the possibility that card information had also been stolen.

Source: Marriott discloses a massive data breach affecting up to 500 million guests – The Washington Post

Keep your WordPress Site Plug-ins Updated

Now more than ever…

After its removal from the WordPress plugin repository yesterday, the popular plugin WP GDPR Compliance released version 1.4.3, an update which patched multiple critical vulnerabilities.

— Read on www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/

Moving beyond passwords

I was just working with a client for the better part of the morning to regain access to a few of their social media accounts and personal email because they had used the same password for those accounts. So I have very similar thoughts to Doc Searls right now.

Amen:

Please, please, please, tech world: move getting rid of logins and passwords to the top of your punch list, ahead of AI, ML, IoT, 5G, smart dust, driverless cars and going to Mars.

Doc Searls Weblog · Please let’s finally kill logins and passwords – Read on blogs.harvard.edu/doc/2018/08/24/pw/

Is your site http or https? It’s going to matter soon

This is going to bite a number of nonprofit, church, and community org sites hard when Google’s Chrome browser starts labeling every plain HTTP site as insecure…

Plus, in July 2018 in Chrome version 68, Chrome will mark all HTTP sites as “not secure.”

Source: Google’s Chrome browser to drop secure label for all HTTPS sites – Search Engine Land

Your Domain and Your Home Address

I often shock potential small business or nonprofit clients by knowing their home address or cell phone number during our first or second call. It’s easy if they have already purchased a domain. I don’t do it as a scare tactic, but as an educational moment about the need to plan ahead and think through security issues.

By the time someone or a business or group has come to me with an idea for a new website or marketing strategy needs, they’ve purchased or at least thought about a domain name. There are copious services out there that will sell you a domain for a range of prices. GoDaddy is perhaps the most popular due to its marketing over the years. Unfortunately, GoDaddy has a reputation in the tech world of being the Monarch of UpSells. You can go there to buy a domain but you have to wade through the other options of website hosting, email addresses, security services, and a fee to protect your domain name privacy.

That last one is something that has irked me for a while about GoDaddy and similar domain name sellers (including Google) that don’t offer free domain privacy and private registration. Again, many of my clients are shocked when they find out their home addresses are now public records tied to their great idea for a domain or their business’ domain.

Before private individuals started buying domains and GoDaddy / Squarespace / Wix / Weebly (all of which will sell you a domain) started marketing how “easy” it is to build a website, it made sense that domain information would and should be public. Most domains were bought by agencies or companies tied to specific interests. However, that has all changed, and in 2018 domains should include domain privacy when purchased.

People are becoming more and more interested in privacy and security matters, and this only makes sense for everyone. Stop upselling it.

Good move from Namecheap.

When you register a domain, ICANN requires registrars to provide them with your contact information (such as name, email, address, and phone number). This is then added to the Whois database. This database lists the owners of every domain name online, and it can be searched by anyone on the Internet.

— Read on www.namecheap.com/security/whoisguard.aspx

Harrelson Agency is Now a Cloudflare Certified Partner

I’ve spoken at numerous events and conferences on the topic of web hosting and security and I’ve been quoted in the New York Times about that same topic over the years. Website security is something near and dear to my heart and I made sure to bake that into the very essence of every website build I’ve done since 2004 and since the founding of Harrelson Agency back in 2012.

The last few years have presented incredible challenges for website hosting companies and developers (and those that care about online security). Just think… applications like Bleachbit and terms like “private email servers” and “DNS hacks” and “SSL” have gone completely mainstream due to the 2016 Presidential election here in the US and high profile hacking of celebrities’ personal iCloud accounts. Edward Snowden’s revelations about the NSA’s surveillance of American citizens’ online activity, as well as the ongoing drumbeat of news regarding the manipulation of Facebook and Google to sway news consumption around the globe, have put online security in the crosshairs of attention.

I didn’t realize just how much Harrelson Agency would grow into a website host when we first fired up the servers six years ago. But over the years, our insistence on ethical website hosting as well as transparent and ultra-secure hosting has become one of our selling points with clients. It’s why we get so many nonprofits and churches and political groups coming to us for both hosting and consulting as well as website design work. We sweat the small details and it’s fun to work with a team that gives a damn about protecting our customers and clients. Seriously, I never thought website hosting would be a big chunk of our revenue, but it’s becoming a larger and larger piece of the pie as groups, companies, politicians, and religious organizations realize the need for quality over something cheap like … well, those “start a free website today!” ads you see during the Super Bowl.

So, I’m proud to announce that we’re now a “Certified Partner” with Cloudflare. I personally trust and use Cloudflare on all of my sites (this one included) as well as our home’s DNS. It’s a fantastic service and I couldn’t be more proud to work with such a great group of people who are as passionate as I am about online security. Plus, their solutions are fast.

Here’s the email I’m sending out to our clients tomorrow in our newsletter with some words from the Cloudflare team:


“Harrelson Agency is excited to announce our partnership with Cloudflare, the website performance and security company.

Cloudflare is a content delivery network (CDN) that increases the performance and security of every website on its network, protecting from a broad range of threats and attacks. Over 7,000,000 websites run on the Cloudflare network—ranging from individual blogs to e-commerce sites to the websites of Fortune 500 companies to national governments. Cloudflare powers almost a trillion monthly page views—more than Amazon, Wikipedia, Twitter, Zynga, AOL, Apple, Bing, eBay, PayPal and Instagram combined—and over 25% of the Internet’s population regularly passes through our network.

Cloudflare increases the speed and security of your website and delivers faster web performance

Cloudflare was designed to take a hosting platform like Harrelson Agency’s and make it faster, more secure, and more reliable.

Cloudflare runs 151 data centers strategically located around the world. When you sign up for Cloudflare, we begin routing traffic to the nearest data center.

As your traffic passes through the data centers, we intelligently determine what parts of your website are static versus dynamic. The static portions are cached on our servers for a short period of time, typically less than 2 hours before we check to see if they’ve been updated. By automatically moving the static parts of your site closer to your visitors, the overall performance of your site improves significantly.

Cloudflare’s intelligent caching system also means you save bandwidth, which saves money and decreases the load on your servers, which means your web application will run faster and more efficiently than ever. On average, Cloudflare customers see a 60% decrease in bandwidth usage and a 65% decrease in total requests to their servers. The overall effect is that Cloudflare will typically cut the load time for pages on your site by 50%, which means higher engagement and happier visitors.

Broad web security

At the beginning of 2016, Cloudflare experienced and mitigated against some of the largest distributed denial of service (DDoS) attacks ever seen. As attacks like these increase, Cloudflare is stepping up to protect websites.

Cloudflare’s security protections offer a broad range of protections against attacks such as DDoS, hacking or spam submitted to a blog or comment form. What is powerful about our approach is that the system gets smarter the more sites that are part of the Cloudflare community. We analyze the traffic patterns of hundreds of millions of visitors in real time and adapt the security systems to ensure good traffic gets through and bad traffic is stopped.

In time, our goal is nothing short of making attacks against websites a relic of history. And, given our scale and the billions of different attacks we see and adapt to every year, we’re well on our way to achieving that for sites on the Cloudflare network.

We’re proud that every day more than a thousand new sites, including some of the largest on the web, join the Cloudflare community. If you’re looking for a faster, safer website, you’ve got a good start with Harrelson Agency.”

Most People Don’t Want Privacy

The broader question is the tradeoff between privacy and advertising. While a tempting noun, most people don’t really *want* privacy, let alone understand what that means. It’s definitely not an unattainable goal, but it does require work… which is something many of our fellow citizens are reluctant to pursue when it comes to such technological conditions.

Third, Google and Facebook’s advertising advantage, already massive, is going to become overwhelming. Both companies generate the majority of their user data on their own platforms, which is to say their data collection and advertising business are integrated. Most of their competitors for digital advertising, on the other hand, are modular: some companies collect data, and others collect ads; such a model, in a society demanding ever more privacy, will be increasingly untenable.

Source: Open, Closed, and Privacy – Stratechery by Ben Thompson

1.1.1.1

DNS is an important and overlooked backbone structure of how we interact and communicate with the web. If you think that Facebook and Google knowing so much about you is weird, you definitely don’t want to go down the rabbit hole of probing what your Internet Service Provider knows about you based on all the traffic that flows through them and their DNS services that you subscribe to.

I’ve been using Google’s 8.8.8.8 DNS for many years, but I’m excited to see another new player that promises complete encryption and privacy. Granted, Cloudflare is becoming a point-of-failure worry given how much heavy lifting they do as a content delivery network for many sites (including this one), but more competition is a good thing in this case (especially if the competitors aren’t advertising companies).

Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.

We think that’s gross. If you do too, now there’s an alternative: 1.1.1.1

Source: 1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver
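The claim above, that a plain DNS lookup shows anyone on the path which site you are visiting even when the page itself is encrypted, can be checked against the wire format itself. The following is an added example and not part of the original post or of Cloudflare’s material: it builds a standard DNS query in the RFC 1035 format that travels over UDP port 53, then parses it back, showing that the queried name sits in the packet as readable ASCII labels. The packet is constructed in memory only; nothing is sent over the network, and the hostname is a sample value.

```python
"""Added example: build an RFC 1035 DNS query and parse it back to show that
the queried hostname is carried in cleartext on a plain (unencrypted) DNS packet.
Everything here is constructed in memory; no network traffic is generated."""
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a query for an A record. Header fields are 16-bit big-endian:
    ID, FLAGS (RD=1 asks for recursion), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        # Each label is a length byte followed by the label's bytes, no encryption.
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A (1), QCLASS=IN (1)
    return header + question

def parse_query(packet: bytes) -> dict:
    """Decode the header and question section, rejecting truncated packets."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers appear in answers, not queries
            raise ValueError("unexpected compression pointer in question")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "recursion_desired": bool(flags & 0x0100),
            "qdcount": qdcount, "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass}

def visible_name_on_wire(packet: bytes) -> str:
    """What a passive observer of the packet learns: the full hostname."""
    return parse_query(packet)["name"]

def is_malformed(packet: bytes) -> bool:
    """True when the parser rejects the packet (e.g. cut off mid-label)."""
    try:
        parse_query(packet)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    pkt = build_query("www.example.com")  # sample hostname, constructed
    print(pkt.hex())
    print("observer sees:", visible_name_on_wire(pkt))
```

Running the block prints the hex of the packet; the label bytes `03 777777 07 6578616d706c65 03 636f6d 00` are the hostname spelled out in ASCII. Encrypting the transport (what the 1.1.1.1 announcement above promises) is what removes that plaintext from the wire; the web page’s own TLS does nothing for it.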

Surveillance Capitalism

Surveillance capitalism is deeply embedded in our increasingly computerized society, and if the extent of it came to light there would be broad demands for limits and regulation. But because this industry can largely operate in secret, only occasionally exposed after a data breach or investigative report, we remain mostly ignorant of its reach.

Bruce Schneier – Facebook and Cambridge Analytica

Massive MyFitnessPal Data Breach

Annnnd I just restarted my MyFitnessPal account last week after picking up the Apple Watch again.

Great.

I guess it’s just a given now that any sort of online service you sign up for is going to eventually have a data breach of some sort. Here’s to Two Factor Authentication and user-friendly hashing of login credentials.

Roughly 150 million people who are MyFitnessPal users were impacted by a breach, which Under Armour discovered earlier this week. An “unauthorized party” acquired data about MyFitnessPal users in late February 2018, Under Armour announced on Thursday.

Source: Massive Under Armour data breach through MyFitnessPal hits 150 million people – Business Insider

Churches and nonprofits should realize that Facebook privacy issues are just the tip of the iceberg

Way back in 2012, I was featured in a New York Times article titled “How To Muddy Your Tracks on the Internet” and offered up this bit as part of my interview (I was teaching Middle School Science at the time):

“The topic of privacy policies and what lies ahead for our digital footprints is especially fascinating and pertinent for me, since I work with 13- and 14-year-olds who are just beginning to dabble with services such as Gmail and all of Google’s apps, as well as Facebook, Instagram, social gaming,” he said. “I have nothing to hide, but I’m uncomfortable with what we give away.”

It feels like we were so naive then, doesn’t it? Perhaps.

Here’s a segment from a great post by Doc Searls:

Let’s start with Facebook’s Surveillance Machine, by Zeynep Tufekci in last Monday’s New York Times. Among other things (all correct), Zeynep explains that “Facebook makes money, in other words, by profiling us and then selling our attention to advertisers, political actors and others. These are Facebook’s true customers, whom it works hard to please.” Irony Alert: the same is true for the Times, along with every other publication that lives off adtech: tracking-based advertising. These pubs don’t just open the kimonos of their readers. They bring people’s bare digital necks bared to vampires ravenous for the blood of personal data, all for the purpose of “interest-based” advertising.

Source: Doc Searls Weblog · Facebook’s Cambridge Analytica problems are nothing compared to what’s coming for all of online publishing

I have no problem admitting that I’m a fanboy of Doc Searls. Search through the 12 years of archives here and you’ll find me quoting or sourcing him many times in posts regarding advertising throughout the years.

This is one of those seminal posts that I feel like I’ll come back to later and want to reflect upon giving newfound insight or knowledge. That often happens with posts from Searls.

What I’m particularly intrigued about here is the 1) action and 2) reaction notion of “NOW WHAT?”. What’s happened with Facebook and Cambridge Analytica over the last couple of weeks has been no surprise to those of us who work in the marketing and advertising world.

In fact, it’s incredibly easy and almost encouraged to use Facebook data to target people to an alarmingly intimate degree. It’s part of the game. I’ve always felt icky about the situation and I’ve more than once steered clients away from targeting users using FB Ad Manager for campaigns that would otherwise have been fine without that element.

It’s been an uneasy compromise for many of us, knowing what we give away in exchange for the enjoyment of friends and family pictures on Facebook. But this isn’t new. We just waited too long to do anything about it.

So where do we go now? I like Searls’ argument for a reader-first method of distinguishing rights and responsibilities for data on the web. Having worked in AdTech circles for 20 or so years now, I’m dubious about the execution or transformation that it will take to bring about such a revolution though.

Aside from the ethical dimension, there’s also the notion of democratization. Love it or hate it, AdTech and Facebook Ads and Twitter ads and affiliate marketing have leveled the playing field for many small businesses and nonprofits who could never have afforded agency rates as we knew them.

Perhaps that’s the lesson here for us all to learn. There needs to not only be profit involved in algorithmic marketing based on user profiles of demographic data, but also ethics.

We all need to do better with our marketing campaigns. However, the genie is out of the bottle to use another saying. There’s no going back to the quaint world of multi-million dollar Mad Men style creative brand advertisements dominating the industry.

I’d posit that’s a good thing. Meanwhile, online news and publishing and business and church and nonprofit sites should do better about monitoring the type of data they collect and pass on to third parties, either knowingly or unknowingly.

Churches and nonprofits especially need to heed this warning. Tracking is built into so many website builders and content management systems and email newsletter systems that they use. However, churches and nonprofits turn a blind eye to the reality that now faces them in an era where people are increasingly already turning away from their outreach.

It’s time to take the web (and those you’re looking to reach) seriously.

Reaping Data

Not to mention how companies and governments so haphazardly use this data for causes and purposes…

The unchecked power of companies that harvest our data is a great problem—but it’s hard to get angry about an idea that’s so nebulous. Like climate change, the reaping of our data is a problem of psychology as much as business. We know that the accumulation of massive power in so few hands is bad, but it’s impossible to anticipate what terrible result might come of it. And if we could envision them, these consequences are imaginary: abstract and in the future. It feels so oppressively intractable it’s hard to summon the will to act.

Source: Cambridge Analytica Is Finally Under Fire Because of Whistleblowers | WIRED

What Facebook knows about you and me and what I can do about it


Cambridge Analytica harvested personal information from a huge swath of the electorate to develop techniques that were later used in the Trump campaign.

Source: How Trump Consultants Exploited the Facebook Data of Millions – The New York Times


I often have consultations with clients involving data sources. Marketing has always been closely tied to the acquisition and analysis of data related to potential target audiences or desired demographics. A large part of what I do every day is staring at spreadsheets and trying to derive direction or wisdom out of data that Facebook or Twitter or Instagram or Snap or Google has gathered from their (often overlapping) groups of product users for our clients’ campaigns.

I loathe using the term “campaign” to refer to anything marketing related… it’s not a battle and we’re not at war. Even worse is the dehumanization that often occurs in marketing conversations we all have about the data generated by real people on the web. Both are related in that our gathering and use of this data combined with our resulting conclusions and “targeting” (again with the militaristic violent language) makes actual people into abstract data points.

It’s little talked about in our industry, but data ethics are something we really need to take more seriously in all aspects of our marketing efforts, whether you’re working with a Fortune 500 company or a small country church.

I know that I personally feel a twitch of regret mixed with reservation when I click on radio buttons to specify that I’d like to target women above the age of 40 who have relationship issues but live in this affluent ZIP code and enjoy looking at pictures of wine and spirits on Instagram. It’s terrifying. But, it’s relatively cheap and incredibly effective. Our church and nonprofit clients on shoestring budgets can’t get enough of the reach and response from this kind of data marketing (“like shooting fish in a barrel” is a common saying for a reason).

I did a good deal of work on ethics in Divinity School. I’m taking a course in the coming weeks on Data Science Ethics. Now, I need to do a better job of thinking through these types of marketing efforts and explaining the ethical implications of using this data given that most people have NO IDEA how much is known about them (yes, because of Facebook and social media but also because of the relative ease of connecting someone’s phone number or address or email with their browsing history, activity on location tracking services, voter records etc). I need to do a better job of helping clients think through the humanization and dehumanization involved with marketing and advertising and their own goals (especially for churches and nonprofits). I need to do a better job of providing real alternatives to the types of data usage that resulted in situations like our current political climate. I need to provide shoestring budget options for marketing that emphasizes humanity and relatedness rather than victory.

Otherwise, I’m just hanging out in Omelas.

Is there space for “ethical marketing” in a crowded environment of agencies driving the cost of “targeting” and “campaigning” and “development” to the lowest common denominator in terms of price and friction? I’m not sure. But I’m just crazy enough to start giving it a try.

WordPress Plugin Supply Chain Attacks

These are pretty popular plugins in the SEO world… I imagine lots more of these “supply chain attacks” exist due to older but still popular plugins being sold or leased:

If you have any of these plugins running on your site, we recommend that you remove them immediately and that you make sure that SEO spam hasn’t been injected into your site. Even though one of them, WP No External Links, has been updated to remove the backdoor, it has been closed, so it will never be updated again in the future.

via Three Plugins Backdoored in Supply Chain Attack

Building a website is cheap, but not protecting it is costly.


We use Wordfence as a default on all new WordPress client sites that we create, for good reason. Here’s a scary reminder that while building a website has become quick, easy, and relatively cheap, your company / nonprofit / church / community group should not take WordPress security for granted with cheap hosting and no one overseeing these sorts of things:

This is the highest volume brute force attack we have seen to date. It may also be using the fresh credentials that were provided in the database released on December 5th, so it may achieve a higher than normal success rate. Please spread the word among the WordPress community to create awareness of this new threat.

via Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC

Tech and Public Policy

Interesting article from NY’s Attorney General directed at the FCC:

In today’s digital age, the rules that govern the operation and delivery of internet service to hundreds of millions of Americans are critical to the economic and social well-being of the nation. Yet the process the FCC has employed to consider potentially sweeping alterations to current net neutrality rules has been corrupted by the fraudulent use of Americans’ identities — and the FCC has been unwilling to assist my office in our efforts to investigate this unlawful activity.

If law enforcement can’t investigate and (where appropriate) prosecute when it happens on this scale, the door is open for it to happen again and again

via An Open Letter to the FCC: – Eric Schneiderman – Medium

“a new combination of media company and public utility”

Great point… and it’s unimaginable to me that anyone in government or a high profile position would take their own (operational and informational) security so lightly…

As we saw this week, when Twitter, Facebook, and Google testified on Capitol Hill about Russia’s election meddling, “social media companies have failed to come to grips with who they are, and what role they play in society. They imagine themselves as tech companies that just make products, but they’re actually a new combination of media company and public utility,” Singer added.

These companies’ use of contractors, often part-time workers in internet call centers, to handle abuse and moderation is something else to consider. Twitter, for example, has never provided a breakdown of how much of its workforce is contracted.

via A Former Twitter Employee Told Us How a Contractor Could Take Down Trump’s Account – Motherboard

Is Apple’s New Face ID a Security Risk?

The majority of negative commentary I’m seeing about Face ID in particular amounts to “facial recognition is bad” and that’s it. Some of those responses seem to be based on the assumption that it introduces a privacy risk in the same way as facial tracking in, say, the local supermarket would. But that’s not the case here; the data is stored in the iPhone’s secure enclave and never leaves the device. More than anything though, we need to remember that Face ID introduces another security model with its own upsides and downsides on both security and usability. It’s not “less secure than a PIN”, it’s differently secure and the trick now is in individuals choosing the auth model that’s right for them.

via Troy Hunt: Face ID, Touch ID, No ID, PINs and Pragmatic Security

Good read here on the pragmatic nature of what Apple is doing by pushing technologies such as Touch ID and Face ID in its devices. No, they aren’t foolproof and there are downsides. But Face ID is a way to help ensure that the “mainstream” of security-apathetic users of these devices have at least some protection if their device is stolen etc.

However, it is appalling that most people simply ignore, or don’t care enough about, basic security options such as two-factor authentication, which is available on most of the web and financial services we all use.

I’m constantly urging clients to use services such as 1Password or LastPass for their password generation and storage, as well as services such as Authy, which make it easy to use two-factor authentication (and are safer than relying on SMS for codes).

“But I’m a nobody. Who would want to hack my GMail or Facebook or Twitter?” isn’t a viable rationale or excuse anymore, if ever!

Even Hackers Take Summer Vacations

Pretty staggering July stats from Wordfence regarding attempts to log in to WordPress installs with guessed user / passwords. People still don’t use secure passwords (or more preferably a password manager)…

The average number of daily brute force attacks increased 21% from last month, which was up substantially from May. Daily attack volumes were incredibly stable throughout the month, with no big peaks or valleys. It’s almost like the attackers went on vacation and left their malicious bots running on autopilot.

via The July 2017 WordPress Attack Report

Why Your Church or Nonprofit Website Needs Regular Security Updates


One of the items Harrelson Agency itemizes on invoices when building out a new client website (particularly when using WordPress or Drupal) is maintenance and security updates for the year.

It’s not a major cost, but I often receive questions about the charge and whether or not it’s really necessary. That’s particularly the case when dealing with churches, nonprofits, and small businesses who are on tight budgets and looking to save every penny possible (which is understandable). However, it’s necessary, and I always counsel our clients (of all sizes) to understand what that cost entails and why it’s beneficial in the long run.

Regardless of the amount of traffic your website receives, if your site is self hosted and using software such as WordPress or Drupal, you have to make sure you or your website manager are doing regular updates of plugins and versions, as well as making sure there is some sort of security software in place to manage firewalls, login attempts, IP attacks etc.

If you accept online donations or payments via your website, this is especially true. If you host any sort of “member directory” or registration information or personal details of your congregants or customers, this is especially true. That holds regardless of the size of your church, nonprofit, or business.
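The brute-force login campaigns in the Wordfence reports above, and the “security software in place to manage … login attempts” this post asks for, come down to one check: how many failed logins a single source address makes in a short window. The following is an added example, not code from this site or from Wordfence, showing that check as a sliding-window detector run over a few constructed web-server access-log lines. It assumes the common WordPress behaviour that a `POST /wp-login.php` answered with HTTP 200 re-rendered the login form (a failed attempt) while a 302 redirect means the login succeeded; the IP addresses, timestamps and threshold are sample values.

```python
"""Added example: flag source IPs that exceed N failed WordPress logins within a
sliding time window, the basic rule a login-protection plugin applies.
The log lines are constructed samples in the common combined access-log layout."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one attacker hammering the login form, one user who
# mistypes twice then succeeds (302), and one slow source that never reaches
# the threshold inside any 5-minute window.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2017:03:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
203.0.113.7 - - [14/Dec/2017:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
203.0.113.7 - - [14/Dec/2017:03:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
203.0.113.7 - - [14/Dec/2017:03:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
203.0.113.7 - - [14/Dec/2017:03:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
203.0.113.7 - - [14/Dec/2017:03:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
192.0.2.9 - - [14/Dec/2017:03:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2417
198.51.100.22 - - [14/Dec/2017:03:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
198.51.100.22 - - [14/Dec/2017:03:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
198.51.100.22 - - [14/Dec/2017:03:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [14/Dec/2017:03:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
192.0.2.9 - - [14/Dec/2017:03:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
192.0.2.9 - - [14/Dec/2017:03:14:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
192.0.2.9 - - [14/Dec/2017:05:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
192.0.2.9 - - [14/Dec/2017:05:11:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
192.0.2.9 - - [14/Dec/2017:05:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2417
"""

# Combined-log-format fields we need: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_failed_login(m: "re.Match") -> bool:
    """Assumption (labelled): WordPress answers a failed POST to wp-login.php with
    200 (form re-rendered) and a successful one with a 302 redirect."""
    return (m["method"] == "POST" and m["path"] == "/wp-login.php"
            and m["status"] == "200")

def detect_brute_force(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {ip: time_first_flagged} for every source whose failed logins
    reach `threshold` inside any sliding `window`. Lines must be in time order."""
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_failed_login(m):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        recent = attempts[m["ip"]]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures outside window
            recent.popleft()
        if len(recent) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"{ip} exceeded the failed-login threshold at {when:%H:%M:%S}")
```

With the default of five failures in five minutes only the first address is flagged; the user who mistypes twice and the slow source stay under the line. Lowering the threshold to three also catches the slow source, which is the usual trade-off when tuning a plugin like this: a tighter rule blocks distributed, low-and-slow guessing sooner but locks out forgetful legitimate users more often.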

This week, press (and governments) around the world are reeling from the explosive release of the Panama Papers. This is the largest leak of private documents ever, and exposes a number of world leaders and companies and their potentially illegal financial transactions. It happened because of outdated software with known vulnerabilities:

“FORBES discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.

That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers. On its site, the company claims: “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.” That boast now looks somewhat misguided.”

Source: From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers

So yes… in 2016 it certainly matters that you have good passwords and good security on your personal online accounts as well as those of your church or business.

Don’t wait until it’s too late and you have to deal with the ramifications.

Your Email Privacy (Thanks, Government)

Scary, true, and worth your attention if you value your privacy…

Mozilla will let go of Thunderbird | Boing Boing: “There are many good reasons to use standalone email clients, but for Americans one of the most compelling is the absurdly outdated Electronic Communications Privacy Act of 1986, which treats any file left on a server for more than six months as ‘abandoned’ and accessible to law enforcement without a warrant (no, really!). That includes all your Gmail previous to June 2015. Really. All of the efforts to reform ECPA have died on the vine, because law enforcement loves this creaking piece of legislation.”

Vote out your representative if they don’t “understand technology.” That’s not an excuse anymore.

Don’t Hold Up Signs on the Internet…


We’ve all seen them before and I’m seeing more and more of them now that the Holiday Season is upon us (and today is “Giving Tuesday”).

I know I’ve seen a number of well-intentioned pictures of people holding up signs to support a specific cause on social networks this winter. A large number of those, especially on Facebook, have been churches and religious groups.

I hate to be Donald Downer, but be careful with such postings, especially if they include your face. It’s very (very very) easy to take those and do less-than-well-intentioned things with the images after they’re found via Google Image Search or a Twitter Search or Instagram hashtag search etc.

You’re not Michelle Obama, but that doesn’t mean that your own perception of your network size (or good intention) protects you from the wilds of the internet in 2016 and beyond…

Michelle Obama gave the Internet a sign—here’s what it gave back: “But once Reddit got ahold of the photo, its users—well-known for hosting Photoshop battles such as this—went wild adding anything and everything to the blank page”

So be careful, or you could be espousing something you probably wouldn’t agree with.

Amazon Finally Gets 2 Factor Authentication (Please Go Turn This On For Your Account Now)


Here’s how to enable Amazon’s Two-Step Verification, a feature that adds an extra layer of security by asking you to enter a unique security code in addition to your password on computers and devices that you haven’t designated as trusted.

Source: Amazon.com Help: Turning On Two-Step Verification

Amazon finally has 2 Step Authentication. By all means, please go turn this on (and turn it on for all the services you actively use, from Gmail to Slack to Dropbox to Facebook to Twitter, etc.).

I’m a big fan of Authy as my preferred authenticator, but Google has one and you can always use your mobile device for receiving authentication texts.

But you need to do this asap for your personal and business accounts or count the days until you’re “hacked.”

“Censorship that doesn’t look like censorship”

Remember, “free speech” doesn’t always align with the user policies on Facebook, Twitter, etc. Own your content and your books, or learn to live with the trade-off of letting the algorithm decide how you vote…

“Censorship that doesn’t look like censorship. It deliberately reduces the spread of information that might otherwise go viral. Vicious. “You can say what you like but no one will hear you. And also, you’ll think no one cared, so you’ll give up trying.” Subtle, deniable, and quite ruthless.”

via Paul Dietric: Adventures in Twitter Censorship (PDF for obvious reasons)

Another Digital Divide Coming

Niels Ole Finnemann, a professor and director of Netlab, DigHumLab in Denmark, said: “The citizens will divide between those who prefer convenience and those who prefer privacy.”

via The Future of Privacy | Pew Research Center’s Internet and American Life Project.

I’ve long said that as the web continues to evolve, particularly as a social medium, we’ll see privacy and the idea of a federated web help shape a new digital divide.

On one side, there will be people who choose convenience and ease by utilizing networks akin to our current ones (i.e. Facebook). They’ll trade their privacy and data for social connections in a walled garden with pretty flowers.

On the other side will be the federated web by those who are able (either technologically or financially or both) to have and sustain their own web presence that they own and control.

This isn’t the geek vs. non-geek distinction we’ve had since the web started, or the situation we have in 2014-2015 where people who care about things like federation or privacy are outsiders.

Now we just need to kill apps.

Don’t Use Admin As Your WordPress Username

We create, host, and manage a number of sites for churches, non-profits, community groups, and businesses. As a part of that, we also spend a good deal of time “behind the scenes” keeping these websites safe and secure. Our clients often don’t realize how much work that entails in 2014 / 2015 with the growing sophistication and sheer number of bots and bad folks looking to exploit poorly constructed sites or social media accounts for other nefarious purposes (nor should they).

Setting up a WordPress site on your own is not hard to do. You have to find a host, click a few selections for your server, then run through the install. It’s gotten tremendously easier over the years. However, if you’re setting up a self-hosted WordPress site, you have to take security seriously.

For example, the screenshot above is just a small sampling of the attempts to “brute force” access to this site from this morning. There are hundreds of these every day for this site, and I see thousands daily for some of our larger clients. You’ll notice the attempts are all trying to gain access to the site with the username “admin.” Before WordPress 3.0, the default for new site installs was to use “admin” as the username. Combine that with the terrible passwords that most people online use, and it’s not hard to see that with enough permutations, the math is there. It’s fairly easy to buy a list of the most commonly used passwords on the web if you know the dark parts of the web to look, as well.

Here are my surface-level, generic recommendations, after about a decade of working in this area, if you do decide to set up a WordPress site for your church, group, or business…

1) Don’t use admin as your login username for WordPress or for any other account whether it will just be you logging in or a team of people.

2) Don’t use a short or “dictionary” phrase password. Use something unique to you and combine numbers, letters, etc. as much as you can. That’s not foolproof, and there’s research showing that doing so isn’t as effective as it once was, but it’s still a good practice. Even if you’re “bad at passwords,” as most humans claim to be, figure out a system for a stronger password. It’s worth your time, and it’s important no matter how small or large your site or social media account will be.

3) Use a good plugin such as Sucuri to keep track of security audits, reviews, and monitoring. Again, it’s worth your time and easy to set up email alerts for certain events.

4) Keep track of installed plugins and make sure that no one has installed a plugin that is actually a piece of malware or using your WordPress install for nefarious purposes. This is important especially if you are working with a number of people on a WordPress site and sharing a common user account rather than setting up various users (which you should do for a number of reasons).

5) Update, update, update. Keep your WordPress version, plugins, and themes as updated as possible. That usually means at least a couple of times a month.
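To show what the “brute force” attempts described above look like in a server log and how a site owner can spot them, here is an added example that is not from this post or from WordPress itself. It parses constructed Apache-style access log lines (the IPs are documentation addresses, not real attackers) and flags any IP that repeatedly POSTs to wp-login.php and gets the login form back (HTTP 200, which is what WordPress typically returns on a failed login, versus a 302 redirect on success); the threshold and window are assumptions you would tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not the screenshot from the post).
# Five rapid POSTs from one IP that each get the form back, then one
# successful login (302) from a different IP.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2014:06:01:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.5 - - [10/Dec/2014:06:01:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.5 - - [10/Dec/2014:06:01:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.5 - - [10/Dec/2014:06:01:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.5 - - [10/Dec/2014:06:01:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3921
198.51.100.7 - - [10/Dec/2014:06:05:00 -0500] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Dec/2014:06:20:00 -0500] "GET /wp-admin/ HTTP/1.1" 200 12044
"""

# Apache "common log format": ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map IP -> total failed login POSTs, for IPs that reach `threshold`
    failures inside any span of length `window` (sliding window)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Assumption: a failed login re-renders wp-login.php with HTTP 200.
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php") and rec["status"] == 200):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed login attempts")
```

Feed it your real access log instead of SAMPLE_LOG and the flagged IPs are the ones worth blocking at the firewall or in a plugin such as Sucuri.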

Of course, there are many other things to consider but I get this question frequently and wanted to make my initial thoughts easy for others to find. Setting up a WordPress site is a great idea and it’s not terribly difficult. However, do it the right way and make sure you are keeping your brand, visitors, and users free from any potential threats that you can avoid with a little time investment.