Posts in Social media

There’s a lot of advice out there about passwords – how to generate them, store them, manage them. It’s certainly important to get a grip on your passwords – especially after Heartbleed, possibly the greatest vulnerability in Internet history. But for many of us (myself included), the idea of managing ALL those passwords is overwhelming. I have accounts that I can’t even remember.

We recently did a little survey in social media (thanks to those of you who participated!) and 58% of you have over 20 password-protected online accounts, or simply too many to keep track of. Getting all those passwords in order – setting a unique, strong password for each individual account – might seem a little like starting a new healthy diet and exercise regimen – you know you should do it, but you just don’t.

So we asked Sean Sullivan, our Security Advisor here at F-Secure, for some advice. Sean boiled it down into this simple tip (no, it's not the one above in the photo!):

Identify the critical accounts to protect, and then make sure the passwords for those accounts are unique and strong.

Sean’s advice takes into account the fact that many of us have accounts for services where little personal information is stored. “If you created an account for some website and there’s hardly anything more in there than your username and password, then that’s probably not a critical account,” he says. “But your Amazon account with your credit card info, your bank account, your primary email accounts, the Facebook account with your life story, these are examples of the critical ones. If you don’t have time or inclination to tackle everything, at least take care of those.”

Another example of a critical account is an email account that is used as the point of contact for password resets on other accounts. For these “master key” accounts, it’s also a good idea to activate two-factor authentication if available.

By unique, Sean means that your password shouldn't be used for any other accounts. By strong, he means use a combination of letters, numbers and special characters and the longer the better.

Oh, and about that survey. Here are some more of the results:
43% of you reported using the same password for more than one important account.
40% of you use a password manager to keep track of your passwords.
57% of you changed passwords after hearing about Heartbleed (and 11% hadn't heard of Heartbleed).

If you want an easy way to create unique, strong passwords and protect them too, check out F-Secure Key. It’s free to use on any one computer or mobile device.

Image courtesy of Lulu Hoeller, flickr.com

May 20, 2014

Time for a reminder about password security. We have talked a lot about how to choose good passwords. But they are worth nothing if they don’t stay secret. This is about a quite simple scheme that tricks many users into revealing their e-mail passwords.

“John Doe found 4 new friends by searching his email contacts. Give it a try”. That’s what pops up in my Facebook now and then. You just have to submit your email and the password to your account. Facebook can then connect to your mail account, parse the contact list and match it against its own user database. Sounds simple and it sure works.

The drawback is of course that you at the same time grant Facebook full access to your mail, no matter what system it is hosted on. Facebook can not only read your contacts but also your mail messages and calendar items. Facebook could even manipulate the content in your account, delete items or send mail on behalf of you. I’m not claiming that they misuse account details in this way, but it’s best to not even give them the chance to do so.

Facebook’s reputation for privacy isn’t exactly stellar and for me it’s a no-brainer that they can’t be trusted with secret info like one’s mail password. Frankly speaking, I haven't even bothered to check what kind of privacy promise they make about this feature. Their promise is pretty irrelevant anyway, this is just simply a bad idea.

So don’t use this feature if Facebook offers it to you. If you have used it, your mail password is compromised and needs to be changed ASAP. And this is by the way true for any other system that might offer a similar feature. LinkedIn is one example.

To wrap up. Passwords are secret. They should only be entered into the system they belong to, into an app or program that is designed to use the system or into a password manager program you trust. They should not be kept on stickers or in files that aren’t properly protected. They should not be entered into other systems that promise to do something on your behalf (the Facebook feature falls into this category), unless you are 100% sure about the reliability of that system.

Safe surfing,
Micke

May 19, 2014

I’m proud of working for a company like F-Secure, with a 25-year long history of protecting people’s digital life. But I was especially proud on one day in early 2014. That’s the day when I got green light to write and publish a paper documenting what data our Internet Security 2014 product collects from the customers’ computers. I’m proud of this because this is something I think all software companies should do in the future, and we are probably the first anti-malware company to do it.

Privacy is becoming one of the really big issues in our lives for many reasons. We live more and more of our lives through our electronic gadgets. We communicate electronically and we store our valuable data in the cloud. We do have a real life outside social media, but most of that life is somehow documented and commented electronically too. So anyone who can peek into your personal devices and cloud accounts has a really comprehensive picture of you. And this is exactly what the big data companies and many government agencies want to do.

People are pretty much unaware of this data’s value, and even unaware of how comprehensive it is. Many software and service providers on the Internet play on this ignorance and grab the data like it was free to be taken. Hell, that’s not right! People own the data on their devices and in their cloud accounts. This ownership should be respected and nobody should steal that data without permission. Or with a permission buried deep in some EULA that hasn’t been read by a single human being, except lawyers.

We think different at F-Secure. We don’t see the user data itself as a business potential. For us the business potential lies in the users’ desire to protect this data, and we are sure this potential will grow exponentially in the future. So we stick to a very traditional business concept. We want real money for our product. This is the only feasible business model for people who want to manage their digital privacy. We don’t give products away “for free”, just to secretly take payment in a currency the user doesn’t fully understand, private data.

But how does the paper about data transfer fit into this? It has to do with a concept of fundamental importance, trust. Customers have no way to verify what software on their devices really does and how cloud providers really handle their data. All you can do is evaluate the reputation of the provider and read the privacy policy documents. And they tend to be rather useless as they are in legal language and describe what the provider reserves the right to do with your data, not what it actually does.

We think transparency is a cornerstone when building trust. That’s why we wanted to be more open about how our Internet Security customer’s data is handled. We wanted to give customers a clear list of what data we transfer, why we have to transfer that data and what we do with it. The document had to be fairly short, clear and easy to read. No legal language. We have run into the demand for something like this several times, and after a discussion on Twitter in early 2014 we decided it’s time to act. Hat tip to @cynicalsecurity for that.

So now we are transparent about how we handle Internet Security customers’ data. Great, but can customers trust this data declaration? They do still not have any means to really verify that the document is correct. That is an excellent question and it boils down to trust, once again. You just have to trust us on that.

This is actually a huge fundamental problem in our new digital world. I think the whole software industry must be more transparent and by default declare what data is transferred and how it is handled. This is an inevitable development in a world where people become aware of their digital assets’ value. But the question is really what mechanisms there will be to monitor and verify these declarations? A new system of independent tests, audits and certifications? Time will tell.

The document can be found here.

Micke

Apr 30, 2014

Since classified documents illuminating America’s mass surveillance began being released last year, we at F-Secure began feeling different, uneasy—even a little angry. For well over a decade, we’ve vowed to identify any government trojans. However, the general disregard for the privacy of individuals all over the world shown by the NSA and other government intelligence agencies shocked us. Suddenly, it seemed that we couldn’t just offer the award-winning security and backup solutions in the same way we have for 25 years. We had to take a stand.

F-Secure was born in Finland and born both of a spirit of connection and independence. Finland is part of the EU but outside NATO. It’s a global hotspot for tech innovation, but so committed to privacy that employers aren’t even allowed to Google job applicants. It’s part of the online revolution that has reshaped the way we communicate, but the economy was forced to dramatically re-adapt as cell phones became smartphones.

We’ve spent the last six months rethinking our mission, our products and what we stand for. Now we’re ready to announce that we’re no longer simply about “Protecting the Irreplaceable”, though our legacy will always burn deep in our DNA. Now, we have to be about something deeper. Our new tagline is:

Switch on Freedom

And it isn’t just about a promise to you, our customers, it’s about a stand against an invasive mindset that doesn’t value the privacy of your personal data, no matter how many times people suggest that surveillance is only a problem "if you have something to hide." (Who doesn't? Did you leave your house wearing pants today? Furthermore, it's no one's business but your own what you are doing online.)

Our new look says that we fight for digital freedom. That’s what our Labs has been doing for decades by protecting you from online criminals. Now that we have even bigger enemies, our products can’t just protect your PC—they have to protect the way you connect and share, too. Your hard drive, your VPN, your content is only as secure and private as the partner you choose to protect you.

Our promise to you is that we will never compromise your privacy and we will never open our technology to any government for any reason other than a direct, lawful criminal investigation. Your privacy is non-negotiable and that’s the core value we operate upon as we build our tools to set you free as you engage in the life you wish to lead.

Now – as the world is waking up to the real threat of governments with unchecked power to capture data on everything we do and keep it forever – is the time for us to stand up.

“The world is changing,” our Mikko Hypponen recently told the TED Radio hour. “We shouldn't just blindly accept the change. Just because something is technologically possible, it might not be right. And we really have to think about these things now when we can still change them.”

We are doing what we can both in advocating for governments to respect privacy and in building solutions that protect your freedom, regardless of what politicians and corporations want. We hope you’ll join us.

Cheers,
Sandra

Mar 21, 2014

If you're still a Windows XP user, you're probably singing a sad song knowing that after 12 long years Microsoft will end its support for the world's second most popular operating system on April 8, 2014.

Microsoft warns you that if you continue to use its OS first introduced before the iPhone even existed "your computer will still work but it might become more vulnerable to security risks and viruses." And if that isn't enough to encourage you to upgrade or get a computer, maybe the fact that "you can expect to encounter greater numbers of apps and devices that do not work with Windows XP" will.

But given the millions of PCs running the OS and the scarce amount of time and resources many people have, some people will certainly be XP users well after its "expiration date." If you're going to be one of these daredevils, our Security Advisor Sean Sullivan has some suggestions.

"Folks that continue to use XP at home can do so with some reasonable amount of safety, but they absolutely need to review their Internet and computing habits as April draws near," he told us. And he broke down 7 ways to avoid the trouble from the criminals who will surely be targeting these unsupported systems.

1) Install an alternative browser -- not Internet Explorer.
2) Review the third-party software you've installed and uninstall anything that isn’t needed.
3) For the third-party software that you keep – consider disabling or uninstalling the browser plugins. Or at least set the browser to “always ask” what to do about things such as PDF files. (Personally, I always download PDFs to my desktop and open them from there. I don’t want the PDF viewer plugin installed, and I don’t like being in the habit of opening certain file types in my browser’s window.)
4) Have an up-to-date security product with antivirus and firewall installed.
5) Keep your XP computer connected to a NAT router, which will act as a hardware firewall. (Practically speaking, this means you shouldn’t be roaming around outside of your home with an XP computer. Don’t plug into a university network for connectivity – keep your computer at home on a trusted network.)

As you can see, living in the past may not make life easy. But if it's your only option, you should at least try to stay as safe as possible.

Cheers,
Sandra

[Image via Patrick Hoesly via Flickr.com]

Feb 14, 2014

Google Glass is a hot topic. This innovative concept is again in the headlines after a glass user was thrown out of a restaurant in Seattle. They didn’t want “glassholes” as customers. He didn’t like to be thrown out and made a public issue of it. This is not the only establishment that dislikes the wearable camera. And some customers are chiming in, they prefer to dine in an environment where they can’t be filmed secretly.

But does this ban make any difference? Are we better off without Google Glass users around us? No, not really. Here’s why.

Google Glass is not unique when it comes to privacy. Yes, it’s an innovative concept, but there are many wearable cameras that are designed to be hidden. If someone really wants to film secretly, one of these would be the optimal choice. Not something that you have in the middle of your face and anybody can see. Not to mention that you can film quite discreetly with a mobile phone too. Have they thought about that? Do they search customers for mobiles and hidden cameras? No, they don’t. And perhaps they don’t care as there would be no PR value in banning old technology.

Banning Google Glass can be just a populistic marketing trick. Definitively a well working one in the cases described above, regardless of if this was the restaurant owner’s primary intention or not.

Yes, I have written a lot about privacy and what role cameras play. CCTV surveillance can be a serious threat against our privacy if it is done in the wrong way or for the wrong reasons. But it looks like the Google Glass critics are mixing up two things and applying those arguments to private persons’ shooting. State sponsored surveillance can build up a comprehensive picture of our lives and we have no way to know how it is (mis)used. Shooting and filming private persons can at worst pick some moments and publish them out of context in an embarrassing way. That’s a problem too, but magnitudes smaller than the large CCTV systems.

The debate about if Google Glass is good or evil is missing the point. We should really be talking about photography and publishing, not about a particular gadget. The law varies from country to country, but some basic principles are commonly present. You can take pictures quite freely, at least in public places. You can also publish your work freely as long as it doesn’t hurt others. These principles are good, and apply regardless of if you are using Google Glass or any other kind of camera. We do not have a problem as long as people know these rules, and their rights when confronted with someone who doesn’t.

And now we have come to the core that we really should be discussing. How to endorse common sense and lawful behavior when using a camera? People are no doubt shooting and publishing a lot without any clue about the rules. That’s the true problem, not the new gadget.

Safe surfing,
Micke

Footnote: The author is not a Google Glass owner and has actually never even tried them. He is, among other things, a hobby photographer with a deep interest in privacy issues.

Dec 4, 2013

“But I have nothing to hide” is an argument that we hear often nowadays. We become more and more aware of the ways both corporates and governments keep an eye on us, and the Snowden leaks have escalated our awareness to a new level. It’s already justified to say that we live in a surveillance society. But some people deny that this is a problem. The said argument is one of the most common excuses, and no doubt a convenient way to just ignore the issue. But it is really a flawed argument. Here’s why.

You don’t know what you have

You can’t remember all your documents and electronic conversations. So how can you claim that there’s nothing bad in them? Almost everybody will go “Oops, no I don’t want to show that one” when digging through old archives. Also keep in mind that corporates and agencies may have old information about you that you haven’t got yourself. Your copy might have been lost or deleted, but that doesn’t clear the agencies’ records.

You don’t know what could be bad for you

Our daily life is regulated by legislation that is so complex that no one can master it all. Not even lawyers can be experts on all the areas of our daily life. So how can you be sure that you never break the law? No, you can’t. I bet most of us break some obscure paragraph almost daily.

You don’t know how your own situation will change

You act according to the moral norms that your role requires. But roles change over time and you may be forced to adapt to a totally new moral framework. In that situation your past might be in conflict, and you are a lot better off if there’s no comprehensive record of how you have acted previously.

You don’t know how society will change

Look back at the fifties, sixties and seventies. The world was so different then, and our values were different too. The change has not stopped, quite the opposite. Our society’s values regarding ethics, morals, politics, activism, religion, sexuality, the environment, entertainment, etc. etc. change faster than ever before. You can be pretty sure that you live according to today’s norms. But you can never know what tomorrow's norm will be. Wait 30 years and the complete profile of your life might look quite bad.

It’s not only your data, it’s your friends’ data too

Take a look at your stored data; documents, photos and communications. How big a part of that doesn’t affect anybody else but you? No, that’s probably a quite small part. So giving up privacy is not your own business, it affects all your friends too. Have you asked if they still want to share stuff with you if you adopt a "nothing to hide" attitude?

Your digital environment can make you suspect

The authorities’ signal intelligence works largely by creating a huge model about how people interact. Who communicates and meets with each other? There is a true risk that a full profile of your daily life can create a suspicious pattern with the environment. Imagine that one of your friends knows someone who is being watched for terrorism, and another member of the same organization happens to visit the pub at the same time you’re there. Both carry smartphones that feed location data into the surveillance network, and suddenly you're on a list of people who potentially could have met with the terrorist. You may face real trouble, for example when traveling, if a couple of coincidences like this pile up. And you have no clue what it is about.

Privacy is important to you even if you don't value your own privacy

Can a democratic society work without privacy? Can an election be fair if one of the parties controls the signal intelligence and has a comprehensive picture of what other parties are doing? Can we fight corruption and criminality among the authorities if whistleblowers can’t work anonymously? Can the press fulfill its task as watchdog if sources can’t be protected? No, no and no. You may be ready to surrender your personal privacy, but by doing so you contribute to a destructive development that threatens the foundation of our democratic society. Don’t be part of that!

Safe surfing,
Micke

Image by pakorn @ freedigitalphotos.net

Nov 27, 2013