Sunday, January 15, 2017
Phishing for Friends
This is about how impersonators may try to pass for some of the people you consider friends and acquaintances, and what I suggest one do about it, with little explanation of why they do so. Impersonation on Facebook does not imply "I was hacked" or that it is imperative to change password. It might just mean one or more of your friends is too friendly (and not wary enough) with strangers, that you are too free with information about who your friends are, or both.
I received an invitation to become "Friends" on a popular social network today, once again. I recognized the name, it was that of someone who might conceivably want to become more intimate, since we had friends and experiences in common, but why now? And I have seen enough impersonators of other friends by now to be wary: I always check out the available information on the source of the invitation before replying, now, but have not always done so. It was clearly a new account, with only two friends as yet.
It wasn't long ago that I received a similar invitation, but from someone with whom I was already connected (if one believes the name given). It was easier to check that said person was already in my contacts list, refuse the invitation, report the invitation to "the powers that be," and post a message on the original's stream to warn any other friends; the warning may not be very helpful, who knows who will see it in time (before accepting the impersonator' invitation) but one hopes. And I hope he was not actually the original trying to replace his account (he hasn't responded one way or the other, so I have a slight lingering doubt).
How does this happen? Common reaction is "I've been hacked! Must change password!!" Let's think about it. The new profile, that of the imitator, typically shows cover page and profile portrait pictures, and may not show much else, as if it is the account of someone starting over because they got locked out somehow. The imitator also has a list of people to invite to connect. The pictures are easy, on a network like Facebook they are necessarily public--anybody can see and copy them, knowing whose they are. I presume that the imitator/impersonator gets access to the list of friends of the impersonated, then sends invitations. Many of us leave our friends lists visible to at least some others, for various reasons. The friends list may not be public, that is one of the privacy settings one may tighten; one may even make it completely only-me private. Important (as stated in the sequence of texts on the page cited above)
If you’re friends with someone, you’ll be on their friend list and it’s up to that friend who sees their list.
The impersonation does not require "being hacked" or having an impersonator acquire access to one's account. It only requires an impersonator having access to a list of people to "invite" to connect.
The impersonator might, if the impersonated person keeps the list my-eyes-only or friends-only, use the friends lists of one of the friends of the impersonated (or more friends' lists, particularly if they overlap). So one is a candidate for impersonation if any or several of one's friends share their lists of friends, even if one does not, oneself. And the impersonator is probably, depending on sharing policies, a friend or a friend of a friend, and I am tempted to add "new" to friend unless there is some reason to imagine that they have been dormant and suddenly decided to start impersonating.
Why do they bother? That I find harder to say. What is clear is that with their impersonation account, they will have a view of all information their new "friends" share only with friends, be that photos, timeline posts, contact information, friends list. They will also enter the category of "friends of friends" of all those new friends, and gain access to everything other friends of those new friends share with that category. There is thus a wide range of information they might be seeking, and they might just be trawling to see what they can happen upon, and where they can extend their imposture-based web.
What to do about it as individual users is not a simple question to answer. I suggest three axes: what one shares even only with friends, one's privacy settings for information imposters might exploit, and one's vigilance when one receives invitations.
First, one should recognize the risk of making a mistake and connecting with an imposter. What they see you cannot make them un-see. Same as for friends with whom you later have a quarrel and end your connection. As my grandmother used to say, twirl your tongue in your mouth some number of times before speaking (to give yourself time to recognize something better not said); same goes for sharing, especially since everything you share in digital media is recorded and impossible to deny.
Second, privacy settings for friends list, especially. One can make one's friends list private, and check that all one's friends do, too, and estrange any friends that don't: that will make it much harder for the potential imposter to know who to invite. It may be dissuasive. But one might lose a lot of friends that way, and one might--as one's friends might--have good reason to display one's friends list: to help disambiguate for people who are looking for you (my room-mate from 1975-6 I still haven't found, and his name is much more common than mine so I'm counting on him to find me) and want to be sure they have the right one. One of the things that soured the invitation today was the lack of friends; if the phisher is lucky, that may change, and snowball as people recognize the others who have already "arrived."But had the friends not been visible to me at all, I would have considered that suspicious and would have been at least as wary of the invitation.
What one can and should do is not click on "accept invitation" until one has vetted the source of the invitation. In some cases it is easy because one has communication through other channels (real life, telephone, etc.) or the invitation is apparently redundant (connection already existed). In others it may be harder, and I have failed in at least one instance when I recognized a dozen friends in the new account's list and assumed it was a replacement account (someone was hacked or locked out and began anew) rather than an imposter; I realized too late, and someone may have learned whatever I share with friends and nobody else. When in doubt, hesitate, wonder what you'll lose by waiting, think about who to ask, and then do ask.
Addendum
On Facebook, one can use the "Report" procedure, initiating it on the suspect profile page. It is accessed by clicking on the little "..." button next to"Following", "Message" in the lower right corner of the cover photo area. For yesterday's invitation, I did so, choosing "fake" as my objection. Facebook replied just a few hours later,Thanks for your report - you did the right thing by letting us know about this. After reviewing the profile you reported, we've decided to follow up with the account owner directly. When we think a profile may be fake or pretending to be someone else, we ask them to confirm their identity. If we see something on a profile that goes against the Facebook Community Standards, we remove it.
Tags: :
Sunday, January 08, 2017
Waze and Means
I have used the Waze application (for mobile phones with the Android OS) for a few road trips. I like its "updatedness"--timeliness, its provision of information on incidents and solicitation of revisions from later drivers. I dislike the inefficiency caused by poor mobile phone coverage, and suspect that Waze avoids routing through such areas even if they might provide advantageous itineraries.
I have been using ViaMichelin to prepare driving plans for many years; sometimes I would print out the whole long itinerary, sometimes I would prepare (and print or hand copy) my own distilled version of the key turns and changes of direction. That mostly worked well. However, there were a couple of times their route instructions referred to signs which did not match those we saw (I had trouble navigating one junction with a competent navigator reading the instructions to me), and they tend to use street names for which one has difficulty finding signs, if there are any. Their instructions through Besançon pretty much always leave me lost in the middle of town wondering which way to head out. Once I pulled in to a bakery's parking lot and asked the first person who came by for directions; her first response was "show me your itinerary," presuming I had one (ViaMichelin or Mappy or something else) because, well, one should have a computer-issued itinerary, at that time in the progress of technology. Then one of the last times I tried to get through Besançon with a pre-calculated itinerary, I hailed a couple of young men I supposed competent to answer my question about where next to turn while we were waiting at a traffic light; they suggested we pull over to discuss it, and I accepted. They did not rob me, at knife point or otherwise, they indicated a right way to go, and suggested I buy I GPS navigation aide.
I don't consider a GPS navigation aide worthwhile for the little I travel. But when I was buying a next car, I did not reject one just because it had been equiped with a Garmin GPS navigation aide; nor did I commit to buying the Garmin map updates. For the few automobile trips I make to places I haven't been I can buy paper maps from IGN and others.
I used the Garmin GPS navigator on a trip a few months ago. I was annoyed by its insistance on using theoretically faster roads even if that meant a detour and a toll to pay. I later learned how to set it to avoid toll roads, but not how to accept them for a worthwhile time savings. It did not have real-time traffic information. It was no better than ViaMichelin for traversing a town center like that of Carpentras, which I think took me three loops (twenty minutes or more) to succeed. And then it took me up a mountain to a closed road, then around and down through a tourist-crowded village. I'm inclined to use it for details when close, not for choice of longer distance roads and routes.
The application Waze for "smartphones" equipped with GPS offers an alternative to devices like the Garmin navigator/navigon. It has the advantage of enabling users to annotate current conditions, providing reports of vehicles on the shoulder, dead animals on the road, mobile radar monitors, congestion, and so on. Or, for those who pass later, indicating whether or not the condition is still the case. And not asking for money.
Waze benefits from the interaction with its users, whether that be to monitor their progress and deduce driving conditions, or to provide a set of notifications of distractions and dangers.
Waze has a problem with areas having poor or no mobile phone coverage. It cannot provide information about current conditions if it cannot receive bulletins, which is understandable, but worse, it seemingly cannot track one's progress with GPS-only data, it needs to check back via a phone/data link to get server-side comments and recommendations. When coverage comes and goes, it may not "know" whether one is on the right road, may beep frequently while recommending to get on some road or other--which may be the one one is currently on. {comment from 2015)
To avoid this inconvenience, Waze may well--I would--avoid recommending routes through areas with poor mobile phone coverage, so as to prevent disappointment and frustration of users who expect constant tracking of their progress and next instructions. But then how does one navigate from Pirmasens to Niederbronn or Bitche?
Probably, Waze will transfer more data and software to the phone to navigate seat-of-the-pants and log and take notes and feed back recommendations, decisions, and outcomes later. But that is just a guess. Tags: :
[Draft] Download to Ciphered File -- Tool Not Found
"Cloud storage" --redundant (or not) -- has become popular over the past five
or more years. This provides a certain workstation independence, access
to one's data from any connected device (phone, PC, television set),
continuity if one loses one's phone, tablet, computer. But it also
provides vast collections of information one would like to keep private,
and others might like to copy or take hostage, stored "somewhere" one
has never been. Let's neglect, for now, the "take hostage" aspect,
assuming Google, Microsoft, Box, Dropbox, hubIC, iCloud and others take
sufficient precautions to ensure that user data is backed up and can be
restored after any event of malicious "ransomware" ciphering or similar
attack. How does one make sure (as sure as possible) that what one stores in "the cloud" remains confidential?
Let us acknowledge that breaches of cloud storage providers have also occurred, as these stores have become more attractive to cyber-burglars. For the most part, these breaches have acquired passwords and useful login information; sometimes more, like payment card information and electronic correspondence; sometimes much more (like the OPM breach[FIXME]). Storage in "the cloud" (i.e. someone's Internet-connected computer) is safer if what one stores is ciphered and very hard for others to read; ciphering does not prevent piracy and a degree of theft, but it does improve privacy. So how does one cipher one's files before storing them in "the cloud"?
Some storage providers, such as rsync, encourage and claim to expect clients to cipher their content before sending back-up copies to remote storage; enveloc, I believe, provides the ciphering (AES256?) as part of the transfer-to-storage mechanism for their commercial clients. One can use BitLocker or alternative (non-Windows) systems to have ciphered disks or partitions, but aren't files stored in this way automatically deciphered before transfer to cloud storage? How should one store ciphered files one want to keep ciphered, even during replication, until use?
One's bank statements, for instance: how might one automatically save one's downloaded bank statements (or sextapes, heh heh) to a ciphered, less-vulnerable file? Available locally (to decipher when wanted), to move or replicate to the cloud for safekeeping. The browser typically uses https for the transfer from the bank to one's terminal, which is pretty fine, but then deciphers and saves an ordinary file. One should cipher (encrypt) such files (then remove traces of what was first saved --how?), particularly if one is going to keep back-up replicates of the file in the "cloud". Wouldn't it be nice if the browser fed the downloaded file into a ciphering engine (such as gnupg) or itself re-ciphered with AES or another symmetric key cipher on the way to saving locally? That would be safer, and more convenient for automatic copies to redundant storage.
I have used emacs with GnuPG to edit and to store ciphered files, which works fine for locally-created files almost all of the time--it did hang once during a save of changes I did not want to lose. But this incident notwithstanding, it is the reference for me of pipelining ciphering. I ask emacs to open a .gpg file, it calls GnuPG to prompt me for the pass phrase, it then receives the deciphered file from GnuPG (I suppose) after I enter the pass phrase correctly. And then when I save (changes) it hands the stream off to GnuPG to cipher and record.
What I would like is simply a browser extension to which I could pipeline a downloaded file to cipher with a key I would provide and method I would choose, prior to writing to storage. Like the way emacs will write agpg file using gnupg when called to save a file.
Then I would have files I could easily and confidently back up off-site, and confidently leave on my computer.
Tags: :
Let us acknowledge that breaches of cloud storage providers have also occurred, as these stores have become more attractive to cyber-burglars. For the most part, these breaches have acquired passwords and useful login information; sometimes more, like payment card information and electronic correspondence; sometimes much more (like the OPM breach[FIXME]). Storage in "the cloud" (i.e. someone's Internet-connected computer) is safer if what one stores is ciphered and very hard for others to read; ciphering does not prevent piracy and a degree of theft, but it does improve privacy. So how does one cipher one's files before storing them in "the cloud"?
Some storage providers, such as rsync, encourage and claim to expect clients to cipher their content before sending back-up copies to remote storage; enveloc, I believe, provides the ciphering (AES256?) as part of the transfer-to-storage mechanism for their commercial clients. One can use BitLocker or alternative (non-Windows) systems to have ciphered disks or partitions, but aren't files stored in this way automatically deciphered before transfer to cloud storage? How should one store ciphered files one want to keep ciphered, even during replication, until use?
One's bank statements, for instance: how might one automatically save one's downloaded bank statements (or sextapes, heh heh) to a ciphered, less-vulnerable file? Available locally (to decipher when wanted), to move or replicate to the cloud for safekeeping. The browser typically uses https for the transfer from the bank to one's terminal, which is pretty fine, but then deciphers and saves an ordinary file. One should cipher (encrypt) such files (then remove traces of what was first saved --how?), particularly if one is going to keep back-up replicates of the file in the "cloud". Wouldn't it be nice if the browser fed the downloaded file into a ciphering engine (such as gnupg) or itself re-ciphered with AES or another symmetric key cipher on the way to saving locally? That would be safer, and more convenient for automatic copies to redundant storage.
I have used emacs with GnuPG to edit and to store ciphered files, which works fine for locally-created files almost all of the time--it did hang once during a save of changes I did not want to lose. But this incident notwithstanding, it is the reference for me of pipelining ciphering. I ask emacs to open a .gpg file, it calls GnuPG to prompt me for the pass phrase, it then receives the deciphered file from GnuPG (I suppose) after I enter the pass phrase correctly. And then when I save (changes) it hands the stream off to GnuPG to cipher and record.
What I would like is simply a browser extension to which I could pipeline a downloaded file to cipher with a key I would provide and method I would choose, prior to writing to storage. Like the way emacs will write a
Tags: :