How To Protect Yourself From the Next Cambridge Analytica (Maybe)

So how about that Facebook thing, huh? How can you protect yourself?

There are a couple of things you can do to prevent, or at least hamper, the next Cambridge Analytica. (Of course, the next 10 or 13 Cambridge Analyticas have already struck and already have your stuff, but you know what I mean.)

Before I give you specific instructions, let’s go over a few points.

Stop Calling It a “Breach”

When this story broke Sunday (even though it’s really old news, but I digress), new readers repeatedly called it a “data breach,” while techie folks and most of the techie press kept correcting them. That’s because the distinction is not a fine point.

Facebook didn’t suspend CA and its parent company for “stealing” data. They suspended them for misusing it. For lying about why they wanted it. They’re not upset with them taking the data. They’re upset with lying about why they took it.

It’s Gonna Happen Again, And No One Cares

If Zuckerberg and Sandberg ever come out of hiding, they’ll make promises. Empty promises. Senators and Congresspeople will make bold statements. Dianne Feinstein, one of Silicon Valley’s Senators, will demonstrate her inability to grasp the fundamentals of well, our Universe, and nothing will change.

Collecting and selling this data is Facebook’s business, and another story that’s been drowned out, for the most part, makes this crystal clear. Facebook’s Chief Information Security Officer is quitting over a disagreement about how Facebook handles these issues, and his department, which has already been cut from 120 people to 3, is being eliminated.

He has been overseeing the transfer of his security team to Facebook’s product and infrastructure divisions. (emphasis added) His group, which once had 120 people, now has three, the current and former employees said.

Taking a department, breaking it up, and distributing its responsibilities across the departments it used to oversee means it’s less important, not more. Anything Facebook promises about dealing with misuse of information or use of misinformation is bullshit.

All of the mechanisms used by CA were permitted by Facebook’s system. Many of them have since been disabled, but only after Facebook was pressured by users and the government.

If a Product Is Free…You Know The Deal

You are the product on Facebook, Twitter, Google, and everything else free on the Internet. The philanthropists have left the building.

Google at least gives you tools to run a business and find damn near anything on the ‘net. It doesn’t make them any less evil (I mean, they even scrapped the “Don’t Be Evil” sham a while back) and I don’t even use them as my default search engine anymore, but the transaction is clear. “Use us to process information, and we’ll collect it.”

What does Facebook give you? A way to communicate trivial things. Poorly.

If you have something to sell, it is pretty useful. Of course, you have to pay for that part.

So What Can I Do?

Short of no longer using FB, which I am not even doing myself yet, do this:

1. Go to Settings.
2. Go to Privacy and make it look like this. (Click to embiggen.)
   • Only friends can see your posts.
   • Stuff you are tagged in has to be reviewed by you. (Facebook will let you know.)
   • Only you can see your friends list. (This is important.)
   • Only friends can use your email address and your phone number to find you.
   • Your Facebook profile is not visible outside of Facebook.

1. Go to Apps.
2. Click on “Apps Others Use” and get very angry at Facebook. This is where you can control what your friends share about you with other apps. Check out those default settings. Then make it look like mine.
3. Extra Credit: disable Apps, Websites, and Plugins. If you want to be totally locked down, disable this feature. You may find it makes it impossible for you to use your Facebook profile to log into other websites. You shouldn’t be doing that anyway. Your call.

That’s about all you can do, short of giving up on social media altogether. I’m close myself, but not there yet.

Stay tuned. This blog is alive again.

How to Suck At Security, By Verizon

I switched to Verizon FIOS a couple of weeks ago. I live in the U.S., so I don’t have access to anything resembling a good Internet provider. This is because a central tenet of our form of capitalism is that utilities must be delivered by poorly run and weakly regulated monopolies.

However, I do live in an area where I have a choice between a slowly dying cable company in the throes of denial (check out that 90s web design) and a company that only exists because the government won an antitrust suit and then let them ignore it.

I switched to Verizon because they finally offered what I wanted: just Internet. Cablevision advertises they will give you that, and then refuses to actually sell it to you.

So yesterday I realized a bill I was supposed to receive from Verizon hadn’t arrived. I wanted to pay it before I ended up in some kind of debtor’s prison, or worse, without access to Netflix. I went to their site, paid the bill, and while I was there I set my password to a stronger one than I had set up during the install, and also set the “secret question.”

Eighteen hours later I received this text message:

WTF?

This seemed to be an alert regarding the changes I had made. But eighteen hours later? Really?

I decided to be safe and change them again. That way I could be sure the account hadn’t been compromised somehow, and also see how long it really takes to get the alert.

Here are the options for security questions:

security questions

The idea behind these questions is “something you know” beyond the password. It’s two-factor authentication for companies that don’t really give a crap about their customers, but want to avoid a lawsuit.

The problems with Verizon’s pre-canned questions are two-fold:

What if you don’t have a good answer? For example: what if you’re single? What if you’re older than 12 and don’t have a “best friend?” What if you didn’t stay on campus for college or, gasp, didn’t even go? Etc.

This seems like a trivial issue, but if the questions don’t fit well there’s a chance you’ll use an answer that you can’t remember later.

The other problem is: they can be predicted. If another site is compromised and used the same lame-ass questions, those answers can be used to compromise this one, or vice versa.

The right way to handle this is to let me specify both the question and the answer. It also requires very little additional development and testing.

Assuming, of course, that you are not trying to spend as little as possible on protecting your clients’ information.

Now here’s where you enter the answer:

enter answer

You only enter it once, and you never see it. What could go wrong?
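As an added example (my own code, not Verizon’s and not from the original post), here is how enrolment along the lines argued above could be handled: the user writes both the question and the answer, the answer is typed twice and compared instead of entered once blind, it is normalised so a later capitalisation slip still matches, and only a salted hash is stored, so a compromise of one site does not hand the answer to the next. The iteration count, minimum length and function names are my assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Tunables for this illustration only; a real deployment picks its own.
ITERATIONS = 200_000
MIN_ANSWER_CHARS = 3


def normalize(answer: str) -> str:
    """Casefold and collapse whitespace so 'Fluffy ' and 'fluffy' match later."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def enroll(question: str, answer: str, confirm: str) -> dict:
    """Store a user-written question and a hashed answer.

    The answer is entered twice (confirm) so a typo cannot lock the user out,
    and it is kept only as a salted PBKDF2 digest, never in clear text.
    """
    if not question.strip():
        raise ValueError("question must not be empty")
    a, c = normalize(answer), normalize(confirm)
    if a != c:
        raise ValueError("answers do not match")
    # Reject answers that are trivially short or just repeat the question.
    if len(a) < MIN_ANSWER_CHARS or a == normalize(question):
        raise ValueError("answer too weak")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", a.encode(), salt, ITERATIONS)
    return {"question": question.strip(), "salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Check a recovery attempt against the stored hash in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt).encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])
```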

When was the last time you entered a password, credit card number, or the name of your favorite pet, and were worried about someone watching over your shoulder?

Actually, when was the first time?

I’m going to go out on a limb here: fucking never.

This is an idiotic idea, cooked up by someone way too fond of 1974 Gene Hackman movies. Maybe, just maybe, this precaution is merited for cell phones, although if you think about it: if they can read your screen then watching what you type isn’t much of a stretch, is it?

But if you think you’ve got a problem with people reading your passwords over your shoulder at work or at home on a computer, you need a divorce lawyer or a recruiter. Or counseling.

At least give us a “show password” check box. Or maybe take a moment to think instead of following the flock over the cliff of shitty design.

Which brings us here:

password
No LastPass controls.

I use LastPass to manage my passwords. That’s because like most people in 2016 I have a ton of them to worry about. I like my passwords long and unique. (There’s a joke in there. I’ll leave it to you.) When I see a story or get an email that a website I use was compromised, I don’t have to worry. I can just update that one site and carry on.

LastPass creates unique passwords for me and will fill them out. At least it will fill them out when the website doesn’t make it difficult with fancy pop-ups, lightboxes, and blatant disregard for their users. Some sites, like Verizon, don’t work with password managers.

I don’t blame low budgets for this one. I blame crappy design. Part of designing a login page/control/dialog should be testing compatibility with password managers built into browsers and at least 1Password and LastPass.

Encouraging your users to manage their passwords responsibly is good security and part of being user-friendly.

I wish I could say that Verizon’s crappy website was somehow unique, but it’s not, and I’m willing to bet its ample whitespace (literally), sparse design, and fancy lightboxes won some compliments: from people that don’t have to use it.

However, eighteen hours for a security text? That is uniquely bad. That’s “boy who cried wolf” bad.

By the way, it’s been two hours since I re-updated my password and security question. Still no alert.

Maybe I should find another Internet provider. Ha! Just kidding. I’m American.
