We say farewell to Dan, but don’t despair, we’ve still got a ton of great topics to cover as we say goodbye. We compare the handling of recent data breaches at imgur & DJI, share some in-depth guides on beefing up your security posture & see Dan off with some of your finest feedback and the world’s tastiest roundup.


Show Notes:

Imgur’s blog post Re: notice of data breach

Contrast Imgur’s breach handling with that of DJI

  • developers had left the private keys for both the “wildcard” certificate for all the company’s Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub

  • Findings of the developer: Why I walked away from $30,000 of DJI bounty money – PDF

  • But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA).

  • “At one point… DJI even offered to hire me directly to consult with them on their security,” Finisterre wrote.

  • Ultimately, Finisterre received an e-mail containing an agreement contract that he said “did not offer researchers any sort of protection. For me personally, the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech.” It seemed clear to Finisterre that “the entire ‘Bug Bounty’ program was rushed based on this alone,” he wrote.
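The root cause in the DJI story above was private key material (a wildcard TLS certificate key and AWS credentials) committed to a public GitHub repository. The following is an added example, not code from the show, DJI, or Finisterre: a small Python scanner that can run as a pre-commit hook and flag PEM private-key blocks and AWS-style access keys before they leave a developer's machine. The regular expressions are heuristics (AWS access key IDs begin with `AKIA`/`ASIA` followed by 16 uppercase alphanumerics; secret keys are 40 base64-ish characters), and all credential-looking values in the sample input are constructed, not real.

```python
import re
import sys
from dataclasses import dataclass

# Heuristic patterns for the two kinds of secrets the DJI incident exposed:
# private keys in PEM form and AWS credentials. Names are this example's own.
PATTERNS = {
    # Matches RSA/EC/DSA/OPENSSH/PKCS#8 "BEGIN ... PRIVATE KEY" headers.
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # AWS secret keys only when assigned to a variable that names them,
    # which keeps false positives from random 40-char strings low.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"
    ),
}


@dataclass
class Finding:
    line: int       # 1-based line number in the scanned text
    kind: str       # key from PATTERNS
    redacted: str   # first few characters only, so reports don't leak the secret


def _redact(value: str) -> str:
    """Keep enough of the match to locate it, never enough to reuse it."""
    return value[:6] + "..." if len(value) > 6 else "..."


def scan_text(text: str) -> list[Finding]:
    """Return every secret-like match in `text`, one Finding per line per pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                # Use the captured group when the pattern has one (secret key),
                # otherwise the whole match (PEM header, access key ID).
                value = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(line_no, kind, _redact(value)))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan one file; binary junk is tolerated via errors='replace'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample resembling a careless commit: fabricated credentials,
# not real ones. The access key ID uses the AWS documentation example format.
SAMPLE = """\
# config/settings.py
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# certs/wildcard.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""


def main(argv: list[str]) -> int:
    """Pre-commit style entry point: exit 1 if any staged file contains a secret."""
    paths = argv[1:]
    all_findings = []
    for path in paths:
        for f in scan_file(path):
            all_findings.append((path, f))
            print(f"{path}:{f.line}: {f.kind} ({f.redacted})")
    if not paths:
        # With no arguments, demonstrate on the constructed sample.
        for f in scan_text(SAMPLE):
            print(f"<sample>:{f.line}: {f.kind} ({f.redacted})")
        return 0
    return 1 if all_findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it up with `git diff --cached --name-only | xargs python scan_secrets.py` in a pre-commit hook; a non-zero exit blocks the commit. The point of the redaction is that a CI log or hook output listing findings must not itself become a second place the key leaks.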

How can I prevent myself from getting hacked?

  • Not everyone agrees with Motherboard, so see also Basic security precautions for non-profits and journalists in the United States, mid-2017. But to be fair, Bruce says it’s pretty good.

  • See also the other Motherboard guides.

  • Do you want to stop criminals from getting into your Gmail or Facebook account? Are you worried about the cops spying on you? We have all the answers on how to protect yourself.

  • The Electronic Frontier Foundation guide to Assessing Your Risks

  • “… if you come away with one lesson from this guide, it is: update, update, update, or patch, patch, patch.”

  • Use a password manager

  • Two-factor authentication: You should, if the website allows it, use another 2FA option that isn’t SMS-based, such as an authentication app on your smartphone (for example, Google Authenticator, Duo Mobile, or Authy), or a physical token. If that option is available to you, it’s a great idea to use it.

  • Use an ad blocker (e.g. uBlock Origin). Why? A great deal of malware comes through ads.

  • Get an iPhone and don’t jailbreak it

  • Use Signal instead of WhatsApp

  • Even if you keep your privacy settings on lockdown, social media companies are subject to subpoenas, court orders, and data requests for your information. And oftentimes, they’ll fork over the information without ever notifying the user that it’s happening. For the purposes of social media, assume that everything you post is public. This doesn’t mean you should stop using social media; it just means you have to be mindful of how you use it.


Feedback


Round Up:

Question? Comments? Contact us here!