security

Deathswitch Link

It’s morbid, but what the hell. If you have some downtime during the holidays, it’s worth thinking about how your family will access your digital legacy. For the most part, I’ll guess my family don’t really want or need my legacy. But they sure as hell need the logins and passwords for our financial accounts. I put all of mine in my safe on a USB drive. There was a podcast, long ago, that talked about this kind of thing.

Verizon Tracking Mobile Web Use (Still)

This came out a while ago, but thanks to SwiftOnSecurity retweeting it, I’m linking to it today. From Adage: “He noted that Precision might tap its vast subscriber base directly for first-party targeting in the future. ‘There’s a lot you can do there,’ he said, before adding a disclaimer: ‘We haven’t commercially deployed any product.’” That sounds like something that only benefits one side of the business arrangement: the business.

Spotlight Security in Yosemite Link

From The Register: Spotlight phones home in OS X Yosemite, version 10.10, and it is enabled by default: it can be switched off, but with Apple insisting that it now takes people’s privacy seriously, the software has raised some eyebrows. Count my eyebrows as being raised too. It should be off by default and opt-in only. The problem with these decisions is that they increase my suspicions of all activities.

A Couple Bash Patches

Apple’s bash patches for major OS X versions. Direct link for Mavericks. Synology has a patch too, but it should be available through the automatic updates.
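The Apple and Synology patches linked above are the vendor fixes for the bash environment-variable function-import bug disclosed in September 2014 (Shellshock, CVE-2014-6271). The post does not name it; that identification, and the check below, are mine and not the author’s. It is the widely circulated probe wrapped in a function so it can be run against any bash binary (the path is optional and defaults to whatever `bash` is on `PATH`):

```sh
#!/bin/sh
# Added check, not from the post. Probes whether the given bash (default: the
# one on PATH) still imports shell functions from environment variables and
# executes the text after the function body (CVE-2014-6271 behaviour).
# Returns 0 when bash ignores the payload, 1 when it runs it.
shellshock_check() {
  bash_bin="${1:-bash}"
  # The variable looks like an exported function definition. A vulnerable bash
  # keeps parsing past the closing brace and runs the echo during startup,
  # before the -c command ever executes.
  out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *VULNERABLE*) return 1 ;;
    *)            return 0 ;;
  esac
}

# Human-readable report; the function above is what scripts should use.
if shellshock_check; then
  echo "bash did not execute the environment-variable payload (patched for CVE-2014-6271)"
else
  echo "bash executed the payload: unpatched, apply the vendor update"
fi
bash --version | head -n 1
```

A pass on this one probe only covers the original bug; the first round of patches was followed by further CVEs against the same parser, so also compare the reported version against the vendor’s advisory rather than trusting a single negative result.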

More on iOS Keyboards

Continuing my tin-foil hat dance, I’ve read plenty of opinions about the new iOS 8 keyboards. Most of it has not been educational. There’s a particularly thorough evaluation of third-party iOS keyboards at Markn.ca: “If a custom keyboard does not require the elevated privilege of ‘Allow Full Trust’ you can use it with a high degree of confidence that your keystroke and other personal data is safe.” At this point, I’d only be willing to use one keyboard that required full access.

iOS 8’s New Key Logger

I was pretty excited to see the new options for keyboard extensions in iOS 8. My excitement rapidly evaporated when I saw this notification while enabling a new keyboard. So, I dug into the developer documentation for keyboard extensions to see what could possibly go wrong. I don’t like it. This is what I found (quoted from the documentation):

- All capabilities of a nonnetworked custom keyboard
- Keyboard can access Location Services and Address Book, with user permission
- Keyboard and containing app can employ a shared container
- Keyboard can send keystrokes and other input events for server-side processing
- Containing app can provide editing interface for keyboard’s custom autocorrect lexicon
- Via containing app, keyboard can employ iCloud to ensure settings and autocorrect lexicon are up to date on all devices
- Via containing app, keyboard can participate in Game Center and In-App Purchase
- If keyboard supports mobile device management (MDM), it can work with managed apps

My interpretation of the documentation is that a keyboard extension can enable network access if it is for the purpose of improving the application.

Disconnect.me to Cut Down Tracking and Improve Performance

Disconnect.me provides several privacy-enhancing plugins for web browsers. The intent is less about ad blocking and more about cutting down on tracking. What I like about it is that it actually speeds up many crap-ware-laden sites. Here’s an example using the Verge site, which is one of the worst offenders I’ve seen. Disconnect.me reports that, by blocking known tracking requests, the page loads 40% faster. It was noticeable.

Hacking iCloud Backups Link

From Christina Warren: For just $200, and a little bit of luck, I was able to successfully crack my own iCloud password and use EPPB to download my entire iCloud backup from my iPhone. For $400, I could have successfully pulled in my iCloud data without a password and with less than 60 seconds of access to a Mac or Windows computer where I was logged into iCloud. These kinds of hacks don’t concern me all that much.

Home Depot Breach Link

From Brian Krebs: “Here’s the kicker: A comparison of the ZIP code data between the unique ZIPs represented on Rescator’s site, and those of the Home Depot stores shows a staggering 99.4 percent overlap.” Brian Krebs is incredibly smart and also fairly reserved with his FUD. I believe him, and it probably means another massive release of credit card data. This is only going to get worse until companies suffer such staggering losses that security becomes as important as developing a new logo.
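The comparison Krebs describes is a set intersection: dedupe the ZIPs attached to the cards on the fraud site, dedupe the retailer’s store ZIPs, and see what fraction of the former appear in the latter. Below is an added example of that calculation, written here and not taken from Krebs or the post; the ZIP lists are constructed sample data, not anything from the actual dump or the actual store list.

```sh
#!/bin/sh
# Added example, not from Krebs or the post. Inputs are two files with one
# ZIP per line. Prints "matched/unique = pct%", where unique is the number
# of distinct ZIPs in the dump and matched is how many of those also appear
# in the store list.
zip_overlap() {
  dump_sorted=$(mktemp) || return 1
  store_sorted=$(mktemp) || return 1
  # Dedupe both sides first: the fraud site lists one ZIP per card, so a busy
  # store's ZIP repeats thousands of times and would distort a raw count.
  sort -u "$1" > "$dump_sorted"
  sort -u "$2" > "$store_sorted"
  unique=$(wc -l < "$dump_sorted" | tr -d ' ')
  # comm -12 keeps only lines present in both (already sorted) files.
  matched=$(comm -12 "$dump_sorted" "$store_sorted" | wc -l | tr -d ' ')
  rm -f "$dump_sorted" "$store_sorted"
  awk -v m="$matched" -v u="$unique" \
      'BEGIN { printf "%d/%d = %.1f%%\n", m, u, (u ? 100 * m / u : 0) }'
}

# Constructed data: ZIPs attached to cards in a hypothetical dump (with the
# repeats a real dump would have) and the ZIPs of a hypothetical store list.
demo_overlap() {
  dump=$(mktemp); stores=$(mktemp)
  printf '%s\n' 30301 30301 30339 33101 60601 60601 75201 98101 10001 > "$dump"
  printf '%s\n' 30301 30339 33101 60601 75201 98101 02101 > "$stores"
  zip_overlap "$dump" "$stores"
  rm -f "$dump" "$stores"
}

demo_overlap
```

On the sample data seven distinct dump ZIPs are left after deduplication and six of them are store ZIPs, so the script reports 6/7 = 85.7%. The control a practitioner would want before drawing Krebs’s conclusion is to run the same function with a random sample of all U.S. ZIPs in place of the dump, which shows how much overlap chance alone produces against a retailer with roughly two thousand stores.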

Namecheap Hacked Link

From CSO Online: “Hosting provider Namecheap said Monday hackers compromised some of its users' accounts, likely using a recently disclosed list of 1.2 billion usernames and passwords compiled by Russian hackers.” I suspect this is only the beginning. There’s an entirely new data set to run through. Note: I’m not sure I’d call this a hack, but that’s what the article is calling it. I’d just call it an attack.