Posts from personal security

Your Data Is My Data

This piece in Recode explains that Cambridge Analytica built an app that 270,000 people used to amass profiles on 50 million people.

That’s not very surprising because we are talking about networks here.

This is a network graph that my colleague Jacqueline made of my Twitter network a few years ago:

In our online life, we are connected to a huge number of people.

If I get access to your email inbox, I am going to see emails with thousands of people.

Which is what makes this privacy/data sovereignty stuff so important.

When your data is taken without your knowledge/permission, it is not just your data that is taken.

It is the data of thousands of other people, often the people closest to you.

That sucks.

This is one of the many reasons I am hopeful about an Internet 3.0, a decentralized system with data security and integrity at its core.

Yubikeys

I saw my friend Chris tweet this question yesterday and had to respond:

In the past few weeks, Nick helped me get Yubikeys set up on all of the services I use that support them. If I had a new year’s resolution, which I don’t, it would have been to start to use Yubikeys.

So what are Yubikeys?

They are a brand of “security keys” that are supported in the two-factor authentication offerings at Google and many other Internet services.

They look like this:

You can buy Yubikeys here.

The idea is you keep one with you and one in a safe place in your office or home or a bank safe deposit box.

If you lose your phone, you have a Yubikey to get you back into the service.

But I don’t only use Yubikeys as “backup codes”, which I also keep stored safely.

I have started using my Yubikeys instead of a Google Authenticator code. It can be easier if you have the Yubikey handy.

But whatever you do, don’t use SMS for two-factor codes.

I was hacked this summer and the attacker tried (unsuccessfully, thankfully) to port my phone number.

My partner Albert recently experienced a similar attack. He wrote about it here.

So here is the best practice as I see it:

  1. Always use two-factor authentication if it is offered. And it is almost always offered on popular services.
  2. Don’t use text messaging to deliver two-factor codes. It is not safe. You can have your number ported way too easily.
  3. Use Google Authenticator to deliver two-factor codes onto your phone.
  4. Use a Yubikey as a backup in case your phone is lost, stolen, or dropped in a swimming pool or toilet.
  5. Print out the backup codes to the two-factor services and put them in a safe place.

Personal data security is a big deal. Trust me on this. Don’t let yourself get hacked to understand why.

And Yubikeys are a nice addition to the personal security mix. I like them a lot.