Summer is here, and that means vacation travel is up. At U.S. borders, customs officers may ask for your passwords to unlock your devices, or provide access to online accounts, especially social media.
According to many experts, you can refuse, but your devices could be seized and retained for an extended period of time and/or the data copied (even if it’s encrypted and effectively unretrievable). If you’re not a permanent resident of the U.S., you might be denied entry.
If you're worried that you might have to hand over a device with valuable information, then consider this: the less data on hand, the less risk of exposure you have. With this in mind, you could choose to agree to allow device inspection, because there would be nothing of importance to disclose.
Read more »
HTTP over Transport Layer Security, also know as https, can go a long way to improving the security and privacy on a website. When you see a site's URL with
https://, that site exercises good care on its internal security to protect user data and against break-ins
Here are several approaches you can take to improve web security in the way you browse, share links, and configure your own sites, using https.
Install HTTPS Everywhere in Firefox and Chrome. HTTPS Everywhere from the Electronic Frontier Foundation (in conjunction with the Tor Project) automatically redirects from an insecure to a secure site wherever possible. The browser plug-in is available for Chrome, Firefox, and Opera, and Firefox for Android. Safari (and Internet Explorer) aren’t supported because of design choices in the extension architecture in those browsers.
Read more »
I’m glad to see a positive security trend: more companies have software available for hosted backups and cloud-based storage access that incorporates user-owned encryption. With these products and services, you are the only person or entity that controls the encryption key or passphrase that unlocks the key. The company that makes the software or runs the service not only never sees it, they have no way to access it.
Apple engages in this only with iCloud Keychain and iMessage. While Apple doesn’t know your Apple ID password, you do have to enter it for the company to transform it into a cryptographically securely formed version that it can compare against what it has stored for you.
But with iCloud Keychain, it doesn’t have enough information to extract information from the middle, because it uses a process that creates encryption keys on the endpoints on your devices. The data sent through Apple’s services is locked away from its eyes. I wrote about how AgileBits and LastPass used a similar approach for their synced services. (Apple’s system could be changed in such a way that it would be able to sniff that data, which is one of the weaknesses of its current model that needs to be and could be changed.)
Read more »
When is an “a” not necessary the “a” you think it is? When a browser shows it as part of the URL in the location or smart-search field. Due to the late entry of non-Roman characters to domain names, a backwards-compatible method of representing them aids phishing.
Unicode allows the representation of nearly all the glyphs—characters, symbols, ideograms, script element, and more—that form the basis of language and other written subjects, like math and games, in use around the world. While the Unicode Consortium started its work decades ago, but it’s only in the last few years that it’s finally permeated operating systems, browsers, and apps to the point where you can almost rely on it working almost everywhere.
But the Domain Name System (DNS) that operating systems use to turn human-readable location and resource names into the numeric and other data needed to make a connection dates back even before Unicode. And because of its ubiquity, making any change could break compatibility for hundreds of millions of people and devices—maybe more. This is why some sensible improvements, like having a cryptographic component to a domain name that prevented its being spoofed by a party that didn’t own the domain, has still not been rolled out.
Read more »
If you use iCloud for email, calendar events, or contacts with any apps other than those made by Apple, and you haven’t upgraded the security on your account to use two-factor authentication (2FA), syncing and other interaction will fail starting June 15. That’s when Apple imposes a new security requirement that requires unique passwords for all third-party software that works with iCloud accounts. That includes apps like BusyContacts, Fantastical, and Thunderbird, to name a few of hundreds, as well as online services that sync with iCloud or retrieve email.
That sounds a lot more secure, but there’s less there than meets the eye. Apple’s method of allowing third-party access has significant flaws in containing abuse if one of these unique passwords gets discovered. There’s a better way with its own set of problems, but Apple doesn’t appear to be moving in that direction. (Here’s our how-to guide on setting up iCloud/Apple ID 2FA.)
Blocking easy account hijacking
Read more »
A friend of mine who advocates against a form of health stigma has been targeted for many months by those who prefer to keep the stigma active. (Yes, there is pro-shame harassment in the world. Go figure.) The intensity of this opposition leaks way over from nasty email and social-media messages to account hacking.
While my friend has secured all their accounts as tightly as possible, using an email address that’s protected by two-factor authentication (2FA) coupled with enabled 2FA everywhere that supports it, their problem is that they receive a continuous stream of email about login attempts. Because of strong passwords and other choices, their accounts aren’t being hijacked.
But they wondered: Is there a way to remain protected by not receive a well-meaning onslaught of such emails? The short answer is no. Facebook, Google Mail, WordPress, and many other services aimed remain naively predicated on the idea that nobody will see that many attempts by someone unauthorized to try to gain access to their users’ accounts through a “forgot your password” or other links.
Read more »
Uber reportedly tagged iPhones with persistent IDs that allowed it to identify devices uniquely after a phone had been wiped and configured from scratch. The company said it was about fraud detection, but its history makes many people dubious, whether that’s true or not.
Bigger issues were raised, however. It’s Apple who discovered the violation of its terms, news about which never appeared until last week. Is Apple acting in our best interests as proprietary and quiet stewards of our identities? This tagging also raises the spectre of a silent ban by app makers, in which consumers could buy a second-hand phone previously employed for fraud that can’t be used ever again with many services.
Let’s start with what happened two years ago, and which would have destroyed Uber’s business.
Read more »