Month: December 2018

If you thought passwords will soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember — and just when you did, you’re told to change it again. And sometimes passwords can be guessed and are easily hackable.

Nobody likes passwords but they’re a fact of life. And while some have tried to kill them off by replacing them with fingerprints and face-scanning technology, neither are perfect and many still resort back to the trusty (but frustrating) password.

How do you make them better? You need a password manager.

What is a password manager?

Think of a password manager like a book of your passwords, locked by a master key that only you know.

Some of you think that might sound bad. What if someone gets my master password? That’s a reasonable and rational fear. But assuming that you’ve chosen a strong and unique, but rememberable, master password that you’ve not used anywhere else is a near-perfect way to protect the rest of your passwords from improper access.

Password managers don’t just store your passwords — they help you generate and save strong, unique passwords when you sign up to new websites. That means whenever you go to a website or app, you can pull up your password manager, copy your password, paste it into the login box, and you’re in. Often, password managers come with browser extensions that automatically fill in your password for you.

And because many of the password managers out there have encrypted sync across devices, you can take your passwords anywhere with you — even on your phone.

Why do you need to use one?

Password managers take the hassle out of creating and remembering strong passwords. It’s that simple. But there are three good reasons why you should care.

Passwords are stolen all the time. Sites and services are at risk of breaches as much as you are to phishing attacks that try to trick you into turning over your password. Although companies are meant to scramble your password whenever you enter it — known as hashing — not all use strong or modern algorithms, making it easy for hackers to reverse that hashing and read your password in plain text. Some companies don’t bother to hash at all! That puts your accounts at risk of fraud or your data at risk of being used against you for identity theft.

But the longer and more complex your password is — a mix of uppercase and lowercase characters, numbers, symbols and punctuation — the longer it takes for hackers to unscramble your password.

The other problem is the sheer number of passwords we have to remember. Banks, social media accounts, our email and utilities — it’s easy to just use one password across the board. But that makes “credential stuffing” easier. That’s when hackers take your password from one breached site and try to log in to your account on other sites. Using a password manager makes it so much easier to generate and store stronger passwords that are unique to each site, preventing credential stuffing attacks.

And, for the times you’re in a crowded or busy place — like a coffee shop or an airplane — think of who is around you. Typing in passwords can be seen, copied and later used by nearby eavesdroppers. Using a password manager in many cases removes the need to type any passwords in at all.

Which password manager should you use?

The simple answer is that it’s up to you. All password managers perform largely the same duties — but different apps will have more or relevant features to you than others.

Anyone running iOS 11 or later — which is most iPhone and iPad users — will have a password manager by default — so there’s no excuse. You can sync your passwords across devices using iCloud Keychain.

For anyone else — most password managers are free, with the option to upgrade to get better features.

If you want your passwords to sync across devices for example, LastPass is a good option. 1Password is widely used and integrates with Troy Hunt’s Pwned Passwords database, so you can tell if (and avoid!) a password that has been previously leaked or exposed in a data breach.

Many password managers are cross-platform, like Dashlane, which also work on mobile devices, allowing you to take your passwords wherever you go.

And, some are open source, like KeePass, allowing anyone to read the source code. KeePass doesn’t use the cloud so it never leaves your computer unless you move it. That’s much better for the super paranoid, but also for those who might face a wider range of threats — such as those who work in government.

What you might find useful is this evaluation of five password managers, which offers a breakdown by features.

Like all software, vulnerabilities and weaknesses in any password manager can make put your data at risk. But so long as you keep your password manager up to date — most browser extensions are automatically updated — your risk is significantly reduced.

Simply put: using a password manager is far better for your overall security than not using one.

Check out our full Cybersecurity 101 guides here.

Source: Tech Crunch

If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts.

Simply put, two-factor authentication adds a second step in your usual log-in process. Once you enter your username and password, you’ll be prompted to enter a code sent as a text message or an email, or sometimes as a push notification on your phone.

In all, it usually only adds a few extra seconds to your day.

Two-factor authentication (sometimes called “two-step verification”) combines something you know — your username and password, with something you have — such as your phone or a physical security key, or even something you are — like your fingerprint or another biometric, as a way of confirming that a person is authorized to log in. You might not have thought much about it, but you do this more than you think. Whenever you withdraw money from an ATM, you insert your card (something you have) and enter your PIN (something you know) — which tells the bank that it’s you. Even when you use your bank card on the internet, often you still need something that you know — such as your ZIP or postal code.

Having a second step of authentication makes it so much more difficult for a hacker or a thief to break into your online accounts.

Why is two-factor important?

Gone are the days where your trusty password can protect you. Even if you have a unique password for every website you use, there’s little in the way to stop malware on your computer (or even on the website!) from scraping your password and using it again. Or, if someone sees you type in your password, they can memorize it and log in as you.

Don’t think it’ll happen to you? So-called “credential stuffing” or brute-force attacks can make it easy for hackers to break in and hijack people’s online accounts in bulk. That happens all the time. Dunkin’ Donuts, Warby Parker, GitHub, AdGuard, the State Department — and even Apple iCloud accounts have all fallen victim to credential-stuffing attacks in recent years. Only two-factor accounts are protected from these automated log-in attacks.

Two-factor also protects you against phishing emails. If someone sends you a dodgy email that tries to trick you into logging in with your Google or Facebook username and password to a fake site, for example, two-factor can still protect you. Only the legitimate site will send you a working two-factor code.

Enabling two-factor is a good start, but it’s not a panacea. As much as it can prevent hackers from logging in as you, it doesn’t mean that your data stored on the server is protected from hackers breaching a server elsewhere, or a government demanding that the company turns over your data.

And some methods of two-factor are better than others. As you’ll see.

The best way to two-factor your accounts

Let’s get something out of the way real quick. Even if you want to go all-out and secure your accounts, you’ll quickly realize many sites and services just don’t support two-factor. You should tell them to! You can see if a website supports two-factor here.

But as credential-stuffing attacks rise and data breaches have become a regular occurrence, many sites and services are doing everything they can to protect their users.

There are four main types of two-factor authentication, ranked in order of effectiveness:

A text message code: The most common form of two-factor is a code sent by SMS. It doesn’t require an app or even a smartphone, just a single bar of cell service. It’s very easy to get started. But two-factor by text message is the least secure method. These days, hackers can easily exploit weaknesses in the phone networks to steal SMS two-factor codes. Because SMS messages aren’t encrypted, they can also just leak. More recently, researchers found that this can be done on a massive scale. Also, if your phone is lost or stolen, you have a problem. A text message code is better than not using two-factor at all, but there are far more secure options.

An authenticator app code: This works similarly to the text message, except you’ll have to install an app on your smartphone. Any time you log in, you’ll get a code sent to your app. There are many authenticator apps to choose from, like Authy, Duo, and Google Authenticator. The difference here is that they are sent over an HTTPS connection, making it near-impossible for anyone to snoop in and steal the code before you use it. But if you lose your phone or have malware on your phone — especially Android devices — those codes can be stolen once they arrive on your device.

A biometric: Smile! You’re on camera. Often, in industrial or enterprise settings, you’ll be asked for your biometrics, such as facial recognition, an iris scan or, more likely, a fingerprint. These usually require specialized hardware (and software) and are less common. A downside is that these technologies can be spoofed — such as cloning a fingerprint or creating a 3D-printed head.

A physical key: Last but not least, a physical key is considered the strongest of all two-factor authentication methods. Google said that it hasn’t had a single confirmed account takeover since rolling out security keys to its staff. Security keys are USB sticks that you can keep on your keyring. When you log in to your account, you are prompted to insert the cryptographically unique key into your computer and that’s it. Even if someone steals your password, they can’t log in without that key. And phishing pages won’t work because only the legitimate sites support security keys. These keys are designed to thwart even the smartest and most resourceful attackers, like nation-state hackers.

There are several security keys to choose from: Google has its Advanced Protection Program for high-risk users, like politicians and journalists, and its Google Titan key for everyone else. But many security experts will say Yubikey is the gold standard of security keys. There are a few things to note. Firstly, not many sites support security keys yet, but most of the major companies do — like Microsoft, Facebook, Google and Twitter. Usually, when you set up a physical key, you can’t revert to a text message code or a biometric. It’s a security key, or nothing. A downside is that you will have to buy two — one as a backup — but security keys are inexpensive. Also, if one is stolen, there’s no way to determine your account from the key itself. But, if you lose them both, you might be done for. Even the company that stores your data might not be able to get you back into your account. So, be careful and keep one safe.

That’s what you need to know. You might want to create a checklist of your most valuable accounts, and begin switching on two-factor authentication starting with them. In most cases, it’s straightforward — but you can always head to this website to learn how to enable two-factor on each website. You might want to take an hour or so to go through all of your accounts — so put on a pot of coffee and get started.

You should see two-factor as an investment in security: a little of your time today, to save you from a whole world of trouble tomorrow.

Check out our full Cybersecurity 101 guides here.

Source: Tech Crunch

Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.

You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. But unlike your Social Security number, you’re far less likely to keep your cell phone number a secret — otherwise nobody can contact you!

Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.

Why you need to protect your phone number

Your cell phone number is a single point of failure.

Think about it. You use your cell phone number all the time. You use it when you sign up to sites and services, and sometimes you’ll use it to log into an app or a game on your phone. Your phone number can be used to reset your account if you forget your password. And, you use it for two-factor authentication to securely login to your accounts.

If someone steals your phone number, they become you — for all intents and purposes. With your phone number, a hacker can start hijacking your accounts one by one by having a password reset sent to your phone. They can trick automated systems — like your bank — into thinking they’re you when you call customer service. And worse, they can use your hijacked number to break into your work email and documents — potentially exposing your employer up to data theft.

Just think of every site and service that has your phone number. That’s why you need to protect your phone number.

How do hackers steal cell phone numbers?

It’s easier than you might think. Phone numbers can be found anywhere – thanks in part to so many data breaches.

Often, hackers will find the cell phone number of their target floating around the internet (or from a phone bill in the garbage), and call up their carrier impersonating the customer. With a few simple questions answered — often little more than where a person lives or their date of birth, they ask the customer service representative to “port out” the phone number to a different carrier or a SIM card.

That’s it. As soon as the “port out” completes, the phone number activates on an attacker’s SIM card, and the hacker can send and receive messages and make calls as if they were the person they just hacked.

In most cases, the only sign that it happened is if the victim suddenly loses cell service for no apparent reason.

From there, it’s as simple as initiating password resets on accounts associated with that phone number. Facebook, Gmail, Twitter — and more. A hacker can use your hijacked phone number to steal all of your cryptocurrency, take over your vanity Instagram username or maliciously delete all of your data.

You can read what happened to TechCrunch’s own John Biggs when his phone number was hijacked.

In the worst cases, it can be difficult or impossible to get your phone number back — let alone the accounts that get broken into. Your best bet is to make sure it never happens in the first place.

What you can do to protect your phone number

Just like you can apply two-factor authentication to your online accounts, you can add a secondary security code to your cell phone account, too.

You can either call up customer services or do it online. (Many feel more reassured by calling up and talking to someone.) You can ask customer service, for example, to set a secondary password on your account to ensure that only you — the account holder — can make any changes to the account or port out your number.

Every carrier handles secondary security codes differently. You may be limited in your password, passcode or passphrase, but try to make it more than four to six digits. And make sure you keep a backup of the code!

For the major carriers:

• AT&T has a guide on how to set up extra security on your account.
• T-Mobile allows you to set up a customer passcode.
• Verizon explains how you can add a PIN to your account.
• Sprint also lets you add an account PIN for greater security.

If your carrier isn’t listed, you might want to check if they employ a similar secondary security code to your account to prevent any abuse. And if they don’t, maybe you should port out your cell phone number to a carrier that does.

Check out our full Cybersecurity 101 guides here.

Source: Tech Crunch

So you want to browse the web securely and privately? Here’s a hard truth: it’s almost impossible.

It’s not just your internet provider that knows which sites you visit, it’s also the government — and other governments! And when it’s not them, it’s social media sites, ad networks or apps tracking you across the web to serve you specific and targeted ads. Your web browsing history can be highly personal. It can reveal your health concerns, your political beliefs and even your porn habits — you name it. Why should anyone other than you know those things?

Any time you visit a website, you leave a trail of data behind you. You can’t stop it all — that’s just how the internet works. But there are plenty of things that you can do to reduce your footprint.

Here are a few tips to cover most of your bases.

A VPN can help hide your identity, but doesn’t make you anonymous

You might have heard that a VPN — or a virtual private network — might keep your internet traffic safe from snoopers. Well, not really.

A VPN lets you create a dedicated tunnel that all of your internet traffic flows through — usually a VPN server — allowing you to hide your internet traffic from your internet provider. That’s good if you’re in a country where censorship or surveillance is rife or trying to avoid location-based blocking. But otherwise, you’re just sending all of your internet traffic to a VPN provider instead. Essentially, you have to choose who you trust more: your VPN provider or your internet provider. The problem is, most free VPN providers make their money by selling your data or serving you ads — and some are just downright shady. Even if you use a premium VPN provider for privacy, they can connect your payment information to your internet traffic, and many VPN providers don’t even bother to encrypt your data.

Some VPN providers are better than others: tried, tested — and trusted — by security professionals.

Services like WireGuard are highly recommended, and are available on a variety of devices and systems — including iPhones and iPads. We recently profiled the Guardian Mobile Firewall, a smart firewall-type app for your iPhone that securely tunnels your data anonymously so that even its creators don’t know who you are. The app also prevents apps on your phone from tracking you and accessing your data, like your contacts or your geolocation.

As TechCrunch’s Romain Dillet explains, the best VPN providers are the ones that you control yourself. You can create your own Algo VPN server in just a few minutes. Algo is created by Trial of Bits, a highly trusted and respected security company in New York. The source code is available on GitHub, making it far more difficult to covertly insert backdoors into the code.

With your own Algo VPN setup, you control the connection, the server, and your data.

You’ll need a secure DNS

What does it mean that “your internet provider knows what sites you visit,” anyway?

Behind the scenes on the internet, DNS — or Domain Name System — converts web addresses into computer-readable IP addresses. Most devices automatically use the resolver that’s set by the network you’re connected to — usually your internet provider. That means your internet provider knows what websites you’re visiting. And recently, Congress passed a law allowing your internet provider to sell your browsing history to advertisers.

You need a secure and private DNS provider. Many use publicly available services — like OpenDNS or Google’s Public DNS. They’re easy to set up — usually on your computer or device, or on your home router.

One recommended offering is Cloudflare’s secure DNS, which it calls 1.1.1.1. Cloudflare encrypts your traffic, won’t use your data to serve ads, and doesn’t store your IP address for any longer than 24 hours. You can get started here, and you can even download Cloudflare’s 1.1.1.1 app from Apple’s App Store and Google Play.

HTTPS is your friend

One of the best things for personal internet security is HTTPS.

HTTPS secures your connection from your phone or your computer all the way to the site you’re visiting. Most major websites are HTTPS-enabled, and appear as such with a green padlock in the address bar. HTTPS makes it almost impossible for someone to spy on your internet traffic intercept and steal your data in transit.

Every time your browser lights up in green or flashes a padlock, HTTPS encrypts the connection between your computer and the website. Even when you’re on a public Wi-Fi network, an HTTPS-enabled website will protect you from snoopers on the same network.

Every day, the web becomes more secure, but there’s a way to go. Some websites are HTTPS ready but don’t have it enabled by default. That means you’re loading an unencrypted HTTP page when you could be accessing a fully HTTPS page.

That’s where one browser extension, HTTPS Everywhere, comes into play. This extension automatically forces websites to load HTTPS by default. It’s a lightweight, handy tool that you’ll forget is even there.

Reconsider your web plug-ins

Remember Flash? How about Java? You probably haven’t seen much of them recently, because the web has evolved to render them obsolete. Both Flash and Java, two once-popular web plug-ins, let you view interactive content in your web browser. But nowadays, most of that has been replaced by HTML5, a technology native to your web browser.

Flash and Java were long derided for their perpetual state of insecurity. They were full of bugs and vulnerabilities that plagued the internet for years — so much so that web browsers started to pull the plug on Java back in 2015, with Flash set to sunset in 2020. Good riddance!

If you don’t use them — and most people don’t anymore — you should remove them. Just having them installed can put you at risk of attack. It takes just a minute to uninstall Flash on Windows and Mac, and to uninstall Java on Windows and Mac.

Most browsers — like Firefox and Chrome — let you run other add-ons or extensions to improve your web experience. Like apps on your phone, they often require certain access to your browser, your data or even your computer. Although browser extensions are usually vetted and checked to prevent malicious use, sometimes bad extensions slip through the net. Sometimes, extensions that were once fine are automatically updated to contain malicious code or secretly mine cryptocurrency in the background.

There’s no simple rule to what’s a good extension and what isn’t. Use your judgment. Make sure each extension you install doesn’t ask for more access than you think it needs. And make sure you uninstall or remove any extension that you no longer use.

These plug-ins and extensions can protect you

There are some extensions that are worth their weight in gold. You should consider:

• An ad-blocker: Ad-blockers are great for blocking ads — as the name suggests — but also the privacy invasive code that can track you across sites. uBlock is a popular, open source efficient blocker that doesn’t consume as much memory as AdBlock and others. Many ad-blockers now permit “acceptable ads” that allow publishers to still make money but aren’t memory hogs or intrusive — like the ones that take over your screen. Ad-blockers also make websites load much faster.
• A cross-site tracker blocker: Privacy Badger is a great tool that blocks tiny “pixel”-sized trackers that are hidden on web pages but track you from site to site, learning more about you to serve you ads. To advertisers and trackers, it’s as if you vanish. Ghostery is another example of an advanced-level anti-tracker that aims to protect the user by default from hidden trackers.

And you could also consider switching to more privacy-minded search engines, like DuckDuckGo, a popular search engine that promises to never store your personal information and doesn’t track you to serve ads.

Use Tor if you want a better shot at anonymity

But if you’re on the quest for anonymity, you’ll want Tor.

Tor, known as the anonymity network is a protocol that bounces your internet traffic through a series of random relay servers dotted across the world that scrambles your data and covers your tracks. You can configure it on most devices and routers. Most people who use Tor will simply use the Tor Browser, a preconfigured and locked-down version of Firefox that’s good to go from the start — whether it’s a regular website, or an .onion site — a special top-level domain used exclusively for websites accessible only over Tor.

Tor makes it near-impossible for anyone to snoop on your web traffic, know which site you’re visiting, or that you are the person accessing the site. Activists and journalists often use Tor to circumvent censorship and surveillance.

But Tor isn’t a silver bullet. Although the browser is the most common way to access Tor, it also — somewhat ironically — exposes users to the greatest risk. Although the Tor protocol is largely secure, most of the bugs and issues will be in the browser. The FBI has been known to use hacking tools to exploit vulnerabilities in the browser in an effort to unmask criminals who use Tor. That puts the many ordinary, privacy-minded people who use Tor at risk, too.

It’s important to keep the Tor browser up to date and to adhere to its warnings. The Tor Project, which maintains the technology, has a list of suggestions — including changing your browsing behavior — to ensure you’re as protected as you can be. That includes not using web plug-ins, not downloading documents and files through Tor, and keeping an eye out for in-app warnings that advise you on the best action.

Just don’t expect Tor to be fast. It’s not good for streaming video or accessing bandwidth-hungry sites. For that, a VPN would probably be better.

Check out our full Cybersecurity 101 guides here.

Source: Tech Crunch

Text messaging has been around since the dawn of cellular technology, and sparked its own unique language. But it’s time to put sending regular SMS messages out to pasture.

If you have an iPhone, you’re already on your way. iPhones (as well as iPads and Macs) use iMessage to send messages between Apple devices. It’s a data-based messaging system reliant on 3G, 4G, and Wi-Fi, rather than SMS messaging, which uses an old, outdated but universal 2G cellular network. iMessage has grown in popularity, but has left Android devices and other computers out in the dark.

That’s where other messaging services have filled a gap in the market.

Apps like Signal, WhatsApp, Wire and Wickr are also data-based and work across platforms. Best of all, they’re end-to-end encrypted, which means sent messages are scrambled on one end of the conversation — the device — and unscrambled at the other end on the recipient’s device. This makes it near-impossible for anyone — even the app maker — to see what’s being said.

Many popular apps, like Instagram, Skype, Slack and Snapchat don’t offer end-to-end encryption at all. Facebook Messenger has the option to use “secret” end-to-end encrypted messaging, but isn’t enabled by default.

Here’s what you need to know.

Why hate on SMS messaging?

SMS, or short messaging service, is more than three decades old. It’s generally reliable, but it’s outdated, archaic and expensive. There are also several reasons why SMS messaging is insecure.

SMS messages aren’t encrypted, meaning the contents of each text message are viewable to mobile carriers and governments, and can even be intercepted by organized and semi-skilled hackers. That means even if you’re using SMS to secure your online accounts using two-factor authentication, your codes can be stolen. Just as bad, SMS messages leak metadata, which is information about the message but not the contents of the message itself, such as the phone number of the sender and the recipient, which can identify the people involved in the conversation.

SMS messages can also be spoofed, meaning you can never be completely sure that a SMS message came from a particular person.

And a recent ruling by the Federal Communications Commission now gives cell carriers greater powers to block SMS messages. The FCC said it will cut down on SMS spam, but many worry that it could be used to stifle free speech.

In all of these cases, the answer is an encrypted messaging app.

What are the best encrypted messaging apps?

The simple answer is Signal, an open source, end-to-end encrypted messaging app seen as the gold standard of secure consumer messaging services.

Signal supports and encrypts all of your messages, calls and video chats with other Signal users. Some of the world’s smartest security professionals and cryptography experts have looked at and verified its code, and trust its security. The app uses your cell phone number as its point of contact — which some have criticized, but it’s easy to set the app up with a dedicated phone number without losing your own cell number. Other than your phone number, the app is built from the ground up to collect as little metadata as possible.

A recent government demand for Signal’s data showed that the app maker has almost nothing to turn over. Not only are your messages encrypted, each person in the conversation can set messages to expire — so that even if a device is compromised, the messages can be set to already disappear. You can also add a separate lock screen on the app for additional security. And the app keeps getting stronger and stronger. Recently, Signal rolled out a new feature that masks the phone number of a message sender, making it better for sender anonymity.

But actually, there is a far more nuanced answer than “just Signal.”

Everyone has different needs, wants and requirements. Depending on who you are, what your job is, and who you talk to will determine which encrypted messaging app is best for you.

Signal may be the favorite app for high-risk jobs — like journalism, activism, and government workers. Many will find that WhatsApp, for example, is good enough for the vast majority who just want to talk to their friends and family without worrying about someone reading their messages.

You may have heard some misinformed things about WhatsApp in recent years, sparked largely by incorrect and misleading reporting that claimed there was a “backdoor” to allow third parties to read messages. Those claims were unsubstantiated. WhatsApp does collect some data on its 1.5 billion users, like metadata about who is contacting whom, and when. That data can be turned over to police if they request it with a valid legal order. But messages cannot be read as they are end-to-end encrypted. WhatsApp can’t turn over those messages even if it wanted to.

Although many don’t realize that WhatsApp is owned by Facebook, which has faced a slew of security and privacy scandals in the past year, Facebook has said it’s committed to keeping WhatsApp messages end-to-end-encrypted by default. That said, it’s feasibly possible that Facebook could change its mind in the future, security researchers have said. It’s right to remain cautious, but WhatsApp is still better to use for sending encrypted messages than not at all.

The best advice is to never write and send something on even an end-to-end encrypted messaging app that you wouldn’t want to appear in a courtroom — just in case!

Wire is also enjoyed by many who trust the open-source cross-platform app for sharing group chats and calls. The app doesn’t require a phone number, instead opting for usernames, which many who want greater anonymity find more appealing than alternative apps. Wire also backed up its end-to-end encryption claims by asking researchers to conduct an external audit of its cryptography, but users should be aware that a trade-off for using the app on other devices means that the app keeps a record of everyone you’ve ever contacted in plain text.

iMessage is also end-to-end encrypted and are used by millions of people around the world who likely don’t even realize their messages are encrypted.

Other apps should be treated with care or avoided altogether.

Apps like Telegram have been criticized by experts for its error-prone cryptography, which has been described as “being like being stabbed in the eye with a fork.” And researchers have found that apps like Confide, once a favorite among White House staffers, don’t properly scramble messages, making it easy for the app’s makers to secretly eavesdrop on someone’s conversation.

How to verify someone’s identity

A core question in end-to-end encrypted messaging is: how do I know a person is who they say they are?

Every end-to-end encrypted messaging app handles a user’s identity differently. Signal calls it a “safety number” and WhatsApp calls it a “security code.” Across the board, it’s what we call “key verification.”

Every user has their own unique “fingerprint” that’s associated with their username, phone number or their device. It’s usually a string of letters and numbers. The easiest way to verify someone’s fingerprint is to do it in person. It’s simple: you both get your phones out, open up a conversation on your encrypted messaging app of choice, and you make sure that the fingerprints on the two sets of devices are exactly the same. You usually then hit a “verify” button — and that’s it.

Verifying a contact’s fingerprint remotely or over the internet is tricker. Often it requires sharing your fingerprint (or a screenshot) over another channel — such as a Twitter message, on Facebook, or email — and making sure they match. (The Intercept’s Micah Lee has a simple walk-through of how to verify an identity.)

Once you verify someone’s identity, they won’t need to be reverified.

If your app warns you that a recipient’s fingerprint has changed, it could be an innocuous reason — they may have a new phone number, or sent a message from a new device. But that could also mean that someone is trying to impersonate the other person in your conversation. You would be right to be cautious, and try to reverify their identity again.

Some apps don’t bother to verify a user’s identity at all. For example, there’s no way to know that someone isn’t secretly snooping on your iMessage conversations because Apple doesn’t notify you if someone is secretly monitoring your conversation or hasn’t somehow replaced a message recipient with another person.

You can read more about how Signal, WhatsApp, Telegram, and Wire allow you to verify your keys and warn you of key changes. (Spoiler alert: Signal is the safest choice.)

There are some other tips you should know:

Encrypted message backups are usually not encrypted in the cloud: A very important point here — often, your encrypted messages are not encrypted when they are backed up to the cloud. That means the government can demand that your cloud provider — like Apple or Google — to retrieve and turn over your encrypted messages from its servers. You should not back up your messages to the cloud if this is a concern.

Beware of desktop apps: One of the benefits to many encrypted messaging apps is that they’re available on a multitude of platforms, devices and operating systems. Many also offer desktop versions for responding faster. But over the past few years, most of the major vulnerabilities have been in the buggy desktop software. Make sure you’re on top of app updates. If an update requires you to restart the app or your computer, you should do it straight away.

Set your messages to expire: Encryption isn’t magic; it requires awareness and consideration. End-to-end encrypted messaging won’t save you if your phone is compromised or stolen and its contents can be accessed. You should strongly consider setting an expiry timer on your conversations to ensure that older messages will be deleted and disappear.

Keep your apps updated: One of the best ways to make sure you stay secure (and get new features!) is to make sure that your desktop and mobile apps are kept up-to-date. Security bugs are found often, but you may not always hear about them. Keep your apps updated is the best way to make sure you’re getting those security fixes as soon as possible, lowering your risk that your messages could be intercepted or stolen.

Check out our full Cybersecurity 101 guides here.

Source: Tech Crunch

Twas the last trading day before Christmas, and on the trading floor
Most stocks were falling, and then falling some more;
Treasury Secretary Steven Mnuchin all the banks had called,
In hopes that full coffers were still in their vaults;

The analysts were shaken by news of the call;
which initially caused the stock market to fall;
Then President Trump took to Twitter, to blame the Federal Reserve,
Which was something the Fed chairman just didn’t deserve

So banks and traders rushed to their phones with a clatter,
Causing stock market value further to shatter.
Markets don’t like decisions made in a flash,
And criticizing sound economic policy can exacerbate a crash.

Mnuchin made his call with banks from a tropical isle,
and analysts criticized his decision’s lack of guile,
They were more concerned with policy stupidity,
Since there’s already enough administrative volatility.
Like threatening to oust the chairman of the Federal Reserve,
Someone whose position it would be better to preserve.

So now the Dow has fallen some 653 points
And doctors may advise traders to light up their joints
Because U.S. indices are on track for their worst December
Since the 1930s, which almost no one alive remembers.

Source: Tech Crunch

Tech companies have always branded themselves as the good guys. But 2018 was the year that the long-held belief that Silicon Valley is on the right side of progress and all things good was called into question by a critical mass.

As startups grow bigger and richer, amassing more power and influence outside of the Valley, a reckoning has played out in government and business. Mission statements like “connecting the world” and “don’t be evil” no longer hold water.

A look at a few of this year’s most impactful news themes underscore why; we’ve racked up too many examples to the contrary.

Android co-creator Andy Rubin’s $90 million payout and sexual misconduct revealed

Since the #MeToo movement opened the floodgates on the importance of fighting for gender equality and fair treatment of women and underrepresented minorities at a large scale, the tech industry was rightfully singled out as a microcosm for rampant misconduct.

In October, a New York Times investigation detailed how Android co-creator Andy Rubin was paid out a $90 million exit package when he left Google in 2014. At the time, Google concealed that the executive had multiple relationships with Google staffers and that credible accounts of sexual misconduct had been filed against him during his time at the company. It was an all-too-familiar story recounting how women in tech aren’t safe at work and misbehaved executives are immune from penalty. Google employees didn’t stand for it. 

At a rally in San Francisco, Google staffers read off their list of demands, which included an end to forced arbitration in cases of harassment and discrimination, a commitment to end pay and opportunity inequity and a clear, inclusive process for reporting sexual misconduct safely and anonymously, reported Kate Clark.

Rubin has since taken leave from his smartphone company, Essential.

The first self-driving car fatality occurred when an Uber SUV struck and killed a woman in Arizona

In March, the first self-driving car fatality occurred in Tempe, Arizona when 49-year-old pedestrian Elaine Herzberg was struck by an Uber autonomous test SUV. The car was in self-driving mode, and there was a safety driver behind the wheel who failed to intervene.

Investigators determined the driver had looked down at a phone 204 times during a 43-minute test drive, and that the driver was streaming “The Voice” on Hulu, according to a police report released by the Tempe Police Department. Law enforcement determined her eyes were off the road for 3.67 miles of the 11.8 total miles driven, or about 31 percent of the time.

Uber paused all of its AV testing operations in Pittsburgh, Toronto, San Francisco and Phoenix as a result, and released a safety report detailing how it will add precautions to its testing of self-driving cars. Two employees will be required to sit in the front seat at all times, and an automatic braking system will be enabled.

The incident immediately raised questions about insurance and liability, along with the investigation from the National Transportation Safety Board. As mobility companies charge full speed ahead in developing solutions that will shape the future of urban transportation, tragedies like this remind us that while AVs and humans share the roads, these programs are rife with risk. Has Uber learned a lesson? We’ll find out soon, as the company received permission by the state of Pennsylvania to resume autonomous vehicle testing.

Jamal Khashoggi was assassinated by Saudi agents, prompting Silicon Valley to think about how it got so rich

Silicon Valley companies are used to getting away with a lot. Larger orgs like Uber, Tesla and Facebook rotate in and out of the hot seat as security breaches wreak havoc and sexual harassment scandals are exposed, only to be washed out of the news cycle by a viral image of Elon Musk sampling marijuana the next day.

But one story shocked the public for weeks, after agents of the Saudi government assassinated Washington Post columnist Jamal Khashoggi at the Saudi Arabian consulate in Istanbul as he was trying to obtain marriage license papers.

The tech industry was collectively upset by its proximity to a government and funding source that blatantly misused its power. Silicon Valley gets most of its money through SoftBank’s Vision Fund and by proxy the Saudi kingdom. About half of SoftBank’s massive $93 billion tech-focused fund is powered by a $45 billion commitment from the Saudi kingdom. This means the total invested by the kingdom alone into U.S. startups is far greater than the total raised by any single VC fund. Did we see a single example of a startup that refused to work with SoftBank in the aftermath? No. Will we? Probably not. Because Silicon Valley players are mostly only political and activist when it’s convenient for them.

Silicon Valley companies that have accepted money from this source have a vested interest in keeping the peace with Saudi Arabia and its Crown Prince Mohammed bin Salman — the leader known for getting friendly with tech CEOs in the past. But where does this leave us now as Saudi Arabian money continues to distort American venture? SoftBank has sustained countless startups with round after round of funding as it plunges into debt.

With SoftBank money inflating round sizes and therefore valuations, tech founders and CEOs are faced with the age-old question of whether or not it’s okay to use dirty money to do “good things.” SoftBank’s 2018 culminated in a record IPO that saw a 15 percent drop in value on its debut. Regardless, the aftermath of the Khashoggi assassination could signify the end of an era in American venture if founders begin to think critically about the source of their funding — and act on it. 

Facebook’s struggle

Facebook’s 2018 kicked off with Zuckerberg’s wishful, vague post about his personal challenge to “fix Facebook.” The social network bowed out of 2017 with critics saying Zuckerberg hadn’t done enough to combat the proliferation of fake news on Facebook or block Russian interference in the 2016 U.S. election. Online abuse had never been so bad. All of this was happening just as people started to realize that mindlessly browsing the newsfeed — Facebook’s core product — is a total waste of time.

What better timing for not one, but two massive security scandals?

Zuckerberg answered to Congress after Facebook was infiltrated by Cambridge Analytica, a data organization with ties to the Trump administration. In the beginning of 2014, the organization obtained data on 50 million Facebook users in a way that deceived both the users and Facebook itself. 

If that weren’t enough, just months later Facebook revealed at least 30 million users’ data were confirmed to be at risk after attackers exploited a vulnerability allowing them access to users’ personal data. Zuckerberg said that the attackers were using Facebook developer APIs to obtain information, like “name, gender, and hometowns” linked to a user’s profile page. Queue #deletefacebook. 

A Pew report detailed how Facebook users are becoming more cautious and critical, but they still can’t quit. News and social networking are like oil and water — they can’t blend into coexistence on the same news feed. In 2018, Facebook was caught in a perfect storm. Users started to understand Facebook for what it actually is: powered by algorithms that coalesce fact, opinion and malicious fake content on a platform designed to financially profit off the addictive tendencies of its users. The silver lining is that as people become more cautious and critical of Facebook, the market is readying itself for a new, better social network to be designed off the pioneering mistakes of its predecessors.

Apple hits a $1 trillion market cap and celebrates the anniversary of the iPhone with design changes

This was a hardware-heavy year for Apple. The MacBook Air got Retina Display. The Apple Watch got a big redesign. The iPad Pro said farewell to the home button. We met the new mac Mini and an updated Apple Pencil. In September, Apple held its annual hardware event in Cupertino to announce three new iPhone models, the XS (the normal one), XR (the cheap one) and the XS Max (the big one). We also learned that the company went back to the drawing board on the Mac Pro.

In August, Apple won the race to $1 trillion in market cap. It wasn’t the frayed cords or crappy keyboards that boosted the company past this milestone, but rather price hikes in its already high-margin iPhone sales. But while Apple remains wildly profitable, growth is slowing notably.

Tech stocks took a beating toward the end of the year, and although Apple seems to have weathered the storm better than most companies, it may have reached a threshold for how much it can innovate on its high-end hardware. It may be wise for the company to focus on other methods of bringing in revenue like Apple Music and iCloud if it wants to shoot for the $2 trillion market cap.

As the biggest, richest companies get bigger and richer, questions about antitrust and regulation rise to ensure they don’t hold too much economic power. Tim Cook has more authority than many political leaders. Let’s hope he uses it for good.

Tesla CEO Elon Musk sued by the SEC for securities fraud

In August, Tesla CEO Elon Musk announced in a tweet heard around the internet that he was considering taking Tesla private for $420 per share and that he’d secured funding to do so. The questioning started. Was it legit? Was it a marijuana joke? The tweet caused Tesla’s stock price to jump by more than 6 percent on August 7. Musk also complained that being a public company “subjects Tesla to constant defamatory attacks by the short-selling community, resulting in great harm to our valuable brand.”

Turns out, Musk had indeed met with representatives from the Saudi sovereign wealth fund, and that the fund’s lead rep told Musk that they’d bought about 5 percent of Tesla’s stock at a stake worth $2 billion, were interested in taking the company private and confirmed that this rep had the power to make these kinds of investment decisions for the fund. However, nothing was written on paper, and Musk did not notify the Nasdaq — an important requirement.

At the end of September, the SEC filed a lawsuit against Musk for securities fraud in regards to his “false and misleading” tweets, seeking to remove him from Tesla. Musk settled with the SEC two days after being charged, resigning from his chairman position but remaining CEO. Musk and Tesla were also ordered to pay separate $20 million fines to “be distributed to harmed investors under a court-approved process,” according to the SEC.

Public companies are supposed to value the interests of their shareholders. Pulling the trigger on an impulsive tweet breaks that trust — and in Musk’s case, cost $40 million and a board seat. This is why we should never put too much fear or faith in our leaders. Musk is brilliant and his inventions are changing the world. But he is human and humans are flawed and the Tesla board should have done more to balance power at the top. 

The great Amazon HQ2 swindle

Tech jobs bring new wealth to cities. Amazon set out on a roadshow across America in what the company described as a search for its second headquarters, or “HQ2.” The physical presence of Amazon’s massive retail and cloud businesses would undoubtedly bring wealth, innovation, jobs and investment into a region.

There was initial hope that the retail giant would choose a city in the American heartland, serving as a catalyst for job growth in a burgeoning tech hub like Columbus, Ohio, Detroit, Mich., or Birmingham, Ala. But in the end, Amazon split the decision between two locations: New York (Long Island City) and Arlington, Virginia, as the sites for its new offices. The response? Outrage.

Jon Shieber noted that cities opened their books to the company to prove their viability as a second home for the retailing giant. In return, Amazon reaped data on urban and exurban centers that it could use to develop the next wave of its white-collar office space, and more than $2 billion worth of tax breaks from the cities that it will eventually call home for its new offices.

Danny Crichton argued that Amazon did exactly what it should have with its HQ2 process. Crichton wrote that Amazon is its own entity and therefore has ownership of its decisions. It allowed cities to apply and provide information on why they might be the best location for its new headquarters. Maybe the company ignored all of the applications. Maybe it was a ploy to collect data. Maybe it wanted publicity. Regardless, it allowed input into a decision it has complete and exclusive control over.

Let’s hope that in 2019, Silicon Valley will hold on to some of its ethos as a venture-funded sandbox for brilliant entrepreneurs who want to upend antiquated industries with proprietary tech inventions. But let it be known that sleeping at the wheel while your company gets breached, turning a blind eye to the evil doings of your largest funding sources and executive immunity from sexual misconduct violations no longer have their place here. 

Source: Tech Crunch