Categories
Security

10 steps to make your data harder to find online

There are two key concepts in information security: threat model and attack surface.

“Threat model” is another way of asking, “Who’s out to get you?” If your threat model includes the curiosity of nation-state intelligence services, you have many more things to worry about than J. Random User. It’s more likely that voicing a contrary opinion on social media might make you yet another unwitting main character of Twitter, or that a stray mention by someone else could bring you to the attention of the internet’s malcontents.

“Attack surface,” meanwhile, describes a target’s vulnerable access points that an attacker will seek to exploit. When it comes to the internet, it’s nearly impossible to collapse your attack surface to zero — you’ll never achieve that without going into witness protection. Our goal in this article is to help you condense your attack surface as much as possible.

Admittedly, trying to scrub your offline coordinates from the online world can feel like counting cicadas during the every-17-years emergence of those sex-starved insects: you can start, but you will never finish.

But that doesn’t mean that giving up is the right answer. With some effort, you can make data points like your street address, phone number, and birthday less visible online — and therefore less easily available for harassment or identity theft.

This exercise will also renew your awareness — as unpleasant as the consequences might be — of just how much data about you sloshes around the web. And it may get you to think anew about how you want to craft the picture that emerges of you online in a stranger’s search.

1. Dox yourself before other people do

“I can tell you the cheapness and the availability of information you can get about anyone online would shock you,” says Brianna Wu, a Massachusetts game developer who was among the more public targets of the Gamergate harassment campaign and has since become an advocate for better online privacy.

For example, in some states, you can look up someone’s voter registration by providing their name and birthday. That will yield their home address; if they own a home, you can then plug the address into their county or city’s property-tax assessments page to see what they paid for it and what it’s worth now.

Other sources include social media such as Facebook and LinkedIn, your WHOIS profile, and any other information that may be floating around. Once this information is available, data brokers can then mine and combine public and private records, with the results on sale at low, low prices — sometimes, for free.

What you can do:

  • This first step may be the most unsavory: open an incognito window in your browser (so Google or any other search engine shows what a stranger would see) and search for your name and street address, name and phone number, name and birthday, and name and last four digits of your Social Security number.
  • Note that, individually, each data point may not look like a huge privacy risk — but combining them can unlock various other databases.

Sites like Intelius aggregate info on individuals and make that info available.

2. Opt out where you can

The results of your search will probably include a list of people-finder sites such as Spokeo, Intelius, and Whitepages that serve up the output of data brokers that themselves collect and fuse information from private and public records.

As you look through the search results, most will be somewhere in the “not great, but not terrible” range. Note which sites claim to have your information and get as far as you can (without paying) to see how much data they claim to have.

What you can do

  • First, you have to find all the sites you need to check — and how to contact them if they have your data. Data-removal service DeleteMe maintains a list of opt-out instructions for dozens of data brokers; in one I tested, DeleteMe provided more accurate help on how to remove your data than the actual third-party service in question.
  • Reputable people-finder sites offer free opt-outs of varying usability. At Spokeo and BeenVerified, I had to do little more than identify my listing, enter my email address, and click a link in the message sent to me. At the data broker Intelius, the back end of multiple people-locator sites, I had to input a code sent to my email instead of just clicking a link.
  • Others make it a lot harder. For example, at Whitepages, the “suppression request” protocol requires you to provide a phone number for an automated call. MyLife tells non-California residents to call or email; citizens of the Golden State, however, can use the opt-out required by the California Consumer Privacy Act.

Whitepages makes you supply your phone number if you want to remove a listing.

  • Some of your data may actually be defunct or incorrect. In that case, it’s up to you whether you want to go through the trouble of deleting it.

3. Watch out for repeat offenders

Be aware that opting out once doesn’t mean you will stay opted out. I opted out of a Spokeo listing back in 2014, only to have to do that all over again for this story. Because data brokers and people-finder sites continually ingest data from public and private sources, this industry operates as a self-licking ice cream cone.

“A game of whack-a-mole,” summed up Soraya Chemaly, a writer and activist who has both studied and been a target of online harassment.

Rob Shavell, CEO of Abine, the Somerville, Massachusetts, company behind DeleteMe, said in an email that 43 percent of DeleteMe customers saw some of their data resurface at one or more data brokers six months after having their info expunged.

What you can do

  • If you have the time and inclination, go back to the major data brokers about every six months and check to make sure your information is still off their sites.
  • If you don’t have the time, but you do have the funds, DeleteMe will remove your data from the sites and monitor any changes. It charges $129 per year for that service (but often posts coupon codes for 20 percent off). That business model requires customers to trust DeleteMe with the same personal info they want to make vanish from the public web. The company’s site says the right things about it needing customer trust to survive but doesn’t get into details about its security measures. (Shavell provided more context in email, saying, “All data in DeleteMe is encrypted at rest,” after noting that the company requires all employees to secure their accounts with two-step verification and is subjecting itself to an “SOC 2” outside security audit.)

4. Try Google’s information-removal feature

Some sites may go beyond offering your basic contact info. If you encounter sites that include sensitive financial or medical data points, expose personal information in order to dox you, or demand payment in order to remove personal info, you can avail yourself of Google’s information-removal policy.

Note that this is not as sweeping as the results-removal options Google provides in the European Union to comply with the EU’s “right to be forgotten” — which as of June 1st had led to more than 1.7 million pages being delisted. Google did not say how many pages had been delisted in the US under the narrower American policy.

In an April 19th blog post, Danny Sullivan, Google’s public liaison for search, noted that while Google will let people request to be de-linked from pages with their data on sites with “exploitative removal policies,” it will not de-index those sites completely in case “people may want to access these sites to find potentially useful information or understand their policies and practices.”

Microsoft’s Bing provides a similar results-removal option.

Only some of the data wellsprings that flow into data-broker databases — or are otherwise open for the inspection of strangers — allow any sort of feasible oversight. But a great deal of information about you can be gleaned from your social media profiles, and you have some degree of control over your privacy there.

What you can do

  • Facebook’s option to view your profile as a stranger yields valuable insights about your attack surface. (To do that: go to your profile page, click on the three dots to the right of “Edit Profile,” and select “View As.”) However, the most important data-minimization steps to take on the social network are more basic. First, don’t include your street address or your phone number. Second, while you may want to list your birthday to soak in those “HBD!” messages from friends, you don’t need to add the year of your birth. (If Facebook insists that you enter a year, make sure it’s restricted so only you can see it.)
  • The same goes for LinkedIn and Twitter. That said, since those networks often function more as outward-facing ads for people’s personal brands, you may want to think more about which publicity-safe details you’d like to list there. Neither needs your birthday, and whatever email address you post in your profile on either network had better be one you would be comfortable seeing splashed on TV.
  • Having a separate “work” or “public” email address will let you reserve a safer one for friends and family, at the cost of a little more complexity in your communications. (More about that later.)

6. Check your WHOIS profile

If you’ve registered a personal domain name, you should do a WHOIS lookup to see if your home address or phone number appear in the record for your domain.
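The check described above can be scripted. The following is an added example, not part of the original article: it parses the text a `whois` client prints and lists contact fields that still carry unmasked values. Both sample records are constructed, and the list of masking markers is an assumed heuristic, not an exhaustive one.

```python
import re

# Assumed, non-exhaustive markers that suggest a value is masked by the
# registrar or by a privacy/proxy service.
REDACTION_MARKERS = (
    "redacted", "privacy", "proxy", "data protected",
    "not disclosed", "withheld", "whoisguard",
)

# Contact roles and field names that can carry personal data.
PII_FIELD = re.compile(
    r"^(registrant|admin|tech|billing)\s+"
    r"(name|street|city|postal code|phone|fax|email)$",
    re.IGNORECASE,
)

# Constructed sample: a record with no privacy protection.
SAMPLE_EXPOSED = """\
Domain Name: EXAMPLE-PERSONAL.TEST
Registrar: Example Registrar, Inc.
Registrant Name: Pat Doe
Registrant Street: 123 Example Lane
Registrant City: Springfield
Registrant State/Province: MA
Registrant Postal Code: 00000
Registrant Phone: +1.5555550100
Registrant Email: pat@example-personal.test
Admin Name: REDACTED FOR PRIVACY
>>> Last update of WHOIS database: constructed sample <<<
"""

# Constructed sample: the same domain after masking.
SAMPLE_REDACTED = """\
Domain Name: EXAMPLE-PERSONAL.TEST
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant State/Province: MA
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: https://registrar.example/contact?domain=example-personal.test
"""


def parse_whois(text):
    """Yield (field, value) pairs from the 'Key: value' lines of a WHOIS record."""
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, comments and the trailing status banner.
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            yield key.strip(), value.strip()


def exposed_fields(text):
    """Return contact fields whose values are present and do not look masked."""
    findings = []
    for key, value in parse_whois(text):
        if not PII_FIELD.match(key) or not value:
            continue
        lowered = value.lower()
        if any(marker in lowered for marker in REDACTION_MARKERS):
            continue
        # A contact-form URL in place of an address is treated as masked.
        if lowered.startswith(("http://", "https://")):
            continue
        findings.append((key, value))
    return findings


if __name__ == "__main__":
    for field, value in exposed_fields(SAMPLE_EXPOSED):
        print(f"exposed: {field} = {value}")
```
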

What you can do

7. Voter rolls are different

A different kind of registration, however, requires your home address and offers no custom privacy options: your voter registration.

Voter rolls are available to political parties and, in many cases, to the general public.

Voter rolls are available to political parties and, in many cases, to the general public — and foreign hackers have helped themselves to this data too. You can also usually look up an individual’s voter registration status on a state’s website if you provide additional personal data. For some states, you may only need to enter a birth date, while others require a partial Social Security number, driver’s license, or other government ID number.

Wonder where all those candidates get your phone number from? That’s where. And this can lead to situations like the one where an automated Twitter account regularly released data on people who donated to Trump using Federal Election Commission records. (The account, @EveryTrumpDonor, has since been suspended.)

A list maintained by the National Conference of State Legislatures spells out what information is included and what is kept out of the voter file, as well as which states maintain “address confidentiality programs” that let threatened voters keep their contact details private. The catch here is that if this option is available at all, it requires you to have been a victim of threats first — see, for instance, the criteria for California’s Safe at Home program.

What you can do

  • Work to reduce the visibility of whatever metadata your state requires from someone looking up your voting information. One point that privacy advocates repeatedly make is that things won’t get better without stronger privacy rules, and those won’t happen if privacy-conscious people opt out of democracy.

8. Put safe-for-publicity data out there

To a certain extent, managing your privacy online is not so much a matter of starving search sites, but of giving them the diet of your choice. As I mentioned above, it’s not a bad idea to get a separate address and / or phone number for sites where this information is more likely to be collected.

What you can do

  • In addition to having a safe-for-inadvertent-publicity email address, getting a separate virtual phone number — with call forwarding that you can disable if necessary — will allow you to post those digits without worrying that your personal cellphone will get besieged by harassing texts or emails. Google Voice is helpful for setting up your virtual digits (even if its software could use an update) because it’s simple to add to an existing Gmail account.
  • A US Postal Service PO box remains a simple, affordable way to generate a mailing address independent of where you live. Rates vary by box size and the location and hours of the post office. For example, even the smaller boxes at USPS locations in Washington, DC, can run from $92 to $176 a year. (You can also find PO boxes in shipping stores for possibly better rates.) You don’t need to make a habit of checking that box if you set up the USPS’ Informed Delivery service to tip you off when mail arrives at your box.
  • When you register for a less-than-trustworthy site, you may want to provide incorrect information, like a false birthdate. Wu’s advice: “Any chance you get, pollute the information out there about you if it’s not useful, if it’s not relevant, to you getting what you want.”

9. Use two-factor authentication

The single most valuable data point out there may be your mobile phone number. Aside from the risk of abusive texts or calls, texting has become a common verification method for online accounts when their systems notice an unusual login. That’s led to a plague of SIM swap attacks, in which crooks fool or bribe wireless carrier employees into transferring mobile numbers to their control — and then use that to complete password resets and account takeovers.

So your last item on this privacy checklist involves going through the two-factor authentication settings on any accounts you value — starting with your email and social-media accounts — to replace texting with a verification method that can’t be socially engineered out of your hands.

What you can do

  • The single safest form of 2FA is a USB security key, a special USB dongle that you cryptographically associate with an account and then plug into a computer (or, with newer models, pair to a phone via NFC wireless) to confirm a new login there. Because it’s already been digitally paired with that site address, it can’t be fooled by a lookalike phishing site. They aren’t free — basic, USB-only models start at $20 or so — but you can use one with multiple accounts.
  • Using an app that generates one-time codes, like Google Authenticator or Authy, is your next-best option, now available at pretty much every email and social service of any value.
  • If you must use a phone number, make it a virtual one because the companies that provide them, Google included, generally don’t have in-person customer service that crooks can con.
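Why the list above ranks a security key over a code-generating app, as an added example that is not from the original article: an app's code depends only on a shared secret and the clock, while a key's response covers the site address the browser is actually on. The security-key half is a toy model in which HMAC with a shared key stands in for the public-key signature real keys use; the class, function names and site addresses are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret, unix_time, digits=6, step=30):
    """RFC 6238 code (HMAC-SHA1): a function of the shared secret and the clock only."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_totp(secret, code, unix_time):
    """Server-side check. Nothing here records which page the code was typed into."""
    return hmac.compare_digest(totp(secret, unix_time), code)


class ToySecurityKey:
    """Keeps one credential per site identifier (hypothetical model of a security key)."""

    def __init__(self):
        self._credentials = {}

    def register(self, site_id):
        # Stand-in: a real key hands the site a public key; HMAC needs a shared key.
        self._credentials[site_id] = secrets.token_bytes(32)
        return self._credentials[site_id]

    def sign(self, site_id, client_data):
        key = self._credentials.get(site_id)
        if key is None:
            return None  # no credential was ever paired with this site address
        return hmac.new(key, client_data, hashlib.sha256).digest()


def browser_assertion(security_key, page_origin, challenge):
    """The browser fills in the origin of the page it is really on; the user cannot."""
    site_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    return client_data, security_key.sign(site_id, client_data)


def server_accepts_key(key, expected_origin, challenge, client_data, signature):
    """Accept only a valid signature over this challenge and this site's origin."""
    if signature is None:
        return False
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    signed = json.loads(client_data)
    return signed["origin"] == expected_origin and signed["challenge"] == challenge


def compare_methods():
    real, lookalike = "https://mail.example", "https://mail-example.test"  # constructed
    secret, now = b"12345678901234567890", 59  # RFC 6238 test secret and time
    # A code read off the app is valid at the real site regardless of the
    # page it was first typed into.
    totp_ok = server_accepts_totp(secret, totp(secret, now), now)

    key = ToySecurityKey()
    server_key = key.register("mail.example")
    challenge = secrets.token_hex(16)
    on_real = server_accepts_key(server_key, real, challenge,
                                 *browser_assertion(key, real, challenge))
    on_lookalike = server_accepts_key(server_key, real, challenge,
                                      *browser_assertion(key, lookalike, challenge))
    return {"totp_code_valid": totp_ok, "key_on_real_site": on_real,
            "key_on_lookalike": on_lookalike}
```
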

10. Remember: this is an ongoing process

Can you hoist a “Mission Accomplished” banner at this point? Absolutely not. The reality here, online privacy advocates agree, is that this work never ends. This is basically an operating cost of having an online life.

Repost: Original Source and Author Link

Google to make it harder for advertisers to track users on Android

Mobile users are tired of advertisers tracking what they do on the Internet, and both Google and Apple have made changes to help prevent tracking. While Apple implemented changes to make it more difficult for advertisers to track users, Google is just now gearing up to make similar changes. Google has allowed Android users to opt out of personalized ads for a long time.

However, even if the user opts out of personalized ads, Google has still allowed software developers to access the user’s Advertising ID. The Advertising ID is a unique string of characters that identifies the user’s device. Advertisers access the information for purposes like measuring app usage or to allow advertisers to detect and prevent invalid traffic.

The new change by Google will allow the user to opt-out of personalized ads and will make the Advertising ID unavailable. Any advertiser request for the Advertising ID will return all zeros. Google has recently confirmed that the change will impact all apps running on Android 12 devices starting late this year.

The modification will then roll out to apps running on devices supporting Google Play in early 2022. Google is promising advertisers an alternate solution to support essential use cases such as analytics and fraud prevention. Google has been promising to increase the privacy of users of its services and software, such as Chrome.

Last year, Google promised it would end support for third-party cookies on the Chrome browser within two years. However, anything that impacts advertising is thoroughly thought out by Google as advertising generates 80 percent of the search giant’s overall revenue. It also sees the need to keep advertisers happy by providing alternative ways to place ads in front of Internet users and track their effectiveness.

Here’s why predicting space weather is even harder than it sounds

Recent developments at the forefront of astronomy allow us to observe that planets orbiting other stars have weather. Indeed, we have known that other planets in our own solar system have weather, in many cases more extreme than our own.

Our lives are affected by short-term atmospheric variations of weather on Earth, and we fear that longer-term climate change will also have a large impact. The recently coined term “space weather” refers to effects that arise in space but affect Earth and regions around it. More subtle than meteorological weather, space weather usually acts on technological systems, and has potential impacts that range from communication disruption to power grid failures.

An ability to predict space weather is an essential tool in providing warnings so that mitigation can be attempted, and to hopefully, in extreme cases, forestall a disaster.

The history of weather forecasting

We are now used to large-scale meteorological forecasts that are quite accurate for about a two-week timescale.

Scientific weather forecasting originated about a century ago, with the term “front” being associated with the First World War. Meteorological prediction is based on a good knowledge of underlying theory, codified into massive computer programs running on the most advanced computers, with huge amounts of input data.

Important aspects of weather, like moisture content, can be measured by satellites that monitor continuously. Other measurements can also be readily taken, for example, by the nearly 2,000 weather balloons launched each day. Exploring the limits in weather forecasting gave rise to chaos theory, sometimes called the “butterfly effect.” The buildup of error brings about the two-week practical limit.

In contrast, the prediction of space weather is only truly reliable about one hour in advance!

An explainer of the science behind chaos.

Solar effects

Most space weather originates from the sun. Its outermost atmosphere blows into space at supersonic speeds, although at such low density that interplanetary space is more rarified than what is considered a vacuum in our laboratories. Unlike winds on Earth, this solar wind carries along a magnetic field. This is much smaller than Earth’s own field that we can detect with a compass at the surface, and vastly smaller than that near a fridge magnet, but it can interact with Earth, with an important role in space weather.

The very thin solar wind, with a very weak magnetic field, can nevertheless affect Earth in part because it interacts with a large magnetic bubble around Earth, called the magnetosphere, over a very large area, at least a hundred times as big as the surface of our planet. Much like a breeze that can barely move a thread can move a huge sailing ship when caught on the large sails, the effect of solar wind, through its direct pressure (like on a sail) or through its magnetic field interacting with Earth’s, can be enormous.

As the origin point, the sun itself is a seething mass of hot gas and magnetic fields, and their interaction is complex, sometimes even explosive. Magnetic fields are concentrated near sunspots, and produce electromagnetic phenomena like solar flares (the name says it all) and coronal mass ejections. Much as with tornadoes on Earth, we know generally when conditions are favorable for these localized explosions, but precise prediction is difficult.

Even once an event is detected, if a large mass of fast, hot and dense gas is shot in our direction (and such a “cloud” in turn is difficult to detect, coming at us against the glare of the sun), there is a further complicating factor in predicting its danger.

NASA scientists answer questions about space weather.

Detecting magnetic fields

Unlike the detectable, sometimes even visible, water content in the atmosphere that is so important in meteorology, the magnetic field of gas ejected from the sun, including in hot and denser clouds from explosions, is almost impossible to detect from afar. The effect of an interplanetary cloud is greatly enhanced if the direction of its magnetic field is opposite to Earth’s own field where it hits the barrier of Earth’s magnetosphere. In that case, a process known as “reconnection” allows much of the cloud’s energy to be transferred to the region near Earth, and accumulate largely on the night side, despite the cloud hitting on the side facing the sun.

By secondary processes, usually involving further reconnection, this energy produces space weather effects. Earth’s radiation belts can be greatly energized, endangering astronauts and even satellites. These processes can also produce bright auroras, whose beauty hides danger since they in turn produce magnetic fields. A generator effect takes place when dancing auroras make magnetic fields vary, but unlike in the generators that produce much of our electricity, the electric fields from auroras are uncontrolled.

The electric fields from auroras are small, and undetectable to human senses. However, over a very large region they can build up to apply a considerable voltage. It’s this effect that poses a hazard to our largest infrastructure, such as electric grids. To predict when this might happen, we would need to measure from afar the size and direction of magnetic field in an incoming space cloud. However, that invisible field is stealthy and hard to detect until it is nearly upon us.

Satellite monitors

By the gravitational laws of orbits, a satellite continuously monitoring magnetic fields by direct measurement must sit about a million miles (1.6 million kilometers) from Earth, between us and the sun, which is a hundred times further away. A magnetic cloud causing minor space weather effects usually takes about three days to come from the sun to Earth. A truly dangerous cloud, from a bigger solar explosion, may take as little as a day. Since our monitoring satellites are relatively close to Earth, we only know about the crucial magnetic field direction at most one hour in advance of impact. This is not much time to prepare vulnerable infrastructure, like power and communication networks and satellites, to best survive.

Since the fleets of satellites needed to give better warning are not even on the drawing boards, we must rely on luck in the face of space weather. It may be a small comfort that the coming solar maximum — when the surface of the sun is at its most active during a cycle and is expected to peak in 2025 — is predicted to be mild.

It may be Mark Twain who said “it is hard to make predictions, especially about the future,” but it is certainly true in the case of space weather.

This article by Martin Gerard Connors, Professor of Space Science and Physics, Athabasca University, is republished from The Conversation under a Creative Commons license. Read the original article.

Computer privacy: Laptop microphones are harder to block than webcams

If computer privacy is critical enough that many laptops now include a physical webcam shutter, why can’t you do the same for the microphone?

It’s a question that PC makers should be asking themselves. Some, like Dell, say they’re working on a solution. But for whatever reason, reassuring customers that their conversations aren’t being monitored doesn’t seem to be a high priority, especially with consumer laptops. Fortunately, one recent model from HP signals a way forward.

We now live in an era where we demand always-on connected services, and yet we’re terrified that someone else is listening.

A future where everything listens to you

Part of the problem simply may be the inertia driving us toward an era of always-on, always-listening devices. At their respective developer conferences in May, both Microsoft and Google suggested a future where a user would trigger an assistant with a wake word, and then an interactive conversation would take place naturally. Currently, assistants like Cortana and Google Assistant end the conversation after a single query. In Microsoft’s Cortana demo, the conversation lasted for several minutes. But there was no “thanks” or “that’s all, Cortana” to signal the end of the exchange and tell Cortana to stop listening.

Consumer expectations may be another driver. At least a subset of users seems to think that a device that isn’t always listening to them is in some way defective. Consider the customer responses before the other major assistant, Amazon Alexa, responded to wake words within Windows 10. (Yes, there are now two digital assistants capable of listening to your every command, built right into your PC.) Alexa’s inability to listen in was viewed as a critical shortcoming.

The 2nd-generation Amazon Echo has an array of seven far-field microphones mounted on top, but also a button (at left) to turn them off.

Here’s the thing: Even if they buy always-connected smart speakers, consumers do care about privacy. That’s evidenced by the fact that most smart speakers like the Echo Dot now include some form of physical button for disabling the microphone.

We don’t know how much that button is actually used, but there’s an important reason to have it. We know that Amazon, Google, and Microsoft aggressively collect as much data as you’ll allow. As Geoff Fowler of The Washington Post has chronicled, Amazon’s Alexa squirrels away dozens or hundreds of interactions she’s sampled. If you were an early adopter of a device like the Echo Dot, those recordings go back years.

Another fundamental problem is that when Alexa isn’t sure whether you’ve summoned her, she errs on the side of Amazon, not you, Fowler found. Even if it turns out that you haven’t asked anything of Alexa, the recording still exists. Your PC simply gives assistants like Alexa another way to collect information.

PCs already protect you from spying webcams…

While few laptops control their microphones as easily as smart speakers do, controlling webcams is an established practice. Consider the official and unofficial “privacy shutters” that adorn notebook PCs today—everything from adhesive tape and Post-It Notes to more sophisticated solutions, like the ThinkShutter on some of Lenovo’s ThinkPad notebooks for businesses. 
