Amazon’s Ring is the largest civilian surveillance network the US has ever seen

Ring is effectively building the largest corporate-owned, civilian-installed surveillance network that the US has ever seen. An estimated 400,000 Ring devices were sold in December 2019 alone, and that was before the across-the-board boom in online retail sales during the pandemic. Amazon is cagey about how many Ring cameras are active at any one point in time, but estimates drawn from Amazon’s sales data place yearly sales in the hundreds of millions. The always-on video surveillance network extends even further when you consider the millions of users on Ring’s affiliated crime reporting app, Neighbors, which allows people to upload content from Ring and non-Ring devices.

Then there’s this: since Amazon bought Ring in 2018, it has brokered more than 1,800 partnerships with local law enforcement agencies, who can request recorded video content from Ring users without a warrant. That is, in as little as three years, Ring connected around one in 10 police departments across the US with the ability to access recorded content from millions of privately owned home security cameras. These partnerships are growing at an alarming rate.

Because Ring cameras are owned by civilians, law enforcement are given a backdoor entry into private video recordings of people in residential and public space that would otherwise be protected under the fourth amendment. By partnering with Amazon, law enforcement circumvents these constitutional and statutory protections, as noted by the attorney Yesenia Flores. In doing so, Ring blurs the line between police work and civilian surveillance and turns your neighbor’s home security system into an informant. Except, unlike an informant, it’s always watching.

Full article: https://www.theguardian.com/commentisfree/2021/may/18/amazon-ring-largest-civilian-surveillance-network-us

Definition: Credential Stuffing

A hacking technique where login credentials are obtained (often stolen) from one site and used to attempt to log into one or more other services – typically higher value sites like banks, credit cards, etc.

This is why we recommend that you never re-use passwords.

The video below gives a pretty clear explanation of the problem, and offers some ways around it (password managers, multi-factor authentication, passwordless login). We’ll be covering passwordless login soon…

The Value of a Testing or Staging Site

A well-accepted practice in the software development world is to run major software updates through a series of tests before running them on the live site. This allows the developer to catch as many bugs as possible before putting the changes in front of users. Unfortunately, that’s not a practice that many WordPress site owners employ.

Most WordPress updates come with the standard warning that you ensure you have a fresh backup of the site before running them. But the support forums are full of panicking site owners asking for help: “I just updated <WordPress, a theme, or a plugin> and now <some function> is not working! How do I get it back?” so it’s pretty obvious that even that level of caution is often ignored.

Many site hosts (SiteGround, some GoDaddy plans, etc.) offer the ability to create a staging site – essentially a mirror copy of the live site with a different web address – with just a click or two, at no extra cost. Ask your host if that’s available for yours. If your host doesn’t offer staging sites, we can set you up with one for a fee – contact us for details.

Ideally, you’ll upgrade your staging site and give it a run through to make sure everything looks right and functions correctly. Check things like menu drop-downs, contact forms, product ordering pages (have a cheap test product as a draft – or use a real product and cancel the purchase afterwards), embedded videos, site banners, as well as the general layout. If anything is broken, get it fixed and re-tested before moving forward. If possible, make those same fixes on the live site before upgrading it.

Once everything checks out OK on the testing/staging site, take a full backup of the live site, then perform the upgrade there and re-test. Sometimes there are bugs which only show up on the live site, despite your having passed all the tests on the staging site!

Upcoming API Change Will Break Facebook and Instagram oEmbed Links Across the Web Beginning October 24, 2020

On October 24th, 2020, Facebook will institute a change which removes the ability to easily embed “link previews” on WordPress and many other sites using the popular oEmbed protocol.

oEmbed is what allows you to enter a link in your blog or site and present a preview of the target page.

Possible solutions include plugins such as https://wordpress.org/plugins/oembed-plus/, https://wordpress.org/plugins/instagram-feed/ and https://wordpress.org/plugins/custom-facebook-feed/

Source: https://wptavern.com/upcoming-api-change-will-break-facebook-and-instagram-oembed-links-across-the-web-beginning-october-24

How to Keep Your Stuff Safe While You’re at College (or anywhere, really)

There’s a well-written article by iFixIt.com aimed at college students, but really it’s applicable to everyone who ever does anything in public space. Granted, that’s not happening as much with COVID-19 precautions, but these suggestions should be part of your regular routine anyway.

Of particular note is the section on USB chargers and thumb drives. Many are not aware of the potential dangers, and some good tips are given on how to protect yourself.

See the article at https://www.ifixit.com/News/43770/how-to-keep-your-stuff-safe-while-youre-at-college

Why do we back up?

A perfect example from my security focused Twitter feed today:

well <expletive> my server colocation facility just burned down

“halon is great for when equipment is on fire, but not as useful when the whole entire west coast is on fire”

This of course is during the raging wildfires on the US west coast.

Frequent offsite backups are also a critical method of fighting Ransomware attacks.

FYI, we keep backup copies of all sites in several locations, using several different backup methods.

Stay Alert to New Scams and Tricks

Phishing attackers can play with web addresses in a number of ways to trick you into following the link:

Hiding the link with a link shortener (bit.ly, goo.gl, etc)

Hiding the link under a “Click here” or similar button

Substituting numbers for letters (the number 0 for the letter o, as in “dr0pb0x.com”)

Spelling an existing address incorrectly (Facbook.com instead of Facebook.com)
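
The tricks listed above can be checked for mechanically before a link is followed. The sketch below is an added example, not part of the original post; the shortener list, the list of known sites and the digit-to-letter table are assumptions to be replaced with the sites you actually use.

```python
from urllib.parse import urlsplit

# Assumed lists for illustration; extend them with the sites you rely on.
SHORTENERS = {"bit.ly", "goo.gl"}
KNOWN_SITES = {"facebook.com", "dropbox.com"}
# Digits commonly swapped in for letters (the post's example: 0 for o).
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance: inserted, deleted or substituted characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, link_text=""):
    """Return warnings for one link; an empty list means no trick was spotted."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    warnings = []
    if host in SHORTENERS:
        warnings.append("shortener: real destination is hidden")
    if host not in KNOWN_SITES:
        swapped = host.translate(DIGIT_TO_LETTER)
        if swapped != host and swapped in KNOWN_SITES:
            warnings.append(f"digits for letters: imitates {swapped}")
        else:
            for site in sorted(KNOWN_SITES):
                if edit_distance(host, site) == 1:
                    warnings.append(f"misspelling: imitates {site}")
    # Visible text that names one site while the link goes somewhere else.
    text = link_text.strip().lower()
    for site in sorted(KNOWN_SITES):
        if site in text and host != site:
            warnings.append(f"text says {site} but link goes to {host}")
    return warnings
```

A “Click here” button carries no address in its visible text, so the check always runs on the link target itself; the text comparison only adds a warning when the visible text names a different site.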

 

Page experience: a new Google ranking factor

A couple of weeks ago, Google announced Web Vitals — a new set of metrics to measure the speed and user experience of websites. Last week, Google announced that these metrics will make their way into a core algorithm update as new ways of judging and ranking sites based on the page experience they offer. This update is due to arrive some time in 2021.

Read up! Article by Yoast SEO: https://yoast.com/page-experience-google-ranking-factor/

Don’t use names in your password!

Password management company NordPass has urged the general public not to include people’s names in their passwords.

Research released by the company found thousands of netizens worldwide are opting to protect their sensitive information with a password that includes a name.

According to NordPass, the name that cropped up most frequently in passwords is “Ashley.” The company discovered that the gender-neutral moniker was used 94,557 times to protect sensitive data.

The second most common name, used 78,914 times, was the similarly gender-neutral “Charlie.” The third and fourth most popularly used names, employed 71,035 times and 64,992 times respectively, were Michael and Nicole.

….

Passwords based around names are easier for cyber-criminals to crack as the combination of characters is more predictable.

According to the Department of Homeland Security, “most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them.”

“People also shouldn’t use any other obvious choices, such as their address, favorite band, sports team, pet’s name, the word ‘password,’ and any alternations of it.”

Full article at https://www.infosecurity-magazine.com/news/netizens-urged-not-to-use-this/