Episode 6 of the Your Secure Life podcast.
In Episode 6 of the Your Secure Life Podcast, Garrett shares privacy and cyber security news from January 2020.
Read the Transcript
Welcome to the Your Secure Life podcast. My name is Garrett. I am your host.
This is episode six which is the first news episode of 2020.
Last news episode was in October, and a lot has happened since then, but I’m going to try to keep this from being a ridiculous length because we have another news episode, part two for January 2020, which will be in two weeks.
Next week we’re going to talk about two factor authentication, which is pretty exciting if I do say so myself, but let’s jump in to this week’s podcast episode right now.
First things first: a big conversation lately is that Windows 10 support has ended. That means if you have Windows 10 you need to update.
You need to not only update, but you need to upgrade. You need to go to… well, obviously, whatever the most recent Windows is, some sort of Windows 10. I don’t know exactly which version is the latest, but you need to upgrade to that. I’m pretty sure it is cheap or free.
I’m not really much of a Windows user, but I know that a lot of you are, and that is okay.
There’s lots of ways you can protect your Windows computer and we will talk about them in future episodes, but right now the main thing is, and I cannot help you… No future episode will help you… If you’re on Windows 7 because Windows 7 is done. That’s it. That’s the end of Windows 7.
If you have Windows XP then you are way behind. Windows XP stopped support years ago, and I know that some places, some businesses are still using Windows XP.
I was in a hotel recently and one of their displays for advertising was one of those big screen TVs on the wall for advertising different things in the hotel.
It had logged out and I was looking at a login screen for Windows XP, and honestly that was a bit surprising.
Maybe it shouldn’t have been, but I would expect a hotel like this, which had a casino in it, to have quite a bit more cybersecurity, at least as far as not having their advertising displays be Windows XP.
But it is what it is.
So if you go to Microsoft.com they have the steps.
They want you to buy a new computer. You might not have to buy a new computer, but I don’t know. It depends on how old your computer is. You definitely want to back up all your files and photos and everything else before you update or upgrade.
Regardless, that is something that you should always be doing. I personally use Backblaze to update everything. It’s $5 a month per computer for unlimited backup. Like you could have terabytes. I have seven terabytes. I do have a Windows computer. I know I said earlier I don’t really use Windows, but I do have a Windows computer; I only use it as my home server.
It runs Windows 10 Business and it is strictly a seven terabyte home server that I use to connect to all my media.
That computer is connected to the internet pretty consistently, but only because I use Backblaze. And like I said, $5 a month for full backups, all seven terabytes. I haven’t used all seven terabytes, but I have seven terabytes of storage and it’s all backed up for five bucks a month.
I am not paid by Backblaze to promote them. They are not a sponsor. I do not accept sponsors on this podcast, but I do have an affiliate link for them so that if you do decide to subscribe to Backblaze’s services, I can get a little bit of a kickback at no extra cost to you.
Considering it’s $5 a month, I want to let you know that the kickback is very small, but every little bit helps to keep this podcast going. So if you’d like to subscribe to Backblaze through this podcast, you can go to YourSecure.Life/backblaze.
Again, they are not a sponsor. They do not directly pay me to talk about them. I am only recommending them because that is what I personally use.
They also allow encrypted backups. They encrypt it themselves, but you can also add your own encryption to it before it goes to them. And of course, I recommend that.
They have a really simple how-to guide on their website, so check that out.
After that you just update and upgrade and you get your stuff and then keep your Windows 10 updated because there are very frequently security flaws being found in Windows computers. And that’s not a slight to Windows, to be honest with you.
If you have a Linux computer and you don’t really know how to take care of a Linux computer, there’s tons of security flaws in those, too.
And I obviously recommend Linux all the time because you can make it more secure than anything else. But of course you kind of have to know what you’re doing.
Next, another big thing in the news is that yet again, Apple is saying no to the FBI and unlocking a shooter’s phone. This happened in California a couple of years ago.
There was a terrorist couple who shot up a workplace and they had information on their iPhone, supposedly, and the FBI went to Apple and said, Hey, we need you to unlock the iPhone. And Apple said, Nope, we can’t. And also we probably wouldn’t, even if we could.
Here we go in another situation, another shooting this time was at a Navy base in Pensacola, Florida.
And Apple is saying, Nope, that is not part of our M.O. That is not what we do.
We do not have back doors. We do not provide weak encryption. It’s just not what we do. Our phones are safe, they are secure, they are private, except of course Apple is mining your data for their own uses.
However, they do not share that data with anybody else, and it’s pretty hard actually to get into an iPhone other than if you can figure out somebody’s passcode or they have a really bad password.
As far as the software goes, it’s pretty difficult to get into an iPhone. That is what I generally recommend, so that’s what I use.
I have a pretty secure iPhone. I have it locked down. There’s lots of extra things you can do to make it more private and more secure. Obviously going to have a podcast about that coming up soon.
So what does this mean? Does this mean that Apple is anti-patriotic? Does it mean that they like terrorists?
No, of course not.
It means that they are dedicated to creating a secure phone.
The problem is that if we open a back door to the FBI we open a back door to anybody.
This is mentioned in episodes two and three of the Your Secure Life podcast where we talk about that, and I’m not going to go into big detail because you can just go back and listen to those episodes, but in a nutshell, basically, think of your device as a castle.
This is your castle. It’s where you live. It’s got all your stuff in it. You put a wall around that castle. Every door to that castle is a new attack vector. And even if a door is a secret, it’s still not as strong as the wall.
Even if it’s a secret, someone can walk around the wall and keep pushing and knocking on the wall until they find that secret door.
Cause guess what? It sounds different because it’s hollow cause it’s not a secure wall.
This is pretty much the same thing that goes on with a back door. If you open a back door to the FBI ideologically, only the FBI is going to have access to that back door. Realistically, that’s not what happens.
What happens is security researchers find the back door. Criminals find the backdoor, criminals start poking the back door.
Eventually they find a flaw in the door. They get in, and now we have two attack vectors for them to get in through: the regular attack vector, that is the front door, and now the FBI’s back door.
So if we allow the FBI to have a backdoor into the phone, basically what we’re doing is allowing anybody a backdoor into the phone. And that’s the main problem.
Also, talking about Apple and iPhones, if you use iCloud to store your photos, Apple is scanning your iCloud for child abuse images.
Generally I support finding and ending child abuse and any sort of sex trafficking, human trafficking, all of those sorts of bad things that are hurting people.
At the same time, Apple scanning my iCloud for child abuse images is kind of concerning because on one hand, I don’t know how accurate their scanning is. Obviously when they’re scanning the iCloud photos for child abuse images, if something comes up as a positive, that doesn’t mean that it necessarily is a child abuse image.
So let’s suppose an image gets flagged and someone has to review it. There’s a couple problems that could happen. One is that they could automatically lock you down just to be safe until someone can review it. If they’re doing that, that’s a big problem because a false positive is going to lock down your account, which could make your Apple device useless for the time being.
Well, if they’re not doing that, if they’re instead checking before they locked down, that means a human is going to have to be double checking. So if it’s a false positive, that means a human is looking at my private photos that are not illegal and I’ve done nothing wrong. And yet a person is looking at those photos.
I don’t know what that person is doing with those photos, after that. In a perfect world, they would obey all of the laws and all ethics and look at the photo, decide what it is or isn’t, delete it and keep it to themselves forever. Forget it even existed. Move on with their lives, move on with my life and nothing happens.
But the reality is that a human is looking at your private photos if one comes up, whether it is a real child abuse image or a false positive. We saw this sort of problem with Tumblr when Yahoo decided to stop allowing all porn images: there were false positives on photographs of deserts, a photograph of the desert, because the skin tone and I guess the curves of the dunes gave a false positive.
There were lots of other false positives, and people’s Tumblrs got locked down and some of their posts got deleted altogether. That’s the problem with this sort of technology. The problem is that the technology is not there yet to handle this stuff, and even when it is, we’re still never going to trust it enough not to have a human double check and confirm that yes, the scanning software is correct, and that’s what I don’t like about this sort of intrusion into my iCloud storage.
Real serious privacy buffs are going to tell you that you shouldn’t be storing anything in iCloud in the first place. I generally do agree with that. I don’t like to store my stuff in iCloud personally, but a lot of people do.
It is very convenient. I do use iCloud for moving things around between my MacBook and my iPad and my iPhone, but other people are using iCloud for everything and I don’t think that’s the worst thing you can do. If I were to recommend a simple solution for non tech savvy people, this is the solution I would recommend.
iCloud is fairly secure if you follow the guidelines that I provide in episodes one and five, which episode one talks about using password managers, and episode five talks about how to come up with a secure and memorable password for your password manager.
Following all of the guidelines that I provided in those episodes will help you have a very secure iCloud.
And next episode, episode seven, we’re going to be talking about two factor authentication. iCloud does support two factor authentication. You can really lock down your iCloud, but the fact is that it’s still on somebody else’s servers and Apple does have some level of access to it. Obviously, if they’re scanning our images.
All right. Moving on. Let’s stick with the same sort of topic, slightly adjacent. Let’s go to apps. Apps are sharing some of your data with the ad industry to help create more specific ads.
This is not iPhone specific. This is just apps in general between your iPhone, your tablets, your Android device, if that’s what you have possibly, even if any of these apps have a desktop app, then you can assume that their desktop app is using it.
Even if they have a website that you can log into and you’re not using any apps, let’s just suppose that’s possible with any of these.
I think ads are poison in general. I think advertising is a toxic industry overall.
I think that there are ways to advertise that are not toxic. I believe that providing value is not toxic if you are benefiting people directly on the things that they already need, that is not toxic, but it is toxic to advertise things that people don’t need for the sake of buying it.
I suppose I should probably create a whole nother podcast about that because that doesn’t have much to do with privacy or security, but the ad industry does have a lot to do with privacy because of this.
Whether your ethics believe in advertising or you think advertising is toxic, maybe you even support custom advertisements because, hey, let’s be honest, we would all rather see ads that are targeted to us than ads that are completely irrelevant to us.
For a while, and I don’t know why this is, but for a while I was getting advertisements on my personal Instagram, which I don’t have anymore, but back when I used Instagram, I was getting advertisements for feminine hygiene products.
These are products that biologically are useless to me because I do not have the biological organs that these hygiene products are meant for.
I was getting these ads for about a month and I was checking Instagram daily and I was getting them every day. It was kind of weird because I don’t know how.
I probably marked my Instagram account as male if that was possible. And I understand the whole gender thing about sexual reproductive organs have nothing to do with gender because gender is a societal thing. I understand all of that. I see why someone could be more to male and still need feminine hygiene products.
I don’t need to be lectured on the difference between biological sex and gender. I know all that. I get it and I don’t disagree at all. I’m totally on board with that.
But I just don’t understand why I was getting those ads when the advertisements were supposed to be targeted. So I’m probably dragging this on longer than it needs to be.
My point is that we’d all prefer to get ads if we’re going to get ads that are relative to the things that we need or care about.
That said, I don’t really want apps sharing certain personal data. The ones that we’re talking about here specifically.
The reason why I bring this up is because of this article that I read on Naked Security, which is by Sophos, which is a fantastic security software company and also an amazing news source. The apps that they’re discussing in this particular article were studied by the Norwegian Consumer Council, and I believe these apps have a little bit more importance for privacy considering their purposes.
So some of these apps were dating apps. These dating apps were Grindr, OkCupid, Tinder, and Happn, which I’m under the impression are all pretty popular.
Two of them were period tracking apps, period as in menstrual, and they are Clue and My Days.
One of them was a virtual makeup app, Perfect 365; I’m not exactly sure what that is. I haven’t checked it out. I don’t wear makeup personally. I think makeup is pretty cool, but I don’t wear it, and as I’ve expressed in previous episodes, especially previous news episodes, I generally do not like any kind of app that is looking at my face because I don’t know what they’re doing with that photo.
One of the apps was a keyboard theme app, which is called Wave. Some people like to install custom keyboards on their devices. That’s cool. I generally don’t for these reasons because guess what? Even keyboard apps, even custom keyboards are getting your data and if I don’t know what they’re doing with it I don’t trust it.
One of them was, and I’m sorry to my Muslim listeners if I’m mispronouncing this, but it’s Qibla Finder. For those who are not Muslim or Muslims who don’t know what this app does, it helps Muslims find which direction they should be facing while praying. Very cool app. A great idea, very disappointed to hear that they are in fact sharing data.
Especially considering it says here that they’re sharing it with ads and they’re sharing it with ad companies specifically.
But considering the way Muslims are treated in many countries these days, if I were Muslim, I would be very concerned about what kind of data is being shared with who, because I don’t want to be targeted by anyone for a hate crime or what we often see: mishandling by the government, especially in TSA, but in other situations as well.
And then perhaps the one that’s most concerning for many of us: My Talking Tom 2, which is a children’s game.
I am particularly against sharing any sort of data that is coming from children and children’s apps.
So what kind of data did the Norwegian Consumer Council find?
They found that these apps were sharing everything from GPS location to some of their personal question answers on the dating websites.
OkCupid specifically has a feature that obviously is very cool in a dating app where you answer questions and it gives you a percentage of people who answered questions the same way as you so that you can find people who have the same values as you.
These aren’t necessarily questions of interests, although some of them probably are, but certain things like how you feel about holidays or how you feel about certain animals to how you feel about animal rights, all that sort of stuff.
Really cool stuff for a dating app to have, but they’re sharing it outside of their app and that’s not cool.
Perfect 365 was found to be sharing the data with a very large number of third parties and had everything from IP addresses to GPS locations. They said that this app was, and this part is a quote, “to collect and share as much user data as possible”. That’s Perfect 365. That’s the app that was just to try on makeup. Ridiculous.
Grindr and other dating apps were found to be including IP addresses, location, age, gender.
This is really bad stuff.
Obviously taking this sort of information for a dating app is a no brainer. I feel that that’s obvious and sharing this with third parties is just unacceptable.
I’m not exactly sure how much money Grindr makes. I’m not sure how much money OkCupid makes. I don’t know how many of them offer subscribing as an option.
I know a while back, I used OkCupid and it had a subscription service where you could sign up. It wasn’t very expensive and you got some extra features, and I enjoyed that and I signed up for it.
I thought it was totally valuable.
This is not an OkCupid commercial, by the way. They’re not a supporter or anything. I’m just sharing my experiences with OkCupid.
And they also had ads for free users and less features, and I think that that is the proper way to do things.
So the bottom line is, not to harp on these specific apps, but to show you that these are popular apps that lots of people use. And that means that your other apps are also probably doing the exact same things. And that’s what we need to be aware of.
In the last news episode, I had mentioned TikTok and not really being sure what’s going on with TikTok, as far as it being a Chinese based app and what information is being shared with the Chinese government.
Again, TikTok has sworn up and down that they have nothing to do with the Chinese government, that the Chinese government has nothing, no access, or anything to their app.
I don’t know if you’ve ever used TikTok; TikTok is addicting.
There is a ton of hilarious stuff on TikTok; I get why people like TikTok, but the U.S. military has banned TikTok because of a warning from the Pentagon that we really don’t know what’s going on.
So any government issued device is now not allowed to use TikTok at all. This only applies to government issued mobile devices.
If you are military personnel and you have a private device, you are still allowed to install TikTok on your private device because it’s your device.
But no military devices, no government devices at all, are allowed to have TikTok.
The exact quote is that “TikTok is a cybersecurity threat. Users are instructed not to install the application on their mobile device. Do not install TikTok on your government furnished mobile device. If you have this application on your device, remove it immediately.”
This to me is the right way to go.
It is a bad idea to be using any sort of app like this on a government device, especially a device that has anything going through it that is top secret or not even top secret.
I mean, just any secret, anything that you wouldn’t just post openly on the internet.
I have been playing around with TikTok myself. I am going to set up a TikTok for this podcast, but it is not set up as of the recording of this episode.
Like I said, TikTok is addicting and it’s fun and it is a great place to share information, which is why this podcast will be on TikTok.
However, this podcast is also completely free and open on the internet. The transcriptions are posted on YourSecure.Life as well as other places.
The podcast is syndicated; it’s all public. It’s all free.
Posting short clips on TikTok is not going to be any sort of breach of security on my part.
That said, I would not have a TikTok showing any of my personal life at all.
I do not recommend that for anybody, not just because that it might be connected to the Chinese government, but because I don’t know what they’re doing with that anyway.
We don’t know, and that is concerning to me.
Let’s talk about my least favorite social media website in the world.
Facebook has recently gone through and deleted 188 groups because of fake reviews as well as other just junk.
So 188 groups, they deleted 24 user accounts and all of this was just junk.
It was mostly spam or fake reviews and just a lot of crap and we don’t need that. And that’s kind of the problem with these websites is that there is a lot of that.
You can’t really tell what is a real review on the internet anymore. Whether that’s on Facebook or Yelp or any other website.
Companies are able to spend a good amount of money buying legit looking fake reviews, and that’s just not great as well as the fact that a lot of bad reviews that you’ll see out there are actually just really bad reviews in themselves.
The review itself is a bad review because it doesn’t give the right information or it’s a completely irrelevant review.
For example, a lot of times on Amazon, you’ll look at a review and someone got a damaged package and they complain about that and they give the item one star or two stars because their package arrived damaged.
That clearly has nothing to do with the item. That has to do with shipping, but they give a review of the item, a bad review, and that is something that you see across the entire spectrum of internet reviews and that’s why you just can’t trust reviews.
But a big problem that we see on Facebook, not just fake reviews, but we see lots of fake discussions on politics that are sharing, not necessarily quote “fake news”, but also sharing misleading news or news that is real, but poorly worded. Or just echo chamber type stuff.
I strongly believe, and I don’t want to get into it real bad, but I strongly believe that we should be introducing ourselves to as many different ideas and beliefs and philosophies and topics as we possibly can as human beings, because that is what keeps life interesting.
That is what keeps us interesting and it is what keeps us smart.
But social media, especially places like Facebook, tend to build these sort of echo chambers, or these very divisive locations for arguments that just makes it very difficult to actually learn anything.
And that’s not even getting into what Facebook is doing with the data that they’re grabbing from all of this.
Facebook knows what your political leanings are if you’ve ever posted anything political. They might even know if you haven’t posted anything political because you were logged into Facebook and went to read political news.
Because of that, they’re using that information to show you specific ads.
That’s stuff we’ve already discussed in this episode, so I’m not going to repeat it.
Let’s move on to the last little bit I want to talk about, because this episode is already getting pretty long.
This one’s for anybody who has their website being hosted on WordPress.
If you ever hear me talking about WordPress, I’m not particularly a big fan. The first YourSecure.Life website was a WordPress.
I have recently moved it to static hosting via Jekyll, and it runs so much faster, but of course is less convenient to update.
There are trade-offs and all of that, but my point is that WordPress is notoriously insecure and easy to hack, and so guess what? It was found that some very popular WordPress plugins have huge password bypass flaws.
These are from the company RevMakX. I don’t know how to pronounce that, but it’s spelled R-E-V-M-A-K-X, all one word.
RevMakX has two of their biggest tools installed on between 300,000 and 500,000 WordPress sites. That’s 300,000 to half a million WordPress sites that could have this security flaw in them right now.
The two apps are Infinite WP Client, which is a tool to help manage multiple WordPress sites from one place.
Extremely useful for WordPress users, especially people who have multiple blogs.
And the other one is WP Time Capsule, which is a backup tool.
Again, something that’s extremely useful for WordPress users. Things that I, myself, would be found to use were I a WordPress user still.
The fact that up to half a million WordPress sites have these installed right now is a pretty big problem.
Luckily there are updates that you can update to fix this. You just need to make sure that you update all of your plugins, keep them updated all of the time.
This is something that is true about WordPress all the time, and I suppose because so many people use WordPress, I should probably do an episode in the future about WordPress security, so I will, but here’s some real quick tips.
You need to minimize the number of plugins you use.
If you’re not using a plugin, you need to remove it. I don’t mean to just set it as not active, but you need to completely remove the plugin from your install entirely because even if it’s sitting inactive, that’s still an attack vector.
For the plugins that you do need, the plugins that you do use, you need to keep them up to date all the time. I generally recommend checking at least once a week, but if you log in more than once a week, you should just update them as you log in and see that they need updating.
The same thing goes with themes. You should not have any themes installed except for what is required to run the theme currently on your WordPress, and you need to keep that theme up to date at all times.
Any plugins or themes that have not had any recent updates for a while mean that they’re not getting any regular attention from their developers, which means that they aren’t getting security fixes.
If that’s the case, you should find alternatives for these themes and these plugins.
My friend has a funny saying that if there’s something you need your WordPress to do, there’s a plugin for it, and there’s probably a free plugin for it.
Free doesn’t necessarily mean it’s the best, but, the main thing is that you want to find plugins and themes that are actively updated by their developers so that you know that all of the security holes are fixed.
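The plugin and theme rules above, as an added example that is not from the podcast: a small Python audit over a constructed WP-CLI-style inventory. It assumes the `status` and `update` values that `wp plugin list` and `wp theme list` print, that a plugin with no release in a year counts as unmaintained, and that the last-release dates were looked up by hand on wordpress.org, since WP-CLI does not report them.

```python
"""Plugin/theme hygiene audit for a WordPress install.

The rows below mirror the fields that `wp plugin list --format=json
--fields=name,status,update` and `wp theme list --format=json
--fields=name,status` print.  WP-CLI does not report when a plugin was
last released, so `last_updated` is assumed to have been copied by hand
from each plugin's wordpress.org page.  All values are constructed samples.
"""
from datetime import date, timedelta

# Assumption: a plugin with no release for a year is treated as unmaintained.
STALE_AFTER = timedelta(days=365)


def audit_plugins(rows, last_updated, today, stale_after=STALE_AFTER):
    """Map each plugin to the action the hygiene rules call for.

    delete  - not active: deactivated code is still on disk and reachable
    update  - active with a pending release
    replace - active but with no release inside `stale_after`
    """
    actions = {"delete": [], "update": [], "replace": []}
    for row in rows:
        name = row["name"]
        if row["status"] != "active":
            actions["delete"].append(name)
            continue
        if row["update"] == "available":
            actions["update"].append(name)
        released = last_updated.get(name)
        if released is None or today - released > stale_after:
            actions["replace"].append(name)
    return actions


def unused_themes(rows):
    """Themes to delete: everything except the active theme and, when the
    active theme is a child theme, its parent (WP-CLI marks it 'parent')."""
    return sorted(r["name"] for r in rows if r["status"] not in ("active", "parent"))


def wp_cli_commands(plugin_actions, theme_names):
    """Render the WP-CLI commands that carry out the audit's decisions."""
    cmds = [f"wp plugin delete {n}" for n in plugin_actions["delete"]]
    cmds += [f"wp plugin update {n}" for n in plugin_actions["update"]]
    cmds += [f"wp theme delete {n}" for n in theme_names]
    return cmds


# Constructed sample inventory (not a real site).
PLUGINS = [
    {"name": "site-backup", "status": "active", "update": "available"},
    {"name": "contact-form", "status": "active", "update": "none"},
    {"name": "old-gallery", "status": "active", "update": "none"},
    {"name": "seo-helper", "status": "inactive", "update": "available"},
]
LAST_UPDATED = {  # constructed; looked up on wordpress.org in practice
    "site-backup": date(2020, 1, 10),
    "contact-form": date(2019, 11, 2),
    "old-gallery": date(2017, 6, 1),
}
THEMES = [
    {"name": "child-theme", "status": "active"},
    {"name": "base-theme", "status": "parent"},
    {"name": "twentynineteen", "status": "inactive"},
]


def run_sample(today=date(2020, 1, 20)):
    """Run the audit over the constructed inventory and return its results."""
    actions = audit_plugins(PLUGINS, LAST_UPDATED, today)
    themes = unused_themes(THEMES)
    return actions, themes, wp_cli_commands(actions, themes)


if __name__ == "__main__":
    actions, themes, cmds = run_sample()
    print(actions)
    print("themes to delete:", themes)
    print("\n".join(cmds))
```

On a real site, feed it the JSON from `wp plugin list` and `wp theme list` and review the rendered commands before running them, since the stale-plugin rule is a judgment call, not a WP-CLI fact.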
That’s all I’ve got for you this episode.
This episode has already run way longer than I like my episodes to be, but I hope that it is extremely useful for you.
I hope that I drove some points home about app use and device use and security and privacy and ads.
You can find the episode, show notes, I’ll link to articles about this stuff and anything else that is pertinent to this episode at YourSecure.Life/6.
That’s the number 6, not the word spelled out, and you can use that same naming convention to find any of the past episodes, episodes 1 through 6 and any future episodes if you’re in the future.
I also want to mention that this podcast, as I’ve said earlier in the episode, has no sponsors. That is on purpose. I don’t want sponsors for a couple of reasons. One, I hate commercials. Two, I don’t want to be beholden to any specific companies. I don’t want some company to sign a contract with me about me advertising them, and then I decide I don’t like that company and I can’t say anything bad about them because I’m locked into an advertising contract.
I want free rein to be able to tell you what is good, what is not, what I recommend, what I don’t recommend, and not worry about any repercussions from advertising contracts that I have signed with some company.
That said, podcasts cost time and money to make.
Doing this research costs time, having access to a lot of the stuff that I use costs money.
If you’re enjoying this podcast, there’s a couple ways you can support it.
One, you can go to YourSecure.Life/guide and you can get the free guide that puts you on our email list, which I do not share, I do not sell, and I do not spam.
The only things that I will send you are emails that are relevant to any very important security stuff that I think needs to go out before I even have time.
If something really important suddenly happens, I send out an email because the next podcast is at most a week away. That’s too long for some important things.
I will send out an email immediately and tell you, Hey, this thing needs fixing.
Aside from that, I will also share future episodes, anything else that I find important and anything that I think is important to your privacy or security as an individual or small business.
Another way that you can support this podcast is by giving it a review.
We are distributed through multiple platforms, especially Apple, Google, and Spotify.
If you use any of those, please go to those particular podcast places and leave a positive review if you’re enjoying the podcast.
If you’re not enjoying the podcast, go ahead and leave a negative review. I want to know what is bad about this podcast. I want to know what I can improve and I want to know what you think.
That said, I would greatly appreciate that if and when I do improve on the things that you don’t like, you go back and change that review to a positive review. If there’s a problem with the podcast and you want to leave a negative review, that’s fine, but if I fix that problem, please, please, please go back and change that negative review so that your review represents your current feelings about the podcast.
For those three platforms, Apple, Google, and Spotify, you can go to YourSecure.Life forward slash ( / ) the name of that platform, Apple, Google, or Spotify, and it’ll take you straight to where that is in their platform, where you can leave reviews.
And so that I quit harping on all the different ways you can support this free podcast, the last and possibly the most important thing you can do is share it with your friends. Anybody that you think can learn from this podcast should be listening to it.
My main goal with this podcast is herd immunity, and the more of us that are private and the more of us that are safe and secure, the safer, secure, and more private, all of us are.
That’s the goal with the podcast.
The podcast is for you to get safe, for me to get safe, for you to get private, for me to get private, for all of us to be safe and private.
So that’s all I got for you.
I look forward to recording next week’s episode and getting that out to you.
I hope you have a great week and I will see you next time.