Forbes wrote what I feel is an excellent article explaining a potentially serious breach with LastPass and broke down what happened and how it could impact users in a measured and accurate manner.

On the same day, Popular Mechanic wrote what I feel is a click-bait, fear-mongering, hyperbolic article. It starts off with an attack on mobile computing in general and then digs down into “7 Apps You Should Delete from Your Phone Right Now”. An example they used as a horrible offense of one of these apps was “possibly tracking your location” in the case of an app that — wait for it — shows you the nearest gas station.

The big problem with the Popular Mechanic article is that there’s valuable information hidden within the hyperbole and rhetoric, but it’s throwing the baby out with the bathwater. People that actually take a moment to think about the writing will be turned off by the extreme ranting. Those that don’t are led to being afraid of everything.

Are there certain keywords or red flags to look out for (in poorly-written articles)? How do you sniff out fake news?

I’ve found excellent articles in unlikely places and unfortunately bad articles in places you’d think would do better. So how do you glean the wheat from the chaff?

My first stop is the headline rather than the publication. If a respected source is using a click-bait style “You Won’t Believe What These Apps Are Doing With Your Data!” or “24 Apps That Are Selling Your Data!”, skip it. There are thousands of apps that sell your data; that’s their model. Many of them straight up say so or are very clear about it. Does that make it right? Disclosure is key in my opinion, but we digress.

Other warning signs are going to be the tone of the opening paragraph. Is this an article that’s trying to warn of an event, or are they trying to scare you into a decision?

• “X [subject] Has Y [traits], and Z [event] is a Result of [ABC].” <— this is OK

• “X [subject] May Be Fun, but Did You Know […]?” <— a pretty big tell for me

Break it down for us. In this article, what’s inaccurate about that article?

I mentioned the gas station finding app above, and how it was written is not a really useful article for people. (Potentially teaching users to be aware of what apps track their location and making educated decisions on which ones to use would be a good idea, but that’s not what it covers.) However, they mention that Angry Birds is gathering personal data about its users to use in its ad network. This is pretty normal industry practice and not exactly groundbreaking news, but the fact that the ad network is leaking the data like a sieve and government agencies are trolling that data for “useful” information is absolutely relevant!

Perhaps instead of saying:

“Angry Birds isn’t your friend, even after all of these years,”

And instead they said:

“Angry Birds, the immensely popular game app, has been recording data that goes beyond standard demographic data for selling ads and has been leaking that data to interested 3rd parties according to Edward Snowden.”

Then perhaps their readership would have a better way to assess the level of impact the event has on them.

Additionally, showing users how they can limit the impact to themselves besides simply burning everything to the ground would show a measured response to an incident.

The Forbes article goes into detail about what platforms and use cases are impacted by the reported breach, whereas the Popular Mechanic article leaves out anything that could resemble impact data (because Edward Snowden didn’t provide it either).

When should we really be concerned about digital security in the news?

When multiple sources are publishing strongly worded warnings on the same topic, I recommend paying attention and perhaps investigating what the impact of that topic is if it isn’t already clear. An example of an important event that the end user couldn’t do much about was the Heartbleed SSL/TLS vulnerability. It was massively important and effected the way much of the encryption on the internet is managed, but there was little to nothing an individual end user could do.

Articles that talk about exploits to general software you use with advice on how to update/mitigate them, are another important category, though these tend not to make the mainstream media outlets as often. But they’re arguably more valuable.

The third category we see a lot is, “X Company Experiences Major Data Breach and Lost Y Million Records.” In my opinion, this is the same as a traffic update telling you about a major accident along your daily commute. If you’re a customer of that company, you should update your account information (change your password and/or delete your account, make sure you aren’t using that password anywhere else, and changing it there too if you are), but there are better tools for finding this sort of information than clickbait articles. Simply checking https://haveibeenpwned.com/ periodically (or using a password manager that does it for you!) is a more reliable way to get that information.

What are next steps to consider/do when you see an article that seems alarming, before freaking out?

When your friends send you an article with titles like “7 Apps to Delete IMMEDIATELY!”, treat it the same way you would any other passive-aggressive viral meme: Move on. Generally speaking I advise “Don’t feed the trolls.” But if the article is particularly egregious, perhaps responding to the misinformation could be helpful. Just remember: Don’t link the article, just reference it. Stop the spread! Remember, only YOU can stop bad info from spreading! (cue Smokey the Bear image here)

Conversely when there’s a well-written article that is spreading good and helpful information, mash that Share button to death. Like, comment, spread the word, evangelize!

Permalink

In our pilot episode, Travis joked about National Password Hygiene Day, but this was really a hint that I should get into 1Password and acknowledge my mess. Since my story is probably a common one, here’s what I did and how it’s going.

TL;DR version: AWESOME. My soul feels clean.

The Long Version

The first thing about any important task is to make sure it’s fun. So after getting a couple of iced coffees and flaky baked goods, we sat down to work.

First: Password Warnings

I use 1Password and have had an account there for at least 10 years, because I worked at a company where password managers were required. After I left, I continued to use it but after several updates and migrations, things had become a major mess. Every time I opened it I saw messages like these:

Obviously, 1Password has my back and I got used to ignoring the blocks of color.

Really, these first three (orange) are what I need to tackle first. For these, I opened a web browser and visited the site, logged in, and then set a new password in my account settings. 1Password automatically updates each entry with the new data. Yes, it was a little tedious because most sites ask you to enter your old password before you can set a new one. This means going back into 1Password multiple times. But it could be worse…. I could be doing this without a password manager!

In my defense, most of those reused passwords are on sites that forced me to create an account login at checkout and I just wanted to get out of there fast. For cases like these, it’s a decision on my part on whether to change the password to something stronger or just delete the login.

Second: Two-Factor Authentication (MFA)

For Two-Factor Auth (MFA), this is an option that I frankly don’t use all the time. I tend to stick to MFA on just the really important stuff: My email accounts, banking sites, cloud storage, etc. I like that more sites are starting to offer this, even if I usually think it’s overkill.

Third: Unsecured Websites

1Password also has a section of Watchtower (“Unsecured Websites”) that flags sites that don’t use https. According to Travis, this is usually just a case of your bookmark not adding the “s,” and adding it in will usually fix it because most sites do support it.

But if they don’t, think twice about the kind of data you keep on that website and whether or not you trust them to take care of it. If it’s not super important to you, then don’t worry about it.

How did I do?

After a few days of hitting this Marie Kondo-style, a little each day, things are taking shape. I’m starting to experience the familiar problem that comes with any decluttering practice: questioning whether this needs to be in my life vs holding on for nostalgia (“Wow, I remember when I used to live on those forums!”).

The numbers on the left here are not anywhere close to zero, but they’re significantly lower than the first image at the beginning of this post. And I’m still alive… and I’m still getting all the other things I have to do during the day done.

Permalink