Don’t turn on two-factor authentication

Before you require a second factor to login to your accounts, you should understand the risks, have a recovery plan for when you lose your second factor(s), and know the tricks attackers may use to defeat two-factor authentication.

~ Stuart Schechter

I repeat: Do not enable two-factor authentication until you understand how it works and what you are doing. You know who is usually locked out of your car, house, etc., right? You are!

This is a great article surveying a myriad of things you should consider before enabling two-factor security. Yes, it is more secure, but that means it is also more likely that you’ll lock yourself out, permanently.


Are you currently really good at keeping track of passwords and security questions?
Do you use a unique password for every service and web site?
…are the answers to your security questions completely random things you made up and stored in your security system, or did you really use your easily-learned mother’s maiden name?
…and is your “security system” not Post-its on your monitor, but rather a real, secure system?

And how about…

Do you have a system in place to give your beneficiaries access to your stuff—and ways to permanently lock-and-destroy things you don’t want passed along?

…if not, then turning on two-factor is not a good idea. You’re about to make things even more complicated when you are currently not doing the basic things well. Instead of blindly enabling two-factor authentication, you should move off of the peak of the bell curve and stop being an easy target.

Step one: Learn how to use a password manager like 1Password or LastPass, and start using unique passwords.
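As an added illustration (my own code, not Schechter’s and not from the article above), here is the mechanical half of the “recovery plan” the post asks for: a TOTP code is just an HMAC over a stored secret, so a backed-up secret lets a replacement device produce the same codes, and one-time backup codes cover the case where the device is gone for good. Function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): same secret + same clock => same code on any device."""
    counter = struct.pack(">Q", unix_time // step)           # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret shown next to a provisioning QR code (this is what to back up)."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def make_backup_codes(n: int = 8) -> list[str]:
    """One-time recovery codes for when the second factor is lost; keep the plaintext offline."""
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]

def hash_code(code: str) -> str:
    # The service stores only hashes, so a leaked database does not leak usable codes.
    return hashlib.sha256(code.encode()).hexdigest()

def redeem_backup_code(code: str, stored_hashes: set[str]) -> bool:
    """Accept a backup code exactly once; reuse is rejected."""
    digest = hash_code(code)
    if digest not in stored_hashes:
        return False
    stored_hashes.discard(digest)
    return True

if __name__ == "__main__":
    import time
    # RFC 6238 test secret "12345678901234567890", base32-encoded
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code now:", totp(secret, int(time.time())))
    codes = make_backup_codes()
    vault = {hash_code(c) for c in codes}
    print("backup code works once, then never:", redeem_backup_code(codes[0], vault), redeem_backup_code(codes[0], vault))
```

Paste the same base32 secret into two authenticator apps and both produce the same six digits, which is exactly why the secret (not the phone) is the thing to keep safe.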


News addiction

After a couple weeks without news, I got past the hump and wasn’t craving it so much anymore. At this point I began reflecting on the habit from a distance, and I made the following observations …


I substituted a syndication reader‡ and never looked back. I now read only the sources I want, when I want. Nothing beats my morning caffeine accompanied by a scroll through my feed reader. NOTHING I read is a “standard” news source. :)

‡ I suggest collecting your feeds into and then using Reeder (iOS, Mac).


The bullshit web

The vast majority of these resources are not directly related to the information on the page, and I’m including advertising. Many of the scripts that were loaded are purely for surveillance purposes: self-hosted analytics, of which there are several examples; various third-party analytics firms like Salesforce, Chartbeat, and Optimizely; and social network sharing widgets. They churn through CPU cycles and cause my six-year-old computer to cry out in pain and fury. I’m not asking much of it; I have opened a text-based document on the web.

This is a long, in-depth read. You will be an immensely more well-informed user of the Interwebs after you read it — about six times.

Meanwhile, have you heard of the magical analysis tool that is ? You have now! Start dropping your favorite web sites into its analysis magic, sit back and weep at what we’re using the Internet for.

These screenshots are just the tip of the iceberg. GTMetrix shows an insane amount of detail.

This. Shit. Has. To. Stop.


We need to remake the Internet

I don’t believe our species can survive unless we fix this. We cannot have a society, in which, if two people wish to communicate, the only way that can happen is if it’s financed by a third person who wishes to manipulate them.

~ Jaron Lanier

Hear! Hear!

Take control of your use of the Internet — that is to say: Do not let it control you. Choose what apps, sites, etc. you use. WHENEVER YOU CAN, PAY FOR SERVICES AND APPS. If something is free, then realize that YOU are the product being sold to whomever is paying for the service.


Election hacking

Security is never something we actually want. Security is something we need in order to avoid what we don’t want. It’s also more abstract, concerned with hypothetical future possibilities. Of course it’s lower on the priorities list than fundraising and press coverage. They’re more tangible, and they’re more immediate.

~ Bruce Schneier

I think the only thing “protecting” us from someone successfully hacking an election is the sheer number of polling places. You’ve voted, right? Sure, it’s a busy spot with maybe a dozen machines and hundreds of people… but there are thousands and thousands of polling places, and the voting machines are not networked. Yet.

Don’t misunderstand: This is security through obscurity, which is not actually security at all, and is a recipe for disaster.

Data ethics

This is like lashing a rope around the cracking foundation of a building. What we need is for an ethics of data to be engineered right into the information skyscrapers being built today. We need data ethics by design. Any good building must comply with a complex array of codes, standards and detailed studies of patterns of use by its eventual inhabitants. But technical systems are today being built with a minimal concern for compliance and a total disregard for the downstream consequences of decades of identifiable data being collected on the babies being born into the most complicated information ecology that has ever existed.

~ Colin Koopman

Presented without commentary.

So obscure it confused _ME_

I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.

~ Bruce Schneier

I had to read the entire thing twice.

I’m on a “security” tirade here for a few days, so here’s my strategy for security: Get off the peak of the bell curve.

If someone wants your stuff, they will take it. Actors can always, if sufficiently motivated, apply more resources than you have available for defense. Therefore, one should not bother defending against a “motivated” attacker (worrying, spending crazy amounts of resources). Instead, deploy defense in depth and then make incremental improvements everywhere.


Don’t give away details about yourself

I hope readers don’t interpret this story as KrebsOnSecurity endorsing secret questions as a valid form of authentication. In fact, I have railed against this practice for years, precisely because the answers often are so easily found using online services and social media profiles. But if you must patronize a company or service that forces you to select secret questions, I think it’s a really good idea not to answer them truthfully. Just make sure you have a method for remembering your phony answer, in case you forget the lie somewhere down the road.

~ Brian Krebs

“Two Factor” authentication (2FA) is best. “Two Factor” means two DIFFERENT methods of interacting with you — so a web site login, which requires also sending you a code via a message to your phone is “Two Factor”.

…and 2FA via your phone is a TERRIBLE idea, because you can easily lose it or have it stolen. There are better methods of 2FA, but I won’t bore you here.

So asking you “security questions” does not in fact increase security. But you’re stuck with it because you have no power over the entities you have to interact with. So what to do?

Treat those questions just like passwords — MAKE THEM UP!

However you are storing your passwords — that’s an entire other discussion — just ALSO record the questions they asked, and the REAL-SOUNDING BUT TOTALLY FAKE ANSWERS.

I repeat…


You might be AMAZED to discover my mother happens to have 42 different maiden names.

You might be AMAZED to discover how many different cars I learned to drive stick on.

…or the 42 different names for my first dog.

…you see where this is going?

Normally, I try to keep these ramblings succinct, but here’s a fun story…

Many moons ago, Tracy and I had a Blockbuster account. We were in the store, in the checkout line, and the cashier says to me, “Oh, can I have your phone number?” We had been customers so long, it was before Blockbuster figured out people just keep the DVDs, and so they wanted to be able to start calling people. Someone expanded their customer database fields, added a new data field to the checkout screen and then trained or prompted the poor cashiers to gather this data. (This is called “compliance” in the industry — getting the people at the point-of-sale terminals to comply with the database marketing strategies of the home office.)

Anyway. Here’s this nice high school girl just doing her summer job, and of course, I can simply say “No.” But then they’re probably going to ding her “compliance” score with corporate. (In some cases, your pay, bonus and even employment are tied to compliance scores.)

So without missing a beat, I help both her (compliance) and me (privacy) and I give her my phone number with two digits flipped. I just immediately smiled and said 6 – 1 – 0 – 8 – 6 – 7 – 5 – 0 – 3 – 9 (shoulda been 5309 — you know I’m making numbers up, right :)

…and Tracy says, “wait, that’s not our number,” thinking she’s being helpful.

“Exactly,” I say with a smile.

The cashier realizes I had just plainly lied to her. (Technically, I was trying to lie to her corporate overlords.)

…and I said, “oh sorry, 6 – 1 – 0 – 8 – 6 – 7 – 0 – 5 – 3 – 9”. (Same crap, just with two other numbers flipped. I always loved those ‘remember this string of numbers games’.)

“Is that really your number?”

“oh! Sorry, 6108675123… wait, no, 610876432178 … hmmm, you don’t seem to like these digits I’m saying… how about 6105551212?”

Now she’s like, “You’re weird.” (Unrelated ad hominem attack, but alas, true. But probably explains why girls IN high school never asked for my number.)

“…and Blockbuster still doesn’t have my phone number.”

At which point, she [I presume] took the compliance ding and didn’t enter any numbers.

To this day (we have the same phone number), Blockbuster — and whoever eventually bought their customer data, because that’s the only thing they had in the end worth money — does not have my home phone number.

So there’s a little glimpse into Craig’s head.

Maybe you just realized why 2FA with your phone is really REALLY bad? You’re also giving away your phone number.

Wait, you read this far? Great, here’s how you REALLY do 2FA properly:

A fight for survival! An RSS revival!

While millions of people may be happy getting their news from Facebook or an aggregator like Apple News (which I also use, occasionally, for more mainstream headlines), the resiliency of RSS makes me happy. There was a time when I thought all my news could come from social feeds and timelines; today, I’m more comfortable knowing that I – not a questionable and morally corrupt algorithm – fully control hundreds of sources I read each day.

~ Federico Viticci

Hear! Hear!

Ok, but how do you use this? The SUPER easy way is to go to . There you can tell it what sites you want to follow, and FeedBin will “consume” the RSS feeds. It dovetails them together into a linear stream of short snippets and excerpts. You skim along, only seeing things from sites you wanted to follow. Some site annoys you? …just remove that feed.

See something you like? …click through and you’re taken to the original item on the actual site. THIS is why all sites provide RSS feeds — if a site doesn’t, it’s not a real web site. Huge sites (like BBC) provide various feeds you can choose from… just international news, for example.

…and yes, this blog has an RSS feed. In fact, all WordPress sites have an RSS feed AUTOMATICALLY. So that’s like a third of the internet right there.

Take a few hours to figure this out — you can thank me later.

¿ What happens if FeedBin goes away ? Same thing as when the RSS aggregator before it went away: a replacement appeared. Also, you can install a dedicated program on your own computer that can follow and present the feeds — we real geeks use an RSS aggregator combined with dedicated reader apps, but now I’m just showing off.
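To show what the “consume and dovetail” step actually is, here is a tiny aggregator I wrote for this post (not FeedBin’s code, not Reeder’s): it parses a few RSS 2.0 feeds, merges every item into one stream ordered newest first, and cuts each body down to an excerpt. The two feeds are constructed for the example, and dropping a key from `FEEDS` is the “just remove that feed” step.

```python
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feeds (made up for this example), standing in for what an aggregator fetches.
FEEDS = {
    "Blog A": """<rss version="2.0"><channel><title>Blog A</title>
      <item><title>Post one</title><link>https://a.example/1</link>
        <pubDate>Mon, 06 Aug 2018 09:00:00 +0000</pubDate>
        <description>First post body, long enough to be cut down to an excerpt for the stream.</description></item>
      <item><title>Post two</title><link>https://a.example/2</link>
        <pubDate>Wed, 08 Aug 2018 12:30:00 +0000</pubDate>
        <description>Second post.</description></item></channel></rss>""",
    "Blog B": """<rss version="2.0"><channel><title>Blog B</title>
      <item><title>Other post</title><link>https://b.example/x</link>
        <pubDate>Tue, 07 Aug 2018 18:15:00 +0000</pubDate>
        <description>&lt;p&gt;Markup gets stripped&lt;/p&gt; in the excerpt.</description></item></channel></rss>""",
}

def parse_feed(source: str, xml: str) -> list[dict]:
    """Pull title, link, date and description out of each <item> of an RSS 2.0 feed.
    Feeds are untrusted web input; a production reader should use defusedxml, not bare ElementTree."""
    items = []
    for item in ET.fromstring(xml).iter("item"):
        items.append({
            "source": source,
            "title": item.findtext("title", "").strip(),
            "link": item.findtext("link", "").strip(),
            "published": parsedate_to_datetime(item.findtext("pubDate")),  # RFC 822 date -> datetime
            "description": item.findtext("description", ""),
        })
    return items

def excerpt(html: str, limit: int = 40) -> str:
    """Strip tags and cut the body down to the short snippet shown in the stream."""
    text = re.sub(r"<[^>]+>", "", html).strip()
    return text if len(text) <= limit else text[:limit].rstrip() + "..."

def build_stream(feeds: dict[str, str]) -> list[dict]:
    """Dovetail every subscribed feed into one stream, newest item first."""
    stream = [i for src, xml in feeds.items() for i in parse_feed(src, xml)]
    for i in stream:
        i["excerpt"] = excerpt(i["description"])
    return sorted(stream, key=lambda i: i["published"], reverse=True)

if __name__ == "__main__":
    for entry in build_stream(FEEDS):
        print(f'{entry["published"]:%Y-%m-%d}  {entry["source"]:7} {entry["title"]}: {entry["excerpt"]}')
```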


The filter bubble

Well, personalization is sort of privacy turned inside out: it’s not the problem of controlling what the world knows about you, it’s the problem of what you get to see of the world.

~ Eli Pariser

There are thousands — that’s not a typo — of companies which trade (buy, sell) data about users. We’ve reached a point where it is no longer possible to hide. You might also be interested in reading this: