Blog

If you'd like to see a specific privacy or security related article here, reach out!

  • B.C. NDP quietly dismantling privacy protections for British Columbians

On November 25, 2021, amendments to B.C.’s Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“FOIPPA”) came into force through Bill 22-2021. The three notable changes I’ll document here are the data-residency provisions, new fees for freedom of information (FOI) requests, and monetary penalties for privacy breaches.


  • Is this password manager any good?

I’ve been asked this question countless times over the last couple of decades, perhaps because I used to be responsible for cracking weak passwords at a company with six figures’ worth of users (and passwords). I’m writing this so I have a reference for anyone who asks from now on. I answered on this blog 7 years ago, and my recommendation is the same, with one new solution to recommend if you’re a techy. More importantly, I’m going to start by explaining what to ask whenever a new password management solution comes out.


  • Follow-up to the Market Research Assessment


  • Privacy, Security, and Technology Market Research

To be as effective as possible, we must always be aware of the biggest problems organizations are having; in our case, with their privacy, security, or technology needs.


  • Technology Market Research Assessment


  • Digital Security Market Research Assessment


  • Privacy Law Compliance Market Research Assessment


  • Secure Communication Tools

I often get asked which secure communication tools I recommend. I’m writing this as a condensed master list of previous articles I’ve written.


  • Canadian Privacy iAMA 5 years later

Five years ago, I pulled together some of Canada’s top privacy experts, and we did a Reddit “Ask us anything” (AuA) about the Canadian privacy landscape.


  • Requesting your personal data from a company

    There are now several privacy laws (Canada – PIPEDA/PIPA, EU – GDPR, California – CCPA) that allow individuals to request their personal information.


  • Identity Theft in Canada

    I’m no longer associated with Canada’s ID Theft Support Centre, which ran out of funding years ago, but I still regularly get asked for help by victims. Listen in to hear my recommended steps, and then follow the links below:


  • Two-factor Authentication (2fa)

    In this audio clip I talk about the three factors of authentication, and some solutions you can use regarding 2fa to protect your accounts.


  • Time to (re-)evaluate your cookie and consent management platform

If you have a website that uses cookies, you’re likely aware of the European Cookie Law. It started as an EU Directive; by May 2011 all EU countries had adopted it, and it mandates that EU citizens who visit your website have the right to refuse cookies.


  • Changes to SimpleTax

If you’re using SimpleTax and follow this blog because you prioritize your privacy, you likely want to take the following steps immediately:


  • Getting next year’s privacy & security strategy in this fiscal budget

    When is the last time your organization had a security audit or a privacy law compliance check up? We have a spot for one more security audit this year, and we’re booking now for hourly and retainer packages for 2020.


  • Canadian ISPs blocking websites

If you’re using a major Canadian ISP, you can likely no longer access goldtv.ca or goldtv.biz. This is due to a federal court case from two weeks ago, T-1169-19, filed by the ISPs themselves.


  • Opt-out of credit card companies selling your data for marketing purposes.

Please read the entire article before clicking on any of the links, and I’ll explain why.


  • Digital Fingerprints

    As you likely know, especially if you’ve followed this blog over the years, most websites are collecting as much data about you as they can, and are using it to their advantage — and sometimes to yours, sometimes not.


  • Domain Registration

    I was looking for a list of privacy centric domain name registration systems, and as of writing this, I can only find one: Njalla. It was created by Peter Sunde of ThePirateBay.org fame.


  • A new standard for government based data collection

There’s some hot news about StatsCan collecting 15 years’ worth of Canadians’ personal financial data. There are a few interesting points related to this. Personally, it’s the first time a national journalist has used the mantra I coined, which is that privacy is consent. More relevantly, there are three noteworthy things to consider.


  • Privacy tracking protection from your browser

    I’ve written about privacy trackers for over 7 years on this blog, and have been speaking about them for over a decade. This is an updated article, as technology has advanced in this area.


  • Secure Messaging: Years later, there are still only two

I was asked again this morning about using a specific app to send secure messages in a corporate environment. My answer was simple, and it hasn’t changed in years: by my criteria, there are only two apps to trust.


  • Time to consider which jurisdiction your data is stored in

If you work in privacy, chances are you’ve thought at least somewhat about where your data is stored, and this is the year we all need to be thinking about that, all of the time. To cement this in the minds of everyone reading this, I will discuss the recent passing of the US CLOUD Act. This bill did not receive a proper vote; it was added to a $1.3 trillion catch-all omnibus spending bill allegedly needed to keep the US government open.


  • Are you ready for GDPR?

Starting May 25th, if your company is a data processor or controller for anyone in the European Union, you’re obligated to comply with the EU’s strict new General Data Protection Regulation, or GDPR [Annotated version]. It is considered one of the strictest privacy laws in the world, and failure to comply carries penalties of “Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher”! With a month to go, is your organization in compliance? If you’re not sure, reach out to us at sales@privasectech.com and let us help you get there.


  • “Not able to disclose for privacy reasons” is usually not true

Fellow Canadians, especially journalists: when a person or organization won’t respond to a request, citing “privacy reasons”, let that be a huge red flag. Demand to know which privacy law they are referring to, and which specific section of that law. Quote it in the article, to show you’ve done your due diligence. In my experience, most organizations making that claim are either misinformed or outright lying, and we should stop accepting this behaviour immediately.


  • Protecting your privacy on Facebook by disabling Platform

One of the features you’ve likely enabled is Facebook’s Platform. To give you an idea of how powerful it is, this is the warning it gives you when you attempt to disable it:


  • Requesting whom Facebook has shared your information with — for Canadians

In Canada, we have a federal law called the Privacy Act, as well as one called PIPEDA, which among other things allows you to access the information private sector organizations (companies) hold about you. To make this request, every organization must provide Canadians with the contact information for its privacy officer, no matter how small or large the company is.
    For Facebook, they have a page they call Data Policy Questions, which includes a link for requesting your personal data. They describe on that page how to download your Facebook data, which might be enough for your needs, but as I’m writing this partially in response to the issue around Facebook’s relationship with Cambridge Analytica, that information is not included in the default personal information archive. Thus, at this stage you will want to click on the link to make a data access request.
    This is where it gets tricky, as Facebook doesn’t want you to easily have access to whom they’ve disclosed your personal information to. On the Personal Data Requests page, you have to click “This doesn’t answer my question” and you will see three options, with the last one being “Other”. You need to click the other option to see the manual request form. I notice they don’t have a text box to request specific data, but this is where you can see the actual email address to make the request, finally: datarequests@support.facebook.com


  • UN Security Council mandates worldwide air traveller profiling (erdi.org)

    “In the name of “preventing, detecting and investigating terrorist offenses and related travel”, all United Nations (UN) Member States should develop systems for processing and analysing Passenger Name Record (PNR), Advance Passenger Information (API) and “fingerprints, photographs, facial recognition, and other relevant identifying biometric data”, according to a UN Security Council resolution (no. 2396) on threats to international peace and security caused by terrorist acts agreed on 21 December 2017.”


  • How to protect against Meltdown and Spectre

    The short, but intense solution for Meltdown and Spectre from CERT is to upgrade your CPU. (update: As you can see by this URL, they have a more detailed solution now)


  • Time to leave Gmail? Here are some privacy centric alternatives.

If you’re ready to stop providing an advertising company with full access to all of your email communication, there are alternatives out there. This is especially important for any non-American, as the American intelligence apparatus is specifically built to spy on your communications, and providers there have a history of giving up access to users’ private emails. If you don’t worry about your emails being used against you today, or some day in the future, this post is not for you. If you’re not happy with your emails being sold, researched, or given away, and are looking for alternatives, there are many. The two big privacy-centric email providers are Protonmail and Tutanota. You can create a free account on either of these websites right now, and then forward your Gmail to the new account until your friends, family, and colleagues have updated their address books. Simple. This doesn’t only apply to Gmail, of course: anyone reading this who uses Hotmail, Outlook, Yahoo, GMX, Hushmail, or the like, it’s time to choose to support more privacy-centric alternatives.


  • Privacy Centric Browsers

I’m often asked which browser I use. Both Chrome and Firefox now have a more privacy-centric alternative: Iridium Browser and Firefox Focus respectively. Of course, if you want real privacy and are OK with the slowness that comes with really good privacy, Tor Browser is preferred.


  • Wifi as we know it can be compromised

    [NOTE: Senior Advisor Kris Constable submitted this to HuffingtonPost, but due to the time zone differences and the severity of the issue, we have decided to post the article here in the interim]


  • Onboarding

    Thanks for trusting us to help with your privacy, security, and technology needs. Use the following options to begin the engagement as agreed. Once payment goes through I will reach out to you within one business day to find a time and method that works for you and your team.


  • Canadian Privacy iAMA

    EDIT: Click here for the Live Reddit iAMA link. For details, read below.


  • Secure websites

I’m often asked about secure websites. For example, should you trust the connection between your computer and your bank’s website? This article is going to get a little technical, but hopefully it will give you the tools to know which websites are secure, and which aren’t, from now on.


  • Asset Cataloging

I recommend you start asset cataloging before you have a vulnerability assessment done on your organization, as you need to know what assets you’re trying to protect. The cataloging process is similar to the vulnerability assessment process in that you want to identify, quantify and prioritize all of your assets.


  • Browser plugins for device protection

These are the three browser plugins for device protection I recommend you install. The first one is arguably more important than anti-virus, and takes a while to get used to, as you have to enable scripts on pages you trust.


  • Who can read your chat?

The next time you think you’re having a private online chat with a family member, you might want to think about who can read, watch, or log that conversation. The most popular solution in North America is Skype, so let’s take a look at its privacy policy. From section 8:


  • What information can my organization collect from a person under BC PIPA?

If you’ve ever wondered, “What information can my organization collect from a person according to British Columbia’s Personal Information Protection Act (PIPA)?” don’t miss the second event in the Lunch and Learn series, May 22. I’ll be hosting a free online video conferencing event to talk about PIPA’s consent section, and we’ll finish with a Q&A.


  • The top 3 steps to protect your computing device

If you’re wondering what the top 3 steps to protect your computing device are, this post is for you. It’s important to note I said device and not computer, as the same should apply to any device with a browser, including a smartphone like an iPhone or Android.


  • Integrated Case Management

    For over four years, the BC Liberals have been working to build a monster database of all of our personal information. Instead of it being limited to one Ministry, minimizing the exposure in the case of compromise, someone privately made the decision to put all of the data every ministry has, into one place.


  • Next Lunch & Learn Topic: Does PIPA Apply to Me?

If you own or operate a business in British Columbia or have a sole proprietorship and you wonder, “Does PIPA apply to me?”, this talk is for you. This conference will define who is bound by BC PIPA and who is exempt. We’ll discuss what it means to be PIPA compliant and the steps you need to take if you don’t currently comply. At the end of the call, we’ll have an open Q&A session, with the opportunity for additional one-on-one discussion if desired.


  • Facebook for Android

    Have you ever really paid attention to what information an application is requesting? While I’m singling out Facebook and Android in this article, please think about any applications you’ve added to your smart phone, as the same applies.


  • What antivirus software do you recommend?

    A local LinkedIn group has a discussion recommending a specific anti-virus software. That made me wonder, what antivirus software do you recommend, and why?


  • Supreme Court of Canada says a wiretap is needed for text messages

In the Supreme Court of Canada’s case of R v. Telus, a 5-2 decision was made that law enforcement needs wiretap authorization to intercept text (SMS) messages. No longer will a search warrant suffice. You can read the Canadian Civil Liberties Association’s factum [pdf], as they intervened in the case.


  • If you use SSL, cURL up and VERIFYPEERS

    Reader level: Techy/Sysadmin
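The post title refers to cURL’s peer verification: with `CURLOPT_SSL_VERIFYPEER` off (or `-k`/`--insecure` on the command line) the client accepts any certificate, so anyone between you and the server can present their own. The following is an added example, not code from the original post, showing the same weak setting beside the corrected one using Python’s standard `ssl` module as the illustration; the host name in the `__main__` block is an assumption for demonstration.

```python
# Added example (not from the original post): the Python ssl equivalent of
# curl's CURLOPT_SSL_VERIFYPEER / -k. Compare the insecure and secure contexts.
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """What VERIFYPEER=0 / curl -k means: any certificate for any name is
    accepted, so a man-in-the-middle can terminate TLS with their own cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context(cafile=None) -> ssl.SSLContext:
    """Verify the chain against the system trust store, or a specific CA bundle
    (curl: --cacert / CURLOPT_CAINFO). cafile is an assumption of the reader's
    deployment; None means the platform's default store."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 are allowed")
    return findings


def peer_certificate(host: str, ctx: ssl.SSLContext, port: int = 443) -> dict:
    """Handshake with host and return the parsed peer certificate. With an
    unverified context Python returns an empty dict here, which is a useful
    tell that verification was skipped."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("secure:  ", audit_context(secure_context()))
    # Network demonstration; "example.com" is an assumed host.
    print(peer_certificate("example.com", secure_context()).get("subject"))
```

Run `audit_context` over every context your code builds (or grep for `verify=False`, `CERT_NONE`, `-k` and `VERIFYPEER` in your deployment) before you ship; the secure context should return no findings.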


  • Portable Password Manager

    Today’s question comes from a former student, asking what I use for a portable password manager:


  • Password protect your cellphone

For most things privacy related in Canadian law, it comes down to what a judge feels Canadians think is reasonable. A couple of days ago the Ontario Court of Appeal ruled that police do not need a warrant to search your cellphone if it’s not password protected.


  • Happy Data Privacy Day 2013!

According to Wikipedia, the purpose of Data Privacy Day is to raise awareness and promote data privacy education. It is currently ‘celebrated’ in the United States, Canada, and 27 European countries. For Data Privacy Day 2013, I have only two requests. They should take less than one hour to install, configure and set yourself up with, so you can use them in the future at your convenience. They are perhaps the two biggest steps you can take to protect yourself from digital surveillance as well as theft. Let’s get started!


  • spoof your MAC address

When you connect your computer to any network, there are typically two options for how the network gives you an IP address: a static IP or a dynamic IP (DHCP). The network remembers who you are by your MAC address, an address unique to your network hardware. It typically lasts as long as the hardware does; an example of an address is 00:20:12:34:56:78. By learning how to spoof your MAC address, you’re effectively hiding one of the most frequent ways you’re tracked!
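The following is an added example, not code from the original post, that generates a random but valid spoofed MAC address and emits the commands to apply it. It goes a little beyond the post by explaining the two flag bits in the first octet: a spoofed address should set the “locally administered” bit so it can never collide with a vendor-assigned address, and must clear the multicast bit. The interface names (`eth0`, `en0`) and the commands are assumptions for the reader’s platform; run them as root, only on hardware you control.

```python
# Added example (not from the original post): generate a valid locally-
# administered MAC, explain its flag bits, and emit platform commands.
import os
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def random_mac() -> str:
    """Random MAC in the locally-administered, unicast space.

    First octet: bit 0 (0x01) is the multicast flag, bit 1 (0x02) marks the
    address as locally administered rather than vendor (OUI) assigned.
    """
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | 0x02) & 0xFE   # set local bit, clear multicast bit
    return ":".join(f"{b:02x}" for b in octets)


def classify_mac(mac: str) -> dict:
    """Describe a MAC's flags; raises ValueError on anything malformed."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first = int(mac[:2], 16)
    return {
        "locally_administered": bool(first & 0x02),
        "multicast": bool(first & 0x01),
        "oui": mac[:8],   # vendor prefix; meaningful only for non-local addresses
    }


def spoof_commands(mac: str, iface: str = "eth0") -> dict:
    """Commands to apply the address. The interface name is an assumption;
    a spoofed MAC must be unicast or the interface will refuse it."""
    info = classify_mac(mac)
    if info["multicast"]:
        raise ValueError("host addresses must be unicast (first octet even)")
    return {
        "linux": [f"ip link set dev {iface} down",
                  f"ip link set dev {iface} address {mac.lower()}",
                  f"ip link set dev {iface} up"],
        "macos": [f"sudo ifconfig {iface} ether {mac.lower()}"],   # e.g. iface en0
    }


if __name__ == "__main__":
    mac = random_mac()
    print(mac, classify_mac(mac))
    print(classify_mac("00:20:12:34:56:78"))   # the post's example: vendor-assigned
    for line in spoof_commands(mac)["linux"]:
        print(line)
```

Note that a DHCP server usually hands the same lease back to the same MAC, so after changing it you should expect a new IP, and that spoofing only hides the hardware identifier; browser fingerprints and logged-in accounts still identify you.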


  • Recording video or taking pictures in public

    What likely started out as a school prank has turned into a popular video series called Surveillance Camera Man


  • Change your default search engine

Most of us use a search engine such as Google or Yahoo daily without taking much time to consider the inherent privacy implications. If you have some time, I recommend you review the privacy policies of startpage and DuckDuckGo, as they’re easy to understand and informative about the risks of using search engines, and then for contrast check out Google’s privacy policy. If you’re like me and make your online privacy a priority, the information found in these privacy policies will lead you to stop using Google and choose between startpage from ixquick and DuckDuckGo for your online search needs. Neither of them collects or shares your personal information (this is not the case with Google).


  • What’s on your network? Introduction to packet sniffing with wireshark

Have you ever wondered what’s happening in the background on your network? This article will show you how to determine that for yourself. To begin, you’re going to need two things: your IP address, and the program Wireshark (if you’re testing this on a remote shell like a VPS, use tcpdump instead; Wireshark is essentially the GUI equivalent).
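To make concrete what Wireshark or tcpdump actually show you, here is an added example, not code from the original post: a small decoder for the Ethernet, IPv4 and TCP/UDP headers of a captured frame, plus a filter in the spirit of tcpdump’s `host`, `port` and `tcp`/`udp` expressions. The frames it runs over are constructed in the script for illustration, not real captures; the addresses in them are placeholders.

```python
# Added example (not from the original post): decode raw frames the way a
# sniffer does and apply a tcpdump-style filter. Sample frames are constructed.
import struct
from ipaddress import IPv4Address

ETH_IPV4 = 0x0800
TCP, UDP = 6, 17
TCP_FLAG_NAMES = [(0x02, "S"), (0x10, "."), (0x08, "P"), (0x01, "F"), (0x04, "R")]


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II, then IPv4, then TCP or UDP, returning the fields a
    sniffer displays. Layers that are absent or truncated are left out."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"dst_mac": _mac(frame[:6]), "src_mac": _mac(frame[6:12]), "ethertype": ethertype}
    if ethertype != ETH_IPV4 or len(frame) < 34:
        return pkt
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if ver_ihl >> 4 != 4:
        return pkt
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (options included)
    pkt.update(src=str(IPv4Address(src)), dst=str(IPv4Address(dst)), proto=proto, ttl=ttl)
    l4, end = 14 + ihl, 14 + total_len
    if proto == TCP and len(frame) >= l4 + 20:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        data_off = (frame[l4 + 12] >> 4) * 4
        flags = frame[l4 + 13]
        pkt.update(sport=sport, dport=dport,
                   flags="".join(n for bit, n in TCP_FLAG_NAMES if flags & bit),
                   payload=frame[l4 + data_off:end])
    elif proto == UDP and len(frame) >= l4 + 8:
        sport, dport, ulen = struct.unpack("!HHH", frame[l4:l4 + 6])
        pkt.update(sport=sport, dport=dport, flags="", payload=frame[l4 + 8:l4 + ulen])
    return pkt


def matches(pkt: dict, host=None, port=None, proto=None) -> bool:
    """tcpdump-like filter: host X, port N, and tcp/udp."""
    if "src" not in pkt:
        return False
    if host and host not in (pkt["src"], pkt["dst"]):
        return False
    if port and port not in (pkt.get("sport"), pkt.get("dport")):
        return False
    if proto and pkt["proto"] != {"tcp": TCP, "udp": UDP}[proto]:
        return False
    return True


def summarize(frames, **flt) -> list:
    """One tcpdump-style line per matching frame, with a plaintext preview of
    the payload: this is what anyone on the path can read when you don't use TLS."""
    out = []
    for pkt in map(decode_frame, frames):
        if not matches(pkt, **flt):
            continue
        name = {TCP: "TCP", UDP: "UDP"}.get(pkt["proto"], str(pkt["proto"]))
        payload = pkt.get("payload", b"")
        out.append(f'{pkt["src"]}:{pkt.get("sport")} > {pkt["dst"]}:{pkt.get("dport")} '
                   f'{name} [{pkt.get("flags", "")}] len={len(payload)} '
                   f'{payload[:20].decode("ascii", "replace")!r}')
    return out


def build_frame(src, dst, sport, dport, proto=TCP, payload=b"", tcp_flags=0x18) -> bytes:
    """Constructed sample frame (not a real capture): Ethernet + IPv4 + TCP/UDP."""
    eth = bytes.fromhex("001122334455aabbccddeeff") + struct.pack("!H", ETH_IPV4)
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0x4000,
                     64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + l4 + payload


SAMPLE_FRAMES = [  # constructed, placeholder addresses
    build_frame("192.168.1.10", "93.184.216.34", 51234, 80,
                payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame("192.168.1.10", "192.168.1.1", 40000, 53, proto=UDP,
                payload=b"\x12\x34\x01\x00\x00\x01"),
    build_frame("192.168.1.10", "93.184.216.34", 51235, 443, tcp_flags=0x02),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_FRAMES, host="192.168.1.10"):
        print(line)
```

The first sample frame is an unencrypted HTTP request and its payload preview shows the full request line; the third is a TLS handshake start on port 443, where only the addresses and ports are visible. That contrast is the point of watching your own traffic: anything a sniffer on your LAN can read, so can anyone else on it.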


  • Keys to the city, New York City

    There’s been a lot of buzz this month about the retired New Jersey locksmith selling several master keys to the city of New York to a newspaper reporter via eBay. It’s been reported in many major news sources, most notably to me in the Huffington Post, with a picture


  • What communication systems can you trust?

    After reading my Everything you say is likely compromised post, my friend Ross Henton asked,


  • Everything you say is likely compromised

    Ever since the early days of 2600, people have been learning what it takes to compromise voice conversations.


  • Canadian Patriot Act back as bill C-12

If you’ve followed this blog for some time, you’ll know I first wrote about the introduction of the bill in May 2010, and then a follow-up redux in August 2010 (a summary of a few key points). It was officially called Bill C-29, and has just been re-introduced as a new Bill C-12, which is on the order paper for discussion today [PDF]. You can read the legislative summary here. This is the most important piece of privacy-related legislation in Canada, so it’s worth paying attention to.


  • Are surveillance systems using biometric scanning really privacy-friendly?

I read a post today on the IAPP’s Daily Dashboard talking about a “privacy-friendly” “positive side of facial recognition”. It suggests that Ontario’s Information and Privacy Commissioner Ann Cavoukian has endorsed this usage of biometric encryption. Having a strong understanding of privacy and only a basic understanding of biometrics, I wondered how these claims were possible. The story points to an article in Business Week which states only two technical points regarding facial recognition in a casino:


  • Anti-Virus for Macosx

Because of Apple’s advertising, Mac users often (wrongly) believe that they don’t need anti-virus software. The problem these users have is that when they are hacked, they have no way of ever finding out. The intruder can be watching them while they type (by viewing the user’s screen, or even watching them through the webcam) and listening on their microphone. Once I explain this to Mac users, the next thing they ask me is whether there are free anti-virus programs for Mac. Here is a list of the three I’m aware of; if you know of more, please let me know.


  • Retroshare

    I had a lot of positive feedback from the recent post on Diaspora with client-side encryption. For those of you who are somewhat technically inclined, and like to support a privacy forward future, don’t hesitate to download and support Retroshare. From their website:


  • Are you vulnerable to the DNSChanger?

Wired is reporting that several hundred thousand people may be affected on Monday when the FBI turns off the servers used by the DNSChanger malware. Over half a million machines were infected at the peak. Instead of taking you to the website (URL) you wanted, the malware pointed your computer at rogue DNS servers that quietly redirected you through an affiliate website, netting the culprits ~$14M with their click-fraud scheme! While the FBI has been trying, unsuccessfully, to get people to clean their systems, they have announced they will turn off all of the DNSChanger servers on Monday, which means if you’re infected, the web will appear completely broken to you the moment that happens.
    If you know what your internet protocol (IP) address is, you can enter it on the FBI’s website and it will tell you if your computer is using the rogue servers. If you don’t know your IP, you can go to any of the other sites listed on the FBI webpage, such as the Computer Incident Response Center Luxembourg (CIRCL), which will auto-detect your IP for you and let you know if further action is required.


  • GNU Privacy Guard

Ever since PGP stopped publishing an open source client, GnuPG has been the standard open source implementation of OpenPGP. If you want to encrypt your emails and/or files on your computer, you’ll need it installed, and a basic understanding of how it works. One of my next posts will be about an amazing privacy tool that requires gpg, so give it a try; you never know when it will come in handy.


  • Diaspora with client side encryption

    I’ve written about Diaspora before, a social network (Facebook replacement?) that is decentralized, and cares (more) about privacy. If you’re interested to learn more, there’s a What is Diaspora? site. Also, you can post to twitter or Facebook from within Diaspora.


  • Warning Facebook you control your data

    There’s currently a Facebook status going around that states the following:


  • Free cloud storage

    The cloud is a current buzzword in technology, referring to remote storage space on the internet. The big challenge with using free cloud storage, as a privacy advocate, is you don’t know what the people on the remote end are doing with it — are they reading or reviewing the files you put there? Are they selling them or providing the information about those files to third parties like advertisers? Is anyone legally responsible if it is hacked/compromised? If they’re offering it for “free”, you’re likely providing the product being sold.


  • The browser tracker test

    I’ve spoken about trackers before and recommended four steps/solutions for protecting your browsing privacy:


  • Opening your social network profile

    There have been a lot of stories about what happens when you reveal your social network profile, especially your geo-location information. Probably made famous first with Please Rob Me which would post open Foursquare profile data, showing when you’re not at home. While it’s since been shut down, such information is still being used. The Girls Around Me app is getting media attention this week, which shows women in your area, with links to their online profiles.


  • Cover your webcam

If someone hacks into your laptop or computer and it has a webcam, they can turn it on whenever they’d like. This video, based on a true story, should motivate you to cover your webcam:


  • Anti-virus, are you doing it right?

Most of my clients are running anti-virus on their home and work computers, but are they using it right? There are 3 key steps to running anti-virus software correctly.


  • ixquick, an alternative, privacy forward, search option

    I mentioned a few months ago for those wanting to leave Google search to give DuckDuckGo a try. There’s another alternative as well, called ixquick. Give it a try as well, and see which one you like the best. You can follow the DuckDuckGo post to make ixquick your default search engine as well.


  • What are our regulators doing to protect Canadian internet sovereignty?

    This is the basis of the follow up letter from Digital Policy Canada drafted to the CIRA sponsored Canadian Internet Forum this week. The fundamental question we need to ask, what are Canadian regulators doing to protect Canadians, as well as their intellectual property, from foreign state actors who assert legal or technical controls over them? Right now for example, the American government is attempting to position itself as the global internet police, by taking down foreign domain names, even if no laws have been broken in that country.


  • Community-Based Reverse Engineering Class

    If you’re in the Victoria, British Columbia region, we’re going to start a community-based reverse engineering class, and you’re invited. Reverse Engineering is understanding someone else’s software well enough to be able to do what you want with it. You can follow the latest on the REclass page on the Ideas – Victoria wiki.


  • Canada’s massive public traffic surveillance system

Do you think such a thing could be implemented without any public consultation or corporate media attention? It exists. About 6 months ago at an Ideas Victoria meeting, Kevin S McArthur brought up the fact that Victoria Police were using cameras on some of their police cars, called Automatic Licence Plate Recognition, or ALPR. As Chris Parsons and I were in attendance, no strangers to privacy issues in Canada, we immediately had a list of questions about such a system. Who was running it (we later found out it was the RCMP)? How widespread was it? Where was the data sent and/or stored? Who had access to it? What type of information was stored? How was it claimed to be used, and how could it be used?


  • Canadian newspapers and financial institutions compromise you instead of protect you

On Vancouver Island, you might pick up the Times Colonist newspaper to see what’s happening. There are little to no privacy risks if you buy it from a stand. However, on the internet, where the company has the opportunity to protect you even more than in the physical space, they’ve decided to try a different angle… sharing your reading habits with other companies. If you use Ghostery you can see that on timescolonist.com they are sharing your viewing habits, on every page you visit, with at least 10 different companies, with little to no disclosure of what those third parties do with your information.


  • No scripts!

One of the most common ways your computer gets compromised is through malicious scripts run by your web browser. This means you go to a website that might look normal, but it’s doing bad things in the background that you don’t see, potentially giving the attacker full access to your computer. This is a particularly nasty problem: when you go to a site, you want everything to work as the website developer intended, but allowing all scripts on an untrusted site creates a risk.
    The most popular way to avoid this is to block scripts by default, but note that this moves the responsibility onto you to decide which sites to trust… or not.


  • The Stop Online Piracy Act

    If you’ve not heard of #SOPA yet, you likely will today. As of right now, it’s only something that techies and internet crusaders seem to be aware of. Like many of the scariest laws of the last decade, you should name your legislation something that sounds really good, but in the end does the exact opposite of what the name implies. The US PATRIOT ACT and the Canadian Safe Streets and Communities Act are perfect examples of this. Like the US Patriot Act, it’s easiest to pass draconian legislation through when citizens are distracted and afraid, using their fear against them. My speculation is today’s public outcry will have the bills tabled… until there’s some ’emergency’ where they can be rammed through without proper public debate.


  • Identity theft at UVic

Over the weekend, the University of Victoria’s new administrative building was broken into. A payroll server holding the personally identifiable information (PII) of over 11,000 people was inside, including social insurance numbers (SINs) as well as bank account information. I’ve been told there were no cameras or alarms in the area, and the information was not encrypted. If your organization handles personal information, let this be your final reminder to ensure that all personal information is encrypted both in transit (transport layer) and at rest on the computer (storage layer).


  • Where is your computer connecting to?

    What is your computer doing on the internet without your knowledge?


  • How strong is your password?

    While working in information security for the largest company in Canada, I realized there was no one internally, actively attacking the password database to see what passwords could be cracked. After raising this concern, I became the prime for resolving this.


  • Using a non-tracker analytics service

    You’ve probably heard of Google analytics, which takes logs of your website visitors, and all of their activities, and provides you some very pretty, and useful, reports. What you might not be aware of is that they are also a tracker service. It means that in order to provide you this information, they also take all of that information on your users, and log it for themselves as well. What do they do with that information? Who can they sell it to? You’ll want to review their privacy policy and terms of service for yourself.


  • Bill-3: Amendments to B.C. FIPPA to remove more of citizen’s privacy

If you’re a citizen of British Columbia and concerned about the government’s handling of your personal information, you probably want to read Bill-3 (full text of the proposed amendments), which has already passed second reading in the BC provincial legislature. These are proposed amendments to the Freedom of Information and Protection of Privacy Act.


  • Google now offering secure search

It’s not often we’ve given Google credit for privacy or security steps, but this week is one of those times. Following the steps by Facebook and Twitter that we wrote about back in May, five months later, Google has just announced they are now offering SSL searches! Mind you, this is a more significant step than Facebook’s or Twitter’s, as those involved in SEO/optimization will quickly realize that search keyword data is no longer provided to you as the web manager (they’ll provide you the top 1000 through their webmaster tools). And while optimization folks won’t be pleased, on behalf of the privacy and security community I would like to give credit where credit is due: thanks Google!


  • Shared hosting back door

Thanks to my friend Kevin McArthur for helping unveil this bad boy, as it seems to be infecting quite a few machines. It appears to have been a local attack, taking advantage of a world-writable directory hidden behind a home directory that isn’t viewable (listable) by other users.
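The pattern described above, a world-writable directory that other users can reach by name but never see in `ls` because the parent directory is not readable, is easy to find before an attacker does. The following is an added example, not code from the original post, that walks a tree and reports every world-writable directory, noting whether it carries the sticky bit (as `/tmp` does) and whether it sits under a parent that is not world-readable. It runs against a directory tree constructed in a temp directory; the user name `alice` and the directory names are placeholders.

```python
# Added example (not from the original post): audit a tree for directories
# any local user can write into, including ones hidden under non-listable
# parents. The sample tree is constructed; names in it are placeholders.
import os
import stat
import tempfile


def scan_writable_dirs(root: str) -> list:
    """Return one dict per world-writable directory under root.

    sticky: the sticky bit is set (/tmp style), so other users cannot delete
            or rename each other's files, though they can still drop their own.
    hidden_parent: the parent lacks o+r, so `ls` by another user shows
            nothing, yet the directory is reachable if its name is known.
    """
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        parent_listable = bool(stat.S_IMODE(os.lstat(dirpath).st_mode) & stat.S_IROTH)
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISDIR(st.st_mode):   # skip symlinks to directories
                continue
            mode = stat.S_IMODE(st.st_mode)
            if not mode & stat.S_IWOTH:
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": oct(mode),
                "sticky": bool(mode & stat.S_ISVTX),
                "hidden_parent": not parent_listable,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Constructed shared-host layout: a legitimate sticky /tmp and a 0777
    drop directory tucked under a 0711 home directory (traversable, not listable)."""
    root = tempfile.mkdtemp(prefix="shared-host-")
    os.chmod(root, 0o755)
    home = os.path.join(root, "home", "alice")
    for sub, mode in ((".cache", 0o777), ("public_html", 0o755)):
        os.makedirs(os.path.join(home, sub))
        os.chmod(os.path.join(home, sub), mode)
    os.chmod(home, 0o711)
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_writable_dirs(root):
        flag = " (hidden under non-listable parent)" if f["hidden_parent"] else ""
        print(f'{f["path"]}: {f["mode"]} sticky={f["sticky"]}{flag}')
```

On a real host run it as root from `/` (it silently skips what it cannot read), then `chmod o-w` anything that is not a deliberate sticky scratch directory, and look closely at what has already been dropped into the ones that are.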


  • What info does Facebook have on me?

    After the F8 conference, there is even more concern than before about what personal information Facebook has on an individual. I was sent Facebook’s personal data request form which I was told was created specifically for people in the EU. It made me think that the same request could be made under PIPEDA which is a Canadian law that gives individuals the right to expect the personal information an organization holds about them to be accurate, complete and up-to-date, and what better way to ensure this than to have the data to verify against.


  • Facebook post F8

    Right after the Facebook F8 keynote, a 15 year old noted he didn’t understand this new model Facebook was about to roll out. What might not be obvious is that he is not the customer, he is the product. There are two sources that are motivated to get the information that Facebook has: the American administration, and private sector organizations. Imagine you are Spotify, or Nike; what would you do to get all of the information Facebook has, to do with as you wish? It’s no wonder that what appears to be over 100 organizations are being integrated with the new Facebook as open graph apps. This means when you use those apps, not only does Facebook get all of that information, but the application developer does as well.


  • Ich Sun is back, claiming the #MostSophisticatedHackOfAllTime

    You may have read my comodogate article back in March, where I reported that the comodogate hacker, going by the name Ich Sun, told me “…there is a lot of vulnerable CAs, I got some other stuff”. Well, in the last 24 hours he claims to have been responsible for the DigiNotar compromise and a few minutes ago provided another update; in these updates he reveals that, as a 21-year-old Iranian, he has compromised another 4 certificate authorities (CAs) as well as reverse engineered Windows Update (update your Windows here). What do these hacks do? He can impersonate any secure website he wishes, which includes impersonating Google and Gmail, which has already been seen in the wild using these certificates. The certificate authority model that secures the internet as we know it today will change as a result of this, so it has some serious impact.


  • Wanna put your friends, or enemies, under surveillance?

    In an overwhelmingly scary move, the Vancouver Police Department and the Integrated Riot Squad have just launched a Vancouver riot tell-on-your-friends website. I’m not sure who in their right mind could think this is a good idea, but clearly no one that understands information security, personal privacy or civil liberties. The potential for abuse and false positives is staggering.


  • Upgrade your browser before you check your gmail

    There is a wildcard *google.com SSL certificate in the wild, which means malicious people can sit between you and anything at Google (including Gmail) and pretend they are Google, watching everything you do. DigiNotar is the root level certificate authority (CA) who gave out this certificate. It’s not clear if this was intentional or not, but regardless, this is the internet version of a death sentence for this company. Mozilla and Microsoft have both pulled DigiNotar out of their browsers. A user in Iran has reported it being used on him; it’s not clear if the attack was from his ISP or his government, but you could also be a victim. Make sure you have an upgraded version of your browser before you visit any of Google’s services. You can read the Darknet article for more details.


  • Had your Twitter or Facebook hacked?

    If your friends ever tell you that they’ve received spam from your account, but you didn’t send it, your account was likely compromised. The following steps are generally good practice to follow regularly anyway, so follow them as you read this:


  • Postmedia formatting hack

    If you read any of the PostMedia (formerly CanWest) newspapers online, you know that their technical abilities are lacking, to say the least. One of the bigger issues to me is the formatting. Because they don’t comply with W3 standards (there are 403 errors on VancouverSun.com as of writing this), they don’t format properly in my browser (Chrome on Ubuntu):


  • LinkedIn to approve the closing of your account?

    After writing an article yesterday on how LinkedIn opts your name and photo into social advertising by default, it was brought to my attention today that if you’ve had enough and want to close your account, that is only possible if you have less than 250 followers!


  • Facebook just got all of your telephone contacts

    If you’ve installed a Facebook application on your smart phone/mobile phone, they’ve taken the liberty of synchronizing your personal telephone number list into Facebook. You can see the list here.


  • LinkedIn opts your name and photo into social advertising by default

    Rather unprofessional, and probably against Canadian privacy legislation.


  • I smell a RAT

    Yesterday, Vanity Fair published an exclusive on Operation Shady RAT (remote access tool), which was a high-level hacking campaign that lasted over 5 years, compromising over 70 name brand victims in over 13 countries. For the techies reading this, McAfee has published a 14-page report [pdf] on the hack. Canadian government agencies were targeted multiple times between 2009 and 2010, 4 in total, with the Canadian hosted World Anti-Doping Agency having been compromised for 14 months. F-Secure has published a few examples of what the targeted emails look like. Operation Shady RAT has been described as the “biggest transfer of … intellectual property in history,” one that could pose a serious economic threat on a global scale. It is suggested it was the work of one specific operation conducted by a single actor/group. “All the signs point to China,” says James A. Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, adding, “Who else spies on Taiwan?” Alperovitch (McAfee) said he divides all Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.


  • Don’t trust that number!

    I’m sure you’ve received an email spam from what appears to be a legitimate email address, saying you’re entitled to millions of dollars. You know that the email address was spoofed, which is easy for any techy to do. It was someone pretending to be someone they’re not. The same applies to phone systems, and there’s a good reason for it. There are countless phone companies, and many more companies which own hundreds to thousands of telephone numbers. When you get a phone call from your bank or utility company, for example, the number (DID) on the caller ID is the main number of the institution, not the local number of the person making the call. Companies get to choose which person in their company gets which phone number, and they don’t want you calling back the person who called you; they want you to dial back to their main switchboard (PBX) and get routed to the proper place, where they know someone will be available to answer the telephone when you call back, to help you. This is one of the reasons caller ID spoofing is possible: companies need to be able to change this in real time, as employees come and go.


  • Canadian judge rules in favour of pseudo-anonymous website commenters/bloggers

    An article came out today on canada.com that details how some good precedent for freedom of speech and anonymity online was just set in Ontario:


  • sslsniff, there’s an app for that!

    Moxie Marlinspike just released an updated (10 years later!) version of sslsniff that includes the iOS BasicConstraints vulnerabilities that were published today. You can read the announcement here or go straight to the details, which include the download link.


  • Duck Duck Go

    You’re likely using Google as your default search engine, and they’re undoubtedly good at search. The challenge to me is what they are doing with the information they receive, and that is what this article is about. In the last year I’ve started using DuckDuckGo as my search engine of choice. The main reason is their excellent privacy policy. You can read their one line of “DuckDuckGo does not collect or share personal information”, which is something that neither Google, Bing, nor any other search engine I’m aware of offers, and I suggest you read through their entire policy, which explains why this is important.


  • The cloud is still a bad idea… keep your user’s personal information off US soil at all costs.

    There’s an article in The Register today highlighting that American organizations are all bound by the US Patriot Act, which essentially allows the US government access to any data it asks for. In this case, it’s Microsoft pro-actively disclosing this to be the truth. This is why, if you want to protect the personal information of your users or citizens, you have to do whatever you can to keep it off US soil and away from access by Americans. Canada is a great place to store this information, as we have the almost opposite legislation called PIPEDA. We also have privacy regulators called privacy commissioners, both provincially as well as federally. Mind you, the current Canadian government tried to pass a Canadian version of the Patriot Act last year as a minority government, and they now have a majority, so they want to use this chance to implement a more totalitarian regime. We’ll keep you up to date when and if things change!


  • Internet security just dropped a notch

    I just read a tweet from Meredith L Patterson stating that Len Sassaman has committed suicide. I don’t know why, but at first I thought it only a silly internet joke, as he was a happy kinda guy, at least public facing. Unfortunately, a punch line didn’t come, and reading more of her stream made me realize it is serious. Len was a pioneer in information security, privacy and anonymity. I know because I was fortunate enough to be there and work with him on a few projects. Mind you, I was only using pseudonyms at the time, and I’m comfortable with that. Also, I was not near the technical calibre he was; I looked up to him. I remember one phone call we had when he got a job working for NAI, the company that had acquired PGP, the first military grade encryption that was open source and free to the world, so we might all protect ourselves from hostile regimes. He was stuck in traffic in his (convertible?) Porsche. To me, he was an example of the good guys winning: you can do what is right for all of us, and be successful. Geeks have a chance, I thought.


  • Stop online spying in Canada

    You may remember a year ago I broke the story on the introduction of the minority government’s Canadian version of the Patriot Act (see articles one and two). As promised, the now-majority government plans to push these through, as well as others, as part of an omnibus bill. My friends at openmedia.ca have started a campaign to stop online spying, not to mention you the consumer paying for it. You can sign the petition here to stop this before it passes.


  • Shaw’s decided to hijack their customers’ DNS

    When you go to a website that doesn’t exist, instead of your search engine of choice offering you other solutions, Shaw has decided to do this themselves, and use it as a revenue generator without your consent.


  • British Columbia’s new health care card another waste of resources?

    It was [announced a few minutes ago](http://www.timescolonist.com/residents+secure+CareCards+must+renew+every+five+years/4812099/story.html) that British Columbia hopes to roll out new Care cards (health cards). The government press release states the new card has anti-forgery features, identity proofing, a security chip and will require a recent photograph, updated every 5 years, to be eligible for publicly paid health care services.

  • Who’s pentesting your organization?

    Penetration testing, also known as pentesting, is a way of evaluating the security of your organization from the perspective of a malicious black hat hacker. Do you have a good guy testing your website(s) and systems regularly and providing you reports on the results? Or are you letting the bad guys do so without your knowledge? We offer a complete suite of pentesting solutions, with staggered pricing depending on the size of your organization. Have some peace of mind by letting us show you what the bad guys are seeing when they try to compromise your systems.
    With every pentest we complete, we will provide you with a final report that will contain all potential issues we find, and we will prioritize them for you in order of risk to your organization.


  • Using a secure connection where possible

    I received a lot of feedback after my post yesterday about creating a permanent SSL (https://) connection to Facebook. It’s most important to use SSL anywhere you don’t want people to see what you’re doing/looking at. For example, anything with a form that asks for personal information, or when you login to a site using your password, or where you enter your credit card or banking information. At a minimum, all of these things should be https://. Anything not using https:// (SSL) can be sniffed (it’s plain text, so people can watch/read/log what you’re doing).
    If you can’t find it on your favourite website, contact them and ask them to make SSL always on. Here is an example of how to do this on Twitter:


  • Tech Tip: Secure connection to Facebook

    This tip is to create a permanent secure connection to Facebook. You can tell you’re using SSL if the URL starts with https:// instead of http://. When you’re logged into Facebook, go to


  • Detect and block website trackers with Ghostery

    For anyone who attended the Privacy and Security talk tonight at Social Media Club – Victoria, I mentioned a browser plugin that allows you to see who is tracking you on a given website, as well as the ability to block them. This browser based plugin is called Ghostery. They currently have a plugin for Firefox, Safari, Chrome or Internet Explorer. It’s free, and open source! Download now.


  • Privacy and Security talk at Social Media Club – Victoria

    If you’re in Victoria on April 18, 2011, I will be speaking with my good friend Chris Parsons at Social Media Club – Victoria. My talk’s current title is “Today I will play the bad guy, this is how I will get your personal information on social media”.


  • It’s a brave new world for epsilon.com customers

    News broke yesterday of epsilon.com being breached almost a week earlier. While none of us had really heard about them before that, they’ve been reported to send out over 40 billion spam emails a year on behalf of over 2,500 clients of theirs. Threatpost has just published a list of known companies affected. It’s unknown how many companies are affected overall, as epsilon.com has not disclosed this, or the details of the breach other than to claim it is being investigated. Customers have been notified by many organizations; for example, this email went out to Best Buy customers yesterday:


  • What the SSL?

    One of the most serious attacks on internet infrastructure occurred a few days ago, and as the Canadian media don’t seem to want to report on it, I will, as it seems only those in the industry in Canada are aware. This will likely change the internet landscape generally, and has the potential for larger implications!


  • CanSecWest, a decade later and still growing

    I just realized that my first time going to CanSecWest was while working as a security expert at Nortel, by far the largest company in the country at the time. I was living over 5,000 km away, and it was quite the experience meeting the technical security industry’s elite. I remember being the only person representing Nortel, and yet I happened to sit by accident right in the middle of the entire technical security team of Nortel’s largest competitor. I remember sitting beside a young K2 who was coding a polymorphic shellcode engine in assembly, meeting the infamous Theo de Raadt of OpenBSD fame, and meeting Mixter, author of the Tribal Flood Network (TFN), which was big news at the time.


  • Update on usage based billing (UBB)

    This image is getting a lot of attention. Today Michael Geist has released an article on Unpacking The Policy Issues Behind Bandwidth Caps & Usage Based Billing.


  • Canadian petition against usage based billing

    As of writing this, I am one of over 180,000 Canadians that have signed the stop the meter campaign against usage based billing. There are several challenges with usage based billing, the main two to me being the immediate killing of all internet service provider (ISP) competition where very little exists already, as well as the stifling of innovation in the digital media space. Not to mention, internet fees will go up for all of us. You can read TekSavvy’s statement on the issue (this forces them to limit customers who were at a 200GB/month limit to only a 25GB/month limit!), or the open letter against UBB for more information. There’s also an info-graphic examining some of the costs.


  • 30M accounts compromised at plentyoffish.com

    All kinds of breaking drama around the compromising of plentyoffish.com (POF), which includes the usernames and passwords for around 30 million people! Chris Russo, a security researcher, contacted POF, making them aware of the SQL injection exploit he claims to have discovered on their website. Marcus Frind, the founder of POF, is [accusing Chris](http://plentyoffish.wordpress.com/2011/01/31/plentyoffish-hacked/) of extortion as well as harassing his wife.

  • The Naked Traveller – is all this necessary?

    I will be speaking at the 12th Annual Privacy and Security Conference with the theme “Security and Privacy – Is there an app for that?”


  • Where does Google’s censorship end?

    Google’s kowtowing to the Chinese government in regards to censorship has been well reported. This was based on the requests of a foreign government. However, that was recently changed.


  • Facebook doesn’t seem to know the difference between privacy and security?

    I was excited to read today’s post on Facebook’s blog. It starts off with


  • Why would Facebook turn your actions into an ad?

    Because they can. On Monday, Facebook released a [video](http://www.facebook.com/video/video.php?v=10100328087082670) that shows how their new *sponsored stories* program works. Now when you update a page, like, check in or interact with an application and mention a customer who has paid for this service, it will appear in your newsfeed as per normal, as well as in the right hand advertisement column. Facebook has said that this advertisement you have provided them will only appear to those who you’ve authorized in your privacy settings.

  • A must have hosts file

    My friend Dan Pollock has been compiling the must have hosts file for some time. According to Wikipedia, the hosts file is a computer file used in an operating system to map hostnames to IP addresses. The hosts file is a plain-text file and is traditionally named hosts. What Dan’s hosts file does is list all of the known hostnames that are undesirable, and redirect them to localhost (back to your computer instead of to their website). This makes your web surfing faster, more private and more secure. Check out Dan’s list. I recommend you replace your hosts file with Dan’s; there are instructions on how to do this on his website.


  • Why would Facebook application developers sell your home address?

    Because now they can. Last Friday, after work, Facebook announced they will be providing your home address and telephone number to software developers.


  • Your printer is giving you up!

    Did you know that most printer manufacturers have secretly ensured there are watermarks on everything you print? These are tiny tracking dots, barely visible to the human eye, that allow one to determine which printer a given printed piece of paper came from!


  • Ready to test your BCP?

    Most large organizations make sure to do Business Continuity Planning (BCP), also known as Disaster Recovery Planning (DRP), because they understand the importance of keeping their information intact and secure no matter what happens. Unfortunately, few individuals ever think about such planning — even though in many ways it’s just as important.
    Stop and think for a moment: What would you do if your condo building caught fire right now and your computers were ruined? Or your home was broken into and your laptop stolen? How would this affect your personal information? What about the letters, files, photos and projects that were on your hard drive?
    If you’ve had a computer hard drive die, you probably have had to deal with a similar reality, and hopefully now have a backup plan in place. But if you haven’t had these things happen to you, you need to plan now.
    Get an external hard drive, back up all of your data and move that external hard drive to another physical location. You can also get access to a remote machine and securely copy all of your data over to it.
    Once this is finished, you now don’t have to worry if your computers are stolen or catch fire in the next few weeks or months. But what happens when they’re stolen in a year from now? Now you need to create a regular process of backing up your data, and making sure it’s not in the same physical location.
    You get bonus points if the data is encrypted on your computers as well as the backups, so in the case of theft, the thieves won’t have access to any of your personal information.
    If this post gets just one person to follow these steps, and it helps them save their information, it was worth it.


  • Ethical Hacking class

    If you are in the Suwon/Seoul area of Korea tomorrow, I will be teaching an Ethical Hacking class at no cost. Contact me at @PrivaSecTech on twitter for directions.


  • Too much trust in Common Criteria and FIPS 140-2?

    Last week I attended PacSec in Tokyo, Japan. This is one of the three SecWest conferences every year, the largest being CanSecWest in Vancouver.
    One of the interesting talks to me was Jussipekka Leiwo’s talk on “An analysis of authentication vulnerabilities in CC and FIPS 140-2 certified USB tokens”. In it he describes a loophole in the process of both certifications regarding USB tokens. In the example he provided, two well-known USB keys that had been certified as CC and FIPS 140-2 compliant were reviewed and found not to be compliant; the issue was that the versions reviewed were not the same versions that had been approved. There was also a lot of concern raised about the lack of relationship between the documenter and the developer of products going for CC and FIPS 140-2 compliance.
    While these issues are of grave concern for anyone relying on this certification for the protection of information, it made me wonder about an even larger problem with version verification. What stops me from designing a knock-off product with the exact same version as your CC and FIPS 140-2 product? How do you verify you’re using the correct one?
    Self-verification is built into the higher level security standards, but not at this level. So it makes me wonder: what level of trust should we be placing on Common Criteria and FIPS 140-2 if those intimately involved in the process are highlighting such systematic process flaws?


  • Why is there so much fear about …?

    This is my first Q&A post. If you have a question about anything Privacy, Security or Technology related, contact us on our website or ask us on Twitter.


  • 3 Steps to Guard Against the Wolf in Firesheep Clothing – Vancouver Sun

    I was quoted in this Vancouver Sun article today which highlights several ways you can protect yourself from sidejacking attacks.


  • Program Firesheep allows easy hacking of Facebook, Twitter over unsecured WiFi – Winnipeg FreePress

    Today I was quoted in the Winnipeg FreePress about Firesheep:


  • Borrow your neighbours identity

    If you have a wireless card in your laptop or netbook, you should see if it can be put into monitor mode/promiscuous mode. If so, this means you can “sniff packets” (watch all the internet data flying by your antenna). In a coffee shop or internet cafe, or near a condo/apartment building, this can be quite a lot. With software like Wireshark you can log all of these packets and see what type of fun information you can find. This will include all (non-encrypted) web surfing and emails going by!
    In 2007, Errata Security released the Hamster and Ferret software, which sniffs certain packets of data called session cookies. This process is called HTTP session hijacking, which is more commonly called sidejacking. You load the Hamster proxy in your browser, and it will list all of the session cookies it was able to find. This allows you to log in to existing web sessions on websites like Gmail and Facebook, and hundreds of others, as another individual.
    This week Eric Butler released Firesheep, which does the same thing; it’s just a lot prettier and a lot easier to use. It has got a lot of media attention. Just remember, sidejacking is nothing new, and with software like Wireshark you can sniff all internet traffic, not limiting it to just session cookies!
    While we don’t condone malicious activity, anything that can raise awareness to the benefits of encryption is a good thing. Did you realize that almost every website you go to, and every email you send is also in plain text? Even if you’re not using wireless, but a wired connection, these packets all go across dozens of computers on the internet like a postcard until they get to the intended recipient? Perhaps it’s time we all start encrypting our emails and demanding websites use encryption. It helps us maintain both privacy and security.


  • Your credit report

    There are two credit bureaus in Canada, Equifax and TransUnion (there was a 3rd, American company, but it appears to be defunct). Contrary to the prices listed all over their websites, they’re obligated to provide you with one free credit report every 12 months. You should make a request to each organization, as they don’t seem to synchronize their data in our experience, and where things may look great with one, they could look terrible with the other. Bonus points with your request if you ask their respective privacy officers who they provide your personal information to; they’re required by Canadian privacy legislation to respond to this request.


  • What does Google’s Street View know about you?

    There is a lot of attention on Google right now because Google had cars driving around the world, collecting photographic data so that it could add this information to its Google Maps database. This means they can most likely now publish what the front of your house looks like on a given day, without your consent.


  • Technology Tip: Shopping

    This is a technology hint for those wanting to know if they’re getting a good deal. You can use this hint no matter what you’re buying. You could be looking at a product in a store, from a friend, or on craigslist.ca, it doesn’t matter. Before you make your next purchase of any product, try this hint. In order to use this hint, you will need an account on ebay.


  • Canadian Patriot Act redux

    The article posted in May on the Canadian Patriot Act being introduced to the House of Commons didn’t seem to go much further than “preaching to the choir”. I will try to summarize the changes, which will hopefully show you how Canada’s privacy landscape went from one of the top 2 in the world, to near the bottom, in this single change to legislation.

  • Was I notified either verbally or in writing, of the reason each piece of my information is being collected?

    Recently, I was in a local brewery buying a keg, and they asked for a copy of my driver’s licence to write down the number on the deposit form. And then a few days ago, I was filling out an online form for a social network that required I specify my gender to create an account. It is cases like this that inspired me to write this article.

  • Apple’s updated privacy policy

    “To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device.”


  • Apple iphone vs Nokia E71

    Traditional cellular phones are now known as feature phones, deprecated by the advanced “smart phone”, which allows one to install feature rich, operating system applications. With these advanced computing capabilities come great security risks: your cell phone can now be cracked just as a personal computer can. That being said, most people seem to upgrade to a smart phone once given the opportunity.


  • Tynt.com. We want to hijack the paste in your next cut & paste

    If you cut and paste from websites fairly often, especially on media websites, you may have noticed when you did so that some extra text was added. This is most likely JavaScript, thanks to a company called Tynt.com.


  • Canadian Patriot Act introduced

    Today a couple of changes to Canada’s privacy landscape were introduced under the infamous banner of “safety and security”. This will create significant changes to PIPEDA and FISA, Canada’s legislation around private sector privacy and spam respectively. I’ve been asked what this means, so I will try to summarize:

  • Social networking, what’s next?

    In 2008, I was in Ottawa, talking with one of our clients, CIPPIC, specifically the executive director at the time, about Facebook. There was discussion that Facebook was perhaps not complying with PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act).
    After much research, CIPPIC submitted their findings to the federal privacy commissioner of Canada. One year later, the privacy commissioner’s office responded.
    As a result, some interesting precedent was set when Facebook followed the privacy commissioner’s recommendations!
    Fast forward another year, and we have the CEO of Facebook stating “the age of privacy is over” and, more recently, chat logs released of him saying people are dumb for providing him their information, all at the same time as Facebook provides more and more of its users’ personal information to the entire internet.
    Well, we’re now ready for the next thing. There are many people threatening to boycott Facebook by ditching their account, but I would suggest the opportunity to stay socially connected is addictive, and until the next solution is ready, we’ll reluctantly hang out on Facebook for now.
    There are other organizations out there right now who have raised 6 figures to build a privacy forward social networking website, but will they be successful? There are millions waiting with bated breath.


  • Free Email

    “My email provider shut down my account, gave me a support ticket number, but I have no way to look it up”
    “Have you paid for your account?”
    “No, it’s a free account”
    “What type of SLA (service level agreement) do you have with them?”


  • Web server logs

    If you’re looking at a web site in your web browser (Firefox, Internet Explorer, etc.), it is being served by a web server.
    According to Netcraft over 50% of web servers now are using Apache. For logging, most people use the extended log file format. Here is how a standard log looks when someone goes to http://www.privasectech.com:


  • Email Encryption

    On our contact us page we mention OpenPGP standard encryption (RFC 4880). What is this? Most people think email only goes to the intended recipient, but instead it travels across the internet like a postcard. Even if you’re emailing your neighbour, that email postcard will often cross international boundaries. Once that postcard goes out, you have no control of where it goes, or how long it stays out there.
    For those that prefer to send their mail in an envelope, email encryption offers this. There are several solutions available you can use to communicate with us, your business partners, friends and family. They will all likely require GnuPG, which is open source (free).

