EXTRA CREDIT

MOST IMPORTANT CARDS/PAPERS

Take pictures of your most important cards/papers and keep them both secure and available. What cards/papers? For example:

1. Drivers license
2. Medical insurance cards (in the US at least)
3. Birth Certificate
4. Passport
5. If you own a car, your automobile registration
6. In the US, a Social Security Card
7. For older Americans, a Medicare card
8. For a time, a COVID vaccination card was in this small group
9. For a homeowner, pictures of their home for insurance purposes
10. Maybe credit cards? If for nothing else, to have the phone number to call when the card is lost/stolen
11. etc. etc. etc.

It is important to keep these photos secure because they would easily lead to identity theft if a bad guy got ahold of them. But every coin has two sides, if they are stored in an extremely secure manner, they may be hard to get at in an emergency. One suggestion is to store them in a password manager on your phone and/or on a computer. I would suggest not using that password manager for anything else and not using its master password anywhere else either. These pictures are the key to our personal kingdoms.

Personally, I make one encrypted and password protected file out of all these photos and store that file both in my home and in the cloud using a secure storage provider, one of those listed on the Secure File Storage page.

Still another tactic, for anyone with an all-in-one printer/scanner/whatever, is to simply make copies of these important cards/papers. Where to store the copies is a matter of opinion, but certainly keep them somewhere other than where the originals are kept.

ASSORTED STUFF

• Web Browsing: Maybe install the Google Analytics opt-out browser add-on. This a browser extension for Chrome, Safari, Firefox and Edge. It lets you prevent your data from being used by Google Analytics.
• October 3, 2023: How to Take Back Control of Online Data With Apps Like Consumer Reports' Permission Slip by Kaveh Waddell of Consumer Reports. State laws passed in recent years give consumers the right to tell companies to stop selling their data to others, or telling them to delete it altogether. It takes a while to make each request, though, and hunting down all the different places your information lives would be an unending battle. Permission Slip is a free app, available on iOS and Android that provides information on how more than 100 companies use your personal information, and lets you request that they stop selling it, or that they delete it. FAQ.
• If you are going to buy an external hard drive with a mechanical 3.5 hard disk, don't. This from the October 5, 2023 episode of the 2.5 Admins podcast where Jim Salter recommended buying the hard disk on its own and putting it in a case/caddy/enclosure that you also buy on your own. He claimed that mechanical 3.5 inch hard disks used in external hard drives are of lower quality than those sold on their own.
• September 3, 2023: How to Use Proton Sentinel to Keep Your Accounts Safe by David Nield for Wired. Proton describes their Sentinel feature as offering more protection than most people will need. It is aimed at people that need the most security such as journalists, government officials, high-profile public figures, anyone who deals with sensitive data or anyone who might be a target for cyberattacks for whatever reason. It requires a paid account, the cheapest of which is the $10/month Unlimited account. It is also available on the $11/month Business account and the $20/month Family account. More from Proton: The Proton Sentinel high-security program (Aug 16, 2023).
• Be very wary of files sent to you that you did not ask for. This applies on both desktop and mobile Operating Systems. Sometimes, just downloading them is enough to get infected with malware. Open these files on a Chromebook running in Guest Mode.
• Do not trust the Geek Squad (which operates out of Best Buy). In June 2023 they sent someone to the home of someone I know to install a new all-in-1 HP printer. Then they called me. The printer was not USB connected to the PC, not Ethernet connected to the router and not on the WiFi network. Malpractice. And, the guy did not leave any cables behind. The Geek Squad said the Windows 10 computer was too old for the printer. This is a lie. All the Geek Squad person did was install HP software on an iPhone for someone who only uses Windows 10.
• Kaspersky has an Online Privacy Checker that is not that. It is a static list of configuration suggestions for Instagram, Facebook, WhatsApp, TikTok, Twitter, Youtube, Google, Skype, LinkedIn, VK, Windows, macOS, iOS, Android, Edge, Firefox and Chrome. Each product has three levels of privacy options. The site is very slow and amateurish. There are no last update dates and it does not say which version(s) of the software it is targeting. Also, the navigation is confusing. The site copyright is 2021, so it may have already been abandoned. Not that it can't be useful. Here are some examples:
  1. Firefox on Windows Medium Privacy
  2. Facebook on Android High Privacy
  3. Android High Privacy
• The website JustGetMyData is a directory of links for you to obtain your data from assorted services. It rates each company as to whether the process is easy,medium or hard. Easy: Google, Facebook, Apple, Tinder. Hard: Zoom, Microsoft, Adobe, Craigslist. A companion website, JustDeleteMe offers links to delete your account from assorted services. More: This Simple Tool Will Help You See What Websites Know About You by Matthew Gault of Vice (Jan. 2021). Michael Bazzell has a Data Removal Guide for removing your personal information from data broker and credit reporting services (Last updated April 2022).
• Don't take computing advice from the mainstream media. Many reporters that cover technology are Art History majors that do not understand the stuff they write about. Thus, they often make bad Defensive Computing suggestions. For example, have you ever seen an article suggest using a Chromebook in Guest Mode when accessing sensitive/financial websites? I have not.
• Mobile Device Best Practices from the National Security Agency. October 2020. A two page PDF. Some of it is just a round-up the usual suspects. But also: disable Location, Bluetooth and Wi-Fi when not using them. Power cycle the phone weekly.
• Thinking about selling your Echo Dot - or any IoT device? Read this first by Dan Goodin of Ars Technica (July 2021). Wiping your data from any IoT device before getting rid of it can be hard.
• The more you know about DNS the better. My Router Security website has both a short and long explanation along with a list of websites that show your currently used DNS servers. Get in the habit of checking the active DNS servers, especially when traveling.
• Before you use a new USB flash drive, plug it into a Chromebook running in Guest mode and format it from there. In the same vein, If you don't know where a flash drive came from, the only computer you should plug it into is a Chromebook running in Guest mode. Malicious USB flash drives are a common tactic for infecting the computers of people who have not read this website. Running Linux off a bootable CD/DVD disc is also a safe environment. However, a USB flash drive can also destroy a computer. The usbkill.com drive overloads the circuits, converting a computer into a paper weight. So, a low end Chromebook is probably best. More on the USB Flash Drive page.
  
  Also, there is a Malicious Cable Detector by O.MG that claims to detect all types of malicious USB cables. As of August 2023, it sold for $40.
• There is a chance that the camera on a computing device could be activated without your being aware of it. The defense is old school: cover the camera lens with something opaque (band-aid, tape). Try to avoid adhesive directly over the lens.
• Speaking of laptop computers, they have microphones that are typically impossible to mute. This article: Why your laptop's always-listening microphone should be as easy to block as your webcam (June 2019) mentions some models that can disable the microphone. My T series Thinkpad can. Laptops from Framework have hardware off-switches for both the microphone and webcam. They are also extremely repairable (Sept 2021). The $200 PineBook Pro Linux laptop can also mute the mic. On macOS, you can install OverSight to be warned both when the mic is activated and when something accesses the webcam. Or, you can buy the Mic-Lock microphone blocker for $7 (as of Feb 2020). It plugs into the 3.5mm microphone/headphone port on a laptop, phone, or tablet and tricks the device into thinking that a microphone is connected. For more on this, see the Dec 13, 2019 episode of the Privacy, Security and OSINT podcast, Camera & Microphone Blocking. In Windows 10, turn off the mic at: Settings -> Privacy -> Microphone. In macOS turn it off at: System Preferences -> Security & Privacy -> Privacy -> Microphone.
• Scam Alerts from the FTC
• Defensive search engine: This article describes a search engine trick pulled off by special interest groups. They scam people by abusing the data void for newly invented keywords. See The far right is dominating the information wars through keyword signaling by Corey Doctorow October 2019
• Whenever you are offered the choice to Login With Google or Login With Facebook, don't do it. iOS 13 will introduce a new competing system: Login with Apple. As of July 2019, it is too soon to form an opinion on it, but it will let Apple read your email, something they could not do without it.
• A very sneaky trick that some websites pull is making third party cookies look like first party cookies. Everyone allows first party cookies so this lets you be tracked. The website trackingthetrackers.com tests for this and reports on it. Great service.
• The Princeton IoT Inspector software only runs on macOS High Sierra and Mojave (not Catalina as of Feb 2020). It lets you spy on the IoT devices that normally spy on you.
• At dehashed.com you can search for your physical address, email address, userid and/or phone number to see if they have been leaked in a data breach.
• Why You Need to Make a 'When I Die' File - Before It's Too Late (August 2019). The article is about much more than computers, but serves as a reminder to plan, somehow, for the right people to obtain all your passwords when you are no longer around.
• Can you tell if a website is legit?

  IS FTCCOMPLAINTASSISTANT.GOV LEGIT?

  I read an article that said victims of Identity Theft should go to ftccomplaintassistant.gov and I wondered if that site was legitimate. That is, is it really from the Federal Trade Commission, a division of the US Government? We have already seen that just having "FTC" in the name means nothing. The FTC has their own website at ftc.gov, so why the need for another domain name? Instead of a new domain, they could (read should) have used complaintassistant.ftc.gov or ftc.gov/complaintassistant. Both leave no doubt that they are from the FTC.
  
  On thing pointing to its being a scam is that the home page of ftc.gov has a link to identitytheft.gov for reporting identity theft. There is no link on the FTC home page to ftccomplaintassistant.gov. And, identitytheft.gov has its own assistant (identitytheft.gov/Assistant) which does not link to ftccomplaintassistant.gov.

  Looking at the ftccomplaintassistant.gov site, the first thing to notice is that it does not have the extra identity assurance. If it is legit, that would be pretty ironic, eh? In techie terms the site is Domain Validated (DV) rather than having Extended Validation (EV).

  All domains have to be registered and whoever pays for the registration can chose to make their identity public, or not. Looking up this information is called a Whois search and every company that registers domains offers a Whois search. However, this turned out to be a dead end. I could find no Whois information for any .gov websites.

  A couple things point to the site being legit. There is a page on ftc.gov with consumer information about Identity Theft and it has a link to "File a Consumer Complaint" that goes to ftccomplaintassistant.gov. And, while the home page of identitytheft.gov has no links to ftccomplaintassistant.gov, an examination of the underlying html (i.e. page source) showed that pulls in a script from chat.ftccomplaintassistant.gov.

  So, is it legit? I would have to call the FTC on the phone and ask them.

  On a related note, ftccomplaintassistant.com is definitely bad news. That was an easy call.

JUICE JACKING

USB cables normally carry both data and electricity. Data can be a problem, as it is an avenue through which a device can be attacked. The attack is called Juice Jacking (maybe Juice-Jacking) and the potential danger was first raised back in 2011. There are multiple defenses (see below) but the most commonly suggested defense is a USB cable that only does power. These cables go by multiple names: Power-Only cables, Charge-Only cables, USB Data Blockers or a USB condom.

1. This excellent article USB Data Blocker Teardown (Aug 2020) explains three different types of USB data blockers.
2. For an intro see How to Protect Yourself From Public USB Charging Ports by Chris Hoffman for How To Geek. August 2018.
3. Protect your data with a USB condom by Adrian Kingsley-Hughes for ZDNet. April 11, 2023. With two different popular types of USB ports, you may need multiple USB condoms: There are: USB-A-to-USB-A, USB-A-to-USB-C, and USB-C-to-USB-C.
4. Adafruit makes the PortaPow USB condom
5. SyncStop also sells USB cables/adapters that only do power.

There are a number of other defenses too:

1. Obvious: Rather using a public USB cable, plug into an electric outlet with your own cable and adapter
2. Obvious: Use your own portable charger/battery
3. Get a charge in your car, if possible
4. If you are desperate, Brian Krebs suggests that a phone is much safer if its powered off. This from his April 14, 2023 article: Why is 'Juice Jacking' Suddenly Back in the News?

The Krebs article was one a number of articles in April 2023 that asked just how likely such an attack is. It was probably the best. Another was: Actually, Charging Your Phone in a Public USB Port Is Fine by Heather Tal Murphy for Slate. April 13, 2023. Despite the click bait headline, the article does recommend using a USB condom. It is mostly a takedown of how the tech press works. It says there are no known instances of a phone being hacked due to plugging into a public USB port. Still, this assumes that installing malware on a phone is the only danger and ignores the issue of files that might be visible over the data connection - files that can be copied and thus leave no trace on the phone. The article also says that new Android and iPhones ask whether you want to share data or charge only when they plug into a USB port that is set up to capture data. Of course, a victim can answer the question wrong. And, the articles does not not define "new" so its not clear when this feature was added.