A Web App Security Chat with Shawn Freeman
I’ve come across a wide range of apps promising private communications, from Confide and WhatsApp to SnapChat and even Tor Browsers. I posted news of one of these apps to Facebook and got a very quick response from Shawn Freeman of TWT telling me the apps were pretty much useless.
That made me pause.
There’s certainly a call for them I figured, as evidenced by the sheer number of apps in the AppStore and on GooglePlay, but is there truly a need for them? I wonder, can we feel secure about our privacy if not using them?
Curiosity piqued, I asked Shawn a few not-so-completely-random questions…
RM: Do Snapchat users get the app intending to protect their privacy?
SF: No, I think they use it to push the limit a little about what they post with the assumption it’ll disappear and someone can’t hold it against them in the future.
RM: Is their privacy really protected?
SF: Not likely.
RM: You’re holding back. I can tell. How is SnapChat any different from using Facebook Messenger or a lesser-known app like Confide or Signal which feature message scrambling and deleting? Beyond the fancy animated features, of course.
SF: I think they have a different demographic, which is expanding. I don’t use SnapChat myself as I’ve not found value in it when I did.
RM: What’s the skinny – your best guess – on why some of those White House insiders we heard were using privacy apps? Fake news?
SF: To mitigate their risk – even if not 100%.
RM: Risk? Nice avoidance of the fun part of that question. 😉 It stands to reason that someone thought they would keep their info private. Were they duped?
SF: No, I think they were just misinformed. As the technology matures we’ve seen that lots of good ideas end up having holes which opens a space for a new technology to try and fill the gaps.
RM: Without digging into the apps’ coding, can we assume conversations cannot be recovered from those apps? Or, can it be recovered by the devs for “phase 2”, selling the info of course?
SF: In my opinion about Confide, I believe they would not purposely store the data – that’s just asking for trouble down the road. That being said, data has to be transmitted – so potentially a network or hosting provider could in fact intercept the data and eventually un-encrypt it. Even though 256-bit encryption is good right now, when more powerful computers come out (quantum) it won’t take long for them to decipher.
RM: How do those tools actually work, and do they have an Achilles heel? Feel free to let your inner geek shine through. 🙂
SF: These tools rely on encryption, data residency, and storage policies. Their Achilles heel is the physical world. The fact someone can see the message on a screen means that anyone could easily just record the conversation with a secondary device – it’s hard to defend against this.
RM: Is user privacy really protected, should we even worry about it in the wake of the US gov stripping privacy laws from non-Americans?
SF: If privacy on the internet becomes a legal issue to the point where the US gov requires a back door to encrypted services – a new internet or technology will quickly replace it to fix this issue. You can’t stop the smart people (hackers, tech startups) with a law. Also, when geography isn’t an issue (think global internet via satellite) the US gov won’t be able to restrict how you access the internet in a physical means.
RM: What advice would you give to a client wanting to improve the privacy of their communications online… what are your top 3 best practices for improved privacy?
SF: 1. Quit using the same password for everything. Use a password app like LastPass, etc., to assist. Even with the issues these types of apps have had, it’s still 100x better than using your dog’s name for all your passwords.
SF: 2. Shred stuff. Scan it and then shred the physical paper. Hackers and identity thieves use these personal documents to pretend to be you and this could cost you a lot of money.
SF: 3. If an email looks suspicious, don’t click the link! If someone is asking you to transfer money or click a link and you didn’t already expect it, it’s probably fake. Think before clicking.
And, since we are on the passwords topic…
Why Too-Simple Passwords Are Such a Big Problem
As Shawn mentioned, most hackers and online thieves don’t need to be sophisticated criminals. Usually, they are people using automated bots (scripts or programs) or simple trickery. To get a sense of just how easy it is to hack your password, check out this website and give it a try (just don’t type in any of your real passwords).
What you’ll learn is exactly how easy it is for hackers to crack the simple passwords lots of people use – it’s often a matter of seconds or less, especially if the password is short or only contains letters. The problem here is simple math: the number of possible passwords depends on how many different characters are used and, far more, on how long the password is. If there are only a handful of possible combinations, it isn’t going to take a computer very long to try them all and find yours.
How to Choose Better Passwords (and Protect Them)
Luckily, it’s almost as easy to keep your passwords safe and protected as it is to be vulnerable. The first step is to choose stronger ones in the first place. Here are a handful of tips to help you get started:
1. Stay away from the obvious. Don’t choose your name, birthday, your pin number, a word from the dictionary, or anything else that would be relatively easy to guess. These are the things hackers will try first.
2. Keep a written record of your passwords somewhere safe. Obviously, it will be a hassle for you if you lose them, but you don’t want to store them on a file on your computer, or in a place where others can find them. Consider placing them in a small safe, or some other hidden and secure area.
3. Invest in well-known password security software. Top-rated password control apps such as 1Password and LastPass stand out. Use them to store and generate strong, unique passwords. Don’t worry about forgetting one or deleting your app, as most logins will allow you to send a password reset email should you lose one or suspect someone has breached your security.
4. Be more sensitive and spontaneous. Instead of using only lowercase letters, mix in some capitals (passwords are case-sensitive) along with numbers or symbols. It’s okay to start with a word, but then start substituting special characters, moving things around, and adding capitals where they shouldn’t be.
5. Keep writing. Longer passwords are inherently safer than shorter ones, because of the number of potential combinations that we talked about earlier. Every time you add another letter or digit, you multiply the number of combinations, so the time needed to crack your password grows exponentially.
6. Change your passwords regularly. No matter how strong and secure your passwords are, you should consider refreshing them every few months. Just be sure you keep up the high level of security each time.
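To make the “simple math” above and tips 4 and 5 concrete, here is a small added example (not from the original post, and not the website it mentions) that estimates the worst-case number of guesses for a password: a short constructed list stands in for the obvious words attackers try first, and an assumed, purely illustrative guess rate turns the count into seconds. Never run it on a real password; the inputs in the block are made up.

```python
import string

# Character classes a brute-force search must cover once a password is known to use them.
CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
    ("space", {" "}),
)

# Constructed toy wordlist standing in for the obvious guesses an attacker tries first.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "fluffy", "sunshine"]

# Assumed guess rate for an offline attack; an illustrative figure, not a benchmark.
GUESSES_PER_SECOND = 1e10


def alphabet_size(password: str) -> int:
    """Size of the smallest set of standard character classes covering every character used."""
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates a brute-force search must try in the worst case: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def worst_case_guesses(password: str) -> int:
    """A dictionary word falls to the short list long before any brute force is needed."""
    word = password.lower()
    if word in COMMON_WORDS:
        return COMMON_WORDS.index(word) + 1
    return keyspace(password)


def crack_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the search at the assumed guess rate."""
    return worst_case_guesses(password) / rate


def compare(passwords):
    """Rows of (password, alphabet size, length, worst-case seconds) for side-by-side reading."""
    return [(p, alphabet_size(p), len(p), crack_seconds(p)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords, from dictionary word to long mixed-class phrase.
    for pw, alpha, n, secs in compare(["fluffy", "fluffy1", "Fluffy1!", "Fluffy eats 7 red socks!"]):
        print(f"{pw!r:28} alphabet={alpha:3} length={n:2} worst-case {secs:.3g} s")
```

Note that adding one more character to “fluffy1” multiplies the search space by 36, which is the exponential growth tip 5 describes, while “fluffy” itself is found in a handful of guesses regardless of the math.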
As important as it is to have secure passwords, it also matters that you don’t share them in ways that you shouldn’t. For example, you should definitely refrain from typing your real passwords into web pages that don’t need them – you never know which ones are truly trustworthy.
Likewise, you shouldn’t ever email your passwords to other people, even your web designer, since email connections aren’t secure (you’d be amazed at how many of my clients have done this). If you have to share a password, do it over the phone, or send it as an image with the background texture.
Protecting your passwords isn’t the same as becoming paranoid, but it can be the most important way to protect yourself and your company. There are always going to be people who want to take things from you over the Internet, so why make it easier for them?
All this aside, perhaps the best policy is to not share or engage in confidential communications online? That way, you have less of a need for privacy.