Security - what is it and how should we look at it?

Recently, this Tweet went viral:


Now, of course @GoodPoliticGuy is one of my favourite follows, but I really did stop and think about this tweet for a while, because of its relationship to what I (plan to) study. And that topic is security - more specifically, what is "security" and how should we look at it?

What is "security"?

Quite literally, security is defined as freedom from risk or danger, something that secures or makes safe, or precautions taken to guard against crime, attack, sabotage, espionage, etc. Most often, people associate security with visible, tangible things: fences, CCTV cameras, guards, passwords, military, weapons, etc.

Now I don't think that looking at security through the lens of the military or security cameras is wrong, just a bit misguided.

Take the idea that security is "freedom from risk or danger" - that's kind of how we look at the term "financial security", where one is free from the risk or danger of bad financial moments. This is in the same realm of how I look at things, but with a much broader perspective.

How We Should Look at Security

I'm biased with my own opinion (of course), but I think we need to look at security in a more all-encompassing manner, where "security" is more inclusive of mental stability and security. And this is precisely what I wanted to get at with the embedded Tweet above: security can be many things, but it's the feeling of being secure in your life, with the ability to have issues be easily resolved because of the infrastructure and social safety nets present.

This is where broadband access, high-speed rail, climate-prepared infrastructure, mental health supports, universal basic incomes, etc. all help. I'm not one to say that we should get rid of the various militaries of the world, but I think we are trapped in this endless cycle of attempting to find a problem that they can solve. Having a "solution" in search of a "problem" can lead us down some dangerous paths (and never-ending increases to military budgets). Instead, we need to better recognize the multifaceted nature of security, without going all in on "everything needs to be secured". (None of this is to say that there are no problems in the world, just that there's plenty of history where we created problems to jibe with the solutions we thought we had. Bad idea.)

Increasing supports for things like mental health and investing in climate-adapted infrastructure to mitigate potential impacts will increase "security" in that people will feel more secure in knowing they have the support of the state in whatever they decide to do, however they'd like to do it.

Increasing funding for traditional "security" doesn't resolve underlying issues that are directly related to the need for those traditional security measures - it's like trying to address the health of a population by increasing the number of doctors, nurses, support staff, and hospital beds, without considering the underlying social determinants of health (which could also be used as a proxy for security).

I hope I've made you think a bit - this theme is one of the central themes that guides my work and studies.

 

Until next time,

Trey.


[Image: an array of CCTV cameras in 5 rows and 7 columns; the cameras in the 6th column are white and the rest are black.]

Surveillance in the end times

I used to be the person that was excited, overjoyed even, at the idea of a technology company announcing a new device at a fancy event. I envisioned somehow getting a job at one of those companies, working to connect new people to others.

Now, I'm just incredibly concerned.

What the - absolute - fuck are we doing to our society?

We're normalizing a future where neighbors turn to algorithm-driven apps to spread disinformation and spew racist tirades instead of getting to know the people next door.

We're creating an ever-growing sense of fear of others with technology such as Citizen, which is using cash rewards to convince people to hunt down others accused of crimes - with few checks and balances. Seriously. The company is basically just trying to privatize police services - probably because of our capitalist society needing ever-increasing industries to sink their teeth into and people's lives to ruin (or make better, if you're a billionaire). Other areas are already trying it with fire services.

Government(?) Surveillance

For a moment, let's also talk about government surveillance. Has anyone been able to see definitive proof and evidence that more surveillance means a safer society? A more fair society? A more equitable society? A better society? Or just safer in the eyes of people that seek to maintain the status quo?

I'm particularly frustrated that the news that someone in the Saskatchewan Government signed themselves up for Clearview AI - an ethically horrendous piece of technology that allows users to point their device's camera at a person, and then scrapes the entirety of the internet to figure out who that person is with remarkable success - didn't get much attention. I have a lot of personal feelings on this topic, but this NY Times article does a lot of explaining.

The Saskatchewan Government's response?

“Clearview AI has never been purchased as a software solution by the Ministry of Justice and Attorney General or the Ministry of Corrections, Policing and Public Safety. After review, we have identified standalone instances where ministry staff did use a trial version of this software. The Crown has not used Clearview AI to support a prosecution. Given the concerns around the use of this technology, ministry staff have been instructed not to use Clearview AI’s software at this time. We also understand that Clearview AI’s software is not currently available for use in Canada.” —Margherita Vittorelli, spokesperson
- Police In At Least 24 Countries Have Used Clearview AI. Find Out Which Ones Here. (Ryan Mac, Caroline Haskins, Antonio Pequeño IV)

Let's get this straight - a random individual - or many individuals - signed up for a privacy-busting application, which has been wholeheartedly revoked by the Canadian Privacy Commissioner, and used it for... who knows what? They could have used it, at a bar, to identify the name and information of an individual they wanted to ask out. That's... yeah, I don't have enough words for that.

Envisioning a Future of Corporate Surveillance

We're welcoming powerful corporations into our homes without any second thought.

We use their platforms to get in touch with other people, without the understanding that the people at the company (and in some cases, contractors) have full access to our messages.

We've created corporate surveillance networks, such as that of Amazon's Ring Neighbors, which is using its famous internet-connected doorbells of the same brand (Ring) to create a neighborhood-wide network of cameras that provide police with almost instantaneous access to review Ring feeds. Amazon has partnered with hundreds of police departments across the United States to create this network and allow for easy submission of legal documentation to gain access to videos. Wait no, that last article was from a few years ago. It's now up to over 2000 police and fire departments that have partnerships or close relationships with Amazon. Insert the usual, "who do the police protect?" thoughts of your own here - I'll probably have to write out my thoughts on that later.

Speaking of Amazon, just today (September 28, 2021) they announced their newest home devices, adding to their lineup of smart speakers and displays, camera-enabled doorbells and security systems. For the record, I'm okay with smart speakers (even if they have their own issues), but you should be aware that you - or anyone with access to your Google/Amazon account - can see the entire history of what you've said to your smart speakers.

Back to what Amazon announced, which includes a FLYING CAMERA to check on "suspicious activity" and a ROBOT that follows people around the house to get to know patterns, watch what you're doing, and again, check on "suspicious activity".

I'm sorry, I'm just getting major Minority Report vibes from this shit. Like can we just pause and think about the societal consequences from this never-ending surveillance? Side note, Jon Fasman's We See It All is a fantastically terrifying read on this topic.

The Future

Let's just pause and think in the hypothetical here. Let's say that Amazon continues its push into home technology and surveillance. Sometime in the future (hypothetical), Amazon is partnering with home-builders to offer fully outfitted technology-driven houses: Internet-enabled door locks, Ring doorbells & cameras, in-house surveillance drones and robots. Plus, guess what - Alexa is in more vehicles; your personal vehicle (if you have one, for whatever reason), and your work vehicle. All linked to your Amazon account! Great. Now let's say Amazon, in its desire to please shareholders, is the lender for young people to get a taste of home ownership in this area (because, where else are we going to be able to buy homes?).

You're paying your mortgage to Amazon. Amazon has the keys to your house. Amazon watches your house (and you). You supply your house with things almost exclusively from Amazon (I mean, why wouldn't you - surely it will be easy with the Amazon tablet on your wall). Oh, and don't forget, your heating and cooling is controlled with an Amazon thermostat! Great.

Your life is Amazon. Everything you do, for the most part, will be through Amazon. You might be thinking to yourself, "Well, come on, not everything!" Need I remind you, Amazon's AWS runs about a third of the internet. Yes. Yes. *evil Jeff Bezos voice* YESSSS.

So that's it, all is good!

Well, what happens if Amazon notices, that in your connected bank accounts (or Amazon bank accounts, who knows), that you're going to be short on funds for this month's mortgage? Ah, don't worry. Amazon will just turn down your heating in the house automatically (and forcibly) to save you the $10 extra you need to make your mortgage payment.

Lose your (Amazon?) job? Can't afford the house payment for the month? No worries, Amazon will watch over your stuff. Oh, and while they are at it, they lock you out of your house. You have some possessions in there, but don't worry - Amazon knows what you have (with their in-house cameras!) and will ship those off to a Distribution Center to make sure they can hit their quarterly business goals.

Or maybe, with their in-vehicle systems, Amazon starts to charge you each time you make a driving error? Gives that data right to your insurance company (if it's not Amazon).

In Conclusion...

...if I see an Amazon Robot in your house, I'm going to gently (forcibly) nudge (kick) it towards (down) the stairs.


Please, think about your online security (with 8 ways you can improve it)

There are a few simple things you can do to improve your online security. By no means do I pretend to be an expert, but this is stuff I like to think about.

#1: Please change your password.

I know there's at least one person reading this that probably uses the same password for all of their online accounts. Just c'mon. Think about it: if someone figures out your Netflix password (maybe you even share it with someone!), they might have access to your bank account. You might trust your friends or family enough to watch movies, but do you trust them enough to have access to your money?

Please, just change your passwords. Dedicate an hour of your life to this, secure your accounts a little bit.

Some tips: All your passwords should be different (yes, seriously). If you don't have a nomenclature (naming system), use a password manager (see next section). Don't use your name, or anything that can be easily guessed. If I'm manually creating a password, I like to think about stuff around me, adding some characters - like Speak3rs+Watermel0n. But honestly, just use a password manager. I use LastPass, but there are plenty out there - 1Password, NordPass, Apple iCloud Keychain.

#2: No like seriously, update your passwords.

It really, really doesn't take much. Please, please do it.

#3: Use a Password Manager

Seriously, just do it. I lived 21 years of my life without one, and now I don't think I could live without. Everything is randomized, secure (more on this later), and it's easy to use across devices. A password manager will generate a random password for you, keep track of it, and allow you to automatically input it across devices.

There are free options for password management, and there are paid options. I think I pay about $50/annually for LastPass Premium, and there are also family plans available (if you need to share passwords with family on the regular).

#4: If you can use Two-Factor Authentication (2FA), USE IT.

Two-Factor Authentication sounds complicated. It really isn't. Many of you have probably used it before without knowing. Essentially, it's two levels of security, or two different passwords. There are a few levels of it:

  1. Security Question + Answers 2FA (least secure): (Not) Surprisingly, the big five banks (RBC, TD, Scotia, CIBC, BMO) all use this still - I think. Essentially, upon registering, you choose a few questions, and input your answers to them. When you log in to your account, if the system doesn't recognize you, it will ask for your answer to your security questions. The reason I mark these as least secure is because for a lot of people, a quick browse of your social media accounts or online posts and one could find the answer. Which city did you grow up in or were you born in? Location pinpointed on Instagram post. What was the name of your first pet? Photo of your dog. See what I mean?
  2. SMS/Text Message/Email Based 2FA (mildly secure): Ever log into an account and then be asked to input a code from your text messages (or email)? That's this. It's decent. There can be issues sometimes - what if your email gets hacked? What if your text messages are being hijacked (this can happen)? What if you're in a different country, trying to get into a different account, but aren't paying roaming fees on your typical cell phone number? This type of 2FA is good - and easy to use. Use it if you can.
  3. App-based, time-sensitive 2FA (good security): Some companies *only* allow this type of 2FA. Arguably a good decision. Essentially, instead of receiving a text with a code, you'll open up an application like Microsoft Authenticator, Google Authenticator, etc. These apps are relatively easy to set up, especially for my generation that lives on their devices. These systems are better than SMS/Email: less susceptible to intrusions/hacks/hijacks, based on open-source code, and time sensitive. These codes reset every 30 seconds (depending on settings). However, you'll want to ensure you have your backup codes saved somewhere (like a password manager!) in case you lose access to your app (like a lost phone).
  4. Hardware-based, time-sensitive 2FA (great security, but advanced): Arguably nobody reading this needs this level of protection, but if you're feeling like you want to secure some important accounts (like your password manager), hardware keys can be an option. But like seriously, they take a while to learn how to use. Unless you want to dedicate time to security, I wouldn't recommend this option. Essentially, for any application/company that you can use an app-based 2FA for, you can use a hardware key. Instead of simply opening an app, you must insert or tap a USB drive to your computer or phone/tablet (respectively), and either use an associated app to access a time-sensitive code - like app-based 2FA - or to directly access your account. For example, Facebook and Twitter support what is called the FIDO U2F protocol (I'm not that technical, but the info is there if you want), which essentially works as follows: Log in to your account using your username & password. Upon verification of your credentials, the service will ask you to insert/tap your hardware key (literally a USB device). Upon successful usage of your key, you will be allowed access to the account. An example of hardware keys with FIDO support is YubiKeys. The biggest cons of this option are 1) the cost, and 2) you need to ensure you have multiple keys - in case you lose one - and keep them safe.

You can check out the 2FA Directory to see which online services support two (or multi) factor authentication.

#5: Keep your shit private. (Seriously.)

Look, I guess we all love the instant gratification of likes on our posts - that's great. In terms of this section, I don't have a problem with people having their accounts public - that's fine - just a bit less privacy for you. I keep mine public sometimes! That being said, keep your stuff private - that could mean keeping your accounts on private, or just simply not putting your entire life out for people to know.

As some will know - it's not always the best idea to keep your location data going into your posts. Keep your location private, and it's less easy for someone to stalk you. Seriously. While we're at it, there is absolutely no reason to have your location public on Snapchat. Seriously. If you must share your location with someone, there's other ways of doing so. If you have an iPhone, share your location with a friend by using Find My. It's more secure, and private, relative to other apps. If you're on Android... IDK.

#6: Keep your shit even more private, use a Virtual Private Network (VPN).

This might seem complicated - but I promise, it's easy. Essentially a VPN creates a secure, private "tunnel" for your information to flow through on its way to connect to the internet writ large. A VPN conceals your Internet Protocol (IP) address, and hides your data (somewhat) from prying eyes - like your internet service provider. Some ISPs will sell lists of which sites you visit - don't like that? A VPN is your friend. It's doubly good if you often connect to public Wi-Fi networks. Basically, a VPN keeps your shit private from prying eyes, allows you to appear in different places (sometimes can be used to view content from different locales!), and in some cases, can make your internet faster (often a millisecond or two slower, though).

There are plenty of VPN options out there - free and paid. If you just want a quick, free, no hassle option, Cloudflare (one of the internet's most successful security companies, led by a Saskatchewanian) offers a very simple, free option called WARP, offered on the 1.1.1.1 DNS framework. You can check out 1.1.1.1 for more information and to download the app(s). I use WARP all the time, on every device.

If you're looking for more premium options, such as the ability to appear in different locations, you'll likely need to pay for a VPN (especially to get decent speeds). Below are some of my favourites (I have used FastestVPN and Mozilla before - Mozilla is the organization behind the Firefox Browser, and Pocket, one of my favourite tools):

There are many other options; all of them are very similar.

#7: Use your browser's anti-tracking features to your advantage (might break some websites).

Google Chrome is mediocre (as far as I recall) for this, Firefox is good, and Safari is decent (Apple products are decent for this too, especially after the recent anti-ad-tracking updates).

In Firefox on a computer, you can go to Options -> Privacy & Security to choose various options. I usually keep my Firefox browser set on Strict Enhanced Tracking Protection. However, when I need to attend classes, I have to shift to moderate in order to be able to load my WebEx meetings - it does break things!

On your phone, no matter what the app asks, just say "Ask App Not to Track" -> while not necessarily good for security, it's good for privacy, and makes companies like Facebook scared. That's good.

Oh, and use an Ad Blocker. Disable it for the indie media sites that you really want to support, but otherwise, keep one on. I use uBlock Origin.

#8: Practice good habits (the most important)

This sounds wrong, but honestly - this is the most important one. All of the above are great, but if you share all your passwords with multiple people (or in public, or write them on a piece of paper), or click links in messages or emails without thinking, the other points are moot.

  • Do not share passwords. Especially important passwords - your phone, your bank pin & account password, etc. Netflix? Meh.
  • Seriously, just don't click links in messages and emails if you don't have to. If a store is offering a deal in your email, go to the store website and enter in the coupon code yourself. Get an email from a lawyer or a prince? Ignore. A text message about a tax refund? DELETE IT.
  • For links that absolutely must be clicked, such as Amazon account verification links, you'll begin to recognize the numbers they come from. I believe Amazon, at least in Canada, uses a 7**** series (at least for some). These will typically stay the same for (good) companies - some will change, but you'll recognize the message based on the context and your actions.
  • For everything else, just use your judgement. Banks for example, will never (or at least, shouldn't) send an account login link via email - you must go to their website yourself. Outside of the internet, if you receive a call from someone - verify the call by hanging up and calling back the company/organization yourself on their public line (not just re-dialing the call that came to you)!

TRUST, BUT VERIFY.

BONUS: Check if your passwords have been released on to the interwebs.

Use have i been pwned? and check if your passwords need to be changed. Many password managers will do this for you (hint, hint)!