Internet Safety Tips

Lots of weird things just happened at once.

It’s always important to be cognizant of what and who you interact with online, but phishing is way up right now, so be extra careful with emails, links, and articles sent to you that you didn’t initiate or request. And while email phishing is often the main focus for scams, there are additional methods to be aware of and keep in mind. Reseller and rental sites like eBay, Craigslist and Airbnb present similar opportunities for scams, but these scams are crafted differently since you are often the one initiating the contact with an unverified third party (instead of the other way around).

So weirdness, here’s what happened

Over the course of the afternoon, 5 phishy things happened to three different groups of people I know.

  1. Three people in the same family individually received notices that a PayPal, credit card, and Instagram account were hacked.
  2. A friend got an email that someone signed into their Instagram on a new device.
  3. Another friend stumbled across a Craigslist apartment rental phishing scheme. (The exact one covered in this report. Word for word, save for a change in company name and a different person in nearly identical photos)

This was very coincidental timing, but it’s a good opportunity for an internet safety refresher!

Safety tips & reminders:

I shared these with family and friends after all this weirdness, but will aggregate them here.

1. When in doubt, go to the actual site

If you get an email from PayPal (or your bank or Instagram) about an account issue, go to the PayPal website yourself to check out the notification. Don’t click on any links sent to you. You can hover over links to see where they really go, but even then, it can be easy to miss smaII deta1ls: a digit 1 standing in for a lowercase l, a capital I doing the same, a letter from another alphabet that renders identically, or the real brand name tucked in as a subdomain of a domain someone else owns.

paypa1

So to be safe, go to PayPal using the app, by searching for PayPal (trusting the wisdom of the search engine crowd, but skip the sponsored results at the top, since scammers buy ads on brand names too), or by manually going to https://www.paypal.com.

Better yet, once you are on the PayPal.com that you know is the actual PayPal.com, add it to your favorites and use your own personal trusted bookmark to get back to the real PayPal every time. This way you don’t make a mistake later by mistyping the URL and ending up somewhere you don’t expect. (And yes, I’m purposefully not linking to PayPal from here. Go build that muscle.)

This tip applies to phone calls too! If someone calls claiming to be your bank, hang up and call back using the number printed on your card or on the site you know is real.

Summary: It’s your best bet to search for the site/article/etc or go directly to the url if you have it saved somewhere.
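The “hover and look closely” check can be automated, which also makes clear why eyeballing it is unreliable. The following is an added example, not code from the original post: it pulls the hostname out of a link the way a browser does, decodes punycode (xn--) labels back to Unicode, folds look-alike characters onto the ASCII letter they imitate, and compares the result against a small bookmark-style allowlist. `TRUSTED`, `CONFUSABLES` and the function names are assumptions made for this example; a production check would use the full Unicode confusables data and the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Sites you actually use, as you would keep them in bookmarks.
# Hypothetical list for this example.
TRUSTED = {"paypal.com", "instagram.com"}

# Characters that read like another letter at a glance. Constructed for this
# example; Unicode's real confusables table is far larger. Whether a lowercase
# i should fold onto l depends on the font, so it is left out here.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "1": "l",
    "0": "o",
    "5": "s",
    "3": "e",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
}


def hostname_of(url: str) -> str:
    """Hostname of a URL, with punycode (xn--) labels decoded back to Unicode.

    urlsplit() also defeats the 'user@' trick: in
    https://www.paypal.com@evil.example/ the real host is evil.example.
    """
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, nothing to decode
    return host.lower()


def skeleton(name: str) -> str:
    """Collapse look-alike characters: paypa1.com and p\u0430ypal.com both become paypal.com."""
    s = unicodedata.normalize("NFKC", name).lower()
    # Longest patterns first so 'rn' is folded before single letters are touched.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def registrable(host: str) -> str:
    """Last two labels: the part whoever registered the name actually controls
    (good enough for .com-style names; use the Public Suffix List in production)."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, trusted=TRUSTED) -> str:
    """'trusted' for a bookmarked site, 'lookalike' for a host imitating one,
    'unknown' for anything else."""
    host = hostname_of(url)
    if registrable(host) in trusted:
        return "trusted"
    trusted_skeletons = {skeleton(t) for t in trusted}
    # Walk every pair of adjacent labels. This catches both paypa1.com and a
    # trusted name used as a subdomain of someone else's domain, such as
    # paypal.com.account-verify.example (owned by account-verify.example).
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if skeleton(".".join(labels[i:i + 2])) in trusted_skeletons:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in (
        "https://www.paypal.com/signin",
        "https://www.paypa1.com/login",
        "https://paypal.com.account-verify.example/",
        "https://p\u0430ypal.com/",
        "https://www.paypal.com@evil.example/",
    ):
        print(f"{classify_link(link):9s} {link}")
```

The Cyrillic case is the one a hover tooltip cannot help with: the browser may show the decoded name, which looks exactly like the real one, or the `xn--` form, which looks like nothing at all. Either way the bookmark wins.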

2. Use a password manager

You can visit every site you go to as carefully as possible, but if you reuse passwords, one security breach can cause issues across your accounts.

A password manager creates strong, unique passwords for every one of your accounts and securely keeps track of them all for you. You only need to remember your master password to unlock the account.

Some good options are LastPass, Dashlane, and 1Password.

They can also help you more easily change passwords if one is stolen or part of a data breach. You can check to see if your accounts have been part of a data breach using Have I Been Pwned (just don’t enter your current passwords; its separate Pwned Passwords check is designed so that only the first five characters of a hash of the password leave your browser, but the safe habit is still to never type a live password into a third-party site).

Password managers can be difficult to transition to at first, as you need to manually change passwords one at a time, but if you use a password manager solely to keep track of new accounts, you can quickly start to see the benefit.

Read this exhaustive post to learn more before you set up a password manager. A quote:

Password managers are programs that remember passwords for you, along with the email address or other user identifier you use for each account. They make it easier to use strong passwords: those that are sufficiently random, long, and different for every one of your accounts. They also make it easier to lose all your passwords at once, or for attackers to steal all your passwords in one instant.

Summary: See above quote, but you should probably be using one of these.
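To show why the Pwned Passwords check can be done without handing over the password, here is an added example, not code from the original post or from Have I Been Pwned. It hashes the candidate password locally with SHA-1, sends only the first five hex characters of the hash to the public range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`), and looks for the remaining 35 characters in the reply. The reply embedded below is constructed so the example runs offline: the second suffix is the genuine SHA-1 tail of the string `password`, while the counts and the other suffixes are made up.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Hash locally; only the first five characters of this ever leave the machine."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With the Add-Padding header the service mixes in fake suffixes with a
    count of 0 so the response size does not reveal how many real matches
    there were; those padding entries are dropped here.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_online(prefix: str) -> str:
    """Fetch every known suffix behind a 5-hex-character prefix (about 1 in a million hashes)."""
    req = urllib.request.Request(
        API + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_online) -> int:
    """Number of times the password appears in known breaches; 0 means not found."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the reply to /range/5BAA6 so the example runs offline.
# The second suffix is the real SHA-1 tail of "password"; the counts and the
# other two suffixes are invented, and the 0-count line imitates padding.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1FB3B0DE6E5DBEA2BFE4CBEE9E2EBA9C8D7:0",
    ])
}


def fetch_range_offline(prefix: str) -> str:
    """Offline replacement for fetch_range_online, backed by the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch_range_offline)} times")
```

Swap `fetch_range_offline` for the default `fetch_range_online` to query the real service; the prefix identifies roughly one in a million possible hashes, which is why the lookup reveals so little about the password itself.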

3. Set up two factor authentication (2FA)

After setting up strong passwords, you can go a step further so that even if one of your account credentials is compromised, you are still the one who controls signing into the account.

Two factor authentication satisfies the “something you know, something you have” paradigm for online security (or the first two parts of multi-factor authentication). You know your password and have either a code or USB key or app to verify you are you. If your password is compromised, the second factor of authentication ensures someone with just your password cannot log in. One caveat: a code you type into a convincing fake site can be relayed to the real one just like your password, so a USB security key, which only answers the site it was registered with, holds up against phishing better than SMS or app codes do.

Needing a second factor can cause problems, however, if you (who in reality is you) lose the second factor of authentication. Then you can be locked out just as if you were an attacker, so save the backup codes most services offer when you turn 2FA on, somewhere other than the phone itself.

Also, if multiple people use the same account, two factor authentication can be difficult. With 2FA enabled someone may try to log into an account and the 2FA code can be sent to someone else (which also happened to my family today).

Read this other equally exhaustive post to learn more before you set up 2FA.

Summary: Two factor auth can help keep your accounts secure, but comes with some extra challenges.

4. Keep third party communication within app and website services

This one is related to staying safe when reaching out to others you don’t know online. Talking to strangers! 😱

Whenever possible, keep communication within the app or website service you are using. If buying on eBay, communicate on eBay. If renting on Airbnb, use their chat functionality. Let the site intermediate communication. Don’t share your email or phone number to talk with a third party seller or host outside of the service. Major sites like eBay and Airbnb have measures in place to help you stay safe (and allow you to provide evidence in case of an issue), but only if you leverage their tools.

Be extra cognizant on Craigslist where direct email communication is the standard! I’ll put this Anatomy of a rental phishing scam post here again as a reminder to read it. A quote:

The first red flag was “So we’ll keep our communication to email if that’s ok with you”.

This tip also applies to articles you read or videos you watch. If you aren’t sure of the source, don’t trust, verify 🙃

Summary: There are more signs of a scam than only asking for your bank account and credit card information.

5. Bonus Tip: Use Zoom on your phone or browser

If you use Zoom, you should know that Google banned its employees from using the desktop app, and suggests using mobile or web instead.

Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile

Google’s guidance is to uninstall and block the app completely (maybe because they prefer everyone to use Hangouts 🤷‍♂️). In any case, if you’re interested, here’s how you can uninstall the desktop version on Mac and PC.

A legitimate reason behind allowing mobile and web, but blocking desktop, stems from the fact that mobile and web platforms have security and containment measures in place (app sandboxes and the browser’s own isolation of sites) that limit what sites and apps can reach on your underlying device. Whereas an app installed from the internet runs with all the access your user account has, and an installer that asks for your computer account password gets administrator-level access on top of that.

To continue using Zoom on a desktop, here’s Zoom’s support article on how to join a call using your web browser. The link is a bit hidden (and misleading), but it looks like this:

zoom

Summary: Use your phone to show off your Zoom backgrounds

 

That’s all for now

Stay safe. Wash your hands. Wear a mask. Don’t touch your face or click on links in your email 🧼

Learnings From My First Conference Talk

This past Tuesday I gave my first conference talk at View Source in Amsterdam! It was an awesome experience at an amazing venue in a rainy city where people from all corners of the web came together to discuss many of the challenges, opportunities, and learnings for browsers, web development and the overall landscape of the internet.

I work on creating experiences to help people stay safe and have greater privacy online, so it was enlightening to hear from such a wide range of topics about the web. I’m always impressed by the depth of understanding and passion people have about their subjects of work, and the speakers and attendees at View Source carried an overwhelming amount of inspiration.

Just to name a few, gaming, entertainment, monetization, accessibility, connectivity, and rethinking digital utopianism were all covered. I love hearing about what people are working on. It shows how there is so much to think about and is a humbling reminder that my work is a small piece of a vibrant community.

I was fortunate to attend the conference with a group of us from the Microsoft Edge team. It was a great team bonding experience to get to know others from different parts of the team who I don’t normally work with. While it’s not always possible, I would highly recommend going to conferences with folks from your team. It’s great to have others with a similar frame of reference to talk about new ideas and to be more connected when you get back to work.

My colleague Lillian Kravitz and I spoke about the privacy principles we’ve developed for Edge. Melanie Richards gave a talk about the simple and actionable steps to help make your site accessible to everyone by considering various contrast and theme settings, and others on the team held “conversation corner” discussions about web compatibility and more. The talks were recorded, and I’ll post a link here when it’s available.

A main theme of our privacy talk was listening, learning, and trying to gain a fresh perspective on a topic we thought we were familiar with. I know I am not at all familiar with giving talks on a big stage, but the aspect of learning something new and having a different perspective on presenting my work still felt as fitting to the process of giving the talk as it did to the contents of the talk itself.

I can come back to more about the talk when the recording is posted, but for now, while the experience is still fresh in my mind, I wanted to reflect on the things I learned, what went well, and what I could improve for next time. Because, yes, giving a talk is exhilarating and this one will not be my last.


Preparing

Our talk was second to last on the last day of the conference. It’s tough having a time slot late in the day on a later day of a conference (this post and comments came to mind when I learned of our time). You almost need to leave something small to clean up and keep working on during the conference because if you show up on day 1 ready to go, you’ll have to keep your excitement and preparedness high for quite a while.

It would be great to be at peak preparation the night before the talk, but even then, we ended up waiting 8 hours the day of as our talk was at 5pm and the events started at 9am. At breakfast the morning of, excitement needs to be reserved because adrenaline could give out well before the talk. I likened the situation to an athlete or musician where a game or performance is late at night (worth looking more into how they manage energy). You need your energy and focus to be up at an hour different than your normal operating schedule.

Which leads to another interesting aspect of this conference. Traveling to a different time zone can be debilitating for the first few days. Especially when it’s many hours different than you’re used to (And seemingly more-so when going east around the globe?).

I am not one to take naps normally, but when your schedule is turned upside down, naps can be your friend.

Luckily the hotel was nearby the conference theater, so it was easy to go back to sleep. I was conflicted because I wanted to listen to all the talks, but I knew if I wanted to have the energy for my talk, I’d need to sleep a bit before we were up.

My pre-talk routine (but maybe not a routine because I only did it once) was to check the slides early in the morning before the first talk, listen to the first few talks, go for a nap, head back for lunch, listen to more talks (three hours before ours), regroup for a bit just before getting mic’ed up, then go on stage. Seemed fine. I think the whole process would have been easier in my normal time zone, but this helped manage energy and focus well enough.

The talk

It’s impossible to even scratch the surface of all you need to know going into something you’ve never done before. You have to put yourself out there and figure things out as you go.

There’s a lot of “tribal speaker knowledge” I learned from this first talk. Questions I hadn’t considered asking because they didn’t even come to mind before, and issues I could have mitigated had I known a bit more about the process. All good takeaways though. Makes me want to try again soon to test out my new perspective.

First, I think I was a little too reliant on my slide notes. I wanted to be sure to hit the speaking points we planned, but the talk felt less conversational as a result. The story we were going for lent itself to a more prescriptive presentation style, as we were sharing a process others might be able to apply, but I enjoyed the more casual and friendly sounding style of some other presenters that was more akin to giving a well thought out answer to a question rather than reading a speech.

Awareness of my over reliance on notes cropped up when, under some unforeseen circumstances, a few of my notes got cut off from the presenter screen. Without the expected cue, I stumbled a bit to keep with the flow I’d practiced when leading from an idea on one slide to the next. This was unfortunate because we checked the presenter screens before the talk, I just missed the few slides that had issues.

But when things don’t go according to plan, you’ve got to improvise! You can’t do a dance and walk off stage. You have to keep going!

Second was a simple problem of struggling with the clicker having issues advancing slides. At one point I thought I was ahead of where I was only to realize I missed a slide. (Sorry folks, that one image transition really made the talk 🙃).

After the talk when we went backstage to the “green room” talking about how it went, in an eye opening detail to me, another presenter mentioned that before his talk he asked the AV team where to point the clicker. I hadn’t even considered doing that. I figured the thing would just work (and I really think it just should), but for such a simple, yet crucial piece of presentation consistency, it was important to understand. This was some tribal knowledge that one who had given talks might know from variance of venues and presentation setups, but for me, it had not even crossed my mind.

Overall though, I think we did well. We connected ideas from other talks in the conference about privacy, collaboration, and the future of the web, and presented our customer focus as a way to reframe thinking about developing experiences. We realized there is always more to learn, and listening to feedback to spur continuous improvement was a common theme encompassing our time at the conference.

So yeah, that was the talk. Lots to think about for next time, but mostly minor tweaks to smooth out delivery. It was a great start to what I look forward to as the beginning of many more to come. I definitely have areas to improve, and am anxiously awaiting the recordings to come out to kick myself over all the little things I didn’t get quite right. But I’m not going to harp on the mistakes. I’m going to learn from them to make my next talk even better. Can’t wait.

Touristing

Oh, and I mentioned the talk was in Amsterdam!? How about a quick travel update to round out the trip.

Side note, I think the concept of being a tourist and trying to avoid touristy things is funny. Why try so hard? Just go, enjoy the culture, and have a good time!

Side side note, a couple weeks ago at an organized bike ride in Seattle, which I would consider a very local thing to do, I met a couple who traveled from Missouri (I think it was Missouri, can’t remember exactly) who were visiting specifically to do the bike ride. No idea how they found out about it, but I was amazed at their ability to be local tourists. Pretty cool.

Anyway, I really like Amsterdam. The bikes, canals, frites, stroopwaffles, and tiny red cars all come together into a bustling culture. People are friendly, even if I often misunderstand what’s said under a Dutch accent (a taxi driver asked me how long I had to wait for the ride, and I answered I would be returning to the US. Thought he asked where I was heading… Sorry!).

Amsterdam is the first country outside of USA and Canada I’ve now been to twice, and I would definitely go again. Here are some photos from the rainier and sunnier parts of quickly playing tourist while on a trip for work.

Learning to Row

Well this post has been sitting as a draft since the end of last summer. I started classes again, so now seems like a good time go over notes from last time!

On learning a new skill

It’s almost commonplace in Seattle for people to have read or remembered the story of The Boys in the Boat. The book tells the history of the University of Washington rowing team that competed in the Berlin Olympics in 1936. It captures the feel of the sport through the teamwork, bonds, and drive of those on the UW crew, but also recounts what life was like in Seattle years ago.

Continue reading “Learning to Row”

Flash Seats Usability, Security, and Privacy

The Quora Conundrum

Quora reported a data breach earlier this month and the company outlined the stolen data, what they are doing, and what you can do in an email to those affected:

The following information of yours may have been compromised:

  • Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
  • Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
  • Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)

Continue reading “Flash Seats Usability, Security, and Privacy”

Facebook Privacy Report from The New York Times

As Facebook is upending the journalism industry, the New York Times continues its campaign of exposing Facebook’s questionable data use.

Summary from The Download via the MIT Technology Review

https://www.technologyreview.com/the-download/612642/facebook-gave-more-than-150-companies-special-access-to-your-data/

Continue reading “Facebook Privacy Report from The New York Times”

Google transferred ownership of Duck.com to DuckDuckGo

This made quite the ruffle today when Google transferred the domain duck.com to the privacy focused search engine DuckDuckGo.

Google’s ownership of Duck.com was previously a source of frustration for DuckDuckGo, when it would redirect users to Google’s rival homepage instead of DuckDuckGo. Google kindly tried to clear up this confusion in July by adding a DuckDuckGo link to the page. Visiting Duck.com now redirects users straight to DuckDuckGo.

via The Verge

The best part is the previous page for duck.com

Continue reading “Google transferred ownership of Duck.com to DuckDuckGo”

Location Data Privacy in Apps

The New York Times released a report (with some fancy graphics) detailing location data use by apps for advertising, outside the main purpose of the app. Only 10 apps were covered in depth, but the findings reveal how some advertising companies aggregate location data from apps.

Continue reading “Location Data Privacy in Apps”

What the Marriott Breach Says About Security

Your personal data is already stolen. Here’s what you need to be doing:

via Krebs on Security

 

How Criminals Steal $37 Billion a Year

It is increasingly difficult to trust someone calling from a phone number you don’t recognize. Not only are scammers calling from numbers that seem to be in your area, but they are also impersonating family members in distress.

The dirty little secret about elder exploitation is that almost 60 percent of cases involve a perpetrator who is a family member, according to a 2014 study by Lachs and others, an especially fraught situation where victims are often unwilling, or unable, to seek justice. Such manipulation sometimes involves force or the threat of force

via Bloomberg

This trick has been around for a while, but there are new defenses available to guard against the scam.

On Feb. 5, the Financial Industry Regulatory Authority, an industry body, put into effect “the first uniform, national standards to protect senior investors.” It now requires members to try to obtain a trusted contact’s information so they can discuss account activity. It also permits firms to place temporary holds on disbursements if exploitation is suspected.

Bloomberg

Interesting idea; a two person authentication for account transactions, but it still may be easy to beat the system.

Loewy, who left her job as a prosecutor in 2014 to join EverSafe, a startup that makes software to monitor suspicious account activity, is underwhelmed by the industry projects.

“They may say they’re focused on it, but they aren’t really doing much more than training employees,” she says. “Exploiters know what they’re doing. They take amounts under $10,000 that they know won’t get picked up by fraud and risk folks at banks. And they steal across institutions over time.”

Bloomberg

And remember, if you get a text from a short-code number with 5 or 6 digits, you can look up which company that number is registered to in the Short Code Directory.

Nobody is immune to ads

In his post Nobody is immune to ads, Georges Abi-Heila explores the psychology of how humans react to the barrage of brands and ads we see every day.

There’s no scientific consensus on the number of ads we’re exposed to daily, as estimates vary from a few hundreds to thousands. Why is it so hard to get a reasonable figure? Because it depends on a variety of factors that greatly affect the final result (sorted by level of importance):

What is considered an ad?
Including brand labels and logos can increase 10x the final result.
Think about every time you pass by a brand name in a supermarket, the label on everything you wear, the condiments in your fridge, the cars on the highway…
Where does the subject live?
The denser your living environment, the more ads you’re exposed to as companies fiercely compete for your attention (and, ultimately, your wallet). Visual pollution is one of the drawbacks of living in big city…
What is the subject’s job?
During work hours, a hotel receptionist sees a lot less ads than a truck driver which is less exposed than a social media manager.

Want to see an interesting example? Have an iPhone? Ignore for a moment all the brands you see from the icons on your home screen, this one is more subtle. What does it say in the top left corner? 

https://cdn.vox-cdn.com/thumbor/prj_rjURjKC1ZVVlVmhOuMUrbso=/0x0:2040x1360/1720x0/filters:focal(0x0:2040x1360):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/9276345/jbareham_170916_2000_0088.jpg
The Verge iPhone 8 Review

So every time you pick up your phone you are served an ad for your cell carrier. Why does it exist? Do you frequently forget you are on the AT&T network?

It is worth noting, the notched iPhones no longer show the carrier name, so this redditor has the right idea.

https://cdn.vox-cdn.com/thumbor/PZtyF3VgyktMRvvz5AciV-borm8=/0x0:2040x1360/1920x0/filters:focal(0x0:2040x1360):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/9597629/jbareham_171101_2099_A_0104.jpg
The Verge iPhone X Review

Is it a big change? No. But one less ad in the thousands you see in a day.

As a bonus, check out the streets of Sao Paulo. The city has a law that prohibits outdoor advertising. The story is covered in a post by 99% Invisible.

21 Lessons for the 21st Century

Yuval Noah Harari on the Talks at Google podcast (and in video form)

He’s marketing his new book extremely well and a New York Times interview on the subject garnered attention:

It made him sad, he told me, to see people build things that destroy their own societies, but he works every day to maintain an academic distance and remind himself that humans are just animals. “Part of it is really coming from seeing humans as apes, that this is how they behave,” he said, adding, “They’re chimpanzees. They’re sapiens. This is what they do.”

. . .

“It’s just a rule of thumb in history that if you are so much coddled by the elites it must mean that you don’t want to frighten them,” Mr. Harari said. “They can absorb you. You can become the intellectual entertainment.”

. . .

He told the audience that free will is an illusion, and that human rights are just a story we tell ourselves. Political parties, he said, might not make sense anymore. He went on to argue that the liberal world order has relied on fictions like “the customer is always right” and “follow your heart,” and that these ideas no longer work in the age of artificial intelligence, when hearts can be manipulated at scale

Not the most heartening view of the future.

21 Lessons is also recommended by Bill Gates as one of 5 books he loved in 2018 (to further corroborate Harari’s points)

The trick for putting an end to our anxieties, he suggests, is not to stop worrying. It’s to know which things to worry about, and how much to worry about them. As he writes in his introduction: “What are today’s greatest challenges and most important changes? What should we pay attention to? What should we teach our kids?”

Or maybe we should be a bit more like Newt Scamander

My philosophy is that worrying means you suffer twice.