privacy

Social Networking Explained

        John Carter spoke on Social Networking to a combined group of PMUG and the local PC Club yesterday.  He’s posted the pdf under Benefits < Tips and Tricks.  Go here to the PMUG website. You’ll find an extensive report that would take 133 pages to print out! (John didn’t just do this off the top of his head!)  
        His report identifies the top social networking sites and discusses Protocol, Problems, Password, Privacy, Photos, and Possibilities.  

Privacy & Security? HTTPS & VPN

        Earlier we heard from Jim Hamm (posted on 3-28 as "Need to Use an Unsecured Wifi Hotspot"), and now he helps us with clarification.  Jim wrote to the developers of Cloak, which is a VPN (Virtual Private Network), "If  'HTTPS' is all one needs to be secure, why have a VPN function at all?"
        HTTPS is Hypertext Transfer Protocol over Secure Sockets Layer.  It encrypts and decrypts the page requests.
        The reply Jim received explains more about HTTPS and VPN.  The following is quoted from Dave Peck, founder of www.GetCloak.com 
        1. HTTPS helps your browser verify the identity of the server it's talking to. For example, HTTPS can help the browser decide whether it's really talking to your bank. (This is why, if you ever see a warning about certificates when connecting to a site, you should stop immediately.)
        2. Once the identity of the server is verified, HTTPS sets up an end-to-end encrypted connection between you and the server. So to continue the example, HTTPS lets you have a secure communications channel directly with your bank that nobody can listen in on.
        So HTTPS, and the protocol it is built on (TLS), is awesome. And... if everyone used HTTPS/TLS then yes, there would be no reason as an individual to use a VPN like Cloak. There would still be plenty of reasons for small and medium businesses to use VPNs.
        Unfortunately, we don't live in this world, at least not yet. Not everyone uses HTTPS or SSL/TLS (in fact, most web sites don't) and, further, even sites that do use HTTPS often use it badly, or inconsistently. Things seem to fall into four buckets:
        1. Sites that don't use HTTPS at all. This is, sadly, the majority of sites. When you're on a network you don't trust (like at a coffee shop, airport, hotel, or at a conference) anybody can see what you're doing.
        2. Sites that use HTTPS badly. Usually this means they don't use HTTPS everywhere. Prime examples of this would be Facebook and Amazon.com. By default, when you log in to Facebook and Amazon, you log in with HTTPS. It might seem that this protects your username and password, but this isn't quite the case. After you log in, Facebook and Amazon kick you back to HTTP pages. But wait! How do they know who you are on those HTTPS pages? They know who you are because they've cookied you with a non-secure cookie. For the duration of your session with those sites, that cookie is as good as your username and password. Anybody can log in as you and do whatever they want as you. This is what the hacker tool Firesheep was built to exploit, and unfortunately it is all too common -- Firesheep works on nearly 100 different web sites.
        3. Native apps! These days, lots of stuff is done outside of the browser. Does the Twitter App for Mac use HTTPS or TLS? Who knows! We see a lot of problems here these days, and a lot of opportunities for Cloak to make things better.
        4. Sites that use HTTPS well. Your bank, and PayPal, probably fall into this category. For these sites, Cloak doesn't make a difference.
        I would like nothing more than to wake up one day and discover that Cloak is not necessary. But given that only one of four buckets is actually truly secure, I think we're easily five years off from that day. That said, one can never truly predict in the world of technology.
        I should explain, in case it isn't clear, that Cloak isn't an end-to-end solution for security. When you use HTTPS, you get end-to-end encryption: just you and (say) your bank. When you use Cloak, you get encryption from your laptop or iDevice to our servers. From there, things are decrypted. But we host our own servers on networks with great peering agreements and extremely strict security policies. Our networks are trustworthy, whereas presumably the networks "out there" in the wild, like at coffee shops etc, are not. It's only if you truly cannot trust the Internet at all that HTTPS and TLS are your only options.
        Bottom line for all of this: I believe that we still live in a world where Cloak can provide real value; I hope that technologies like HTTPS and SSL will ultimately become so prevalent that tools like Cloak won't be needed anymore. I think we're many years off from that day."
      Thanks to Jim for getting this information for PMUG.
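
The "non-secure cookie" problem from bucket 2 of the reply above can be checked from the site side. The following Python sketch is an added example, not part of the original post or of Cloak's software: it reads the Set-Cookie headers a login page returns and reports cookies the browser would also send over plain HTTP. The cookie names and header values are constructed for illustration.

```python
# Added example. The sample headers are constructed, not captured from a real site.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Return (cookie name, problems) for cookies exposed on an untrusted network."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        problems = []
        if "secure" not in attrs:
            # Without Secure, the browser attaches the cookie to http:// requests
            # as well, so it crosses the coffee-shop Wi-Fi unencrypted.
            problems.append("sent over plain HTTP (no Secure attribute)")
        if "httponly" not in attrs:
            problems.append("readable by page scripts (no HttpOnly attribute)")
        if problems:
            findings.append((name, problems))
    return findings


# Constructed response headers from a hypothetical HTTPS login page.
# Which cookie carries the session is site-specific; here it is session_id.
SAMPLE_LOGIN_RESPONSE = [
    "session_id=abc123; Path=/; HttpOnly",
    "auth_token=def456; Path=/; Secure; HttpOnly",
    "lang=en-US; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_LOGIN_RESPONSE):
        print(f"{name}: " + "; ".join(problems))
```

In the constructed sample, session_id is the case the reply describes: the login happened over HTTPS, but the cookie that identifies you afterwards is not restricted to HTTPS.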

Here's More on Security & Privacy

        Ward Stanke passed along more info when he spoke at yesterday's PMUG meeting than his printed handout showed. Be sure to check out Mozilla Firefox because it gives you good choices for security and privacy.  Look at 1Password for a utility to create and store unique passwords.  See it at https://agilebits.com/onepassword/mac .
        Look here about opting out of ads that are tailored to your Web preferences and usage patterns:  http://networkadvertising.org  Their policy is that all NAI member companies set a minimum lifespan of 5 years for their opt out cookies.
        Take a look at this interesting possibility:     http://pobox.com/  You can use a custom email address that you'll own for life.
        Scroll down for Ward's handout reproduced in this newsblog.

You Can Block All Ad Spying

        Here's some interesting info from Prez Art Gorski.  He writes about Ghostery, "This Safari plug-in (double-click on it after download to install) will allow you to block all ad spying services. To configure that option, go to a website like Macworld where Ghostery will show you the list of services spying on you, then right click on that to go to the Ghostery settings. In there, you can block all of them."
        Note the tiny "ghostly" icon in the heading when I bring up this PMUG Newsblog for the following screen shot.

     

A Look at Google+ . . . Updated

Here's a Computerworld look at the many features of the new Google+ which declares it will replace email, Facebook, Twitter, Skype, blogging, RSS, Gmail and email newsletters.  The writer says that spammers can't copy, retain and sell your email address.  He says the term "social networking" is not an adequate term for Google+.  Jim Hamm sent us this info. Just now (7-12)  this PCWorld article tells about security risk issues involving an app that allows Firefox and Chrome users to view Facebook data within Google+.

Considering Dropbox

Whether or not you've made friends with Dropbox it's a good idea to familiarize yourself with it.  Here's some very important information, just released by Dropbox on 7-1-11, notifying me by email on 7-2-11 at 7:49 pm.  By this time there were so many complaints and comments posted there it would take 114 pages to print it.  The blog explains TOS, (Terms of Service), privacy policy and security.  By continuing to use Dropbox you automatically agree to the new TOS which takes effect 7-15-11.

Discussing Dropbox

If you use Dropbox or just want to know more about it, here is an informative article from the Windows Secrets Newsletter forwarded to us from Jim Hamm.  It concerns the privacy of data you keep stored on their server. Jim says, "I don't store anything of a sensitive or private nature in Dropbox — which I use frequently and find very helpful — so I'm not concerned about the privacy issue. The article goes on to explain some alternatives to Dropbox as well."  Art Gorski responds with an offer to do a demo.

Privacy Features in Today's Update

        Earlier today we found out that Apple plans to add a new privacy feature to Safari that keeps online advertising networks and other tracking tools from monitoring user activity. We posted this and we thanked David Passell for this info.  
        Later this afternoon, after reading what MacObserver said, up came a notification for Security Update 2011-002 for Leopard and Snow Leopard, iPhone, and Safari.  Read all about it, and keep up with these great improvements.

Info on Security Issues

The latest (February) issue of Popular Mechanics addresses "the war on privacy."   Page 56 tells briefly about Super Cookies.  Trying to track down specifics I looked at this PCWorld article, then an article from Adobe about these LSOs, Local Shared Objects, which are also known as flash cookies.  Here's Adobe's seven page document outlining their policies on their legal rights and practices.  Elaine's take on this, "The invasion of gadgets which spy on us is not a thought to be easily dismissed; we might well take time to consider how we are affected."

Facebook: Privacy, Security Concerns

Here's the straight scoop from today's posting on PCWorld, "When a piece of software is automatically installed on your computer without your knowledge, it's called malware. But what do you call it when Facebook apps are added to your profile without your knowledge? We discovered Wednesday that this is actually happening, and stopping it isn't as easy as checking a box in your privacy settings."  Read the whole article and decide if your kids and grandkids need to know this, too.