How to protect yourself against the CIA (or anybody with their files)

By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Droids and Samsung TVs. Assuming you don’t want them to do that, it turns out there are ways to keep them out of your house.

First, the background. WikiLeaks is the infamous source of supposedly secret data managed by a consortium and led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of data supposedly lost by the CIA (and hence floating around the less public areas of the internet). These include programs for hacking Skype, your Wi-Fi router, Apple and Android smartphones, the apps Signal, WhatsApp, Telegram and more — several million lines of code (computer programming). So far crucial bits of the code have been redacted by WikiLeaks to prevent it from being used by those who download the files.

But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.

There’s been some discussion about whether these files are authentic, but the betting in the security community is that they are. Bruce Schneier, whom I consider to be a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now:

What you can do

Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.

Make sure your iPhone is using iOS 10 if it can (any iPhone with a model number of 5 or above and any iPad younger than 2013 can run this OS).

For Android devices (both phones and tablets), any version of the Android OS after version 4.0 should be safe, but older devices such as the Samsung Galaxy S3 won’t run it.

To protect your Wi-Fi router, you are advised to upgrade to the latest firmware. This is rather trickier to do unless you are comfortable logging in to your router, but you can probably get your internet service provider’s help desk to talk you through the task.

Unfortunately it doesn’t seem so easy to lock your Samsung SmartTV down. Of course, you can always unplug it when you’re not watching it[1], although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite online streamed program happens to be.


[1] Just turning the TV off with your remote does not turn it off. It’s still in listening mode and a malicious hacker can also turn on the camera — yes, SmartTVs have cameras. So watch the hanky-panky in front of your TV — someone may be watching.

Pokémon Go—the best thing since sliced bread (or Tinder)

By now you’ve undoubtedly heard about Pokémon Go, the ridiculously popular new phone app based on the Pokémon franchise. In the relatively new development space of augmented reality it blends fantasy characters with the real world. It uses your phone’s GPS and superimposes Pokémon[1] on a map, like this:

[Screenshot: Near CIT]

This is a screenshot taken outside my office, standing next to I-94 at Woodward.

It was released last week and is now more popular than Tinder, and is rapidly catching up with active users of Twitter. Since I’ve only just begun playing I can’t report a great deal about what it does. There are various kinds of critters that you can ‘capture’, and there are ‘gyms’ where you can have fights (the platform-like object in the image above is a gym at the church across the street from the main C&IT building at Woodward and 94), and I’m told there’s one near the Science and Engineering Library. In addition there are ‘Pokespots’ all over campus, including one inside UGL.

Here is an excellent, if a little snarky, introduction to the whole thing.

The social fall-out from Pokémon Go has been quite astonishing. There are stories of folks making friends through the app (which is perhaps why it’s surpassed Tinder 🙂 ), and a few cases of accidents of various types. Apparently, in the space of a week some folks have started playing an NSFW[2] version. There was originally a security issue because the first version of the app was able to access all your Gmail contacts if you had an iPhone, but an update has assigned appropriate security levels.

There is going to be a Pokémon Go event here in the Cultural Center on Friday.

So it really seems to be ‘a thing’, and probably worth learning more about. I haven’t yet had a chance to wander around looking for Pokespots, but probably will. Don’t forget to be very careful if you are walking around holding your phone. There are two dangers:

1. Apple Picking
2. Immovable objects

In the end, have fun. And let me know what you think. Is this the greatest thing since Twitter? Or a flash in the pan?
_____________________________________________________________________

[1]  Since I’m a linguist you’re gonna get some linguistic commentary here too. Like several other words borrowed from Japanese (emoji, for example), purists insist that the plural is unmarked (that is, that you don’t add an ‘s’). This is analogous to those who insist that ‘data’ is plural and that the correct plurals are ‘stadia’, ‘podia’ and ‘octopi’. Or perhaps it’s analogous to the animals that have what we call ‘zero plurals’, like ‘sheep’ or ‘deer’.

[2] ‘Not safe for work’. You can probably figure out why, given that the game uses your phone’s camera, which can take selfies.

Creepy new smartphone surveillance tricks

One of my favorite gadget gossip websites, Engadget, had a post last week from Violet Blue, an internet privacy activist, about a cute new piece of snooping software called SilverPush. (Warning: Violet Blue is an internet privacy activist. But she’s also a porn artist and porn philosopher (!). Also a somewhat radical feminist. Visiting some parts of her own website can be ‘not safe for work’.)

It seems that some phone apps (but it’s not clear which ones) activate your smartphone’s microphone, and listen for signals being sent from your TV or computer. When it hears that signal (it’s not clear whether the signal is inaudible or masked in other noise) it sends a bunch of information about you to the advertiser you are listening to on your TV or computer.

What happens next is that your phone, or another computer you are logged into, or a tablet or whatever, will serve you up ads based on the signal that was sent to your phone. As Ms Blue puts it:

The service it delivers to advertisers is to create a complete and accurate up-to-the-minute profile of what you do, what you watch, which sites you visit, all the devices you use and more.

The result is that your phone is watching you all the time, and making note of which ads you’ve seen so that it can send you more, including being able to text or phone you (one of the pieces of information that it ‘shares’ is your cellphone number).
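To make the mechanism above concrete from the defender’s side, here is an added example (my own, not SilverPush’s code and not anything from the Engadget post) of how you would check a recording of TV audio for a near-ultrasonic carrier. The post doesn’t say what frequency the beacons use, so the 18 kHz carrier, the reference bins and the detection threshold are all assumptions; the ‘TV audio’ is constructed in the script (a 440 Hz programme tone plus a little noise, with an optional low-level carrier mixed in), and the per-frequency power is computed with the standard Goertzel algorithm so that it needs nothing beyond the Python standard library.

```python
import math
import random

SAMPLE_RATE = 44100   # samples per second; assumed CD-quality microphone capture
BEACON_HZ = 18000     # assumed near-ultrasonic carrier; the post does not state the real frequency
# Nearby bins used to estimate the noise floor around the carrier (assumed choice).
REFERENCE_HZ = (16500, 17000, 17500, 17750, 18250, 18500, 19000, 19500)
DETECT_RATIO = 20.0   # beacon bin must carry 20x the surrounding floor (about 13 dB)


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Power of the signal at one frequency, computed with the Goertzel algorithm.

    This equals the squared magnitude of the nearest DFT bin, which is all we need
    when only a handful of frequencies are of interest.
    """
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)   # nearest DFT bin index
    omega = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(omega)
    s_prev, s_prev2 = 0.0, 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def beacon_ratio(samples):
    """Power at the beacon frequency divided by the mean power of the reference bins."""
    beacon = goertzel_power(samples, BEACON_HZ)
    floor = sum(goertzel_power(samples, f) for f in REFERENCE_HZ) / len(REFERENCE_HZ)
    return beacon / max(floor, 1e-12)


def has_beacon(samples):
    """True when the carrier stands well above the near-ultrasonic noise floor."""
    return beacon_ratio(samples) >= DETECT_RATIO


def make_audio(seconds=0.1, beacon_amplitude=0.0, seed=1):
    """Constructed 'TV audio' for the demo: a 440 Hz programme tone, a little
    uniform noise, and an optional low-level tone at BEACON_HZ standing in for
    an advertising beacon. Seeded so the output is reproducible."""
    rng = random.Random(seed)
    n = int(seconds * SAMPLE_RATE)
    out = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t)
        x += beacon_amplitude * math.sin(2 * math.pi * BEACON_HZ * t)
        x += rng.uniform(-0.01, 0.01)
        out.append(x)
    return out


if __name__ == "__main__":
    clean = make_audio()
    tagged = make_audio(beacon_amplitude=0.02)   # carrier at 4% of the programme level
    print(f"clean audio:  ratio={beacon_ratio(clean):.1f}  beacon={has_beacon(clean)}")
    print(f"tagged audio: ratio={beacon_ratio(tagged):.1f}  beacon={has_beacon(tagged)}")
```

The point of comparing the carrier bin against its neighbours, rather than against an absolute level, is that a real room recording has a noise floor that varies with the microphone and the programme material; a tone that is inaudible to you can still be tens of decibels above everything else in that narrow band, which is exactly what makes it easy for an app to pick out and, in turn, easy for you to spot.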

Apparently the Federal Trade Commission was a little creeped out by this too, and told the company to start warning people they were doing this. Apps that use SilverPush apparently include some Samsung apps and Candy Crush. SilverPush claims that no US companies are using its service, but some have questioned that, since the list of companies it contracts with is a secret.

Here’s another, perhaps a little less panicked view. Still, I’d recommend that when you install a new app, and it asks whether you want it to use the microphone, you might want to say ‘no’.

Interestingly, the Nielsen company (the ones who track who’s watching which TV shows) uses a similar technology, but on a much more open and aboveboard basis. They ask their raters to wear a ‘pager’ that also listens to the TV or radio for subsonic tones identifying which program is on. But of course, Nielsen contracts with the people wearing the pager, and pays them to do so.

For more general musing on the state of privacy with respect to the data that companies collect about us, you can watch this rather long, but entertaining talk by Bruce Schneier at a recent Cato Institute Conference on Surveillance.

Tomorrow I’ll post a blog on how to check to see if your smartphone is using your camera or microphone for things you might not know about.

The latest on the Apple-FBI Battle

Last week I noted that the FBI claimed that they were only interested in this one iPhone, and that the claim that they had no intention of using this case as a precedent was clearly not true. This was because they were already using the same request to get into a number of other iPhones.

Yesterday a Federal judge in the New York Eastern District ruled against the FBI in a similar case. The judge ruled that the Government’s expansive use of the ‘All Writs’ Act (passed in the eighteenth century) did not include the ability to force Apple to write new software to break the ‘nine strikes and you’re out’ feature of older iPhones — the feature that prevents multiple tries at guessing passwords.

It’s almost certain that this case will eventually end up before the Supreme Court, as it places the reliable security of our mobile devices in conflict with the government’s desire to search them. The FBI claims that they will be really, really careful with these tools, but the mere fact that they exist means that they will leak. Here’s a somewhat radical comment on that likelihood.

Go here for a comprehensive guide to all the issues.

Tim Cook and the FBI will testify before Congress this afternoon.

The terrorist’s iPhone is probably just a ruse.

Now that it’s getting national play, people have noticed that this isn’t the first time the Government has attempted to get Apple to break their own iPhone security. Months before the San Bernardino attacks they tried a couple of times to get Apple to do the same thing. A judge for the US District Court refused the same order in a case unrelated to national security in October of last year.

So one could conclude that the government’s purpose here is to wrap itself in the flag because it really doesn’t like the idea of security without back doors. If they win this case, of course, the world will continue to write secure software. Since the number of iPhones in the world is nearly 50 million, that’s an enormous market for truly secure smartphones, and if the US government breaks them I’m sure there will be Chinese, Indian or Finnish companies eager to supply truly secure phones we can use for online banking, shopping at Amazon, remote desktop connections and other totally legitimate reasons to have security without back doors floating around waiting to be exploited.

Amazon and Bestbuy are following me, and it’s creeping me out

Yesterday I needed to find a price for a box of inkjet printer cartridges I have but no longer need (the printer broke and I bought a new one that uses different cartridges). I was trying to sell them.
This morning I visited my favorite political blog site, Reason Magazine’s Hit and Run, and guess what showed up on the right-hand side of the page–ads for Canon printers and HP inkjet cartridges. How did Hit and Run know?

Of course, they didn’t. But Amazon and Best Buy purchase ad space on lots of web pages, and my IP address is stored in various cookies, so totally unrelated sites know who I am and their ads target me. And what’s worse, one of those searches was on my iPhone, but the ad showed up on my office desktop.

So remember–if you’re searching for something sensitive, use an anonymized browser page (on Firefox select ‘New Private Window’, ‘New incognito window’ in Chrome, or in Safari a ‘Private Window’–these choices are usually available under the File menu, or at the three horizontal lines icon at the top left). Otherwise you may find ads for pregnancy tests or online tests for symptoms of schizophrenia showing up in your USA Today.

Bruce Schneier, my favorite IT security and privacy guru, has a great column about how our mobile devices are now talking to our laptops and desktops and vice versa–long but worth a read:

Bruce Schneier on the Internet of Things

If this bothers you, or you are just interested in learning more about the relationship between privacy and Big Data, come hear Sol Bermann on January 26.


Thoughts and tips on using Academica

Academica has been the University’s official portal for a few days now, and the Feedback section has been filling up with likes, dislikes and assorted comments. I’ve combed through the comments so far and have a few thoughts I’d like to share.

Appearance

First, there is the notion of a ‘portal’. In contemporary computing terms, a ‘portal’ is a webpage that leads you to facilities that permit you to do stuff. It’s different from an organization’s ‘website’, which is a webpage that allows you to find out stuff. So a portal should be interactive, while a website should be like a reference work (an almanac or a phone book, or even an encyclopedia).

Categorization

So, most of the links that appear in Academica are either interactive (‘see my paystub’, ‘check my grades’, ‘search for a journal article in the Library’) or lead to interactive links (‘Benefits and Deductions’).

Of course, some lead to other portals, such as the link to the IRB in the Office of Research, and a few are there even though they are static, simply because of popular demand (‘Campus Map’, ‘Research Compliance’), but the principal distinction was between ‘doing things’ and ‘finding out stuff’.

Finding stuff

If you want to use Academica as your portal for everything, you can use the search box at the top and select (with the drop-down arrow) to search the WSU Website, where you can find anything that is searchable (parking structure maps, English major requirements, General Counsel’s office) on the wayne.edu domain.

Appearance

A number of folks commented on the visual appearance (some in less than complimentary terms), and seemed to think Pipeline was more visually appealing—an opinion I’d challenge, myself. However, the main reason Academica looks the way it does is that it was designed from the ground up to be easy to use on any device, and particularly to be easy to use with smaller devices, like phones and tablets. It actually detects the size of your display and customizes itself automatically. The reason for this is that increasing numbers of us use mobile devices as our primary means to access the electronic world. A recent study showed that ninety percent of Wayne State students bring smartphones to their classes, and now they can use their phones to check the status of their bursar’s account, or their final grades, and employees can check their paystubs (I just checked mine with my iPhone 5s in three ‘clicks’).

Why did we do this?

Pipeline is at the end of its development cycle–the company that made it is no longer supporting it. That makes it like a car whose spare parts are unavailable. It could keep running, but if it broke suddenly it couldn’t be repaired. C&IT decided it was better to replace it before that happened, and our local app-programming gurus built something for the twenty-first century. In addition to being usable on all devices it is very adaptable. It will not break a sweat if twenty thousand students check their grades all at once. Those who used Pipeline over the years know that it tended to roll over if demand got heavy. Academica is pretty resilient and should not do that.

Help us help you–participate in the ECAR survey

Many WSU faculty (50% of them, to be precise) have been receiving requests to take part in a national survey of faculty attitudes towards technology at the university. The survey is being run by Educause, the national educational IT organization. This is the second year this survey has been run, and last year’s survey produced some interesting results about faculty interests and desires around everything computing-related.

Last year’s results are available in ‘infographic’ format here:

http://net.educause.edu/ir/library/pdf/ers1407/eig1407.pdf

Some relevant findings from last year:

  • Nationally, fewer than fifty percent of faculty are satisfied with IT support for research.
  • Opinions on the use of smartphones in class are mixed, with about half of faculty banning or discouraging them and only a third encouraging or requiring laptops (I myself don’t see how I could ban smartphones, and I’ve taught classes where laptops were required because we were all learning how to use some online tool).
  • Many faculty feel they could be better at using web-based content and online collaboration tools in their courses, but there was less enthusiasm about social media as a teaching tool.

There are two versions of the survey, one that takes about twenty minutes to half an hour, and another that takes only ten minutes. Whichever one you choose, your participation will be greatly appreciated, and will help C&IT plan our investments for the next couple of years.

Look for a reminder and your personalized invitation to join in the survey tomorrow. If you don’t get one, you’ll be asked to participate in a more general survey of IT satisfaction that all other faculty, staff and students will take part in later this semester.

Blackboard is getting more mobile

Blackboard has released the free version of their mobile app. Previously it came with a small charge, but the latest version is free for all WSU faculty, staff and students. It’s available for both major platforms, iOS and Android, in the usual places (iTunes App Store and Google Play Store). Your students can use it to check their grades and assignments, view documents and web links, and create discussion and blog posts. Instructors can also post announcements (handy if you’re snowed in or forgot to mention something in class), create and edit assignments (although not grade them), email their class or create new discussions.

To get it, just go to the relevant store and search for Blackboard Mobile Learn. Once it’s installed, open it and log in using your normal Wayne State credentials (yes, it’s safe–it goes directly to Blackboard).

Some FAQs about what you can do with it are here.