Showing posts with label privacy. Show all posts

Wednesday, August 16, 2017

The deal about passwords

In August 2017, the National Institute of Standards and Technology (NIST) issued new recommendations on passwords that received significant play in the popular press.

The core of the reportage focused on two points:
• Scheduled change of a password should not be enforced.
• Passwords do not need to be complex if they are long.

That means you can use a password like “Now is the time for all good folk to come to the aid of their party.” instead of “Kk*Uw#eAsk”. And you don’t have to change it ever.

But removing strict requirements does not mean you have to stop using them. The good practices you’ve already been following are still good.

Is a memorable phrase still memorable when you have a dozen of them for a dozen different sites? And is it really easier to enter 60 letters and spaces perfectly with your thumbs four or five times a day than 8-12 random characters?

Background

We must remember that NIST writes standards for government agencies. If organizations outside the government find their standards useful (such as the amount of coffee in a pound), they are free to adopt them. But NIST password recommendations apply primarily to large organizations whose users log into a small number of services with unique identities.

In reality, most consumers of this news need passwords primarily in the course of business, research, commerce, or social networking on the internet. In a family there may be some sites (such as mail accounts) where every member has their own identity and others (such as a magazine subscription) where they all share a logon. For an active family, the number of identities could add up to hundreds.

Still the best recommendations

The old security rules still apply:
1. Identify whether a site needs high security or low security.
2. Identify whether a site’s password needs to be memorable or can be looked up in a secured list as needed. There may be other special needs depending on the use.
3. Use a unique password for every site that deserves any security.
4. Every high security password needs high entropy.
5. Humans are very poor at creating good randomization.
6. The best practice is to use a well rated password manager.

The “Technology Interpreted”

The popular press, for the most part, are getting it right … as far as they go.

• Requiring ordinary users to change their password every 180 or 90 – or even 60! – days has always been a boneheaded policy. These may be often-used passwords that the users must remember. In that case, the new password is frequently a derivative of past passwords easily deduced from social engineering.

• Choosing a memorable sentence instead of complexity is merely trading the method to achieve the same level of entropy.

There’s that word again: “entropy.” In the context of stealing a password, the assumption is that the only way to crack a logon is by brute force. This is the measure that is given in the discussion of password haystacks (https://www.grc.com/haystack.htm). That is, try every possible combination of passwords from “a”, “b”, to “z”, and then “aa”, etc.

In fact, a brute force password crack starts with “123456”, “password”, “12345678”, etc. It continues through a dictionary of words, sorted by their frequency of use from previous cracks. As the new guidelines and examples come into use, you can be sure the dictionaries will add combinations of words and common phrases to the list. Soon, “now is the time for all good men to come to the aid of their country” will be in the test right after “monkey”.
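To put numbers on the two kinds of “entropy” above, here is an added example (mine, not part of the original post or of NIST’s guidance). It compares the brute-force entropy of random characters, the entropy of words chosen at random from a vocabulary, and the much smaller entropy of a famous sentence that an attacker already has in a phrase list. The crack-order wordlist is constructed for the example; its entries and positions are illustrative, not measured from real leaks.

```python
import math

# Constructed attacker wordlist, in the order a cracker tries it: the most
# common leaked passwords first, then dictionary words, then well-known phrases.
# (Constructed for this example; positions are illustrative, not measured.)
CRACK_ORDER = [
    "123456",
    "password",
    "12345678",
    "monkey",
    "now is the time for all good men to come to the aid of their country",
]


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def random_passphrase_bits(word_count: int, vocabulary_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random from
    a vocabulary (the Diceware approach). Word length does not matter, only
    how many words and how big the vocabulary is."""
    return word_count * math.log2(vocabulary_size)


def known_phrase_bits(phrase_list_size: int) -> float:
    """A famous sentence is one entry in the attacker's phrase list, so its
    entropy is bounded by the size of that list, not by its character count."""
    return math.log2(phrase_list_size)


def dictionary_position(candidate: str, wordlist=CRACK_ORDER):
    """1-based number of guesses a dictionary attack needs, or None when the
    candidate is not listed and the attacker must fall back to brute force."""
    key = candidate.strip().lower()
    for position, entry in enumerate(wordlist, start=1):
        if entry == key:
            return position
    return None


def effective_guesses(candidate: str, alphabet_size: int = 94) -> float:
    """Worst case for the attacker: a dictionary hit costs a handful of guesses;
    otherwise assume brute force over printable ASCII at the candidate's length."""
    position = dictionary_position(candidate)
    if position is not None:
        return float(position)
    return 2 ** random_password_bits(len(candidate), alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every combination at a given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print(f"10 random printable chars : {random_password_bits(10, 94):.1f} bits")
    print(f"6 Diceware words (7776)   : {random_passphrase_bits(6, 7776):.1f} bits")
    print(f"famous sentence in 1M list: {known_phrase_bits(1_000_000):.1f} bits")
    for pw in ("monkey", CRACK_ORDER[-1], "Kk*Uw#eAsk"):
        print(f"{pw[:24]!r:28} guesses needed: {effective_guesses(pw):.3g}")
```

The point the numbers make: six words rolled at random from a 7,776-word list beat ten random printable characters, while a 70-character quotation that sits in a phrase list is worth a few guesses, no matter how long it is.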

What we really need in passwords

Effective use of a password depends on who’s using it and the effort to enter it. A skilled typist on a full keyboard could enter a 15-word passphrase in 10 seconds. On a phone that same phrase could take excruciating minutes with every character and capitalization another opportunity for error. Worse, in most cases, characters are blacked out so there’s no way to discover and edit errors.

Some logons require a memorable password while others only need to be available for a look up. You want the code to abort the bomb on the tip of your thoughts. But you can trust your video device to remember your streaming account and only reenter the password when the power blinks.

It is critical that every high-value site have a unique, strong password. Ideally, low-value sites should also be unique. The reason not to share passwords is because sites have been known to be sloppy about protecting your password. If a blogging site loses its database and hackers see that John.Doe@doe.com has the password 1qaz2wsx (the #15 most common password for 2015 – where’d that come from?); they might also try those credentials at banks and stores.

Two-factor authentication is a system where you enter a second, one-time credential in addition to or in lieu of a password. The most common form of second factor is for a website to send a code to a previously verified text, email, or voice account. You then enter the code to proceed. If you choose to use two-factor regularly, the least secure method is to receive an SMS message on your phone. The best method is with a time-based system such as Google Authenticator.

Final recommendations

• Short or long, choose a password that is appropriate to what you’re protecting.
• Never reuse a password you’re actively using elsewhere.
• If you hear that a site has been hacked or otherwise think a password has been compromised – change it now.
• Use a well-rated password manager and take advantage of all its features.

There are more notes on this topic. Download the document at:
https://zaitech.com/downloads/TheDealAboutPasswords_notes.pdf

---------

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at https://zaitech.com/satellite/contacts.htm.
(cc) 2017- Bill Barnes

Sunday, August 6, 2017

"Your connection is not secure"

A user asks …
« From time to time I update my notebook, Windows 10, with the usual Windows random updates and some others like Firefox and now I seem to be locked out of accessing most of my favorite sites by Firefox. I can get to them through Internet Explorer and Edge, but I don’t know how to move my favorites file over to either of those two browsers. Anyway, I want to correct my Firefox if I can. I have attached a print screen file to show you what I am getting. »


--- Techy alert – How we know a connection is secure ---
First, some background. More and more websites are available with https secure connections. This is good. At its most basic level it prevents anyone (such as your ISP or the government) between you and the website from seeing what you send out (a search on a touchy topic) or getting back (the newest unreleased tune or TV episode). This is desirable because it protects the privacy of good people as well as bad. It’s even better because when you’re communicating with financial, shopping, medical, legal, and other sites; the enhanced version of https verifies not only that no one can eavesdrop on your conversation, but that the owner of the website is who they claim to be.

Some browsers have announced that they will soon flag any non-https website as potentially risky. They also will scare you if some component, such as a picture, of a truly secure site is not delivered by https. This is a nuisance for many websites, such as my blog, that are not dealing in money matters or confidential information. Fortunately most servers are now able to install basic https with no cost and minimal skill.

When you connect to an https site, you receive a certificate from the site that is validated by a Certificate Authority. If the CA is not built in to your browser from when the browser was installed, you will get a message that the certificate is not recognized. The certificate also has to match specifics to the web page and have appropriate valid dates. For example, if the certificate is issued to website.com and you browsed to www.website.com, it may not be accepted. Similarly, if it expired yesterday, it may be appropriate but not valid.

Certificates also could be counterfeited, giving you confidence in your session while it’s being managed by a Man In The Middle. The MITM would typically involve malicious action starting at the first connection between you and the internet. For example, an ISP, a business, or a bogus “free WiFi” connection could be reading your session while the lock on your screen is for their own certificate. Protect against this potential privacy leakage by checking the certificate fingerprint you get against a known unspoofable fingerprint from GRC at https://www.grc.com/fingerprints.htm.
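The three paragraphs above describe four separate checks a browser makes: is the issuer trusted, does the name match, are the dates valid, and (if you go the extra mile) does the fingerprint match a known one. Here is an added example, not from the original post, that runs those checks over a constructed certificate record. The dict layout, the issuer name “Example Root CA”, and the DER bytes are all made up for the demo; a real browser works from a parsed X.509 certificate and the Public Suffix List, and real matching has more rules than this simplified version.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Stand-in for the browser's built-in trust store (constructed for this example).
TRUSTED_ISSUERS = {"Example Root CA"}

# A fixed "today" so the example is reproducible (constructed).
EXAMPLE_NOW = datetime(2017, 8, 6, tzinfo=timezone.utc)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching: exact match, or a wildcard that covers
    only the leftmost label, so *.website.com matches www.website.com but
    not website.com itself and not a.b.website.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint as browsers display it: SHA-256 over the DER encoding,
    written as colon-separated hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def make_cert(names, issuer="Example Root CA", days_valid=90, now=None,
              der=b"constructed-der-bytes"):
    """Build a constructed certificate record valid from yesterday for
    `days_valid` days (negative means it already expired)."""
    now = now or EXAMPLE_NOW
    return {
        "names": list(names),           # subject alternative names
        "issuer": issuer,
        "not_before": now - timedelta(days=1),
        "not_after": now + timedelta(days=days_valid),
        "der": der,                      # placeholder for the encoded cert
    }


def evaluate_certificate(cert: dict, hostname: str, now: datetime,
                         pinned_fingerprint=None):
    """Return the reasons a browser would refuse this certificate for
    `hostname`; an empty list means it would show the lock."""
    problems = []
    if cert["issuer"] not in TRUSTED_ISSUERS:
        problems.append("issuer not in trust store")
    if not any(hostname_matches(name, hostname) for name in cert["names"]):
        problems.append(f"name mismatch: certificate covers {cert['names']}, browsed to {hostname}")
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if now > cert["not_after"]:
        problems.append("expired")
    # The extra check from the post: compare against a fingerprint obtained
    # out of band. A valid-looking cert with a different fingerprint is the
    # signature of a Man In The Middle presenting its own certificate.
    if pinned_fingerprint is not None and sha256_fingerprint(cert["der"]) != pinned_fingerprint:
        problems.append("fingerprint differs from the known one (possible interception)")
    return problems


if __name__ == "__main__":
    cert = make_cert(["website.com"])
    for host in ("website.com", "www.website.com", "website.cn"):
        print(host, "->", evaluate_certificate(cert, host, EXAMPLE_NOW) or "OK")
    print("expired ->", evaluate_certificate(make_cert(["website.com"], days_valid=-1), "website.com", EXAMPLE_NOW))
    known = sha256_fingerprint(cert["der"])
    impostor = make_cert(["website.com"], der=b"some-other-constructed-bytes")
    print("impostor ->", evaluate_certificate(impostor, "website.com", EXAMPLE_NOW, pinned_fingerprint=known))
```

Note the last case: the impostor certificate passes every built-in check, because whoever runs the “free WiFi” also controls which CA your machine trusts, and only the out-of-band fingerprint comparison catches it.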

--- end Techy Alert – Back to your question ---

Funny thing about that. Welcome to nanny computing. Software from Windows to Notepad to my new car all want to tell you what to do and protect you from skinning your knees. Of course, the first thing they’re going to do is put squirrel guards up so you can’t climb any trees.

I had no problems getting into the website with Firefox 54.0.1 (32-bit) by typing the exact address you had. I also got to their secure (https) homepage by typing website.com in the address bar and hitting Enter. Try starting from that point and working your way to the signin screen. You may need to re-save your bookmark to the screen before signin because for many sites that is not a real web destination, but created on-the-fly for your environment.

By the way, if you click Advanced on the blocked page, you may be able to see why Firefox thinks this site is not good and decide to override their restriction. You want to override only if it shows a trivial error. I consider “trivial” to be something like a recently expired certificate if you trusted it previously or a slightly different domain name such as connecting to www.website.com and the cert is for website.com. Do not trust it if you’re looking for website.com and the cert is for a different extension like website.cn!

You can also double-check the cert fingerprint to protect from a Man In The Middle. Go to https://www.grc.com/fingerprints.htm and enter the exact address between “https://” and the next “/”. Read the details on the page to learn how to find the fingerprint from your session. Sadly Edge does not have an interface to show details of the certificate. Microsoft’s “solution” is to view the cert with Internet Explorer on the same computer. (Opera and Google Chrome use the same certificate store as Edge/IE so, if they say it’s OK, it’s OK in Edge.)

1a) All browsers have some means to export and import bookmarks (favorites), and possibly history and cookies, to and from a file. When you first install them, most browsers will also grab bookmarks directly from another browser in the same session without your needing to export them. Check your browser’s Help pages or your favorite search engine for instructions (always start at the publisher’s site before you go to third-party advisors).

However, most browser settings are user specific. If you’re moving to another computer or a different user on the same computer, you will have to go through the export to file process. Some browsers will sync their settings to other devices – if you’re willing to give a lot of personal information to the publisher.

1b)    While you’re playing with your browsers’ settings, go on and look through the privacy settings. In particular, enable Do Not Track (many browsers leave it off by default), disable third-party cookies, and turn off the option that lets your browser save passwords. Tracking and third-party cookies are just cowardly ways for browsers and websites to make money off you. Browsers have historically had poor control over protecting stored passwords. Instead, opt to use a recommended password manager such as LastPass or PasswordSafe.

Open links:
Fingerprint    https://www.grc.com/fingerprints.htm
Me    https://technologyinterpreter.info
Last Pass    https://s.zaitech.com/SignupForLastPass
PasswordSafe    https://pwsafe.org/

---------

(cc) 2017- Bill Barnes

Tuesday, May 16, 2017

The most basic protections


If you haven’t done so since details about the WannaCry ransomware attack started dominating the news cycle, go right now and verify that all your computers have their current software updates installed. That’s not just the computer you’re sitting at, but the rest of your family’s computers, your office mates’, and especially the 10-year-old computer in the spare room that you use to download pictures off the old video camera.

Start with any updates for your operating system. Microsoft sends updates the second Tuesday of every month and occasionally a special update in between. These automatic updates frequently require an irritating computer reboot that comes just as you’re completing a critical project. Search for “Windows update” from the Windows search bar in or near the Start button to verify you're up-to-date. Do not use web search as those may include ads that may give you malicious results. Always install all important updates and any Microsoft Office, Defender, or Security Essentials updates that apply to you (you don’t need to install language packs or other unusual accessories).

Now check that your other software is up-to-date, starting with your web browsers and document viewers. Many programs include a “check for updates” link under the Help menu. Unfortunately, few notify you or install updates automatically. Some may even want to charge for an update or new version.

If you find that you have Java from Oracle installed, be sure it is up-to-date. If you find Flash or Shockwave from Adobe, uninstall it now. Flash has officially been declared obsolete and will be abandoned by Adobe. Any computer that still has it will be vulnerable far into the future.

Other details

If you leave your computer running all the time the Windows and antimalware updates will usually be installed automatically including automatically rebooting. But still verify the installation monthly.

Although they may not be susceptible to this attack, don’t forget about the computers in your purse or pocket. Apple is pretty reliable at getting the latest software to i-devices as soon as it’s available. Android users aren’t as lucky since updates have to be mediated through Android, the device manufacturer, and then the carrier before they get to you. Apps may get updated frequently or never and can have less-than-desirable actions even when functioning as intended.

Many devices that users don’t think about as “computers” also need frequent updates. If you have a computer professional, they should be aware of the risks posed by equipment such as routers and WiFi. At home you may find that equipment such as DVRs, streaming media, security systems, and personal assistants also pose a risk to your personal information or the internet.

Sunday, October 5, 2014

The slippery slope


I fell into a well. I knew it was there. The field is pockmarked with many wells and I knew they were out there. Some are camouflaged while others have a big sign that says “jump in here!” Some of the shallower ones are actually more dangerous.

The well I landed in is one of the deepest, but, hopefully, one of the less dangerous. Even so, I caught myself near the top and set a bosun’s chair, but it keeps slipping farther down the well.

The well is called an ecosystem and its purpose is to ensure that once you are in one company’s ecosystem, you will consume more and more of their products to the exclusion of their competitors.

In personal computing the first serious ecosystem competition was Apple vs Microsoft. Once you made a commitment to one operating system or the other, your choice of software was pretty much determined with little overlap. With the beginning of broadly available online connectivity the battle was between networks such as AOL and CompuServe which initially couldn’t trade email. Now the competing ecosystems are the likes of Amazon and eBay for merchandise and Facebook and Google for everything else.

Why does business need an ecosystem? It’s branding to the nth degree. When I was growing up, you were either a Chevy or a Ford person. Later it was Coke or Pepsi. Loyalty to a name could ensure prosperity for a company, independent of the quality of the product. Now it’s “do you live on a wall or in a hangout?”

Say you want an e-reader with a mostly broad and reliable supply of books. You download the Kindle apps and register for an account to buy books and synchronize your desktop reader with your phone’s. The next best seller you buy “you can get the Audible version too for $3.” And, “this book was made into a movie – watch it on Prime.” Later you need a toaster for a cousin’s wedding – order from Amazon because you get free shipping. That’s an ecosystem.

The ecosystem I fell into is Google. Beware the credo of the internet that “if you can’t figure out what the website is selling, you are the product.” Google delivers us to its advertisers. More than that, it delivers our profile to its advertisers.

Early in the commercialization of the web online advertising was like magazine advertising. A site might attract sci fi junkies or wine aficionados, but if one person moved from one site to the other there was no way to know it was the same person. Then along came DoubleClick. They realized if everyone had ads from them, they could read their own cookies regardless of who owned the content. Then they would know that I drink wine, watch Dr Who, and also am shopping for a snowmobile. So, I get skiing ads on Wine Spectator and comiccon ads at Eddie Bauer.

Google’s got a pot of money and is looking for synergistic businesses to buy. So they pick up DoubleClick and then YouTube (lots of interest-specific profiling to do there). Hop over to their core product and what takes up the prominent position in any search? Ads. Ads that not only apply to your current search, but also all of your web surfing.

They also created an email service where people spend lots of time and provide a pretty decent online office suite. Of course, to use those personalized services, you have to sign in to their system. For convenience, one sign in gives you access to all these services and leave the “keep me signed in” box checked so you don’t even have to enter your password every time you restart your browser. Now your searches are not just an anonymous cookie, but you with a detailed profile with a name, email address, chronic diseases, and more. Don’t worry, Google’s motto is “Don’t be Evil.”

How do I cope with the ecosystem?


I take the effort to uncheck “keep me signed in” and try to remember to sign out when I’m done. I avoid logging into other sites while logged into high value sites (financial or personal information). I have four browsers and never sign in to any account from two of them. I seek out my browser’s configuration to ensure “do not track” is enabled and third party cookies are disabled. I also set all cookies to be cleared when I close the browser – but that can be a real nuisance sometimes. I use the Firefox plugins Ghostery to alert me who (besides the site I actually went to) is watching what I do and NoScript to ensure those third parties can’t sneak malicious or tracking code onto the pages I’m viewing.

By the way, if you carry a smartphone, you’re permanently in Google’s or Apple’s ecosystem (or Microsoft’s for a couple of you). This is in addition to Verizon’s and AT&T’s ecosystem, or whoever your carrier is, which has been true as long as there have been portable phones. You might also be in Samsung’s or Amazon’s or HTC’s ecosystem if the phone manufacturer chooses to watch over you for more than system upgrades.

If you’ve installed an app from Facebook, Twitter, or a myriad of others; they also could be watching over you even if you’re not actively using the app. And now some retailers and entire malls have technology that can identify the radio signals your phone is constantly putting out to track you from sweaters to socks or from Gap to Banana Republic to Sears Automotive.

The only way to stay out of the well is to stay out of the field. But we know that means living in the 20th century. Why did we so expectantly await the future?


NOTE: Products and companies are named as representative. It is not my intention to imply any one person or company is better or worse than any other.


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(cc) 2014- Bill Barnes

Thursday, August 2, 2012

No phishing


Did that email really come from my bank, or is it just a good imitation? Phishing is a message that purports to come from one source, but actually comes from a bad guy; usually trying to steal your valuable personal information.

Last month we discussed ways to recognize whether an email was probably legitimate. Here is an example of a good email I received from one of my financial institutions.
First of all, notice that I have disabled automatically showing pictures in email I receive (green circle). The critical content of the message is completely contained in text. Pictures can hide links or silently allow the sender to track that you actually opened the email and might be susceptible to more like this. Sloppy phishers may also use pictures wholesale to copy the look of the legitimate mailer rather than recreating the text from scratch.

Secondly, there are only two places (red circles) where they give you the specifics to contact them: one is a phone number and the other an email address. Neither of these contact points asks directly for your personal information.

As a reminder of good practices, the central part of the message advises you to type their website into your browser - no links to hide a bad connection - and log on to your account.

A few other financial institutions use similar good practices to send you critical information. Others - credit cards are notoriously bad - wrap their status updates around a myriad of pictures and links. Some of these links may not even go back to the sender, but to advertisers or other third parties. That type of email may be acceptable for a newsletter, but don't ever log in to your account from a link in a congested email.

Read more: Windows Secrets article on "Whether Windows is safe for banking"


And then, there's a bad email from a financial company:
 

(c) 2012 Bill Barnes

Saturday, July 7, 2012

Should I open this email?


A client asks:
I received an email from someone I don’t recognize. The email had an attachment (document) he wanted me to evaluate. Do I dare open the attachment? Is there any way I can do so and guarantee it is not a virus?

Basically, no. You can’t guarantee it’s benign.

In this sort of circumstance, either as sender or recipient, I try to validate the legitimacy of the contact. In the text of the email I identify myself and the attachment by filename and size. Sometimes I will make non-email contact to alert the recipient or verify the sender. Unless you or the data on your system are particularly high value, it’s unlikely a random attack would take the effort to pass these tests.

If you can’t make this “out of band” contact and still want to open the message or its attachment, there are some unilateral assessments you should make first. Start with the anti-spam / anti-phishing / anti-virus triggers you apply to every subject line, message, and attachment.
In the preview, before you open the email:
•    Are you expecting this?
•    Do the From and To addresses look reasonable? For example, do names look random or made up, are there multiple similar addressees at the same domain, or is your exact address missing from the list? If it makes reference to an account, especially a financial account, and is not directly and exclusively addressed to you; it’s probably a phishing attack.
•    Is the subject line meaningful and relevant?
•    If it refers to an “issue with your account;” does it identify the account or describe the problem?
•    Does the content apply to you? (Immediately trash a notice from BigBank if you don’t do business with them.)
•    Do the grammar, writing style, and content ring true to the request? If it comes from someone you know, do the style and content match what they usually send?
•    Are there excessive links and do they connect to what you expect? Hover your mouse over the link and look at the entire URL. Work back from the first “/” after “http://.” A link of “http://BigBank.com.BadGuys.ru/...” will actually take you to BadGuys’ site. While you’re looking at the links, pay attention to the top level domain (TLD). That is the letters left of the “/” until you hit a period – classically “.com” or “.org.” The “.ru” in the example above refers to Russia; along with China, a common starting point for malware. This is a minor indicator as bad guys can buy a .com and good things can come from unexpected countries such as bit.ly (a useful URL-shrinking service), where the “.ly” stands for Libya. (http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains#Country_code_top-level_domains)
•    Are the attachment’s name and file type what they appear to be? It’s an old trick to name the attachment “CuteKitty.jpg” and then pad the name out with many spaces before giving the actual functional name of “…virus.exe” which falls off the edge of the page.
•    Is it delivered primarily as pictures? Your previewer should be set not to download pictures automatically, but only on your request. Downloading the pictures can deliver malware and return significant tracking information about you. If you can’t comprehend the gist of the message from the text it doesn’t deserve further analysis.
•    Look at the source of the message. In Microsoft Office (retail) Outlook, right-click on the message and choose View Source. This is very geeky and includes a lot of garbage; but, with experience, you may be able to spot something suspicious. Backtracking the internet headers is even more obscure, but can reveal that the sender is not who he appears to be.
•    Did it pass your up-to-date virus and spam checker? Antivirus programs often remove the malware attachments and deliver a message that contains very little text. There’s usually a good reason for it to be labeled spam.
•    Right-click the attachment and save it to a temporary folder on your computer or sacrificial thumb drive. Run an on-demand virus check on it.
•    Be sure all your viewing software is up-to-date. There is often a “check for updates” option under the Help or Tools menu or you can go to the publisher’s website. Especially visit adobe.com, java.com, and microsoft.com at least monthly to check for updates for Adobe Reader, Flash Player (hopefully, you’ve never installed Shockwave Player), Java, and Windows.
•    Open the attachment in less common programs. For example, use foxit (www.foxitsoftware.com) for .PDFs rather than Adobe Reader or send office documents to Google Documents (docs.google.com).
•    Open the attachment on a Linux or Apple computer as malware is often (but not necessarily) Windows-specific. You can get a CD to boot your PC directly into Linux. Everything runs in memory and when you reboot there’s no record (and hopefully, no residual evil) from what you just did.
•    If this were a legitimate email and you trashed it without opening would it really cause any problems?
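Two of the checks in the list above are mechanical enough to automate: working back from the first “/” to find who a link really goes to, and finding the true file type of an attachment whose name has been padded with spaces. Here is an added example (mine, not part of the original post) that does both and returns a triage summary. The URL and filenames are the post’s own examples, constructed here as test input; “registrable domain = last two labels” is a deliberate simplification, since real browsers use the Public Suffix List so that names like bbc.co.uk are handled correctly.

```python
import re
from urllib.parse import urlsplit

# File types that run code when opened (a representative set, not exhaustive).
DANGEROUS_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: the Public Suffix List
    is what browsers really use, so 'bbc.co.uk' would be mis-handled here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(url: str, expected_domain: str) -> dict:
    """Work back from the first '/' after the scheme: the host is everything
    before it, the owner is the registrable domain at its right-hand end,
    and a brand name appearing further left is just a subdomain label."""
    host = urlsplit(url).hostname or ""
    owner = registrable_domain(host)
    tld = host.rsplit(".", 1)[-1].lower() if "." in host else ""
    expected = expected_domain.lower()
    suspicious = owner != expected
    return {
        "host": host,
        "registrable": owner,
        "tld": tld,
        "suspicious": suspicious,
        # The post's example: BigBank.com.BadGuys.ru has the brand on the
        # left but BadGuys.ru on the right, and the right-hand end wins.
        "brand_in_subdomain": suspicious and expected in host.lower(),
    }


def analyze_attachment(name: str) -> dict:
    """Find the real extension of 'CuteKitty.jpg      ...virus.exe' style names:
    the padding pushes the working extension off the edge of the screen."""
    trimmed = name.rstrip()
    true_ext = trimmed.rsplit(".", 1)[-1].lower() if "." in trimmed else ""
    padded = re.search(r"\s{2,}", name) is not None
    apparent = re.split(r"\s{2,}", name)[0]   # what the user sees first
    return {
        "apparent_name": apparent,
        "true_extension": true_ext,
        "padded": padded,
        "dangerous": true_ext in DANGEROUS_EXTENSIONS,
    }


def triage_email(links, attachments, expected_domain: str):
    """Return human-readable warnings for the link and attachment checks."""
    warnings = []
    for url in links:
        result = analyze_link(url, expected_domain)
        if result["suspicious"]:
            detail = " (brand name used as a subdomain)" if result["brand_in_subdomain"] else ""
            warnings.append(f"link goes to {result['registrable']}, not {expected_domain}{detail}")
    for name in attachments:
        result = analyze_attachment(name)
        if result["padded"] or result["dangerous"]:
            warnings.append(f"attachment shown as {result['apparent_name']!r} is really a .{result['true_extension']} file")
    return warnings


if __name__ == "__main__":
    # Constructed sample input taken from the post's own examples.
    links = ["http://BigBank.com.BadGuys.ru/login", "https://www.bigbank.com/help"]
    attachments = ["CuteKitty.jpg" + " " * 120 + "virus.exe", "statement.pdf"]
    for line in triage_email(links, attachments, "bigbank.com"):
        print("WARNING:", line)
```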

Surf - and email - safe!

Read more:
An example of a "good" email from your bank. 


(c) 2011 Bill Barnes

Friday, May 4, 2012

Google … evil?


According to a recent story, federal investigators are revisiting the question of whether Google Street View did anything wrong when they captured individuals’ WiFi data in the process of taking pictures of the view along every inch of the world’s roads and streets.

To refresh, Google drives around in funny looking cars with posts sticking out of the roof. On these posts are cameras looking in every direction taking pictures of what you’d see if you were driving down this street. When you’re looking at Google Maps, click on the little guy above the scale slider. These cars also collected data on all the WiFi routers they could detect from the street. Their mobile GPS service can triangulate off these radio signals to give you a more accurate location, just like your cell phone company can find you from which towers are picking you up. In the process of fingerprinting WiFi signals, they also “inadvertently” recorded the data that was being broadcast.

If they scanned through the petabytes of data they might have collected, would they find anything interesting about you? Probably not. Did they steal your banking password? Definitely not. Was this illegal? In my opinion, not under US law. Is Google evil? That’s a point of opinion.

Technical discussion

How does it work?

A WiFi router can be identified by its name and radio channel. You have to verify this information when you go to a friend’s house so you use his internet and not a neighbor’s. By accurately knowing the car’s location, and monitoring the signal’s strength as it moves, Google can get a good feel for where your router is located. Since in most neighborhoods you can detect signals from several to many routers it’s easy to determine where you are; even if it’s not strong enough to get online.

What did they record?

Allegedly, in the process of collecting identifying details, they also recorded everything that was in the air as they went by. The cars are driving down the public street, not doing anything to intentionally invade anyone’s privacy. What they got was snippets of electronic conversations, just as if you were to cruise through a cocktail party in Tokyo.

Would they find anything interesting about you?

Firstly, you’re only picking up a couple sentences from any one in particular so you may hear them asking for another drink or even just stuttering a couple words – nothing malicious there. Plus, most people are speaking a foreign language – just like most WiFi connections are encrypted with their security password.

Did they steal your banking password?

Even more secure than your protected WiFi signal: not only financial sites, but every reputable site uses SSL (https) at least for password-protected sign-ins. Services like gMail, Twitter, or Facebook also are or can be accessed through secure SSL.

Was this illegal?

For the life of the wireless industry the rule has been that any signal accessible on the public airwaves is fair game. As long as they don’t try to invade your computer or decrypt or make fraudulent use of what they hear, listening in and recording it is not illegal. Think of the decades of big satellite dishes along rural highways just grabbing the networks’ unscrambled feeds or the celebrities whose cordless (not cell) calls got exposed.

Is Google evil?

Maybe, but not for this misdemeanor. I am much more concerned that my ISP might throttle my internet just because I’m a heavy user. Or that Hollywood is trying to get a fishing license to track down and prosecute anyone for a single, possibly illicit, song or video. Or that the NSA is analyzing a yottabyte (1,000 times the entire global internet traffic for a year) in a $2 billion bunker in Utah.

Let’s give Google a pass this time. And take it as a reminder to be sure your WiFi connection is protected with WPA and a good password.



 Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(c) 2011 Bill Barnes - Disclaimer - Home Page - Blogs Home

Sunday, April 8, 2012

Block that cookie - more than you want to know

Please come back soon for more details.





Block that cookie


Note: The tips that follow reference one or all of Firefox, Google Chrome (Chrome), or Microsoft Internet Explorer (IE). Other browsers probably have similar features, but when I say “all,” I’m referring to all of these three. Examples come from recent versions of the browsers: Firefox 11, Chrome 18, and IE 8.

The good news is that you should be able to defeat a lot of the techniques that web sites use to track you. Much internet tracking is based on good old-fashioned web (html) cookies. It’s easy to block cookies. Unfortunately, being followed by cookies is also vital to much of the productivity of the internet. They allow sites to remember who you are as you move from page to page; for example, from Add to cart to Continue shopping and back. They come in two basic flavors: first party and third party. (To find out about first and third parties, read our next post.) First party cookies range from good to OK, but you might think twice about third party ones.

The easiest and most powerful way to protect yourself from tracking is by using a private browsing session (instructions: next post). In this case, nothing about your session stays on your computer when you close the browser. You can’t come back to a search or be automatically logged in at any site. You should always use private browsing on a computer you don’t control.

If that is too aggressive, your browser can control what it does with cookies. With greater or lesser ease (instructions: next post), you can usually tell the browser to block all cookies or only third party cookies. You can also accept cookies but tell your browser to throw them away at the end of the session. This gives you the advantages of using cookies, but websites won’t know about you the next time you go there. Firefox also allows you to choose your action for every cookie you’re given. This gets tedious fast, but it is revealing as to how pervasive cookies are.

Another option is to choose one browser in which you never sign in to a site or fill out a form. Use another browser for your shopping, Gmail, or social networks. Financial transactions ideally should be transacted only in a private session. Although you trust your financial institution, you may be logged in, either temporarily or permanently, to another site which might benignly or maliciously have a small chance of tracking you there.

Unrelated to cookies: if you follow a link to a site, it knows where you came from and, if you came from a search engine, what the search terms were. So if you got here by searching “Block that cookie” on Bing, Blogspot (a Google service) knows that. Although this form of tracking is relatively benign and primarily used by a site to fine tune its own advertising, you can avoid it by not clicking the link but typing the address into another browser instead.

On the other hand, there are ways that your computer may be tracked that don’t rely on html cookies or a specific browser.




Friday, April 6, 2012

Are You Following Me?

Did you read Google’s new privacy policy as of March 1? Nope, neither did I.

The primary piece of news is that Google is now consolidating tracking information from all of their services. This means you have the same login, profile, and preferences for Gmail, Google Apps, YouTube, and more. That’s not scary: since before Google was a college project, AOL and Microsoft, among many other services, have had a single login so your mail and instant messenger shared contact lists.

What is scary is that Google can consolidate your information across sites that you don’t log in to explicitly or sites you don’t realize are part of the Google family. For example, if you read a blog about the Parthenon on Blogspot and search for information on passports, the next time you check your mail you may see ads for Mediterranean cruises.

This is because one web service can track you across multiple websites. Since ads on many websites may come from the same ad server, you can be tracked even if the address you enter is completely unrelated to any other place you’ve been.
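As an added example that is not part of the original post, the following Node.js sketch models two unrelated sites that embed ads from one shared ad server: the ad server links the two visits through its own (third-party) cookie, receives each page’s address as the link-origin information mentioned in the “Block that cookie” post, and loses that link when the browser is set to block third-party cookies. All domain names and page URLs are made up for the example.

```javascript
// Toy model written for this post, not the post's own code; every domain
// and URL below is a constructed placeholder.

// A server that recognises returning visitors by the cookie it set earlier.
function makeServer(domain) {
  let nextId = 1;
  const visits = new Map(); // visitor id -> pages (Referer) it was seen on
  return {
    domain,
    visits,
    handle(cookie, referer) {
      const id = cookie || `${domain}#${nextId++}`; // no cookie: a "new" visitor
      visits.set(id, [...(visits.get(id) || []), referer]);
      return id; // value the server sends back in Set-Cookie
    },
  };
}

// A browser with a cookie jar keyed by the domain that set each cookie.
function makeBrowser(blockThirdParty) {
  return { blockThirdParty, jar: new Map() };
}

// Load a top-level page and the ad it embeds. The ad request carries the page
// URL as Referer, and its cookie is "third party" because the ad server's
// domain is not the domain in the address bar.
function visit(browser, site, pageUrl, adServer) {
  browser.jar.set(site.domain, site.handle(browser.jar.get(site.domain), "(typed in)"));
  if (browser.blockThirdParty) {
    adServer.handle(undefined, pageUrl); // request still goes out, but cookie-less
    return;
  }
  browser.jar.set(adServer.domain, adServer.handle(browser.jar.get(adServer.domain), pageUrl));
}

// Two unrelated sites sharing one ad server; returns what the ad server can
// reconstruct: for each visitor id it handed out, the pages it saw.
function demo(blockThirdParty) {
  const blog = makeServer("blog.example");
  const shop = makeServer("shop.example");
  const ads = makeServer("ads.example");
  const browser = makeBrowser(blockThirdParty);
  visit(browser, blog, "https://blog.example/parthenon", ads);
  visit(browser, shop, "https://shop.example/passports", ads);
  return Object.fromEntries(ads.visits);
}

console.log(demo(false)); // one visitor id holding both pages: the visits are linked
console.log(demo(true));  // two visitor ids with one page each: no link
```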

Many web services pay close attention to where you came from, what you do, and where you go to build a profile of you. The more they know about you, the more valuable you are to advertisers and the more they can charge. (They’re not necessarily identifying you as a person by name and credit card number, but you as a 45-55-year-old male in a large southern city with 2 kids in college and an income over $80,000.)

However, if you’ve been logged in to a site that tracks you – such as Google – then they can tie your information to a real person with a name, address, credit card number, and possibly other details you’ve given them or their partners. They may not use all that information, but it makes your ads – and search results – more focused. (It may also make your search results less diverse. If you have previously selected the Washington Post, you may never again see a result from Fox News.)

I’m not picking on Google exclusively. Google just happens to be the biggest target today. I am less concerned about being tracked by Google than I might be by a lot of other services.


The good news is that you should be able to ameliorate a lot of the techniques to track you that web sites use. Keep reading here:

But if you really want to be scared about tracking, your smartphone itself and many of the apps you’ve installed may be able to track you – not on the web, but in real life. And at the moment, there may be no way to control that tracking while still taking advantage of the reasons you got a smartphone.


