You May Have 5 Minutes To Patch Your Systems
We’ve all been working on something on our device when we get a pop-up that a new patch or update is available, and we probably dismiss it as we want to stay...
If you’re a profitable company, hiring a full-time CISO and Privacy Officer might not be out of your budget, and if so, this article is not meant for you. Th...
A couple of years ago we wrote about how you should Re-evaluate your cookie and consent management platform, and it’s been interesting to watch how some webs...
On November 25, 2021, amendments to B.C.’s Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“FOIPPA”) came into force through Bil...
I’ve been asked this question countless times over the last couple of decades, perhaps because I used to be responsible for cracking weak passwords for a compan...
In order to be as effective as possible, we must always be aware of what the biggest problems organizations are having. In our case, regarding your privacy, sec...
I often get asked which secure communication tools I recommend. I’m writing this as a condensed master list of previous articles I’ve written.
5 years ago, I pulled together some of Canada’s top privacy experts, and we did a Reddit “Ask us anything” (AuA) about the Canadian privacy landscape.
There are now several privacy laws (Canada – PIPEDA/PIPA, EU – GDPR, California – CCPA) that allow individuals to request their personal information.
I’m no longer associated with Canada’s ID Theft Support Centre, which ran out of funding years ago, but I still regularly get asked for help by victims. List...
In this audio clip I talk about the three factors of authentication, and some solutions you can use regarding 2FA to protect your accounts.
If you have a website that uses cookies, you’re likely aware of the European Cookie Law. What started as an EU Directive, by May 2011 it was adopted by all E...
If you’re using SimplexTax and follow this blog because you prioritize your privacy, you likely want to take the following steps immediately:
Please read the entire article before clicking on any of the links, and I’ll explain why.
As you likely know, especially if you’ve followed this blog over the years, most websites are collecting as much data about you as they can, and are using it...
I was looking for a list of privacy centric domain name registration systems, and as of writing this, I can only find one: Njalla. It was created by Peter Su...
There’s some hot news about StatsCan collecting 15 years’ worth of Canadians’ personal financial data in the news. There are a few interesting points related to...
I’ve written about privacy trackers for over 7 years on this blog, and have been speaking about them for over a decade. This is an updated article, as techno...
I was asked again this morning about using a specific app to send secure messages in a corporate environment. My answer was simple, and it hasn’t changed in ...
If you work in privacy, chances are you’ve thought at least somewhat about where your data is stored — and this is the year where we all need to be thinking ...
Starting May 25th, if your company is a data processor or controller of anyone in the European Union, you’re obligated to comply with the EU’s strict new Gen...
Fellow Canadians, especially journalists, when a person or organization can’t respond to a request citing “privacy reasons”, let that be a huge red flag to y...
In Canada, we have a federal law called the Privacy Act, as well as one called PIPEDA, which amongst other things, allows you to access the information priva...
One of the features you’ve likely enabled is Facebook’s platform. To give you an idea of how powerful this is, this is the warning it gives you when you att...
“In the name of “preventing, detecting and investigating terrorist offenses and related travel”, all United Nations (UN) Member States should develop sys...
The short, but intense solution for Meltdown and Spectre from CERT is to upgrade your CPU. (update: As you can see by this URL, they have a more detailed sol...
If you’re ready to stop providing an advertising company with full access to all of your email communication, there are other alternatives out there. This is...
I’m often asked which browser I use. Both Chrome and Firefox have a more privacy centric alternative now, Iridium Browser and Firefox Focus respectively. Of ...
[NOTE: Senior Advisor Kris Constable submitted this to HuffingtonPost, but due to the time zone differences and the severity of the issue, we have decided to...
I’m often asked about secure websites. For example, should you trust the connection with your computer and your bank’s website? The article is going to get a...
I recommend you start asset cataloging before you have a vulnerability assessment done on your organization as you need to know what the assets are you’re tr...
These are the three browser plugins for device protection I recommend you install. The first one is arguably more important than anti-virus, and takes a whil...
The next time you think you’re having a private online chat with a family member, you might want to think about who can read, watch, or log that conversation...
If you’re wondering what the top 3 steps to protect your computing device are, this post is for you. It’s important to note I said device and not computer, as th...
For over four years, the BC Liberals have been working to build a monster database of all of our personal information. Instead of it being limited to one Min...
If you own or operate a business in British Columbia or have a sole proprietorship and you wonder, “Does PIPA apply to me?,” this talk is for you. This con...
Have you ever really paid attention to what information an application is requesting? While I’m singling out Facebook and Android in this article, please thi...
A local LinkedIn group has a discussion recommending a specific anti-virus software. That made me wonder, what antivirus software do you recommend, and why?
In the Supreme Court of Canada’s case of R v. Telus, a 5-2 decision was made that law enforcement need wiretap authorization to intercept text (SMS) messages...
Reader level: Techy/Sysadmin
Today’s question comes from a former student, asking what I use for a portable password manager:
For most things privacy related in Canadian law, it comes down to what a judge feels Canadians think is reasonable. A couple of days ago the Ontario court of...
According to Wikipedia, the purpose of Data Privacy Day is to raise awareness and promote data privacy education. It is currently ‘celebrated’ in the United ...
When you connect your computer to any network, there are typically two options for how it gives you an IP address – a static IP or a dynamic IP (DHCP). The c...
What likely started out as a school prank has turned into a popular video series called Surveillance Camera Man
Most of us use a search engine such as Google or Yahoo daily without taking much time to consider the inherent privacy implications. If you have some time, ...
Have you ever wondered what’s happening in the background on your network? This article will show you how to determine for yourself. In order to begin, you’r...
There’s been a lot of buzz this month about the retired New Jersey locksmith selling several master keys to the city of New York to a newspaper reporter via ...
After reading my Everything you say is likely compromised post, my friend Ross Henton asked,
Ever since the early days of 2600, people have been learning what it takes to compromise voice conversations.
If you’ve followed this blog for some time, I first wrote about the introduction of the bill in May 2010, and then a follow up redux in August 2010 (a summar...
I read a post today on the IAPP‘s Daily Dashboard talking about a “privacy-friendly” “positive side of facial recognition”. It suggests that Ontario’s Inform...
Because of Apple’s advertising, Mac users often (wrongly) believe that they don’t need anti-virus software. The problem that these users have is that when th...
I had a lot of positive feedback from the recent post on Diaspora with client-side encryption. For those of you who are somewhat technically inclined, and li...
Wired is reporting that several hundred thousand people may be affected on Monday when the FBI turns off the domains used in the DNSChanger malware. Over 1/...
Ever since PGP removed their open source client, GnuPG has been the standard in open source PKI. If you want to encrypt your emails and/or files on your comp...
I’ve written about Diaspora before, a social network (Facebook replacement?) that is decentralized, and cares (more) about privacy. If you’re interested to l...
There’s currently a Facebook status going around that states the following:
The cloud is a current buzzword in technology, referring to remote storage space on the internet. The big challenge with using free cloud storage, as a priva...
I’ve spoken about trackers before and recommended four steps/solutions for protecting your browsing privacy:
There have been a lot of stories about what happens when you reveal your social network profile, especially your geo-location information. Probably made famo...
If someone hacks into your laptop/computer, and it has a webcam, they can turn it on whenever they’d like. This video, based on a true story, should ...
Most of my clients are running anti-virus on their home and work computers, but are they using it right? There are 3 key steps to running anti-virus software...
I mentioned a few months ago for those wanting to leave Google search to give DuckDuckGo a try. There’s another alternative as well, called ixquick. Give it ...
This is the basis of the follow up letter from Digital Policy Canada drafted to the CIRA sponsored Canadian Internet Forum this week. The fundamental questio...
If you’re in the Victoria, British Columbia region, we’re going to start a community-based reverse engineering class, and you’re invited. Reverse Engineering...
Do you think such a thing could be implemented without any public consultation or corporate media attention? It exists. About 6 months ago at an Ideas Victor...
On Vancouver Island, you might pick up the Times Colonist newspaper to see what’s happening. There are little to no privacy risks if you buy it from a stand....
One of the most common ways your computer gets compromised is by malicious scripts opened by your web browser. This means you go to a website that might loo...
If you’ve not heard of #SOPA yet, you likely will today. As of right now, it’s only something that techies and internet crusaders seem to be aware of. Like m...
Over the week-end, the University of Victoria’s new administrative building was broken into. A payroll server with the personally identifiable information (P...
What is your computer doing on the internet without your knowledge?
While working in information security for the largest company in Canada, I realized there was no one internally, actively attacking the password database to ...
You’ve probably heard of Google analytics, which takes logs of your website visitors, and all of their activities, and provides you some very pretty, and use...
If you’re a citizen of British Columbia and concerned about the government’s handling of your personal information, you probably want to read Bill-3 (full te...
It’s not often we’ve given Google credit for privacy or security steps, but this week is one of them. Following the steps by Facebook and Twitter we announce...
Thanks to my friend Kevin McArthur for helping unveil this bad boy, as it seems to be infecting quite a few machines. It appears that it was local machine att...
After the F8 conference, there is even more concern than before about what personal information Facebook has on an individual. I was sent Facebook’s personal...
Right after the Facebook F8 keynote, a 15 year old noted he didn’t understand this new model Facebook was about to roll out. What might not be obvious, is th...
You may have read my comodogate article back in March where I reported that the comodogate hacker, going by the name Ich Sun told me “…there is a lot of vu...
In an overwhelmingly scary move, the Vancouver Police Department and the Integrated Riot Squad have just launched a Vancouver riot tell-on-your-friends website...
There is a wildcard *google.com SSL certificate in the wild, which means malicious people can sit between you and anything at Google (including gmail) and pr...
If your friends ever tell you that they’ve received spam from your account, but you didn’t send it, likely your account was compromised. The following steps ...
If you read any of the PostMedia (formerly CanWest) newspapers online, you know that their technical abilities are lacking, to say the least. One of the big...
After writing an article yesterday on how LinkedIn opts your name and photo into social advertising by default, it was brought to my attention today that if ...
Rather unprofessional, and probably against Canadian privacy legislation.
If you’ve installed a Facebook application on your smart phone/mobile phone, they’ve taken the liberty of synchronizing your personal telephone number list in...
Yesterday, Vanity Fair published an exclusive on operation Shady RAT (remote access tool), which was a high-level hacking campaign that lasted over 5 years, ...
I’m sure you’ve received an email spam from what appears to be a legitimate email address, saying you’re entitled to millions of dollars. You know that — tha...
Moxie Marlinspike just released an updated (10 years later!) version of sslsniff that includes the iOS BasicConstraints vulnerabilities that were published t...
An article came out today on canada.com detailing how some good precedent for freedom of speech and anonymity online was just made in Ontario:
You’re likely using Google as your default search engine; and they’re undoubtedly good at search. The challenge to me is what are they doing with the inform...
There’s an article in the register today highlighting that American organizations are all bound by the US Patriot act, which essentially allows the US govern...
I just read a tweet from Meredith L Patterson stating that Len Sassaman has committed suicide. I don’t know why, but at first I thought it only a silly inter...
You may remember a year ago I broke the story on the introduction of the minority government’s Canadian version of the patriot act (see articles one and two)...
When you go to a website that doesn’t exist, instead of your search engine of choice offering you other solutions, Shaw has decided to do this themselves, an...
It was [announced a few minutes ago](https://www.timescolonist.com/residents+secure+CareCards+must+renew+every+five+years/4812099/story.html) that British Co...
Penetration testing, also known as pentesting, is a way of evaluating the security of your organization from the perspective of a malicious black hat hacker....
I received a lot of feedback after my post yesterday about creating a permanent SSL (https://) connection to Facebook. It’s most important to use SSL anywher...
This tip is to create a permanent secure connection to Facebook. You can tell you’re using SSL if the URL starts with https:// instead of http://. When you’r...
For anyone that attended the Privacy and Security talk tonight at Social Media Club – Victoria, I mentioned a browser plugin that allows you to see who is tr...
If you’re in Victoria on April 18, 2011, I will be speaking with my good friend Chris Parsons at Social Media Club – Victoria. My talk’s current title is “T...
News broke yesterday of epsilon.com being breached almost a week earlier. While none of us had really heard about them before that, they’ve been reported to ...
One of the most serious attacks on internet infrastructure occurred a few days ago, and as the Canadian media don’t seem to want to report on it, I will, as ...
I just realized that my first time going to CanSecWest was while working as a security expert at Nortel, by far the largest company in the country at the tim...
This image is getting a lot of attention. Today Michael Geist has released an article on Unpacking The Policy Issues Behind Bandwidth Caps & Usage Based ...
As of writing this, I am one of over 180,000 Canadians that have signed the stop the meter campaign against usage based billing. There are several challenges...
All kinds of breaking drama around the compromising of plentyoffish.com (POF), which includes the usernames and passwords for around 30 million people! Chris...
I will be speaking at the 12th Annual Privacy and Security Conference with the theme “Security and Privacy – Is there an app for that?”
Because they can. On Monday, Facebook released a [video](https://www.facebook.com/video/video.php?v=10100328087082670) that shows how their new *sponsored s...
It’s been well reported on Google’s kowtowing to the Chinese government in regards to censorship. This was based on the requests of a foreign government. How...
I was excited to read today’s post on Facebook’s blog. It starts off with
My friend Dan Pollock has been compiling the must have hosts file for some time. According to Wikipedia, the hosts file is a computer file used in an operati...
Because now they can. Last Friday, after work, Facebook announced they will be providing your home address and telephone number to software developers.
Did you know that most printer manufacturers have secretly ensured there are watermarks on everything you print? These are tiny tracking dots barely visible ...
Most large organizations make sure to do Business Continuity Planning (BCP), also known as Disaster Recovery Planning (DRP), because they understand the impor...
If you are in the Suwon/Seoul area of Korea tomorrow, I will be teaching an Ethical Hacking class at no cost. Contact me at @PrivaSecTech on twitter for di...
Last week I attended PacSec in Tokyo, Japan. This is one of the three SecWest conferences every year, the largest being CanSecWest in Vancouver. One of t...
I was quoted in this Vancouver Sun article today which highlights several ways you can protect yourself from sidejacking attacks.
Today I was quoted in the Winnipeg Free Press about Firesheep:
If you have a wireless card in your laptop or netbook, you should see if it can be put into monitor mode/promiscuous mode. If so, this means you can “sniff p...
There are two credit bureaus in Canada, Equifax and Transunion (there was a 3rd, American company, but it appears to be defunct). Contrary to the prices list...
There is a lot of attention on Google right now due to the fact that Google had cars driving around the world, collecting photographic data so that it could ...
This is a technology hint for those wanting to know if they’re getting a good deal. You can use this hint no matter what you’re buying. You could be looking ...
The article posted in May on the Canadian Patriot Act being introduced to the House of Commons didn’t seem to go much further than “preaching to the choir”. ...
Recently, I was in a local brewery buying a keg, and they asked for a copy of my driver’s licence to write down the number on the deposit form. And then a fe...
“To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the ...
Traditional cellular phones are now known as feature phones, deprecated by the advanced “smart phone”, which allows one to install feature rich, operating sy...
If you cut and paste from websites fairly often, especially on media websites, you may have noticed when you did so that some extra text was added. This is m...
Today a couple of changes to Canada’s privacy landscape were introduced under the infamous banner of “safety and security”. This will create significant chan...
In 2008, I was in Ottawa, talking with one of our clients, CIPPIC. Specifically the executive director at the time, about Facebook. There was discussion that...
“My email provider shut down my account, gave me a support ticket number, but I have no way to look it up” “Have you paid for your account?” “No, it’s a free...
If you’re looking at a web site in your web browser (Firefox, Internet Explorer etc), it is being served by a web server. According to Netcraft over 50% of w...
On our contact us page we mention OpenPGP standard encryption (RFC 4880). What is this? Most people think email only goes to the intended recipient, but inst...