If you want to shock your colleagues into action, one effective way is to plug their email addresses into haveibeenpwned, and tell them:
> Alice, YOU were exposed in the XYZ breach. Your $identifiable_information IS publicly available. If you used the same password on XYZ as you do on other services, those services ARE vulnerable. If any of those services allow you to access your email, ALMOST ALL of the services you used are vulnerable. You should change them as soon as possible.
After talking this through with many non technical people, I have become of the opinion the shame is ours. Why do we keep pushing this patently unsafe authentication mechanism? It should never have been allowed in the first place, but now with hardware keys readily available there really is no more excuse. I understand there is a first mover disadvantage to disallowing password-only auth, but that’s on us. Our collective timorous prevaricating is to blame for the misuse of passwords by end users. Because, unlike them, we do know better.
and when the fingerprint database is stolen and shared with multiple adversarial parties? they now have your password and its gonna be hard to update / change yours.
This happened with the opm hack and a big one in India or Indonesia or something not too long ago I think.
Backups. Either in backuping the data, or in enabling several tokens for the same service.
The problem is that the first one is frowned upon for good reasons (but maybe not as good as they seem), while nobody supports the second one. So, yes, currently depending on hardware keys is dangerous.
The same as real keys: you make a copy. If you don’t, you have to call someone to get it fixed, which is an expensive hassle. It’s an intuitive model that everyone already groks. No fragile user re-education necessary.
It's a shame that operating systems exist with no functioning system-wide API for authentication, let alone storing passwords.
That would change things.
Just look how Apple now inserts long random passwords in registration forms and immediately saved it. That's how users will use secure authentication. By helping them, not telling them to do better on their own.
go to some random video chat, and record the reactions when you offer full data on some plain nothing to hide person, then show that to those with nothing to hide
In my experience there is a realization that its not about hiding your data, its about hiding from a particular type of netizen that amplifies to an extreme
I make a habit of getting friends and family to do this. And, it’s sad to say, but even this doesn’t always elicit the sort of response one would think reasonable
Agreed. The typical response seems to be “what’s the worst that someone could do with that info?”
The NYTimes article attempts to answer that question but I’m not sure how successful it is. The gist seems to be that your data affects others, and you may case later about data that you don’t care about now. Nothing about identity theft, answers to secret questions, etc.
Some people I talk to already get it, that it’s hard to foresee the abuses, but for most people, if it doesn’t end with a hacker raiding their bank account then it’s not really a problem .
> Alice, YOUR physical address and family names are available in public information aggregation site ABC. Did your bank ask you what your mother's maiden name is "for security"? Did your HR set your password to YourLastName+StreetNumber?
Another way would be to get that 50B location point data that some analysis was done on recently, and send them a list of all of the people that visited their home and all the homes the people in their home visited. Do that enough and you'll likely discover some clandestine activities.
Hmmm … I wonder into what kind of action they'd most likely be shocked.
> So you took a private email address I gave you in confidentiality and handed it over to some hacker site which, without making any verification that you own that address, gave you a list of services I'd signed up for? Bob, YOU are now on my shit list. Your face IS punchable. You should get lost as soon as possible.
Maybe it would be better to tell them something along the lines of: "I just improved my internet security, and so can you! Check out these resources, plus some background information from trustworthy sources."
But which tools and reports should I recommend? In this context, "that talk I saw at Defcon" doesn't cut it. Recommending a site that endorses exactly one password management service also seems questionable; I'm concerned that if I tell colleagues to trust HIBP, I'm priming them to fall for anti-malware protection rackets.
How about the venerable NYT? They must have some great stuff. But then there's also content such as TFA, in which a graphics director and a writer from the opinion desk deliver bons mots such as: "None of us really has a choice to participate in tracking or not — the system just serves up location data, usually without us noticing. […] When we participate in this system, we're tacitly endorsing it." On a page that attempts to contact DoubleClick and Google Analytics. (Which I did notice, and, unlike the NYT, chose not to participate in.)
When someone asks for advice or I noticed them make a security boo-boo, I can teach them the bare minimum (basic stuff such as how to use unique credentials for every site and service). But when it comes to doing my part in spreading the word about being more proactive than the bare minimum … halp!
Edit: Credit where credit is due: I just finished reading TFA and discovered the section "What about The Times?", which has links to "This Article Is Spying on You" [0] and "How The Times Thinks About Privacy" [1].
When I've done something like this in the past, most of the responses I get are shrugs and, "I guess I'll change that password, do you have any tips on good passwords?"
A few people will go off with their lighthearted hyperbole "I'm moving to a cabin in the woods!" To which I respond, it's much easier to track a n=1 with a unique heat signature in the middle of nowhere - should someone be so inclined.
When someone asks me why privacy matters, usually followed by "who cares about the details of my life?", or "I have nothing to hide", I ask them if they know who Milly Dowler was.
Milly Dowler, was a 13 year old girl who was abducted and murdered on her way back from school. It took months to find her body. During this time her family keep leaving desperate messages on her phones answering service. What they didn't know what that, news papers had hacked her voice mail and listened to and printed their pleas for her to return their calls.
When the voice box eventually became full, the reporters deleted messages from the phone service so that they could get new materiel. When the family noticed that the voice box had been emptied, it gave them hope that she was still alive and was listening to her messages. Much later they where devastated to learn the body had been found.
If you would have asked anyone in the Dowler family the day before Milly's disappearance if they where worried that some one might hack their voice mail they would probably have replied "No, Not really, we have nothing to hide and who would really care to listen to that?"
Only way I've been able to get older people to pay attention is by telling them that agreeing to the terms along with your other friends and family collectively, you all have gotten your kids to use and accept those terms,
now all of your daughters pics are autouploaded to fbook (not just the ones you chose to share, all photos on the device) - you agreed to those terms of access remember? and lots of enginerds get to see them. microsofts drive app autodetects nude and almost nude pics and sends a copy to humans for verification automatically. snap gets lots of pics that your kids are trying to hide, and keeps a copy for thousands of people to access behind closed doors. Same with instagram, which also allows us to buy pics of your kids and use them in ads for dirty dating sites and herpes commercials..
since you don't use signal you are making your children's texts, pics and videos less safe.
Oh, and the banks auto sell your shopping buys to groups of us enginerds. we may have you or members of your fam on the list of buyers of 'massagers' from certain stores.. we love those walgreens points cards, and so does google and fbook who also collect your offline purchasing data and share.
thanks for participating in our surveillance economy, we love to watch, and we give you cheaper things for letting us. its win win.
don't believe me? call your bank and ask them if they share your debit card purchases with me.
have a nice day.
So... given the Milly Dowler example... why does privacy matter?
Did the family suffer harm through other people listening to their messages?
The false hope is unrelated to a privacy violation; it came from unauthorized message deletion. It would have happened equally if messages had been deleted unheard. And, for related reasons, there are already laws against this type of conduct which do not draw on the privacy concept. ("Ownership" is sufficient.)
Was the family interested in hiding the fact that their daughter was missing? That they were desperate to get her back?
How would more privacy have helped?
The argument that
1. A bad thing happened;
2. Behavior X occurred while it was happening
does not actually show that behavior X is bad or had bad consequences. And a case in which all the relevant parties were intentionally publicizing their affairs seems like an odd vehicle to draw privacy concerns from.
> The false hope is unrelated to a privacy violation; it came from unauthorized message deletion. It would have happened equally if messages had been deleted unheard.
You are using a unique definition of privacy here to say that meddling with data you have understood to be private is not a privacy violation.
> How would more privacy have helped?
Unscrupolous journalists would not have had any reason to hack the phone to listen to and delete messages. Ultimately, because there wouldn't be any messages or because their storage was encrypted and guarded beyond reasonable means to access it without permission.
The false hope in the Milly Dowler story is deeply heart-breaking, but a privacy violating system that couldn’t generate false hope would still be bad. If the phone company mailed copies of every phone call made by the family, to reporters, I think we can agree that would still be gross.
> You are using a unique definition of privacy here to say that meddling with data you have understood to be private is not a privacy violation.
I'm saying that meddling with someone else's data isn't a privacy issue in the same way that if I enter your home and cut your table in half, the destruction of your table isn't a privacy issue. It's a destruction-of-property issue.
> I'm saying that meddling with someone else's data isn't a privacy issue in the same way that if I enter your home and cut your table in half, the destruction of your table isn't a privacy issue.
If I had written a message on the table that directed the recipient to destroy it to communicate something to me, it would be. Then you'd have entered our correspondence and communicated on their behalf in a setting I understood to be private, which in turn might prompt me to change my course of action and further correspondence.
Read the last few updates to this document and see how bad it can be:
FBI Director Wray, AG Barr, SoD Shanahan, & SoS Pompeo all raped boys & were paid billions in bribes for a Soros & Koch funded child rape org. So did Trump & his 'impeachment' team Nadler,Schiff,Mueller.So did media moguls Redstone,Murdoch,Moonves. What are they setting up? Who can arrest them?
Download the video\audio file, put on headphones and turn up the volume. You will hear these people committing these crimes. Audio was broadcast into my apartment by outdated surveillance equipment illegally embedded within my walls. This very same technology was being used to broadcast me to the internet for five years without my consent. I own this footage. Please use this to prosecute all found within. Note:: I am obliviously speaking throughout the video, and it can be quite loud at times relative to the desired content. The are dozens more links, including these, that can be found in this 139 page PDF doc, last updated four days ago:
-Accepting a $3 billion dollar bribe at 1033 am on the 17th of Jan 2019 to ensure Asian boys can get through the border at "Monterey" undocumented to be raped:
Speaker Nancy Pelosi also "preps" boys with First Lady Melania Trump, defined as in she performs oral sex on the boys’ penis and anus, as a child rapist like Henry Porter would, while trying to remove fecal matter from the boy prior to handing them over to be raped and then subsequently murdered, for Supreme Court Justice Samuel Alito, who apparently decides he would rather just have ten billion doll...
I've directly sampled a lot of mobile location data. The data is sparse. Most people do not have their location data distributed, and of those who do most have very few pings, and with Apple/Android now explicitly asking for location permissions the utility of the data which is available will decrease dramatically. Google, Apple, Verizon etc have significantly more due to their centrality in the technology but to my knowledge directly sell none of it. I understand the concern to for privacy but NYT makes the issue seem larger than it is.
Do you believe the piece linked in the first paragraph[0] describes an outlier in terms of data collection? It shows how location data from a single low-lying location tracking company had enough pings to reliably pinpoint home and work locations of individuals, enough to de-anonymize and interview them. This does not seem like sparse data.
It's definitely possible, but when I have looked at the movement data myself maybe 0.5% of houses in my city had any pings. Half the time there is no way to tell if the pings come from residents or visitors. So the odds of being one of those people is low. Minimal effort to secure your privacy can prevent you from being one of these people. People should also be aware that their name and addresses are already available without mobile data.
My opinion is that the data has tremendous potential to make retail/housing markets more energy efficient and should be available for commercial applications, though maybe sellers/consumers of the data should be licensed. Won't go into detail but I think it will ultimately help in the fight against climate change.
Are most people not worried that at one point, algorithms will understand us on a subconscious level? Like the existing algorithm that can tell if somebody is depressed by the way they are dancing?
Life will be like entering an evil cult, where advertisers can abuse our deepest vulnerabilities to the benefit of whoever pays the most.
36 comments
[ 3.5 ms ] story [ 84.8 ms ] thread> Alice, YOU were exposed in the XYZ breach. Your $identifiable_information IS publicly available. If you used the same password on XYZ as you do on other services, those services ARE vulnerable. If any of those services allow you to access your email, ALMOST ALL of the services you used are vulnerable. You should change them as soon as possible.
Joking aside, hardware keys will absolutely get lost. Even car keys get lost around here on a fairly regular basis.
Fingerprints maybe?
This happened with the opm hack and a big one in India or Indonesia or something not too long ago I think.
The problem is that the first one is frowned upon for good reasons (but maybe not as good as they seem), while nobody supports the second one. So, yes, currently depending on hardware keys is dangerous.
That would change things.
Just look how Apple now inserts long random passwords in registration forms and immediately saved it. That's how users will use secure authentication. By helping them, not telling them to do better on their own.
In my experience there is a realization that its not about hiding your data, its about hiding from a particular type of netizen that amplifies to an extreme
While there are others, Troy Hunt’s HIBP is a great resource, and we are indebted to his work there.
The NYTimes article attempts to answer that question but I’m not sure how successful it is. The gist seems to be that your data affects others, and you may case later about data that you don’t care about now. Nothing about identity theft, answers to secret questions, etc.
Some people I talk to already get it, that it’s hard to foresee the abuses, but for most people, if it doesn’t end with a hacker raiding their bank account then it’s not really a problem .
Another way to shock your colleagues is making them point their browsers at https://myactivity.google.com
(and let them scroll down)
Part of the information shown there is likely to be part of what's in their phones.
> So you took a private email address I gave you in confidentiality and handed it over to some hacker site which, without making any verification that you own that address, gave you a list of services I'd signed up for? Bob, YOU are now on my shit list. Your face IS punchable. You should get lost as soon as possible.
Maybe it would be better to tell them something along the lines of: "I just improved my internet security, and so can you! Check out these resources, plus some background information from trustworthy sources."
But which tools and reports should I recommend? In this context, "that talk I saw at Defcon" doesn't cut it. Recommending a site that endorses exactly one password management service also seems questionable; I'm concerned that if I tell colleagues to trust HIBP, I'm priming them to fall for anti-malware protection rackets.
How about the venerable NYT? They must have some great stuff. But then there's also content such as TFA, in which a graphics director and a writer from the opinion desk deliver bons mots such as: "None of us really has a choice to participate in tracking or not — the system just serves up location data, usually without us noticing. […] When we participate in this system, we're tacitly endorsing it." On a page that attempts to contact DoubleClick and Google Analytics. (Which I did notice, and, unlike the NYT, chose not to participate in.)
When someone asks for advice or I noticed them make a security boo-boo, I can teach them the bare minimum (basic stuff such as how to use unique credentials for every site and service). But when it comes to doing my part in spreading the word about being more proactive than the bare minimum … halp!
Edit: Credit where credit is due: I just finished reading TFA and discovered the section "What about The Times?", which has links to "This Article Is Spying on You" [0] and "How The Times Thinks About Privacy" [1].
[0] https://www.nytimes.com/2019/09/18/opinion/data-privacy-trac...
[1] https://www.nytimes.com/2019/04/10/opinion/sulzberger-new-yo...
A few people will go off with their lighthearted hyperbole "I'm moving to a cabin in the woods!" To which I respond, it's much easier to track a n=1 with a unique heat signature in the middle of nowhere - should someone be so inclined.
Milly Dowler, was a 13 year old girl who was abducted and murdered on her way back from school. It took months to find her body. During this time her family keep leaving desperate messages on her phones answering service. What they didn't know what that, news papers had hacked her voice mail and listened to and printed their pleas for her to return their calls.
When the voice box eventually became full, the reporters deleted messages from the phone service so that they could get new materiel. When the family noticed that the voice box had been emptied, it gave them hope that she was still alive and was listening to her messages. Much later they where devastated to learn the body had been found.
If you would have asked anyone in the Dowler family the day before Milly's disappearance if they where worried that some one might hack their voice mail they would probably have replied "No, Not really, we have nothing to hide and who would really care to listen to that?"
As I remember he wanted a job and wanted to hide the fact he is blind because most companies just turned him down immediately.
now all of your daughters pics are autouploaded to fbook (not just the ones you chose to share, all photos on the device) - you agreed to those terms of access remember? and lots of enginerds get to see them. microsofts drive app autodetects nude and almost nude pics and sends a copy to humans for verification automatically. snap gets lots of pics that your kids are trying to hide, and keeps a copy for thousands of people to access behind closed doors. Same with instagram, which also allows us to buy pics of your kids and use them in ads for dirty dating sites and herpes commercials..
since you don't use signal you are making your children's texts, pics and videos less safe.
Oh, and the banks auto sell your shopping buys to groups of us enginerds. we may have you or members of your fam on the list of buyers of 'massagers' from certain stores.. we love those walgreens points cards, and so does google and fbook who also collect your offline purchasing data and share.
thanks for participating in our surveillance economy, we love to watch, and we give you cheaper things for letting us. its win win.
don't believe me? call your bank and ask them if they share your debit card purchases with me. have a nice day.
Did the family suffer harm through other people listening to their messages?
The false hope is unrelated to a privacy violation; it came from unauthorized message deletion. It would have happened equally if messages had been deleted unheard. And, for related reasons, there are already laws against this type of conduct which do not draw on the privacy concept. ("Ownership" is sufficient.)
Was the family interested in hiding the fact that their daughter was missing? That they were desperate to get her back?
How would more privacy have helped?
The argument that
1. A bad thing happened;
2. Behavior X occurred while it was happening
does not actually show that behavior X is bad or had bad consequences. And a case in which all the relevant parties were intentionally publicizing their affairs seems like an odd vehicle to draw privacy concerns from.
You are using a unique definition of privacy here to say that meddling with data you have understood to be private is not a privacy violation.
> How would more privacy have helped?
Unscrupolous journalists would not have had any reason to hack the phone to listen to and delete messages. Ultimately, because there wouldn't be any messages or because their storage was encrypted and guarded beyond reasonable means to access it without permission.
I'm saying that meddling with someone else's data isn't a privacy issue in the same way that if I enter your home and cut your table in half, the destruction of your table isn't a privacy issue. It's a destruction-of-property issue.
If I had written a message on the table that directed the recipient to destroy it to communicate something to me, it would be. Then you'd have entered our correspondence and communicated on their behalf in a setting I understood to be private, which in turn might prompt me to change my course of action and further correspondence.
FBI Director Wray, AG Barr, SoD Shanahan, & SoS Pompeo all raped boys & were paid billions in bribes for a Soros & Koch funded child rape org. So did Trump & his 'impeachment' team Nadler,Schiff,Mueller.So did media moguls Redstone,Murdoch,Moonves. What are they setting up? Who can arrest them?
Download the video\audio file, put on headphones and turn up the volume. You will hear these people committing these crimes. Audio was broadcast into my apartment by outdated surveillance equipment illegally embedded within my walls. This very same technology was being used to broadcast me to the internet for five years without my consent. I own this footage. Please use this to prosecute all found within. Note:: I am obliviously speaking throughout the video, and it can be quite loud at times relative to the desired content. The are dozens more links, including these, that can be found in this 139 page PDF doc, last updated four days ago:
https://drive.google.com/file/d/1Sj9EN_pHmicKS6rFQlmk67knMdJ...
All members of the "Illuminati"; "....an underground organization of homosexuals and child rapists..." (from page 26: Barack Obama with Jack Dorsey).
President Donald Trump:
Accepting a $4 billion dollar bribe here at 10:18 am on the 4thJan2019:
3JanCh3_900-1100.avi
https://drive.google.com/file/d/1Grdr8xF2psKNsuYlEnl9dIRV-77...
3JanCh2_900-1100.avi
https://drive.google.com/file/d/1LUmVygl_q0XVs8h2cWr8jZl-24f...
3JanCh4_1000-1100.mp3
https://drive.google.com/file/d/1ZpP1pJbJakBgg-y-MWNozTxp3wJ...
President Trump rapes and kills a 12 boys, including five5 boys in a who can rape five boys to death the fastest' game:
14JanCh3_600.mp3
https://drive.google.com/file/d/1ufPmglde9Mep0m6xYMJ9c4TWTjj...
14JanCh2_600-700.mp3
https://drive.google.com/file/d/136qLJdEn8eCs9tI4QtIxl4opW_L...
Speaker of the House Nancy Pelosi:
-Accepting a $3 billion dollar bribe at 1033 am on the 17th of Jan 2019 to ensure Asian boys can get through the border at "Monterey" undocumented to be raped:
17JanCh3_949-1100.avi
https://drive.google.com/file/d/1eodHu4o5Cm3xEWhDqipSuTj-M1C...
17JanCh4_1017-1100.avi
https://drive.google.com/file/d/1y-nWEQbempkVZSz230j9wTyduZN...
Speaker Nancy Pelosi also "preps" boys with First Lady Melania Trump, defined as in she performs oral sex on the boys’ penis and anus, as a child rapist like Henry Porter would, while trying to remove fecal matter from the boy prior to handing them over to be raped and then subsequently murdered, for Supreme Court Justice Samuel Alito, who apparently decides he would rather just have ten billion doll...
[0] https://www.nytimes.com/interactive/2019/12/19/opinion/locat... (discussion https://news.ycombinator.com/item?id=21833718)
My opinion is that the data has tremendous potential to make retail/housing markets more energy efficient and should be available for commercial applications, though maybe sellers/consumers of the data should be licensed. Won't go into detail but I think it will ultimately help in the fight against climate change.
Life will be like entering an evil cult, where advertisers can abuse our deepest vulnerabilities to the benefit of whoever pays the most.
You add another power source the user doesn’t know about.