Category: Security

1.1.1.1

DNS is an important and overlooked backbone structure of how we interact and communicate with the web. If you think that Facebook and Google knowing so much about you is weird, you definitely don’t want to go down the rabbit hole of probing what your Internet Service Provider knows about you based on all the traffic that flows through them and their DNS services that you subscribe to.

I’ve been using Google’s 8.8.8.8 DNS for many years, but excited to see another new player that promises complete encryption and privacy. Granted, Cloudflare is becoming a point-of-failure worry given how much heavy lifting they do as a content delivery network for many sites (including this one), but more competition is a good thing in this case (especially if they aren’t advertising companies).

Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it target you with ads.

We think that’s gross. If you do too, now there’s an alternative: 1.1.1.1

Source: 1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver

Surveillance Capitalism

Surveillance capitalism is deeply embedded in our increasingly computerized society, and if the extent of it came to light there would be broad demands for limits and regulation. But because this industry can largely operate in secret, only occasionally exposed after a data breach or investigative report, we remain mostly ignorant of its reach.

Bruce Schneier – Facebook and Cambridge Analytica

Massive MyFitnessPal Data Breach

Annnnd I just restarted my MyFitnessPal account last week after picking up the Apple Watch again.

Great.

I guess it’s just a given now that any sort of online service you sign up for is going to eventually have a data breach of some sort. Here’s to Two Factor Authentication and user-friendly hashing of login credentials.

Roughly 150 million people who are MyFitnessPal users were impacted by a breach, which Under Armour discovered earlier this week. An “unauthorized party” acquired data about MyFitnessPal users in late February 2018, Under Armour announced on Thursday.

Source: Massive Under Armour data breach through MyFitnessPal hits 150 million people – Business Insider

Churches and nonprofits should realize that Facebook privacy issues are just the tip of the iceberg

Way back in 2012, I was featured in a New York Times article titled “How To Muddy Your Tracks on the Internet” and offered up this bit as part of my interview (I was teaching Middle School Science at the time):

“The topic of privacy policies and what lies ahead for our digital footprints is especially fascinating and pertinent for me, since I work with 13- and 14-year-olds who are just beginning to dabble with services such as Gmail and all of Google’s apps, as well as Facebook, Instagram, social gaming,” he said. “I have nothing to hide, but I’m uncomfortable with what we give away.”

It feels like we were so naive then, doesn’t it? Perhaps.

Here’s a segment from a great post by Doc Searls:

Let’s start with Facebook’s Surveillance Machine, by Zeynep Tufekci in last Monday’s New York Times. Among other things (all correct), Zeynep explains that “Facebook makes money, in other words, by profiling us and then selling our attention to advertisers, political actors and others. These are Facebook’s true customers, whom it works hard to please.” Irony Alert: the same is true for the Times, along with every other publication that lives off adtech: tracking-based advertising. These pubs don’t just open the kimonos of their readers. They bring people’s bare digital necks bared to vampires ravenous for the blood of personal data, all for the purpose of “interest-based” advertising.

Source: Doc Searls Weblog · Facebook’s Cambridge Analytica problems are nothing compared to what’s coming for all of online publishing

I have no problem admitting that I’m a fanboy of Doc Searls. Search through the 12 years of archives here and you’ll find me quoting or sourcing him many times in posts regarding advertising throughout the years.

This is one of those seminal posts that I feel like I’ll come back to later and want to reflect upon giving newfound insight or knowledge. That often happens with posts from Searls.

What I’m particularly intrigued about here is the 1) action and 2) reaction notion of “NOW WHAT?”. It’s been no surprise to us that work in the marketing and advertising world what’s happened with Facebook and Cambridge Analytica over the last couple of weeks.

In fact, it’s incredibly easy and almost encouraged to use Facebook data to target people to an alarmingly intimate degree. It’s part of the game. I’ve always felt icky about the situation and I’ve more than once steered clients away from targeting users using FB Ad Manager for campaigns that would otherwise have been fine without that element.

It’s been an uneasy compromise for many of us, knowing what we give away in exchange for the enjoyment of friends and family pictures on Facebook. But this isn’t new. We just waited too long to do anything about it.

So where do we go now? I like Searls’ argument for a reader-first method of distinguishing rights and responsibilities for data on the web. Having worked in AdTech circles for 20 or so years now, I’m dubious about the execution or transformation that it will take to bring about such a revolution though.

Aside from the ethical dimension, there’s also the notion of democratization. Love it or hate it, AdTech and Facebook Ads and Twitter ads and affiliate marketing have leveled the playing field for many small businesses and nonprofits who could never have afforded agency rates as we knew them.

Perhaps that’s the lesson here for us all to learn. There needs to not only be profit involved in algorithmic marketing based on user profiles of demographic data, but also ethics.

We all need to do better with our marketing campaigns. However, the genie is out of the bottle to use another saying. There’s no going back to the quaint world of multi-million dollar Mad Men style creative brand advertisements dominating the industry.

I’d posit that’s a good thing. Meanwhile, online news and publishing and business and church and nonprofit sites should do better about monitoring the type of data they collect and pass on to 3rd parties either knowingly or unknowingly.

Churches and nonprofits especially need to heed this warning. Tracking is built into so many website builders and content management systems and email newsletter systems that they use. However, churches and nonprofits turn a blind eye to the reality that now faces them in an era where people are increasingly already turning away from their outreach.

It’s time to take the web (and those you’re looking to reach) seriously.

Reaping Data

Not to mention how companies and governments so haphazardly use this data for causes and purposes…

The unchecked power of companies that harvest our data is a great problem—but it’s hard to get angry about an idea that’s so nebulous. Like climate change, the reaping of our data is a problem of psychology as much as business. We know that the accumulation of massive power in so few hands is bad, but it’s impossible to anticipate what terrible result might come of it. And if we could envision them, these consequences are imaginary: abstract and in the future. It feels so oppressively intractable it’s hard to summon the will to act.

Source: Cambridge Analytica Is Finally Under Fire Because of Whistleblowers | WIRED

What Facebook knows about you and me and what I can do about it


Cambridge Analytica harvested personal information from a huge swath of the electorate to develop techniques that were later used in the Trump campaign.

Source: How Trump Consultants Exploited the Facebook Data of Millions – The New York Times

I often have consultations with clients involving data sources. Marketing has always been closely tied to the acquisition and analysis of data related to potential target audiences or desired demographics. A large part of what I do every day is staring at spreadsheets and trying to derive direction or wisdom out of data that Facebook or Twitter or Instagram or Snap or Google has gathered from their (often overlapping) groups of products users for our clients’ campaigns.

I loathe using the term “campaign” to refer to anything marketing related… it’s not a battle and we’re not at war. Even worse is the dehumanization that often occurs in marketing conversations we all have about the data generated by real people on the web. Both are related in that our gathering and use of this data combined with our resulting conclusions and “targeting” (again with the militaristic violent language) makes actual people into abstract data points.

It’s little talked about in our industry, but data ethics are something we really need to take more seriously in all aspects of our marketing efforts, whether you’re working with a Fortune 500 company or a small country church.

I know that I personally feel a twitch of regret mixed with reservation when I click on a radio buttons to specify that I’d like to target women above the age of 40 who have relationship issues but live in this affluent ZIP code and enjoy looking at pictures of wine and spirits on Instagram. It’s terrifying. But, it’s relatively cheap and incredibly effective. Our church and nonprofit clients on shoestring budgets can’t get enough of the reach and response from this kind of data marketing (“like shooting fish in a barrel” is a common saying for a reason).

I did a good deal of work on ethics in Divinity School. I’m taking a course in the coming weeks on Data Science Ethics. Now, I need to do a better job of thinking through these types of marketing efforts and explaining the ethical implications of using this data given that most people have NO IDEA how much is known about them (yes, because of Facebook and social media but also because of the relative ease of connecting someone’s phone number or address or email with their browsing history, activity on location tracking services, voter records etc). I need to do a better job of helping clients think through the humanization and dehumanization involved with marketing and advertising and their own goals (especially for churches and nonprofits). I need to do a better job of providing real alternatives to the types of data usage that resulted in situations like our current political climate. I need to provide shoestring budget options for marketing that emphasizes humanity and relatedness rather than victory.

Otherwise, I’m just hanging out in Omelas.

Is there space for “ethical marketing” in a crowded environment of agencies driving the cost of “targeting” and “campaigning” and “development” to the lowest common denominator in terms of price and friction? I’m not sure. But I’m just crazy enough to start giving it a try.

WordPress Plugin Supply Chain Attacks

These are pretty popular plugins in the SEO world… I imagine lots more of these “supply chain attacks” exist due to older but still popular plugins being sold or leased:

If you have any of these plugins running on your site, we recommend that you remove them immediately and that you make sure that SEO spam hasn’t been injected into your site. Even though one of them, WP No External Links, has been updated to remove the backdoor, it has been closed, so it will never be updated again in the future.

via Three Plugins Backdoored in Supply Chain Attack

Building a website is cheap, but not protecting it is costly.

massive-brute-force-attack-dec18

We use Wordfence as a default on all new WordPress client sites that we create for good reason. Here’s a scary reminder that while building a website has become quick, easy, and relatively cheap your company / nonprofit / church / community group should not take WordPress security for granted with cheap hosting and no one overseeing these sorts of things:

This is the highest volume brute force attack we have seen to date. It may also be using the fresh credentials that were provided in the database released on December 5th, so it may achieve a higher than normal success rate. Please spread the word among the WordPress community to create awareness of this new threat.

via Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC

Tech and Public Policy

Interesting article from NY’s Attorney General directed at the FCC:

In today’s digital age, the rules that govern the operation and delivery of internet service to hundreds of millions of Americans are critical to the economic and social well-being of the nation. Yet the process the FCC has employed to consider potentially sweeping alterations to current net neutrality rules has been corrupted by the fraudulent use of Americans’ identities — and the FCC has been unwilling to assist my office in our efforts to investigate this unlawful activity.

If law enforcement can’t investigate and (where appropriate) prosecute when it happens on this scale, the door is open for it to happen again and again

via An Open Letter to the FCC: – Eric Schneiderman – Medium