How to Protect Your Google Gmail from Russia’s Putin and WikiLeaks

Word is out from multiple intelligence sources and security researchers that Hillary Clinton campaign chairman John Podesta’s Gmail account was hacked by (you guessed it!) Russian hackers under the direction of the Russian government (aka Vladimir Putin), for public distribution of Podesta’s email messages via Putin’s propaganda publishing arm: Julian Assange’s WikiLeaks. All of this in furtherance of Putin’s “Get Ignorant Puppet Trump Elected U.S. President!” project.

Apparently Podesta fell victim to a typical “spear phishing” attack, typing his Google Gmail credentials into a convincing (but fake) Google login page.

People fall for this kind of thing every day.

But don’t blame Google, because Google already provides the means to make such attacks enormously more difficult — 2-Step (“2-Factor”) Verification.

The problem is that despite Google’s constantly entreating users to avail themselves of this, most people don’t want to bother until after they’ve been hacked!

To be clear, I don’t know for an absolute fact that Podesta wasn’t using Google 2-Step Verification. But the sequence of events being reported would appear to make it extremely unlikely, because while 2-factor systems don’t make such attacks absolutely impossible, they do indeed make successful phishing attacks less likely by orders of magnitude.

And it’s not as if Google doesn’t provide plenty of choices when setting up this kind of protection.

It can be done by text messages, by automatic calls to voice phone numbers, and by authenticator apps that don’t need network access. It can even be done via high security USB-based crypto keys and printed emergency backup codes!

It’s too late for Podesta. But it’s not too late for you to protect yourself from Putin, Assange, and the more prosaic crooks who wander the Net.

If you use Gmail or other Google services, go turn on 2-Step Verification. If you use some other email system that offers 2-factor protections, go and enable them — now!

I published a write-up earlier this year explaining how to do this with Google. It’s at: Do I really need to bother with Google’s 2-Step Verification system?

Now you know — the answer is YES. It’s not a bother, it’s Google helping you to protect yourself against evil.

And that’s the truth.

Be seeing you.

I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
– – –
The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!

Yahoo’s Email Spying Nightmare

Just when you’re thinking that the situation couldn’t get worse for once venerable Yahoo — the company has been sold at fire sale prices, they’ve announced historically enormous user account security breaches, and so on — comes word that Yahoo may have permitted mass scanning of users’ email contents by unnamed federal intelligence agencies. 

Unattributed, unsourced stories — particularly dramatic ones like this — must be viewed with extreme skepticism. Very often these days some nobody throws out a baseless rumor, it’s mirrored around the Web in minutes, and sometimes is even picked up by mainstream news sources without any sort of realistic fact checking. If every individual or firm subjected to this sort of abuse responded formally to every such unfounded attack, they often wouldn’t have time to do much else.

This Yahoo story is notably different however.

First, it actually originated with a reputable wire service — Reuters — and a reporter — Joseph Menn — who also is highly respected.

And Yahoo actually responded to these accusations by calling the story “misleading” in a very carefully worded, rather strange press release that leaves even more questions unanswered, including with the statement that: “the mail scanning described in the article does not exist on our systems.”

Hmm. Not precisely described? Not on their current systems at this time? 

What about closely described? What about on their systems in the past? What about data provided to some other entity for scanning?

Who (other than Yahoo) knows what they meant?

What they clearly didn’t do was issue a straightforward denial that such mass content scanning ever took place.

Google, Microsoft, and other firms quickly issued statements saying that they had not received similar requests for scanning. Google said specifically that if they ever received such a request their response would be “No way.” (Indeed, knowing Googlers as I do, there’s no way in hell that they’d assent to such a request.)

This is a very big deal. Because if the accusations regarding Yahoo are true, this would be the first mass scanning incident of this kind, at least that we’ve ever learned about.

And it’s very important to keep in mind how this would differ from other surveillance situations here in the USA.

It’s one thing when a court gives permission to an agency to demand the records and other materials associated with specific users. While this kind of authority can be and has been abused, there are times when it can be justified.

The situation gets more problematic when we move into the realm of mass (as opposed to targeted at specific persons) collection of metadata — like phone numbers or message headers. Courts have ruled in different ways regarding the privacy protections due these classes of data, leading to the controversies over the NSA’s mass phone number collection efforts, for example.

But there’s no such confusion over the actual contents of communications, like what’s actually said in phone calls or written in the body of email messages.  

Communications contents are at the highest level of privacy protections, and mass, untargeted scanning of email messages’ contents would represent an egregious and (again, as far as we know) unprecedented violation of the individual privacy rights of innocent persons.

Frankly, I’m sincerely hoping that Reuters got this story wrong somehow, that the actual facts are not as dire as their report suggests.

But this is definitely not the time for Yahoo to be playing word games in their press releases, using language that leaves gaping holes obvious to all observers.

It’s possible that Yahoo is still under some sort of government order that prevents them from explaining precisely what went on — yet Yahoo’s current “non-denial” denial does not well serve Yahoo, its users, or the community at large.

We need to know the truth about what did or did not happen to users’ emails at Yahoo.

And we need to know now.

– – –

= = =

[New York Times]:

“Yahoo was ordered last year to search incoming emails for the digital “signature” of a communications method used by a state-sponsored, foreign terrorist organization, according to a government official familiar with the matter.

The Justice Department obtained the order from a judge of the Foreign Intelligence Surveillance Court.

To comply, Yahoo used a modified version of its existing systems that were scanning all incoming email traffic for spam, malware and images of child pornography. The system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature.

Yahoo was forbidden from disclosing the order and the collection is no longer taking place, the official said Wednesday.”

= = =

If this additional information is correct, it represents an enormously dangerous slippery slope. The inclusion of arbitrary “signatures” at the behest of the government into malware/spam/cporn (“PhotoDNA”) scanning systems is a dramatic departure from firms cooperating with each other, into the realm of secret government mandates.

– – –


The Importance of “Google Assistant” and “Google Home”

There was a lot of fascinating stuff in the Google presentation this morning, but for me the section of most immediate interest — and that may perhaps be the most important going forward for many persons — related to Google Assistant and in particular the Google Home device for accessing Google Assistant.

True, Amazon has had a similar looking pedestal device around for a while, but the access device is only the gateway — it’s the cloud/AI/connectivity resources behind it that really matter. And on those scores, Google’s far ahead of everyone else, and is likely to continue evolving much faster as well.

This class of “full room” connectivity isn’t just important for the slick “Star Trek Computer” factor, but for the critical accessibility aids that it could provide for a vast number of people — visually impaired, mobility impaired, on and on.

And this is only the very beginning of this path. Incredibly important.

One last thing for now. A number of people have asked me if the Home device is sending everything they say in a room up to Google. I don’t have specific information regarding this device, but I’d very strongly assume [UPDATE: Confirmed to me by Google] that the same operational model is being used as for other Google speech recognition products, where the attention phrase “OK Google” is recognized locally on the device, and only then is audio sent up to the cloud for full analysis (and you have control over what happens to that voice data once it reaches Google as well).

Great work!


Google Launches a New Consolidated Blog [GOOD], with a New Unreadable Font [AWFUL]

Google has launched a new consolidated central blog called The Keyword to make it easier to track Google products, research, and other activities. It will reportedly ultimately replace many other Google blogs.

Because Google has long had a multiplicity of blogs to follow, this could well be a very positive move, depending on the details.

This assumes, however, that you can actually read their new blog.

As you can see in the comparison below, Google has once again failed users with aging or otherwise less than perfect vision.

With fonts sized approximately the same, on the left I have a shot from a very recent traditional Google blog posting, and on the right the new “Who needs contrast?” version from their new blog.

The difference in contrast is obvious, with the new version on the right positively painful for vast numbers of users to view.

This is unfortunately not the first time that Google has gone this route with various of their products, effectively devaluing significant segments of their user population.

If you talk to Google about this — and I have — they will assure you that their new designs meet visual accessibility standards and pass the associated test suites. The problem of course is that those standards are widely viewed (no pun intended) as inadequate, counterproductive, and worse.

Typical human vision begins to degrade in our early 20s. A rapidly growing segment of the Google user community is being directly disadvantaged by this trend toward low contrast fonts that are impossible for these persons to comfortably read, or in some cases even read at all.

Google can do far better.


When Hell Freezes Over: AT&T preparing to pull “GigaPower” fiber down my street

I figured that hell would freeze over before I saw gigabit fiber here, but sometimes there’s a surprise.

The photo below shows AT&T preparing to pull gigabit fiber to the home (“GigaPower”) down my street.

This will be a trunk line since actual drops and demarcation points for where I am in my corner of L.A. are behind the houses, so feed lines will be run behind the houses as subscribers request installs.

It’s a bit difficult to see due to the lighting, but the left arrow points at a yellow “pull cord” that AT&T brought by in front of my house yesterday and is continuing to run today down the street.

The right arrow points to a pulley assembly hanging from the Time Warner Cable (now aka Charter/Spectrum) trunk cable above, with the pull cord threaded through it. The GigaPower fiber run will be fed from a large truck spool that will be parked nearby and then pulled down the street over the pulleys via the pull cord. The spool feeding the pull cord itself is visible near the AT&T trucks at the lower right.

AT&T’s pricing for their GigaPower offering varies widely depending on whether or not they have fiber competition (e.g., from Google Fiber — which isn’t here currently). AT&T also usually charges considerably more for GigaPower if you don’t want them snooping on your web browsing activities. 

That all said, it’s likely to be a damned sight faster than the comparatively crawling (especially upstream) speeds from TWC currently! 

I’d still much rather have Google Fiber, though.
