Via Bruce Schneier, an advisor to the project, Citizen Lab has created an online tool to help you stay safe online:
Security Planner is a custom security advice tool from Citizen Lab. Answer a few questions, and it gives you a few simple things you can do to improve your security. It's not meant to be comprehensive, but instead to give people things they can actually do to immediately improve their security. I don't see it replacing any of the good security guides out there, but instead augmenting them.
The advice is peer reviewed, and the team behind Security Planner is committed to keeping it up to date.
Some of the recommendations are simple: use Chrome; use https:// whenever it's available; use your computer's built-in encryption (BitLocker on Windows and FileVault on Mac). Some are a little more complex: use two-factor authentication; set up a password manager.
I recommend anyone who uses computers do a quick self-exam with the tool—especially if you aren't that experienced with security.
The unsurprising news that President Trump tweeted about something that his son found out only minutes before back in June shows just how foreign governments can use his impulsiveness and stupidity to play him:
Seeing Assange prompt a Trump tweet, via Don Jr, is I suspect only the first and clearest of many examples. Who told Trump what? In a lot of cases Trump’s tweets will likely tell us. Trump’s October 12th Wikileaks tweet was totally opaque until we found out about Don Jr’s DMs with Assange a few minutes before. Trump’s tweets are impulsive, immediate, unvarnished. They amount to realtime surveillance of what he was thinking and what he knew at key points of the campaign. They just require the fruits of the ongoing investigations to decipher what they mean.
Some day, we'll find out (perhaps through a Truth & Reconciliation Committee) just how badly this man has hurt the country.
I'm chilling in my hotel room on the second day of my trip, not sure how much longer I'll remain awake. (Waking up at 5am sucks, even more so when it's 4am back home.) This is a problem in that I need to write some code before tomorrow.
So I've spent a few minutes perusing the blog feeds and news reports that came in today, and I have a favorite. The favorite is not:
No, though all of those brought little flutters of joy to my heart, the story that London is going to make Oxford Street a pedestrian utopia by 2020 really got my interest. Since I have never driven a car anywhere in Zone 1 and have no intention of ever doing so, I think blocking 800 meters of Oxford Street to cars is fookin' brilliant.
I'm about to fly to San Antonio for another round of researching how the military tracks recruits from the time they get to the processing center to the time they leave for boot camp (officially "Military Basic Training" or MBT).
I have some stuff to read on the plane:
OK, off to K20. Or K18. Or wherever my plane has got to.
Imagine the largest office building (in land area) you've ever been in, add a small shopping mall, four food courts, and the security that demonstrates exactly how silly and ineffectual airport security is, and that's the Pentagon.
I'm in a little island that's like an anti-SCIF (Secure Compartmented Information Facility). We're in the one unclassified office in the ring, complete with unclassified Internet service, and because of that, behind two steel doors and in a Faraday cage. And it's literally the only place we're allowed to take pictures, which is sad because every hallway in the building is a museum exhibit. It's weird.
That, and the fact that we can't go to the bathroom without an escort, makes this a very strange day indeed.
Also, it's like an ongoing pop quiz in uniform insignia recognition. And I'm still having problems with upper enlisted ranks.
Home tomorrow, after a visit to a military facility outside Baltimore.
I've got a lot going on today, with a final rehearsal tonight before Saturday's dress for Carmina Burana (get tickets here) and two business trips in the next 10 days. But there are a few articles to note in today's media:
Back to work now.
Via Bruce Schneier, a British reporter requested her data dossier from Tinder. As with so many other things in life, she was shocked, but not surprised:
The dating app has 800 pages of information on me, and probably on you too if you are also one of its 50 million users. In March I asked Tinder to grant me access to my personal data. Every European citizen is allowed to do so under EU data protection law, yet very few actually do, according to Tinder.
With the help of privacy activist Paul-Olivier Dehaye from personaldata.io and human rights lawyer Ravi Naik, I emailed Tinder requesting my personal data and got back way more than I bargained for.
Some 800 pages came back containing information such as my Facebook “likes”, my photos from Instagram (even after I deleted the associated account), my education, the age-rank of men I was interested in, how many times I connected, when and where every online conversation with every single one of my matches happened … the list goes on.
What will happen if this treasure trove of data gets hacked, is made public or simply bought by another company? I can almost feel the shame I would experience. The thought that, before sending me these 800 pages, someone at Tinder might have read them already makes me cringe.
But as Schneier points out, "It's not [just] Tinder. Surveillance is the business model of the Internet. Everyone does this."
Republican Illinois governor Bruce Rauner, the best governor we have right now, vetoed a bill that would have required companies to get affirmative consent from consumers before selling their geolocation data:
“The bill is not overreaching,” said Chris McCloud, a spokesman for the Digital Privacy Alliance, a Chicago-based nonprofit advocating for state-level privacy legislation. “It is merely saying, ‘If you’re going to sell my personal geolocation data, then just tell me upfront that’s what you are going to do so I can make a decision as to whether I want to download this app or not.’ ”
The Federal Trade Commission has issued general guidance, and there are a variety of industry self-regulatory codes of conduct, from automakers to online advertisers, but federal law does not provide clear geolocation privacy protection.
The online advertising industry increasingly depends on tracking consumers to serve up lucrative and effective targeted ads. Data collection enables advertisers to learn everything from your search habits and recent purchases to where you travel, often in real time.
Remember: you're the product, not the customer. And that's how Republicans like it.
The January release of Google Chrome will prevent videos from auto-playing:
Starting in Chrome 64, which is currently earmarked for a January 2018 release, auto-play will only be allowed when the video in question is muted or when a "user has indicated an interest in the media."
The latter applies if the site has been added to the home screen on mobile or if the user has frequently played media on the site on desktop. Google also says auto-play will be allowed if the user has "tapped or clicked somewhere on the site during the browsing session."
"Chrome will be making auto-play more consistent with user expectations and will give users more control over audio," writes Google in a blog post. "These changes will also unify desktop and mobile web behavior, making web media development more predictable across platforms and browsers."
I mean, really. The more advertisers annoy the shit out of us, the less effective it will be.
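One way a page can cope with the policy quoted above, as an added example that is not code from the original post or from Google: the promise returned by `play()` rejects with a `NotAllowedError` when the policy blocks playback, so the page tries with sound, falls back to muted autoplay, and otherwise reports "blocked" so a visible play control can be shown. The `fakeVideo` stand-in is constructed here so the block runs outside a browser.

```javascript
// Added example: handling Chrome 64's autoplay policy defensively.
// Chrome resolves or rejects the promise returned by HTMLMediaElement.play();
// a rejection named "NotAllowedError" means the policy blocked playback.
async function startPlayback(video) {
  // First attempt: play with sound. Allowed only after a user gesture,
  // a home-screen install, or a strong media-engagement history.
  try {
    await video.play();
    return "unmuted";
  } catch (err) {
    if (!err || err.name !== "NotAllowedError") throw err; // a real failure, not policy
  }
  // Second attempt: muted autoplay is always permitted under the new policy.
  video.muted = true;
  try {
    await video.play();
    return "muted";
  } catch (err) {
    if (!err || err.name !== "NotAllowedError") throw err;
    return "blocked"; // caller should render a visible play button instead of retrying
  }
}

// Constructed stand-in for a <video> element (assumption: not a real browser API).
// `policy` mimics the browser: "gesture" allows sound, "none" allows only muted
// playback, "never" refuses everything (e.g. a user setting that disables autoplay).
function fakeVideo(policy) {
  return {
    muted: false,
    play() {
      const allowed = policy === "gesture" || (policy === "none" && this.muted);
      if (allowed) return Promise.resolve();
      const e = new Error("play() failed because the user didn't interact with the document first.");
      e.name = "NotAllowedError";
      return Promise.reject(e);
    },
  };
}

// In a page this would be: startPlayback(document.querySelector("video")).then(mode => ...)
```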
While not quite as viscerally grotesque as a 140-tonne fatberg, new details about the failures at Equifax that led to its massive data breach are still pretty disgusting:
Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn't.
As the security community processes the news and scrutinizes Equifax's cybersecurity posture, numerous doubts have surfaced about the organization's competence as a data steward. The company took six weeks to notify the public after finding out about the breach. Even then, the site that Equifax set up in response to address questions and offer free credit monitoring was itself riddled with vulnerabilities. And as security journalist Brian Krebs first reported, a web portal for handling credit-report disputes from customers in Argentina used the embarrassingly inadequate credentials of "admin/admin." Equifax took the platform down on Tuesday. But observers say the ongoing discoveries increasingly paint a picture of negligence—especially in Equifax's failure to protect itself against a known flaw with a ready fix.
Whenever conservatives say that private industry is better at solving problems than government, I just think about some of the companies I've worked for, stir in crap like this, and laugh out loud.