
The Fun World of Firefox Browser Addons

Elizabeth Technology October 20, 2022

With the recent announcement that Chrome is gutting ad blockers, it’s never been a better time to switch to Edge (which we recommend because it is especially easy to use) or Firefox. Edge is better for business – but if you want a smoother, less ad-riddled home browsing extension, why not check out Firefox?

Ad Blockers

Because Google sells quite a few of the slots you see online, it’s become disincentivized to let you avoid them on their browser – so Chrome will no longer block ads because that would be blocking Google from making that sweet, sweet ad money off of your views. And ads are everywhere. You scroll past them in between posts on TikTok and Tumblr. They appear on the sidebars and banners of news websites. They autoplay when you open Youtube, and speckle the progress bar with yellow. They’re obnoxious. And simultaneously insidious – you may watch a clip of a seemingly normal Instagram video only to realize after they begin pitching the product hard that it’s not a recommendation, it’s an ad, and you simply missed the little sponsor logo in the corner. Ads track you. Ad companies watch you view their ads and then determine from your behavior whether or not you’re interested. They watch the content you watch, and determine your age, gender, nationality, political affiliation, hobbies, and more from your online behavior. Even if you don’t mind ads, this tracking is often enough to justify an ad blocker in and of itself.

That said, ads can be pretty annoying, especially when they disguise themselves as regular content. Edge, a popular alternative to Chrome, still has an ad blocker, but does it have a sponsored post blocker? Because Firefox has both! Firefox can filter out sponsored posts from your websites alongside the normal ads you see everywhere. If you’re sick of sponsored content making up an unfair percentage of your feeds, Firefox has you covered.

Password Managers

Edge, Chrome, and Firefox all have versions of their own ad blockers as well as third party versions that can be downloaded to the browser – Firefox, however, will allow you to synchronize this across devices without a fee. While we like and recommend LastPass, it’s only free if you’re using it on one device, and you have to pay to sync it on multiple devices, which can be a bummer.

This is a mixed bag of a tool. On one hand, having all this stuff stored safely inside your Google account sounds great and convenient, and usually it is – except in the case of hacking. If someone socially engineers their way into your Google account, suddenly all of your other passwords are stolen too. Nightmare! A Firefox account, which does not have its own email service, is less likely to get hacked if only because it’s less immediately valuable. By dividing your email service from your browser password service, you’re not putting all of your eggs in one basket.

As far as security, a really good fake webpage that trips your browser or password manager to auto-fill the password would get almost any password service, built in or not! Turn off auto-fill if you can.

Other Goodies

Firefox has tons of other useful addons as well! Tired of getting distracted on Reddit, but can’t seem to stop typing in the URL almost unconsciously? Download Impulse Control and wrest your eyes back on task. Trying to keep cookies under control? Download the extension that shortens the path to deleting your browser history right to your window. Ads still squeezing in, or threatening to break your page if you don’t turn off your ad blocker? A browser extension called DeCentralEyes promises to serve more local content that won’t slow down your page or give a ton of info to bigger third-party ad sites. You can remove ‘recommended’ content on YouTube to see only the people you’re subscribed to on your front page, and skip out on YouTube sponsorships with a separate extension from that one. Overall, you can completely tailor your experience on Firefox, and you’ll have quite a bit of privacy from the business running the browser itself while doing it.

If Chrome isn’t going to offer you privacy or ad-free browsing or a customizable experience, consider Firefox!

(Those extensions: https://addons.mozilla.org/en-US/firefox/addon/youtube-recommended-videos/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=hotness

https://addons.mozilla.org/en-US/firefox/addon/sponsorblock/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=hotness

https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=rating

https://addons.mozilla.org/en-US/firefox/addon/clear-browsing-data/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=hotness

https://addons.mozilla.org/en-US/firefox/addon/impulse-blocker/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=featured)

Please don’t scan random QR codes

Elizabeth Technology October 4, 2022

The Past and Present of Random Links

Before the age of built in antivirus and user-friendly web design, it was entirely possible to wander onto a webpage that would just start downloading something malicious out of nowhere. Popups that did this were a serious problem, and many browsers responded by working in a sort of zero-trust philosophy. Firefox, for example, will tell you when a site has tried to open a pop-up, and asks you if you still want to open it. This does occasionally catch honest secondary windows (like payment portals and the like) but the great thing about that is that because it asked, you can say ‘yes, I wanted that to open’ and you’re not stuck with some horrid flashing popup dominating your screen every other time.

Aside from popups, some websites were able to either trick users into downloading things by mimicking a real website, or simply start downloading things themselves as soon as they were clicked. Separate antivirus programs were needed to combat phishing downloads alongside other website trash, as browsers can’t always differentiate between intentional and unintentional downloads. In this era of the internet, misclicking or accidentally misspelling a website URL could be catastrophic for the computer. Big hosting companies protect their hosted websites now by preventing others from registering domains that are almost the target URL, but not quite (a form of domain squatting) but this wasn’t always the case.

Furthermore, hyperlinks can be used to trick people into clicking things they’d otherwise have avoided. Remember Rick Rolling? Every trick that anyone has ever used to Rick Roll you can also be used to get you to click on, and download, something you don’t want on your computer. Disguised hyperlinks. Obfuscated URLs that re-route a couple of times to get you to lower your guard. Clickable buttons, in place of links. Social engineering. The list goes on!

The False Sense of Security

The modern web as most people browse it is a safer place than it used to be. Google’s SEO is partly to blame – users who report unpleasant website experiences or demonstrate that the website isn’t good by leaving within so many seconds of it loading will lead to that website appearing lower in the search results, until eventually Google stops letting it pop up near the top at all. Hosting services are also partly to blame – they have a monetary interest in keeping their websites whitelisted, and malicious websites screw that up for them. Plus, it’s sort of scummy. Would you want to do business with a company that passively allowed one of its clients to wreck another potential client’s car? Probably not!

Antivirus and default browser settings take care of much of the rest. But these things don’t mean the nastier parts of the web have stopped existing, they just mean it’s harder to get there without doing so intentionally. Users don’t fear clicking on links that lead to sources or Ko.Fi services because it’s been so long since that was a problem. Forum users click through links with no fear. While not a perfect breeding ground for scam links to come back (most people still know and remember the warning signs) it is a perfect breeding ground for something new built on old foundations – QR code scams.

QR Codes

A QR code is a sort of bar code that’s recorded in two dimensions (vertical and horizontal) instead of one. Almost every modern phone (and many of the outdated ones) comes with a QR-reading feature built in. QR codes and code readers have a high tolerance for missing or damaged information, making them a fantastic resource for quick and easy link-loading – where a barcode is unreadable if a bar is missing, a QR code can often still be read if squares are missing or obscured. Advertisements, verification texts, digital menus, libraries, virtual queues, etc. all benefit from how simple it is to whip out a phone and point the camera at a black and white square for a few seconds. It’s even easier than typing in a link, and you can direct users to specific pages with gangly URLs without worrying how that URL is going to look on printed material – the user isn’t going to see the URL anymore, they’re going to see the QR code!

This led to things like QR code stickers that would lead to individual GIFs or art project websites out in public, a form of easy-to-remove graffiti that still showed off some art in today’s hyper-online world. QR codes gave restaurants and their diners an easy way to see a digital menu without having to type in a URL. It also made Rick Rolling easy again.

You’re probably already seeing the issue here: when users can’t see the URL, they have no way of knowing where they’re going to end up when they scan it. A hyperlink’s true destination is visible to a user when they press and hold on mobile, or hover their mouse pointer over it on desktop – the same is not universally true for QR codes (some phones and programs show the link before asking you to continue, but many do not). The scam potential for these codes is off the charts because many do not understand them as ‘links’ but as ‘scannable objects’.

Discord Scam

For example, the recent slew of Discord scams! Essentially, what happens is a scammer compromises an account, either by password brute-forcing or by social engineering, and sends messages to everyone on that person’s friend list saying things like “ummm idk if this is really you or not but it was your name and it says you sent a girl gross stuff like wtf? Check the #shame tag and you’ll see it. I’m blocking you just in case, I can’t be friends with a predator”. They then send a link inviting you to join the Discord server mentioned in the message, and block you so you can’t continue to chat with them. As this is a compromised account and may be pretending to be someone you actually speak to on the regular, this can be very alarming. The first instinct is to join the server so you can defend yourself against whatever allegations have allegedly been made in that server! It presents you with a QR code to join the server that this compromised account has sent to you so you can clear your name and get your friend to unblock you, but when you scan it, it tricks your phone into giving over the login credentials for your Discord, compromising your account and continuing the scam.

This is the sort of scam that happened all the time before people grew wary of random DM’ed links! Here we are again, re-learning not to trust people that talk like bots and the things those bot-people/compromised accounts send us.

Sources: https://mamoru.tumblr.com/post/688687077511086080/new-discord-hacking-scam 

Nomad Bridge Hack – Decentralized Currency Is Not Always Safer Than Plain Money

Elizabeth Technology September 29, 2022

The Base Of Cryptocurrency

Cryptocurrencies generally work off a blockchain which records its movements. This has both pros and cons, but the biggest pro and con is that there’s no centralized agency that monitors the coins. They monitor themselves instead! Given the base coin technology was made correctly, you can kind of just set it and forget it, and transactions using secure, well-made cryptocurrencies will work out as they should so long as both parties are being honest and not trying to scam each other. That’s not always the case, but in a perfect world, the flaws belong to the people and not to the tech. You can’t hack a Bitcoin, for example, it has to be deliberately sent. Almost all Bitcoin scams involving theft are social engineering attacks for this reason – if a scammer can get into a Bitcoin wallet, either by brute forcing the password or tricking the owner into giving it to them, they can still steal the coin by sending it elsewhere, and it can’t be called back.

However, this really applies best to Bitcoin and older cryptocurrencies that have had a minute to mature and improve the tech. New tech using blockchain is riddled with flaws. Take NFTs, for example – on some of the platforms hosting them, a security flaw allowed ‘smart contracts’ to be planted in someone’s wallet, which would then move the real NFTs out of the wallet once the owner clicked them. NFT chains can’t show if something was paid for, they only show if it was moved, and so those NFTs would be sold along as though they’d never been stolen because nobody would be able to tell. It’s sort of ridiculous.

The coins are impenetrable – everything else is not.

The Nomad Bridge Hack

Bridges, in cryptocurrency speak, are like currency exchanges. They allow people with one type to spend it like another by depositing the crypto they have to be used as collateral for the one they want. Blockchain technology is difficult to break when it’s one continuous piece, but when it’s not, it’s just like any other kind of banking technology. Meaning it also needs layers and layers of security so a failure on one layer doesn’t mean total system failure.

The problem is that typical banks have had a ton of time to work out security, but crypto is new, and it always wants to build itself something special, just for crypto, because that makes it more special than all the other modes people have used for payment. As a result, they’re rediscovering issues that banks have already worked out, like the exploit that drained Nomad of all of its money. Or the different exploit that drained Wormhole. Or the other different exploit that drained the Ronin bridge.

In Nomad’s case, a bad update allowed any tokens with the default value for transactions to go through as though they were valid. Once one person figured it out, others began copy-pasting his transaction info and substituting the destination address for their own. This allowed them to transfer currency to their own wallet without having to put up any collateral, like they normally would. A handful of people tried to altruistically take money so it’d be safe in a wallet and they could give it back later, but the vast majority was snatched before the platform could react.
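The class of bug described above, as a simplified Python model added here for illustration; it is not Nomad's contract code. The names (`ToyBridge`, `trusted_roots`, `proven_under`) are hypothetical, the wallet names are constructed, and Merkle-proof verification is assumed to happen elsewhere.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32   # what an unset 32-byte slot reads as (the default value)


class BridgeError(Exception):
    pass


def message_id(recipient, amount, nonce):
    """Identify a transfer by the hash of its contents (assumed scheme)."""
    return hashlib.sha256(f"{recipient}|{amount}|{nonce}".encode()).digest()


class ToyBridge:
    """Pays out only for messages that were proven under a trusted root."""

    def __init__(self, initial_root, reject_default=False):
        self.trusted_roots = {initial_root}   # roots the bridge accepts
        self.proven_under = {}                # message id -> root it was proven under
        self.reject_default = reject_default  # the hardening switch
        self.payouts = []

    def prove(self, msg_id, root):
        # Assumption: the Merkle proof for msg_id was already verified.
        if root not in self.trusted_roots:
            raise BridgeError("root not trusted")
        self.proven_under[msg_id] = root

    def process(self, recipient, amount, nonce):
        msg_id = message_id(recipient, amount, nonce)
        # A message that was never proven reads back as the default value.
        root = self.proven_under.get(msg_id, ZERO_ROOT)
        if self.reject_default and root == ZERO_ROOT:
            raise BridgeError("message was never proven")
        if root not in self.trusted_roots:
            raise BridgeError("root not trusted")
        self.payouts.append((recipient, amount))
        return True


def accepts_unproven(bridge, recipient):
    """True if the bridge pays a transfer nobody ever proved."""
    try:
        return bridge.process(recipient, 100, nonce=1)
    except BridgeError:
        return False


REAL_ROOT = hashlib.sha256(b"constructed genesis root").digest()

if __name__ == "__main__":
    bad_update = ToyBridge(initial_root=ZERO_ROOT)   # default value marked as trusted
    print("bad update, wallet-1:", accepts_unproven(bad_update, "wallet-1"))
    print("bad update, wallet-2:", accepts_unproven(bad_update, "wallet-2"))
    hardened = ToyBridge(initial_root=ZERO_ROOT, reject_default=True)
    print("hardened, wallet-1:", accepts_unproven(hardened, "wallet-1"))
    correct = ToyBridge(initial_root=REAL_ROOT)
    print("correct init, wallet-1:", accepts_unproven(correct, "wallet-1"))
```

The hardened variant refuses the default value explicitly, so a second mistake at initialisation cannot turn "never proven" into "valid".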

Currently, Nomad is attempting to trace the coins and get them back, but this is the major disadvantage of cryptocurrency – they can’t just reverse the transaction, and the coins don’t record whether a movement was legal or not. There’s also no central body to make the thieves give the coins back, because the currency was made specifically so it wouldn’t need that. It’s unclear if Nomad is actually going to be able to get those coins back. Right now, 9 million dollars’ worth of the stolen coins have been returned (probably due to the 10% bounty that Nomad set trying to encourage people to give the money back) but the rest is still up in the air.

Sources: https://blockworks.co/nomad-token-bridge-raided-for-190m-in-frenzied-free-for-all/

Can a PDF Attachment Really Compromise my Network?

Elizabeth Technology September 27, 2022

Yes!

Basic Email and Anti-Phishing Safety

It’s a message that bears repeating – you shouldn’t click on links or attachments in emails you weren’t expecting, didn’t sign up for, or otherwise don’t entirely trust. For example, say you get an email from Target, but there are several typos in the header. That’s a really easy tell that the email is likely a fake! A real business the size of Target has several sets of eyes on their marketing materials.

A harder tell is checking the email sender each time. Say you open an email from ‘Tagret’, and it’s not loading right. If you don’t normally have that issue, it might be a fake trying to get you to click a ‘view in browser’ link that actually leads to a download page set up for a virus. You might have missed the fraudulent sender if you didn’t double check!

But what about attachments? You should approach attachments with a zero-trust philosophy. Verify the sender, verify the email itself isn’t riddled with typos and easy-to-fix mistakes, and verify that the attachment itself is titled appropriately for what it says it is. While you could easily accidentally open a phishing email, realize it’s a phishing email, and then close it before you click any links or type anything in (you should still report that incident to your IT Department), clicking on an attachment that’s malicious is harder to recover from! PDF attachments, which are normally pretty inert, are a possible highway into your network or computer. Keep these following things in mind when you open attachments.

It Might Not Be A PDF

Not all that glitters is gold! That attachment from someone you don’t remember hiring might be something like an executable file (a .exe file) that’s just named Invoice307.pdf. When you name a file, only certain characters are excluded from possible names, including characters like the percent sign (%) and question marks (?) because they’d interfere with the way the file is stored. Periods are not, and that makes it easy to fake a name! It won’t get everyone (invoice.pdf.exe looks pretty strange, right?) but it might get the kind of person who doesn’t spend that much time on computers, or doesn’t get this kind of scam regularly. If that sounds like you, it only takes a second to double-check the extension name before you download it, and that second can prevent a lot of pain! Most desktops will also show you a file’s full name if you hover your mouse cursor over said file – to hover, you just move your mouse cursor over the file without clicking it, and wait a second or two for your email program to show the full name. This is nice if the name is too long for the thumbnail and you’re not sure if you trust the sender or not.

A similar tactic is hyperlinking some text to open a website which will begin downloading malware instantly. The scammer puts in some ordinary-looking links, like a Shop Now! or Click Here! button, and then uses the hyperlink feature available in most email applications to hide a viral link inside. If it successfully tricks you into clicking it, you’re in for a bad time. The hover trick from before works here too, and it should show you where the address actually goes in the bottom left corner. Remember – don’t click if you’re using the hover trick! At least until you’re sure it’s safe.

However, there are ways to mess up your computer without overtly malicious software. Consider the ‘.zip bomb’, for example! A .zip bomb is a huge amount of junk files packed into a .zip file, which compresses it. When you, the receiver, download and open the .zip, it slows or even crashes your computer with the huge amount of information it’s trying to decompress. Since the files themselves don’t have to be malicious to achieve this (they can be, but they don’t have to be), many consumer antiviruses will just ask you if you trust the source – and if they’ve done a really good job social engineering by making the sender sound plausible and writing without typos, you might click yes without thinking twice. To recap – if it doesn’t end in .pdf, and someone you don’t know sent it to you, it might cause problems for your computer.

Even If It Is, It Might Have Something Nasty

If you’ve ever struggled to get Word to allow you to open a document and edit it, that’s because some malware can be hidden inside otherwise innocuous-looking documents. It’s rare, but it happens – it’s usually something called a macro virus, or a virus that uses ‘macros’ to download itself. A macro in Microsoft properties is a command that groups several keystrokes into one, and they have many legitimate uses, but can be used maliciously to lead you somewhere you don’t necessarily want to go, or download/unzip another file contained within the file you’re working with. A much simpler version is just using macros combined with the hyperlink trick from before to get you to bring the document out of safe mode by disguising said hyperlink as something innocuous, but other, more complicated ways to get your PC to download something nasty can be hidden too.

Once again, double-checking the file extension might help you determine whether or not you really want to click something. Microsoft Office products save differently if they contain macros or ‘active content’ – for example, instead of a .docx file, a Word document with macros in it will save as a .docm file. If you download one, most recent versions of Office products will ask you to verify you trust the place you downloaded from, adding further security.
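The checks from the sections above (the real extension, whether the content matches the name, macro-enabled Office formats, and .zip files that unpack to far more than they weigh) can be automated at a mail gateway or help desk. This is an added example, not part of the original post; the extension lists and the two size thresholds are assumptions, and the sample attachments are constructed in memory.

```python
import io
import zipfile

# Leading "magic bytes" of the file types the article mentions.
MAGIC = {"pdf": b"%PDF-", "exe": b"MZ", "zip": b"PK\x03\x04"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "msi"}
MACRO_EXTS = {"docm", "xlsm", "pptm"}        # Office files that may carry macros
DECOY_EXTS = {"pdf", "docx", "xlsx", "jpg", "png", "txt"}
MAX_RATIO = 100            # assumed limit: unpacked size / packed size
MAX_TOTAL = 500 * 2**20    # assumed limit: 500 MiB unpacked


def sniff(data):
    """Return the type suggested by the first bytes, or None."""
    for kind, signature in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def zip_findings(data):
    """Inspect the archive directory only; nothing is decompressed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            entries = archive.infolist()
    except zipfile.BadZipFile:
        return ["zip container cannot be parsed"]
    unpacked = sum(e.file_size for e in entries)
    packed = sum(e.compress_size for e in entries) or 1
    findings = []
    if unpacked > MAX_TOTAL:
        findings.append("unpacks to %d bytes" % unpacked)
    if unpacked / packed > MAX_RATIO:
        findings.append("compression ratio %d:1" % (unpacked // packed))
    return findings


def triage(filename, data):
    """Return a list of reasons to distrust an attachment (empty list = none found)."""
    findings = []
    parts = filename.lower().rstrip(". ").split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension ." + ext)
        if inner in DECOY_EXTS:
            findings.append("double extension: reads as ." + inner + ", runs as ." + ext)
    if ext in MACRO_EXTS:
        findings.append("macro-enabled Office format ." + ext)
    kind = sniff(data)
    if kind == "exe" and ext not in EXECUTABLE_EXTS:
        findings.append("content is a Windows executable but the name says ." + ext)
    if ext == "pdf" and kind != "pdf":
        findings.append("named .pdf but content does not start with %PDF-")
    if kind == "zip":
        findings.extend(zip_findings(data))
    return findings


def make_sample_zip(size):
    """Constructed sample: one entry of `size` zero bytes, deflated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("junk.bin", b"\x00" * size)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                   # all constructed
        "report.pdf": b"%PDF-1.7\n% constructed sample",
        "Invoice307.pdf": b"MZ" + b"\x00" * 62,
        "invoice.pdf.exe": b"MZ" + b"\x00" * 62,
        "notes.docm": make_sample_zip(10),
        "photos.zip": make_sample_zip(5 * 2**20),
    }
    for name, data in samples.items():
        print(name, "->", triage(name, data) or "no findings")
```

The sizes read here are the ones declared in the archive's own directory, so a clean result narrows the risk but does not replace opening unknown archives on an isolated machine.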

Don’t Forward Emails You’re Suspicious of to Anyone but Your IT

If you send this mail to your manager, and your manager is in a rush and doesn’t read what you wrote about the message and clicks the attachment… you’ve just moved the problem! Don’t forward something suspicious to another member of your organization – if the scammer had their info, they’d likely be a target too! Instead, if you get an email you’re not sure about, forwarding it to your IT department is a safe bet. If it’s nothing? Then you sent your IT guys an email with a legit attachment, and you know for sure it’s safe to open. If it’s malicious? IT should be able to handle it in a quarantined computer. They may even be able to tell if it’s malicious without opening it! This could potentially save you and your organization from ransomware or other malware that can completely halt your business.

Sources: https://support.microsoft.com/en-au/office/protect-yourself-from-macro-viruses-a3f3576a-bfef-4d25-84dc-70d18bde5903

Don’t Make Shared Email Accounts

Elizabeth Technology September 15, 2022

A shared email box has plenty of utility, but it has to be set up right to reach its full potential. A shared mailbox should allow all its members to see the content, and can usually be set up so that members can send emails under the mailbox’s address. Essentially, the box is just a box that they have permission to access. Microsoft Outlook allows you to add your users to specific shared mailboxes, but only you, the admin, can decide who gets to see it, who gets to be part, who has the ability to send as the box, where forwards go automatically, if that’s even desired etc. etc. And they don’t have to have a Microsoft license to function!

A shared account, on the other hand, is an easy path to disaster! A shared box shouldn’t be a fully-fledged account that your users can log into using a password and username that you gave them, generally speaking. If your box is set up so that users are in the account instead of in the box only, they have way too many permissions!

For example – a user decides they want full control of the shared email account and simply logs in, changes the password, and doesn’t share it. Now what? You can do a lot of things to the user, up to and including firing them, but that might not be enough to get the email account back, especially if they left on bad terms. Or, an employee mistakenly believes that everyone in the company is meant to have access to a shared account, and gives the login credentials to an unauthorized employee when they ask. Or, an employee writes down the shared credentials somewhere, loses that, and then the company’s support or information mailbox is hacked and totally out of their control. If the account is set up as part of a security group, everything in that group is then put in jeopardy, because accounts can access shared drives. Accounts also take a license to keep functional, so that’s an added expense over a simple shared email box. The issues go on and on!

While some of this can be mitigated with steps such as two-factor authentication, the vast majority of it can only be stopped by making a box that has layers of separation between the account controlling it and the accounts allowed to use it. Microsoft’s system allows users to be added to a shared mailbox without giving them total control over it – that’s the ideal, as user permissions can be revoked without having to go through the song and dance of giving the login info back out to everyone still authorized to use it. As shared mailboxes can’t be signed in to, they’re also much less likely to be ‘hacked’ via a stolen password (although someone could still access it via someone else’s account).

Group Accounts – Social Media

On the other hand, there are social media accounts for the company. Almost no website allows multiple people to run an account with separation from said account the same way that Microsoft does – LinkedIn is a rare exception, and Facebook pages allow people to post to them, but the page can’t post to itself – the company account has to post to it. In cases like that, a shared account is still not ideal, but it becomes easier to manage if only a handful of people have the password, and only one person has the 2FA number. In a pinch, that makes it slightly easier to reclaim the account if the person in control decides to go rogue, but even then, some sites will allow you to change the 2FA number without verifying it to the current 2FA contact first, thus making all of the issues above also issues here. That makes it extraordinarily difficult to truly, properly, bombproof a social media account! Limiting the total number of people who have access to it as well as monitoring when it’s being used is the best solution. Instead of a group shared account, make it a two-person account – or less!

Alternatively, websites like Buffer and Hootsuite can provide some barriers, but for a fee. They may not stop an employee going rogue, but they can at least identify when and which one was responsible if something happens to the company Instagram.

Metadata: What is it?

Elizabeth Technology August 30, 2022

The BTK killer was caught with metadata. Geotagging can unintentionally help poachers find endangered animals, and metadata can reveal hidden layers in images. Metadata. What is it?

What Is It?

Metadata is the data about the data. Generally, it falls into three families: Structural, descriptive, and administrative. Structural metadata is what it sounds like, it’s data that has to do with the structure of the data. When you take a picture, the information about the device (what kind and what camera, time, etc.) is stored in that picture. Video length and picture quality are also forms of structural metadata.

Descriptive metadata is data attached that may or may not have to do with the data inside the document: it’s data purely to make locating things easier. An ISBN is metadata about the book – it’s the book’s identification number, and it’s an identifier that humans have attached for the sake of control and ease of access. The Dewey Decimal system attaches even more data by describing what kind of book the number’s attached to.

Administrative metadata contains information about who created files, when they were moved, and when they were edited. When you type in an up-to-date word processing program, most of the time, the computer will know which user profile did the typing. It’s also the information about copyrights and where the picture came from originally, which is useful for tracking down leaked photos from services like Patreon. Keeping the art and comics exclusive to Patrons is what keeps it viable. This is administrative metadata.

EXIF DATA

EXIF data is data that’s stuck to an image, but it depends on file type – not all kinds of images have EXIF data.  With the right program, you can see into the EXIF data, because the file essentially has layers hidden within it. This is great for the scenario above, where a Patreon content creator may be trying to track down a picture leaker. First, they gradually narrow down who receives a certain tag on their comic, and make those groups progressively smaller. Eventually they get to the specific tag and user who’s been posting their content elsewhere. There are other, more foolproof methods, such as putting something visually different (but minor!) in the comic so it can’t be deleted (EXIF data can be) but it’s certainly a good option. It also helps with criminal investigations and copyright claims for similar reasons.

Geotagging

When you post a photo online, you should also check your phone’s settings to be sure Geotagging is off. Geotagging is another form of metadata, and it’s where the phone attaches a location to the image. Families on vacation taking a picture of a rhino and posting it right away can lead poachers to its location. The same applies to the inside of your house. Don’t post pictures of valuables if people can find out where the picture was taken!

Instagram and Facebook both scrub the EXIF data from pictures before uploading them, but places like Flickr and Shutterfly do not. It’s a double edged sword – you’ll have to keep geotagging off for Flickr, but you won’t have to worry about the copyright info disappearing from the pic. Facebook strips all the location and photography info, but hidden copyright is gone too. Choose wisely – and maybe use a watermark.

Side Note: Don’t %#*& With Cats – and Metadata

It only took one unscrubbed photo from the Cat Strangler featured in Netflix’s documentary “Don’t %#*& With Cats” for his location to be compromised. Internet sleuthing leads to witch hunts more often than it does good convictions (see Sunil Tripathi) but in this case, metadata was one of the few pieces of the puzzle the online folks had that wasn’t circumstantial.

For those of you who haven’t seen the documentary, a Facebook group begins tracking down a serial animal abuser. The Cat Strangler eventually escalated to killing a man, and while it seems like the police had been ignoring the Facebook group before, it’s more likely that the evidence was just… not that great. A blanket bought off of eBay that ships overseas isn’t the rock-solid proof the documentary portrays it as, but the metadata was! The Cat Strangler’s repeated comments in the actual group were also compelling evidence. That was incriminating, and it was info the police could use. Ultimately the group did help track the man down, and evidence gathered helped get him convicted, so it didn’t all go to waste.

Deleted Docs and Recovery

The reason data recovery is even possible is because stuff isn’t deleted deleted until it’s been written over with something else. Free space isn’t empty space, it’s just space the computer is allowed to write on. This is why you need to start the data recovery process as soon as possible after a major loss. The data’s not necessarily gone unless the failure was catastrophic, and you may have a chance to recover it. This is metadata in action!

As mentioned above, metadata can also be used to identify the age, previous locations, and editors of a document. If a document is older than the event it’s supposed to be covering, you know for sure something’s wrong.

Document recovery tools and data forensics are two groups that go hand-in-hand. This article is very technical, but it goes over a lot of interesting information: here. It does a better job than I could of describing what the tools do. In basic terms, a metadata-based recovery tool finds where the file used to be stored using the directory. It then copies that entire chunk, including hidden bits, and reconstructs the file based on that. This isn’t a perfect explanation, so if you’re interested, go ahead and read that study.

Side Note: BTK and Metadata

Metadata once famously led to the capture of Dennis Rader, the BTK Killer. He’d used a floppy disk that had previously held a document from the church he worked at. The last person to modify it (which would have been the person to delete the document) was “Dennis”. Between that and DNA evidence found at a scene he confessed to, he was trapped! He’d sent the floppy in after they told him he’d be anonymous still, and the police weren’t technically lying. They expected him to use a fresh disk, in which case they’d have never been able to track it back to the church.

Sources:

https://www.theatlantic.com/technology/archive/2014/01/the-floppy-did-me-in/283132/

https://www.forbes.com/sites/michaelshiels/2016/09/07/deadly-virtual-postcards-lead-poachers-to-rare-endangered-trophy-animals/?sh=56014dcc23ad

https://eudl.eu/pdf/10.4108/eai.13-7-2018.163091

The Kinect’s Path To Market

Elizabeth Technology August 23, 2022

The Xbox Kinect was famous for a couple of things: it could see you without a remote, unlike the Wii, it could take commands without a controller, unlike the PS4, and it nearly caused riots when Xbox demanded it stay on, always.

Xbox. You can’t just do that. But first, let’s look at why it was launched in the first place!

Innovation

The Kinect didn’t need a controller to register your movement, something other consoles still struggled with. Even when PS4 wanted to incorporate more active games into their lineup, they went with a remote that looked a lot like the Wii remote. It fit nicely into the hand, but as some users discovered, cheesing the game by only moving your arm was too easy. Besides, if you executed a dance move perfectly except for your wrist, you wouldn’t be rewarded for it. The Kinect set out to fix the problem by cutting out handheld remotes completely and providing a bigger space for users to interact with the game. The main problems with this were room detection and movement detection – other consoles didn’t bite because the prototype was fiddly at best. The machine didn’t know how to “see” the human figure, and instead it would try to analyze a movement based purely on camera alone.

If the machine doesn’t understand the way a human can and cannot move, it’s much more likely to mis-detect pieces of furniture and light sources as people phasing in and out of existence. This makes gameplay jerky and difficult, and it’d take time to fix. Luckily for the development team, Microsoft doesn’t mind waiting – in fact, they’re happy to have something that can compete with the Wii in their development lab. They knew right from the start it would be difficult and expensive to do all the research necessary to make the Kinect work. In fact, it was shelved once or twice while software caught up! But it would be worth it. Right?

Competition

The Wii was very popular, but Nintendo’s habit of underproducing cut sales. Weeks at a time went by where nobody could find a Wii except from scalpers, who charged two or three times more than the original selling price for a unit. The PlayStation version was a much better seller, but unlike the Wii, the PlayStation was not built around motion games. Its movement-game library was lacking, even though their motion controller was completely fine. The Kinect was going to revolutionize the market with a fresh take on dance games, a commitment to fitness, and a constant stream of new games that would make the Kinect the Christmas gift of the year!

The technology was new – nobody else had taken the initial contractor up on their motion sensing. Xbox had exclusive access to something incredible. They pared down the size and made it more responsive. It could adjust to the room it was in! Nothing like it had ever been seen before, and it was all designed to fit neatly on top of the console or TV. It really was a revolutionary product.

However…

Nintendo was able to produce a whole library of games for the Wii, and PlayStation’s modest selection was fine for the price of the PlaySense controller. Xbox only released 5 titles at launch, assuming third party developers might step in. They didn’t. Programming around the Kinect seemed like a nightmare, a time-consuming task that they’d rather not buy into. This was long before VR was a thing, and developers would need a lot of time to even learn this new engine, let alone make something using it. But Xbox could still make that work, right? They’d make their own games on the regular, just like they did for the source consoles, the Xbox 360 and the Xbox One. Especially since they’re thinking about making the Kinect mandatory for the XBone, right? You wouldn’t force people to pay extra for a dance game they didn’t want, right??

New Console

The Kinect was completely optional for the 360, but at announcement, not for the Xbox One (also known as the XBone, a nickname intended to peeve off Microsoft). People who didn’t intend to use the device were angry that they were paying extra for ‘nothing’, and people who did want it were angry that the console might not work without it. Either way, it was a bad idea to try and push the two out together to boost a failing product.

The PlayStation’s latest launch did no such thing, and shared many of the features of the Xbox One, including all the new entertainment features like a DVD drive and access to Youtube.

Anecdotally, when this was first announced, I remember many people on forums claiming they’d leave Xbox for PlayStation if nothing was done to correct this injustice. Whether or not they actually were going to or even had the ability to wasn’t important. The statements themselves drove newcomers just entering the console market off into PlayStation’s waiting arms. PlayStation was a gaming console, where the XBone came with a lot of strings attached. Or it would have.

Failure Approaches

Companies were already facing backlash for “always on” before this – Xbox shouldn’t have thought it was exempt. The latest Assassin’s Creed was declared unplayable by a sizable portion of their audience, and EA’s “always on” Sims release turned many people off the franchise. In my opinion, they’re right to be angry! Internet connectivity is not guaranteed everywhere, so limiting access to a game because of location is very, very annoying. Instead of getting to continue a story they like, they’re now limited to watching other people play through it, people with better internet than them, on forums and Youtube.

Always on is supposed to allow for updates on the regular, but a side effect is that the game won’t boot until it’s fully updated if you had the console off for a length of time. It’s very annoying to sit down, expecting to be able to play a video game, only to have to wait an additional 40 minutes while it catches up. Because, you know – computers are supposed to be turned off every once in a while. You’re going to restart your Xbox to keep the red ring of death away.

The Kinect would be off to a rough start. But surely for the people who did have access to good internet, this would be a smash hit, right? Always on means games are always bug-free (in theory) and besides, the Kinect was revolutionary!

However, the Kinect could respond to voice commands. It needed to be listening to pick up on those commands. This meant that the Kinect would always be listening, and the camera was always on, too. In a world before the Amazon Alexa and Google’s Cortana, this seemed incredibly invasive! If your console’s in your bedroom, is Microsoft listening to you, even then? Yikes.

What Happened?

The Xbox One, or the XBone, was forced to drop the mandatory internet connection and included Kinect before release – people just weren’t ready to have Xbox’s version of the Amazon Alexa yet. Additionally, PlayStation had gamed them by announcing the exact opposite of what Xbox announced: Where Xbox said “internet required”, Sony said none needed. Where Xbox said “Always Listening!”, Sony said unnecessary. And when Xbox said “Digital only, no sharing!” Sony said of course you can share games. Sony knew what Xbox was doing to itself and simply let it happen. Xbox was forced to retreat and retract ‘features’ to keep up with the newest PlayStation.

That ‘sharing games’ thing was a big point of concern. People saw a future with no retro games and no more local co-op. And Xbox framed this as a good thing! It’s connected to your library so you’ll have it anywhere you go. Yeah, that’s cool! But Xbox would have effectively shut down their part of the game-reselling industry to make it happen and killed a lot of joy in the process.

Long story short, Xbox’s decisions killed some of the hype for the newest console – the Kinect got caught by the fallout.

Legacy

The supply of Kinect game titles is very small. Trying to shove it into a package with a console that was already on thin ice with consumers was always destined to fail. It wasn’t a bonus; it was a liability! On top of all the other liabilities that they wanted the XBone to have! If workers took their work home, was the company going to have to make a policy of no Kinects? Is Microsoft watching your children and you just out and about in your house? It sounds paranoid, until “Always On” was used to sell ads elsewhere. Not from Kinect, but other companies.

It had far more negatives than positives at the time, and that on top of everything else the XBone was doing wrong led to Kinect’s demise. It just wasn’t fun enough to replace the controller games that everyone – including game makers! – was used to. It wasn’t fun enough to ward off criticism of “Always On” tech. It just. Wasn’t. Fun. Enough.

Besides, the Oculus Rift and other Virtual Reality headsets almost always use controllers. Between the helmet sensing motion and the handles sensing your movement, it was easier to program for, so as soon as they were available they soaked up any demand there might have been. No skeletal tracking, with the added benefit of VR immersion. The Kinect can’t put you in Skyrim like a headset can, even if it lets you interact with the game like you were. It’s a baby step, instead of a gigantic leap. The Kinect was simply too big a step for the time.

Sources:

https://www.svg.com/101430/everything-microsoft-wrong-xbox-one/

https://www.businessinsider.com/xbox-one-kinect-privacy-issues-2013-5

https://www.digitaltrends.com/gaming/kinect-for-xbox-one-discontinued/

https://www.polygon.com/2020/1/14/21064608/microsoft-kinect-history-rise-and-fall

https://www.pcworld.com/article/2042445/microsoft-reverses-policies-on-xbox-one-rentals-online-check-ins-and-region-restrictions.html

More Antivirus is Not Always Better!

Elizabeth Technology August 9, 2022

Built-In Antivirus

Microsoft Windows has come with its own antivirus for quite some time. Windows 10 and 11, for example, came with Windows Defender built in and on automatically unless another antivirus was installed, at which point it would automatically switch off. Windows Defender by itself is plenty of defense for the kind of run-of-the-mill threats you’d run across browsing unsecured websites or trying to download games from websites other than big, trusted ones like Steam (given you’re listening to it when it suggests you double-check the source and double-check that you meant to download a .exe file), but some people would rather have this protection from a paid-for antivirus like Kaspersky or McAfee. The fact that those programs cost money doesn’t necessarily mean they’re better, but it can be a peace of mind thing – complaining about something that cost money means that some penalty can be extracted if the user isn’t satisfied, even a penalty as small as a partial refund.

This Computer’s Not Big Enough for the Two of Us

Windows Antivirus is unique for automatically stepping down when another program steps up. Many others don’t!

Antiviruses do not get better the more that you have. They interact in ways that step on each other’s toes and lead to false alarms. As an example: say a computer has both Norton antivirus and McAfee antivirus installed. McAfee will try to scan the computer for new threats upon startup, but will be interrupted by Norton, who interprets the file-checking as potentially hazardous behavior. Norton isn’t wrong, because ransomware will often sweep through files in some way or another, but it doesn’t recognize McAfee, and almost no other program has a reason to do that anti-viral scanning. Thus, Norton then tries to report McAfee to you! Some antiviruses have safety rails that literally will not let you whitelist (whitelisting refers to telling a program that a file or action is okay, or ‘whitelisted’) certain executable programs, so you get stuck in this horrid, unbreakable loop of antivirus fingerpointing every time you boot up your computer.

These interactions actually make your computer less safe – if both antiviruses have deadlocked themselves out of scanning because the other one says it’s a virus, your computer is not being scanned. That’s bad! Scanning is not completely foolproof, and a regular residential antivirus won’t necessarily be able to catch or handle something industrial grade, but it catches plenty of small things like trojans before they become serious problems that can cripple your computer.

Your computer is much better off with just one brand of antivirus on it at a time. Instead of more, buy better. And if you’re unsatisfied with one brand’s performance, completely uninstall it before you install the program you replace it with. Not only does that prevent them from interacting in a negative way, it also prevents the previous program from hassling you to renew it with pop-ups (McAfee is infamous for this). Either way, it’s going to save you some annoyances!

And in Other Realms

The antivirus problem is a pretty unique one because most programs don’t interact with every file on your computer in the way that they do. Two art programs are not going to start fighting over which one you should use, for instance. However, some other cases can be pretty similar. Like VPNs! Having more VPNs is going to slow down your computer without much additional benefit. The way a VPN works is that it takes your request, encrypts it, sends it to a server, decrypts it, completes the request, encrypts it again, and then sends it back to you. This keeps your ISP from seeing this request, but it doesn’t necessarily anonymize the data – after all, the VPN’s server has to decrypt the data to actually complete the request, so the VPN knows what the data is, and it knows where the request is coming from in the first place. The VPN has the same visibility the ISP initially had. Adding more VPNs to your computer will not solve this problem, it will just move it down the chain, and add extra time to each request you make in the meantime as it bounces around VPN servers.

If you only need to protect your data from the coffee shop’s open Wifi or want to watch Netflix Canada, the kind of VPNs you see advertised on Youtube will be able to do the job – the data won’t be strictly, unsubpoenably anonymous, but it will be encrypted and rerouted well enough to make those two things happen. If you’re trying to search for things that nobody can know about, you’d be better off downloading TOR (which stands for The Onion Router), a popular VPN with an excellent reputation for encryption and security. Using TOR to do illegal things is illegal, of course, but the act of downloading it and using it by itself is not.

It is Sort Of Weird to be Watching Interrogation Footage Recreationally

Elizabeth Technology August 4, 2022

But Why?

It is very human to see something horrific and ask ‘why?’. Even more so if the scale is small, and petty, if the stakes come down to ruining a handful of people’s lives for reasons that later seem transient. However, there isn’t always a good reason why… that doesn’t stop the asking.

Jim Can’t Swim and Similar Channels

I appreciate the work that goes into interrogation analysis videos, so long as those videos are made by people who know what they’re talking about. Jim Can’t Swim (often abbreviated to JCS) is a channel on Youtube that reviews and analyzes footage of interrogations released to the public. JCS is one of the biggest and most well-known channels following this premise; JCS’s narrator speaks with authority, is able to identify common tactics used by either the police or the suspect during the interrogation, and is generally respectful of the subject matter. While sometimes the subject matter is humorous because the suspect or the interrogating officer does something that’s weird or pathetic, JCS doesn’t turn serious crimes into jokes.

It also doesn’t devolve into ‘copaganda’, a term used to describe media that paints the police in an overly positive light. Copaganda may suggest that the police never make a mistake, or anyone who asks for a lawyer before speaking to the police is guilty, or that it’s okay for the police to break some of the rules as long as they ‘know’ the suspect is guilty – it’s a nasty trend that leads to well-meaning, otherwise innocent people giving up rights they are legally entitled to for the sake of not ‘looking’ guilty.  JCS often clarifies that the police are allowed to lie to you to get more info out of you during an interrogation because it so often works in the detective’s favor during taped interrogations.

Other channels mimicking his format began cropping up, and then the format began to turn into a problem.

Visibility Bias

There are two issues with the popularity of these channels. The first one is that, with the benefit of knowing how the case turns out, of course you can spot the tells of the suspect. It’s like watching a poker match when you already know who wins! For instance: many channels, JCS included, will point out body language or certain tics as indicators of lies. However, you can’t use those in court – many people tic when nervous, and it would never hold up because everyone tics a little differently. The focus on body language is for the interrogators, who are looking for certain clusters of behaviors as indicators that the person they’re interrogating might not be telling the whole truth. It’s an interrogation tactic to extract a confession, not a hard science that always yields results. While JCS and a handful of the other big channels that started after him will clarify this as they describe why the suspect is likely doing what they’re doing, many others do not – they simply point to a behavior and say “this is where they started lying” because they know how the case ends. The tendency to use big, flashy cases where the murder was gruesome and the suspect left behind tons of evidence worsens the effect, because every video ends in a conviction, giving the viewer a false sense of efficacy when it comes to certain techniques.

You don’t see the videos where the tactics lead to investigators pressuring someone for an hour because they struggled to make eye contact with the interrogator, because that’s not interesting or cool and the channels realize that. However, if every video you see where the suspect couldn’t make eye contact ended in a conviction, you’d be inclined to believe everyone who can’t make eye contact is guilty, and it’s not just something nervous people do – sort of an ‘every square is a rectangle, not all rectangles are squares’ deal. Channels have to be very careful what they’re pointing out as recognizable nervous or lying tics because it’s not a science, they know how the case ends and so may be seeing tells where there aren’t any, and there’s no frame of reference for ‘innocent’ behavior elsewhere on the channel.  

Speaking of which, the second issue is that it often ends up accidentally turning into copaganda anyway – at least, the copycat channels do. When you stop focusing on how inexact many of the tactics are because they always seem to work in the videos and the channel narrator always points certain things out when they happen, it can be easy to fall into the trap of [X] is guilty because when the cops interrogated [Y], this same thing happened. Almost every video on JCS, with a few exceptions, covers a case where the murder suspect either took a plea deal or went to trial, meaning the prosecutors already had a ton of evidence against the suspect. In the one or two cases on his channel where the suspect had been pulled in and later cleared, he points out how not-guilty the suspect acts during the interrogation. The rest? The huge percentage of interrogations that don’t provide any meaningful answers because the police had more or less said ‘this guy was in the area and we’re out of ideas’ to drag that guy in? Those interrogations aren’t the ones that end up on the channel. Why would they? They’re boring. The convicted suspect’s interrogation was probably more interesting anyway, right? The five people investigators went through to get to the prime suspect are never seen, and so the police look hypercompetent on these channels, always nailing the right person and always managing to extract something incriminating related to the case within an hour or three. These channels end up stripping quite a bit of valuable context from the case. It’s actually built into the formatting of this style of channel, because all people want to see is the case and the interview. Nothing else.

Inexpertise

And then there’s the issue of the analysis itself. Many of these folks could be amateur experts (we don’t know what credentials the vast majority of them have), meaning they’ve done extensive research online for specific cases, and specific interrogation techniques… but don’t know much beyond that. While the internet is huge and useful, you can’t research yourself into a self-made Master’s degree. Usually, that’s fine. You don’t need to have a degree in botany to be giving advice on tomatoes, you just need some research from people who do that you can cite when someone asks you how you know something will or won’t work. The field of psychology is not quite this simple, and when mixed with matters of law, sometimes even people in the system confuse themselves into messing up a case! For an outsider to be able to just leap in and begin analyzing footage of two human beings interacting within a specific legal circumstance, and having that analysis be trusted because of an air of expertise despite few credentials and sometimes sparse citations, may as well be a television show.

The problem then is that there’s no official, end-all-be-all way to describe why a new channel’s videos aren’t as good at describing the interrogation as an older channel like JCS is. A huge chunk of the people making these interrogation-analysis videos don’t have any official training, just ‘experience’. Experience is useful, yes, but when anyone can just start making videos on such serious subject matters, you’re going to end up with a lot of pop-psychology and bias making its way into the analysis. JCS, with scripters, can avoid some of it, but can a teen with no editor or scriptwriter avoid accidentally suggesting something completely incorrect because it just happens to pan out in this case?

Just like everything else online, you should avoid taking the word of an interrogation channel without a grain of salt. They’re there for your entertainment first – anything else comes second!

2FA Do’s and Don’ts

Elizabeth Technology July 26, 2022

We’ve said it before, we’ll say it again – 2FA is one of the biggest steps you can take to keep your account secure. 2FAs serve as heavy reinforcement for bad passwords, and protect you from brute-force and password-stuffing attacks that might otherwise work. However, 2FA has a host of its own rules, so here are some dos and don’ts!

For Security Questions

Don’t: Make the Answer to 2FA Questions Something Too Obvious (Or Give Those Answers Out)

Social Engineering played a part in a major EA hack a few years or so ago. If you can imagine a coworker wanting to get into your stuff, and you don’t want them to, pick something that’s not common knowledge about you. “Favorite Musician” is a really easy question when you’ve got BTS memorabilia scattered around your desk!

Knowing this, you should also try and avoid mind-gaming yourself! A joke answer, or an answer that is technically correct but not the first one you would have picked if you’d never seen the question before, will make your answer more obscure, but it might also lock you out if you don’t remember what you wrote. Same goes for things that can change over time. On that note,

Don’t: Make the Answer Something Too Obscure for you to Remember

If you had to go back and look it up so you’d know what the answer was, chances are you’ll have to do that again when you’re asked to verify! Mother’s maiden name, your third grade teacher, what year model your first car was – if it’s too tough to remember after a few seconds, it’s probably not a good answer, even if nobody else would know it either.

Additionally, picking questions with multiple “trick” answers can also trip you up! For example – do you consider your first pet your family’s dog, or the pet you adopted as a teen, the first pet that was really ‘your’ pet? When considering what address you grew up at, is it the one you and your family moved away from when you were six, or the address you actually remember at seven? If you can think of multiple answers, it might not be a good question.

Do: Check Your Formatting

Some sites don’t care about case, others treat 2FA as a second password where everything must be precisely as you typed it the first time. Either way, it’s good to know some things about your habits: do you always capitalize the name of your pet, or if it’s something like ‘spot’, did you not do that this time? Do you include the dot when typing out your 3rd grade teacher’s name? Do you care about apostrophes? All of these are things that can trip you up when asked to verify with a typed answer to a question.
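The two site behaviours described above, shown side by side as an added example (not code from this post or from any particular site): one record stores the answer exactly as typed, the other normalizes case, punctuation and spacing before hashing. The function names, the iteration count and the sample answers are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor chosen for the example


def normalize_answer(answer: str) -> str:
    """Fold case, drop punctuation and collapse whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    # Unicode categories starting with "P" cover dots, hyphens and both
    # straight and curly apostrophes.
    text = "".join(ch for ch in text if not unicodedata.category(ch).startswith("P"))
    return " ".join(text.split())


def _digest(text: str, salt: bytes) -> bytes:
    # Answers are stored like passwords: salted and slow-hashed, never in clear.
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, ITERATIONS)


def enroll(answer: str, *, strict: bool) -> dict:
    """Create the stored record. strict=True keeps the answer byte-for-byte."""
    salt = os.urandom(16)
    canonical = answer if strict else normalize_answer(answer)
    return {"strict": strict, "salt": salt, "digest": _digest(canonical, salt)}


def verify(record: dict, attempt: str) -> bool:
    canonical = attempt if record["strict"] else normalize_answer(attempt)
    candidate = _digest(canonical, record["salt"])
    # Constant-time comparison so timing does not leak how close a guess was.
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    # Constructed sample: the answer typed at sign-up and later attempts.
    enrolled = "Mrs. O'Brien"
    attempts = ["Mrs. O'Brien", "mrs obrien", "  MRS O\u2019BRIEN ", "Mr. Smith"]
    strict_site = enroll(enrolled, strict=True)
    lenient_site = enroll(enrolled, strict=False)
    return {
        attempt: (verify(strict_site, attempt), verify(lenient_site, attempt))
        for attempt in attempts
    }


if __name__ == "__main__":
    for attempt, (strict_ok, lenient_ok) in demo().items():
        print(f"{attempt!r:20} strict={strict_ok} lenient={lenient_ok}")
```

On the strict record only the exact original string verifies; on the lenient record the lowercase, dot-free and curly-apostrophe variants also pass, while a different answer fails on both.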

For Texts and Emails

Don’t: Click ‘Remember Me’ Unless it’s Your Device

Don’t click ‘Remember Me’ on your school or library’s computer – ‘Remember Me’ usually means either the computer will keep you logged in, or it will forgo the 2FA because you trust that device, via cookies. Most public computers soft-reset every time they’re logged out to prevent things like keyloggers and other nasty spyware from being left behind, but they can only do that if you remember to log out. If you don’t log out, and the computer isn’t set to restart after a period of inactivity (or someone gets to it before it does) it can mean your accounts are under threat, even if you closed out the browser window and logged off of your account. Similarly, this assumes the public computer is configured correctly to do that in the first place.

Do: Set it to Something You Can Access on Your Phone or On The Go

It might be a good idea to download Outlook if your backup email is Outlook. Most folks have their phone on them all the time, and if you end up at the bank or in front of a doctor without access to your account because 2FA sends to your computer, you’re going to be tempted to remove 2FA for next time. Don’t! Instead, make sure you can access whatever number or email it’s going to send that message to.

You should also try to update 2FA as you migrate across accounts – if you have something set to send to your old, abandoned email address or phone number, you may lose access to that account.

Do: Enable it Where You Can

2FA prevents the vast majority of password-stuffing attacks. If you need help, password managers like LastPass are an excellent choice – although you’ll have to add your security answers in the notes section, if you’re signed up with security questions instead of texts or emails.