Little Snitch: The Essential Firewall for Your Mac

With digital privacy increasingly under threat, securing your online presence has never been more crucial. Little Snitch, a popular firewall for Mac, is a powerful tool to protect your data and monitor outgoing network traffic. Whether you’re browsing the web, using apps, or transferring files, Little Snitch gives you full control over what leaves your computer and where it goes.

How Little Snitch Works

Unlike traditional firewalls that primarily block incoming connections, Little Snitch controls outgoing traffic. Whenever an app tries to send data over the internet, Little Snitch alerts you with a notification. You can then decide whether to allow or block the connection. This flexibility gives you granular control over how your apps interact with the internet, ensuring that no unauthorized data leaks occur.

For example, you could set a rule for the Brave browser that blocks any connections to Facebook or to, say, Google advertising.

Moreover, you might not want a third-party app to send personal information or usage data back to its developer without your consent. Little Snitch lets you block that app from establishing an outbound connection, giving you peace of mind. This detailed configuration control helps ensure that only the applications you trust can communicate online.

Key Benefits of Little Snitch

  1. Enhanced Privacy
    Little Snitch shields your sensitive data from being sent to unknown or untrusted servers. Apps often collect and transmit user data for various reasons—some legitimate, others not so much. Little Snitch helps you identify and prevent these unwanted data transmissions, safeguarding your privacy.
  2. Real-Time Traffic Monitoring
    The app has a detailed overview of your network activity in real-time. You can see which apps are connecting to which servers, giving you a clear picture of what’s happening behind the scenes. This transparency helps you make informed decisions about which apps should be allowed internet access.
  3. Customizable Rules
    Little Snitch allows you to create custom rules for each app, so you can choose exactly which connections are permitted and which aren’t. These rules can be set globally or applied to specific network locations, giving you the flexibility to adapt your firewall to your changing needs.
  4. Automatic Alerts
    With Little Snitch’s automatic notifications, you’ll always be in the loop about which apps are making network connections. You can allow or block these connections instantly with just a click. It’s a simple yet powerful way to maintain control over your Mac’s security. If some part of an app is not working as expected after you block some connection, you can modify the Little Snitch rule for that connection as needed.
  5. Profiles
    You can also create separate connection profiles. For example, perhaps you might need a set of rules for “work” and another set of rules for “home”. You can also set up a profile to stop all Internet access when you are not using your machine.

Suspected Data Stealing Connections

Attempted outgoing connections to Google, FaceBook, and LinkedIn are all suspects for possible data stealing. Note that some application programs, for example, use Google “APIs” which an app may need to function.

Note that with many application programs, you can get many, many pop-ups for attempted outgoing connections. So, when adding a new application, especially any popular commercial application, plan to spend some time with Little Snitch to fine tune the permissions. You may need to look up some of the connection attempts online to get more information. Little snitch itself gives you some information, but it’s not always enough.

Checking and Updating Rules

While Little Snitch is incredibly effective at protecting your privacy, it’s essential to check and update your rules from time to time. Over time, your needs and the apps you use may change, and outdated or overly restrictive rules could interfere with your normal workflow. Regularly reviewing and adjusting these rules ensures that your firewall works optimally without blocking legitimate traffic. Sometimes, you might have been busy and just clicked “Allow any connection.”. Thus, by reviewing your Little Snitch rules from time to time, you can go back, review, and then further restrict, if needed, application outgoing data access.

For example, some apps may require certain network connections for updates or new features to function properly. If you’ve blocked these connections previously, you might encounter problems with the app’s performance. By revisiting your firewall rules, you can adjust permissions and avoid unnecessary disruptions.

Additionally, as new apps and system updates are installed, it’s important to verify the rules for these new connections. Not all apps are transparent about their network activity, so reviewing their outbound connections regularly helps you spot any unexpected or suspicious behavior.

Conclusion

With companies increasingly trying to monetize YOUR data (read: spying on you and your computer activities), Little Snitch is a must-have tool for Mac users who value privacy and want to maintain control over their online activity. Its intuitive design, powerful monitoring capabilities, and customizable rules make it one of the best firewalls available for macOS. However, to ensure ongoing protection, it’s crucial to periodically check and adjust your firewall rules. With Little Snitch, you’re not just blocking threats—you’re actively managing your digital security.

Please read our disclaimer on our home page…

GrapheneOS: A Strong Alternative to Google and Apple Phones

In today’s digital world, privacy is a growing concern for many smartphone users. Both Google and Apple, while offering impressive features and ecosystem integration, have been scrutinized for their data collection practices. GrapheneOS is a compelling alternative for those who prioritize privacy without compromising essential smartphone functionality.

Enhanced Privacy and Security

GrapheneOS is an open-source, privacy-focused mobile operating system based on the Android Open Source Project (AOSP). Unlike stock Android or iOS, it is designed with security and privacy at its core. GrapheneOS has various security enhancements that protect against both known and unknown threats. The OS does not rely on Google Play Services, which are known for tracking user data. By eliminating these services, GrapheneOS minimizes data shared with external entities, offering a more private user experience. Note: you can still use Google Play Services in with sand-boxed privacy.

Independence from Google and Apple Ecosystems

Google and Apple dominate the smartphone market with ecosystems that integrate cloud services, apps, and devices. This integration often reduces user privacy. Both companies collect much data to enhance user experience and, sadly, targeted advertising. In contrast, GrapheneOS operates independently of these ecosystems. Users thus have the freedom to decide what apps and services to install, giving them control over their data.

GrapheneOS also has many privacy-respecting applications and services, enabling users to maintain functionality without sacrificing privacy. For instance, users can install apps through F-Droid, a repository of open-source apps that respect user privacy, or use alternative app stores that do not track behavior.

Customization and User Control

GrapheneOS offers extensive customization. Users can tailor their devices to meet specific privacy and security needs, including fine-tuned control over permissions, application sandboxing, and network access. Unlike stock Android or iOS, which often limit user control, GrapheneOS gives users the power to lock down their devices as tightly as desired.

Additionally, GrapheneOS has regular updates that improve security and privacy. These updates are delivered without the bloatware and potential vulnerabilities that often accompany updates from Google or Apple.

Avoiding the Data Economy

When data is often referred to as the new oil, avoiding excessive data collection is increasingly challenging. Google’s business model heavily relies on advertising revenue driven by user data. Apple, while touting its privacy initiatives, still collects data to improve services and experiences. Apple’s data collection is more prevalent in iOS.

GrapheneOS is an alternative in this data economy. By stripping constant data collection and sharing, GrapheneOS allows users to disengage from the pervasive data-driven business models of major tech companies. This disengagement means fewer concerns about how personal data is used, stored, or shared, with more peace of mind for privacy-conscious users.

A Viable, User-Centric Option

For those who prioritize privacy over ecosystem integration, GrapheneOS is a viable, user-centric option. Its focus on privacy, security, and user control makes it an appealing choice in the digital age. While it may not yet offer the same level of ecosystem integration as mainstream counterparts, the trade-off for privacy and autonomy is one that many users may find worthwhile.

Check out many of the YouTube videos and especially the GrapheneOS website itself.

Please read our disclaimer on our home page…

Why Faceless Companies Never Pay for Data Breaches and What Can Be Done

Data breaches are a growing issue in the digital age, exposing sensitive personal information like credit card details, medical records, and social security numbers. Despite the significant risks these breaches pose to consumers, many companies fail to face meaningful consequences for their role in these incidents. This article explores why companies often avoid paying for data breaches and provides practical steps both businesses and individuals can take to mitigate these risks.

Why Companies Avoid Paying for Data Breaches (especially in the US)

Weak Legal and Regulatory Frameworks

One of the main reasons companies avoid significant penalties after data breaches is the inadequacy of current legal frameworks. While laws like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States are steps in the right direction, penalties are often insufficient when compared to a company’s total earnings. For instance, under GDPR, companies can be fined up to €20 million or 4% of annual turnover, but these fines are rarely substantial enough to act as a true deterrent for large corporations. Even when penalties are imposed, they often fail to impact the company’s bottom line in a meaningful way.

Externalized Costs

Another reason businesses avoid the consequences of data breaches is that many of the costs are externalized. The financial burden of a breach often falls on consumers, who may experience identity theft or fraud, while companies may rely on cyber liability insurance to cover immediate costs. This allows companies to minimize their financial exposure, while consumers deal with the long-term effects, such as the time and effort needed to resolve identity theft or credit issues. This externalization of costs weakens the incentive for companies to invest in stronger cybersecurity measures.

Risk Management via Insurance

Many companies also treat data breaches as an inevitable risk and factor potential breach costs into their overall risk management strategy. Instead of investing heavily in cybersecurity, businesses often purchase insurance policies that cover breach-related expenses. This approach allows companies to continue operating with minimal disruption and without facing significant financial consequences, which reduces the incentive to invest in more robust cybersecurity infrastructure.

What Can Be Done?

Strengthening Regulations and Penalties

Governments need to strengthen data protection laws and impose more substantial penalties on companies for failing to protect consumer data. For instance, penalties should be scaled based on the severity of the breach and the size of the company, ensuring that large corporations with greater resources face significant fines. Additionally, businesses should be required to compensate affected consumers for the direct financial losses caused by breaches, including fraud and identity theft, to hold companies fully accountable.

Increasing Corporate Accountability

Companies need to prioritize cybersecurity at the executive level. Appointing a Chief Information Security Officer (CISO) who reports directly to the CEO and board would ensure that data protection is embedded in the company’s overall business strategy. Regular audits, increased employee training, and the implementation of best-in-class cybersecurity measures should become standard practices. Businesses should also adopt a proactive approach to security, such as conducting regular penetration testing and updating their systems to defend against new threats.

Actions for Consumers

While businesses hold primary responsibility, consumers can also take steps to protect themselves from the consequences of data breaches:

  1. Use Secure Communication Tools: When sending sensitive information, avoid unencrypted email and text messages. Instead, use secure alternatives such as ProtonMail for email or Signal for text messaging. These platforms use end-to-end encryption, ensuring that only the intended recipient can read the message, making it far more secure than traditional email or SMS.
  2. Enable Two-Factor Authentication (2FA): Whenever possible, enable 2FA on your accounts. This extra layer of security makes it more difficult for hackers to access your accounts, even if they manage to steal your password. Favor hardware keys or Passkeys and never use the least secure SMS for 2FA.
  3. Monitor Financial Accounts and Credit: Regularly check your bank and credit card statements, as well as your credit report, to catch unauthorized transactions or signs of identity theft early.
  4. Use Strong, Unique Passwords: Utilize a password manager to generate and store complex, unique passwords for each account. Avoid reusing passwords across different platforms.
  5. Be Cautious of Phishing Scams: Always be suspicious of unsolicited emails or messages, especially those that ask you to click on links or provide personal information. These are common tactics used by hackers to steal sensitive data.
  6. Use Encryption Tools: For particularly sensitive communications, use encryption tools like VeraCrypt for file encryption or Cryptomator for cloud storage encryption. These tools can help protect your personal data from unauthorized access.
  7. Let these companies know it’s NOT OK for them to have your information hacked (in plain, unencrypted data) from their lacking IT practices, social engineering, or whatever the weak links they have are. Demand that they use encryption on their servers to safeguard your information so, if compromised, your data is gibberish to the attackers.
  8. Contact your Congressional Representatives to demand they introduce legislation to severally punish companies who have sensitive consumer data hacked, leaked, or similar.

Conclusion

While companies often escape the true financial consequences of data breaches, there are steps both businesses and individuals can take to reduce the risks and improve security. Strengthening legal penalties, ensuring greater corporate accountability, and promoting a culture of cybersecurity within businesses are key measures to address this issue. Consumers can also take practical steps, such as using secure communication tools like ProtonMail and Signal, enabling 2FA, and practicing vigilance in monitoring their personal information. By taking these actions, individuals and businesses alike can better protect sensitive data and minimize the impact of data breaches in an increasingly connected world.

Please read our disclaimer on our home page…

Do you skimp on privacy protections because you feel you have … “nothing to hide”?

The “I’ve got nothing to hide” argument often arises in discussions about privacy, surveillance, or data collection. People using this argument might suggest that, because they believe they are not doing anything wrong, they have no reason to worry about privacy intrusions.

Here, of course, we’re talking about emails, texts, and related data you use, share, or create on a computer. Now, when you have a conversation with someone in person, that conversation is automatically private. You never have to think about privacy. However, now that everything you do on a computer is stored on servers, potentially forever, privacy is something that is no longer guaranteed and seems to be quickly eroding from daily life.

1. Privacy is a Fundamental Right:

• Privacy is a human right that supports individual autonomy, freedom of expression, and democracy. Even if someone feels they have nothing to hide, upholding privacy is about maintaining the principle that individuals have the right to control their personal information.

2. Misuse of Data:

• Data collected can be misused in ways that individuals cannot foresee. For example, information could be taken out of context, used to manipulate or discriminate against individuals, or could be leaked or stolen by bad actors.

3. Chilling Effect:

Knowing that one’s actions are being monitored can lead to self-censorship, where people might avoid expressing certain opinions, exploring certain ideas, or engaging in legal activities simply because they fear being watched. This “chilling effect” can stifle free speech and creativity.

4. Evolving Norms and Laws:

What is considered acceptable or legal today might not be the same tomorrow. Information that seems harmless now could be used against someone in the future if societal norms or laws change.

5. Collective Impact:

The argument focuses on individual privacy but ignores the collective impact of mass surveillance. When large groups of people give up their privacy, it can normalize invasive practices and erode protections for everyone, making it easier for governments or corporations to impose even more intrusive measures.

6. Security through Obscurity:

• Privacy can act as a layer of security. Even if someone feels they have nothing to hide, keeping information private can protect them from identity theft, targeted advertising, or other forms of exploitation.

7. Selective Privacy:

• People naturally maintain privacy in various aspects of their lives, such as with passwords, personal conversations, or medical information. This evidence shows that everyone values privacy in some contexts, even if they claim to have “nothing to hide.”

8. Future Consequences:

What someone does today might seem innocuous, but the consequences of having that information accessible to others could be significant in the future, especially if their circumstances or the broader political environment changes.

These points help illustrate that privacy goes beyond individual concerns and touches on broader societal, ethical, and practical implications.

Stay tuned for a future posting with suggestions for taking back your privacy…

Please read our disclaimer on our home page…

Spotting Red Flags: Warning Signs in Technical Job Advertisements

This image has an empty alt attribute; its file name is frustrated-programmer.webp

Finding the right job can be challenging, and job ads are often the first step in the process. However, not all job postings are created equal (to say the least!). It’s crucial to read between the lines to avoid potential issues. This guide explores common warning signs in technical job advertisements and offers strategies for navigating them effectively.

  1. Vague Job Descriptions

A vague job description can be a red flag. If the responsibilities and requirements lack clarity, it suggests that the company hasn’t fully defined the role or its needs. Look for specific details about the role, including the technologies, tools, and projects involved.

For instance, a job ad might state, “Looking for a skilled software developer to join our team.” This description lacks specificity and doesn’t give any insights into the responsibilities or required skills. In contrast, a more detailed job description might read, “Seeking a software developer with expertise in Python and experience with web development frameworks such as Django or Flask. Responsibilities include developing scalable web applications and collaborating with cross-functional teams.”

  1. Unrealistic Expectations

Beware of job ads that promise too much. If a job offers high salaries and rapid career advancement without clear expectations, it could be a red flag. Unrealistic expectations may indicate a company that is out of touch with market norms or one that is trying to attract candidates with false promises.

For example, a job ad might claim, “Entry-level position with a six-figure salary and opportunity for promotion within six months.” While competitive compensation and career advancement are desirable, such promises without proper context or criteria may signal an unrealistic or misleading offer.

  1. Lack of Company Information

Reputable companies usually inform you about their history, mission, culture, and values. A lack of company information may suggest a lack of transparency or a failure to prioritize employee engagement. Research the company independently to ensure it aligns with your values and career goals.

An ideal job advertisement would include details about the company’s background, such as its founding year, core values, notable achievements, and company culture. This information helps candidates gauge whether they would be a good fit for the organization and demonstrates the company’s commitment to transparency and openness.

  1. Poorly Written Ads

Pay attention to the language and tone of the job advertisement. Spelling and grammatical errors, formal language, and vague statements can indicate a lack of attention to detail or poor communication skills within the company. Well-written ads reflect positively on the company’s professionalism and culture.

For instance, a job ad riddled with spelling mistakes, needless company boilerplate, and grammatical errors may raise doubts about the company’s standards and attention to detail. Conversely, a clear, concise, and error-free ad conveys professionalism and fosters trust with potential candidates.

  1. Excessive Requirements

Some job ads list an overwhelming number of requirements. While it’s essential for employers to identify their needs, excessively long lists of requirements may indicate unrealistic expectations or the company’s non understanding of the role’s requirements. Look for ads that prioritize essential skills and experience.

An example of excessive requirements might include a job ad for a junior developer position that demands proficiency in ten different programming languages, five years of experience, and multiple certifications. Such requirements may deter qualified candidates and suggest a lack of clarity or flexibility in the hiring process.

  1. Lack of Diversity and Inclusion

Diversity and inclusion are crucial for a healthy work environment. A job advertisement that lacks diversity in its language or fails to mention diversity and inclusion initiatives may suggest that the company does not prioritize these values. Look for companies that actively promote diversity and inclusion.

A job ad that emphasizes diversity and inclusion initiatives, such as employee resource groups, mentorship programs, and diversity training, demonstrates a commitment to creating an inclusive workplace where employees feel valued and respected. Candidates from diverse backgrounds are more likely to feel welcomed and supported in such environments.

  1. Pressure Tactics

Beware of job advertisements that use pressure tactics to entice candidates. Urgent deadlines or exaggerated claims about the competition may indicate a company that is trying to rush candidates into making hasty decisions. Take your time to evaluate the opportunity carefully.

For example, a job ad might state, “Limited positions available. Apply now to secure your spot!” Such tactics create a sense of urgency and may pressure candidates into applying hastily without thoroughly assessing the opportunity. A reputable company will provide candidates with adequate time to consider their options and make an informed decision.

  1. Lack of Feedback or Communication

Pay attention to the company’s responsiveness and communication throughout the hiring process. Delays or a lack of feedback after interviews may indicate poor communication practices within the company. Clear and timely communication is essential for a positive candidate experience.

An ideal hiring process includes regular updates and feedback from the company to keep candidates informed and engaged. For instance, a company that promptly acknowledges receipt of applications, provides updates on the hiring timeline, and offers constructive feedback after interviews demonstrates respect for candidates’ time and effort.

  1. Watch for Keywords

Watch out for keywords in job advertisements that may indicate a potentially problematic work environment. Phrases like “rockstar,” “ninja,” “self-starter,” or “work hard, play hard” may suggest a company culture that prioritizes long hours, competition, and burnout. While some candidates may thrive in such environments, others may find them stressful or unsustainable.

10. The Headhunter Is Not Your Friend

Don’t believe for a second that the friendly headhunter you’re working with will (probably) do anything to advance your cause with the hiring company, that’s your job. The headhunter wants to make the “sale” (you or someone else) so he or she looks good and makes money. (They’re not called headhunters for no reason.) There is nothing wrong with the headhunter’s goals as long as you take them into account.


In conclusion, by remaining vigilant and attentive to the warning signs in technical job advertisements, you can avoid potential pitfalls and find opportunities that align with your skills and career goals. Thoroughly researching the company and trusting your instincts are essential steps in the process. With careful consideration, you can navigate the job market successfully and hopefully find the right fit for your career goals.

Is AI Going to Take Over Tech Programming Jobs?

As technology keeps getting smarter, a big question on everyone’s mind is whether artificial intelligence (AI) will start doing the job of tech programmers. Let’s take a closer look at this and what current software developers can do to stay on top of things.

Will AI Replace Tech Programmers?

While AI has come a long way, it’s unlikely to completely kick human programmers to the curb in the next five years. Programming isn’t just about writing lines of code; it’s about problem-solving, creativity, and understanding complex stuff. Sure, AI can help with some tasks like writing code and spotting bugs, but it’s not quite ready to take over the whole show.

What Should Software Developers Do to Get Ready?

  1. Make Friends with AI: Instead of worrying about AI stealing their thunder, software developers can see it as a buddy that helps them work better. Learning how to use AI tools can speed things up and free up time for more interesting tasks.
  2. Brush Up on People Skills: Tech skills are important, but so are people skills like teamwork and communication. These are things AI can’t do, so they’re worth polishing up on.
  3. Keep Up with the Times: The tech world moves fast, with new stuff popping up all the time. Software developers should stay in the loop with what’s hot and keep learning to stay sharp.
  4. Find Your Niche: While AI can do a lot, there will always be a need for experts in certain areas. By specializing in something you’re passionate about, you’ll stay valuable.
  5. Keep Learning: The best way to stay ahead of the game is to keep learning. Whether it’s taking a course or picking up a new skill, staying curious will pay off in the long run.

In a Nutshell

AI might be getting smarter, but it’s not about to push tech programmers out of a job just yet. By teaming up with AI, sharpening people skills, staying up-to-date, finding a niche, and never stopping learning, software developers can keep on thriving in the ever-changing world of tech. For the time being, I tend to think of AI as a friend that can help you get your job done better and faster.

This image has an empty alt attribute; its file name is image-8.png

This article aims to advise software developers navigating AI and programming. While the future is uncertain, staying adaptable and open to learning will always be key.

Unlocking Two-Factor Authentication (2FA): A Simple Guide

In online security, protecting your digital identity is crucial. Two-Factor Authentication (2FA) is a powerful tool for keeping your accounts safe from unauthorized access. This posting breaks down 2FA, looking at its methods, benefits, and potential drawbacks.

Understanding Two-Factor Authentication

This image has an empty alt attribute; its file name is user-2fa.png

2FA adds an extra layer of security to the traditional username-password setup. Instead of just using a password, 2FA requires another way to confirm your identity, like using your phone or a fingerprint. By requiring two different methods to log in, 2FA makes it harder for hackers to get into your accounts, even if they know your password.

Exploring 2FA Methods

  1. SMS Authentication:
    • Pros: Easy to use, as it sends a code to your phone.
    • Cons: Vulnerable to attacks where someone else takes control of your phone number.
  2. Time-Based One-Time Passwords (TOTP):
    • Pros: Adds an extra layer of security by generating a unique code that changes over time.
    • Cons: Relies on having a device with the right software to generate the codes.
  3. Push Notifications:
    • Pros: Convenient, as it sends a notification to your device for approval.
    • Cons: Prone to phishing attacks, where someone tricks you into approving access.
  4. Biometric Authentication:
    • Pros: Convenient and secure, using things like your fingerprint or face to confirm your identity.
    • Cons: Can be risky if someone steals or copies your biometric data.
  5. Hardware Tokens:
    • Pros: Provides offline authentication, reducing the need for an internet connection.
    • Cons: Can be expensive and challenging to manage.

Choosing the Right 2FA Method

The best method for you depends on your preferences and security needs. While SMS authentication is straightforward, more security-conscious users might prefer methods like TOTP or biometric authentication.

Best Practices for Implementing 2FA

  • Educate yourself and others about the importance of 2FA.
  • Use 2FA on all your accounts whenever possible.
  • Keep your 2FA settings up to date and review them regularly.
  • Be cautious of phishing attempts and always verify requests for authentication.

In Conclusion

Two-Factor Authentication is essential for helping you protect your online accounts from unauthorized access. By understanding the different methods and following best practices, you can enhance your digital security and keep your information safe.

Stay vigilant, stay secure, and make the most of 2FA to protect your digital identity.

—–

Please read our site disclaimer.

Protect Your Online Security: The Risks of Reusing Passwords and Weak Passwords, Plus Top Password Manager Recommendations

In today’s digital world, keeping your online accounts secure is essential to safeguarding your personal information and digital identity. With over 1 Billion records exposed in various breaches, doing everything you can to keep your information as private as possible is critical.

Let’s try to avoid getting hacked!

However, there are common pitfalls that put individuals at risk: using the same password for multiple accounts and using weak passwords.

Let’s explore the dangers of these pitfalls:

(1) Using a Single Password for All Accounts:

Heightened Risk of Account Compromise: Reusing the same password across multiple accounts increases the chances of a security breach. If one account is compromised, hackers can access all other accounts using the same password, leading to potential identity theft or financial loss.

Vulnerability to Credential Stuffing: Cybercriminals exploit password reuse through credential stuffing attacks. Once they obtain login credentials from one breached account, they attempt to use the same credentials on other websites, exploiting the practice of password reuse.

Limited Protection Against Data Breaches: Data breaches are common, and passwords leaked from one breach can be used to access other accounts if the same password is reused. Using unique passwords for each account is crucial to minimizing the impact of data breaches.

(2) Using Weak Passwords:

Prone to Guessing: Weak passwords, like “password123” or common dictionary words, are easily guessed by attackers using automated tools. These passwords offer minimal protection against brute-force attacks. Try doing a search for the last year’s top worst 200 passwords. Sadly, this list is nearly identical from year to year! If you have a password that is similar to any of these, you really do not have a password at all.

Some examples of commonly used weak (non-) passwords that have been problematic for years due to their lack of complexity and susceptibility to being guessed or cracked easily:

  • 123456
  • password
  • qwerty
  • abc123
  • iloveyou
  • admin
  • welcome
  • letmein
  • 123456789
  • football
  • Password1

Susceptible to Dictionary Attacks: Attackers can use dictionaries of commonly used passwords or words found in literature, movies, or online forums to guess weak passwords. With readily available information online, it’s relatively simple for attackers to crack weak passwords.

Easy Targets for Phishing: Weak passwords often contain easily memorable phrases or personal information, making users more susceptible to phishing attacks. Attackers can exploit this information to trick individuals into divulging their login credentials.

To mitigate these risks, it’s crucial to practice good password hygiene and use a reliable password manager.

Below are two highly recommended password managers from reviews online.

1Password: 1Password is praised for its simplicity and robust encryption. It provides secure password storage, item organization, and integrates well with various platforms and browsers. Additional features include secure password sharing and a travel mode for enhanced protection.

Bitwarden: Emphasizing privacy and open-source software, Bitwarden offers end-to-end encryption and supports two-factor authentication. It’s highly customizable, allowing users to self-host their password vaults for maximum control over their data. Bitwarden also offers a free version which may be more than enough for most users.

The general consensus is to create a unique strong password (as long as a site allows) that you cannot remember (an indication of its strength) for every site you visit or for account you have.

By prioritizing password security and leveraging reputable password manager solutions like LastPass, 1Password, or Bitwarden, you can enhance your online security and protect your digital identity more effectively.

Things not discussed in this posting

After having written the posting above, Passwords may be (finally) on their way out! There have been so many strategies over the years to help people have and use safer passwords for basic password security.

Unfortunately, when the average user might have well over 100 sites or log-ins for which they need to manage passwords, without a Password Manager password reuse and weak passwords are common problems. Technologies like Passkeys may eventually replace passwords entirely.

Tom’s Guide Article on Passkeys

Today, there are sites that, even if you use a very strong password, they still force you to change the password on their site every so many months. Using current technology, using a strong password could take a hacker, using brute force methods, more years to crack then there are stars in the universe. (See our other posting on this calculation. )

Additionally, there are sites that still limit you to, say, 20 password characters or further restrict what characters you can enter. All these restrictions are ridiculous and point to no standards or oversight.

The bottom line, unfortunately, is we have no idea how a site handles our password. Is it hashed? Is it stored in clear text?

Using 2FA was also not discussed here as there are several 2FA types deserving their own posting. Each of these 2FA types has their own advantages and (security) disadvantages. In general, however, 2FA is a good idea for any site you can use it with, but be sure you understand the limitations and possible security implications (SMS 2FA vs hardware key, for example).

Stay tuned for further postings on these topics!

(Try to) Encrypt Your Important Emails!

Introduction

Many people still seem to think that sending an email is secure—that only they and the person receiving the email can read it. However, nothing could be further from the truth. Without you doing something on purpose, sending email (and any attachments) has the same security as sending a postcard in the US mail. Almost anyone with server access could read it.

From its humble beginnings, Email (sadly, like many current technical products still to this day), now in use for over 50 years, was never developed with security in mind. Email’s main goal was to allow people to send messages, where before email such communication was next to impossible. Although Email is ubiquitous today, what gets sent via email is much different, and often much more personal, than in the past.

Email’s missing security should concern you, since most people who ask you to email some document have no idea that possibly sensitive information you’re sending could bounce around the Internet unprotected from prying eyes. That email could be stored on multiple servers en route, read by any administrator, etc., before finally making it to the destination (think: doctor, lawyer, bank, and other non-technical people who may innocently ask you to email something extremely private). Unless you do something on purpose to safeguard your email, or you know you’re using an encrypted email service, your email is sent in plain text that’s easy to read. 


So, what to do?

Use a Third-Party Email Service to Encrypt Your Emails

One solution would be to use a service like ProtonMail, which encrypts emails and keeps emails encrypted on ProtonMail’s email servers. If both the email recipient and email sender have ProtonMail accounts, your emails are are always encrypted. The shortcoming with this approach is that, however trusted ProtonMail may be, they have the “keys” to your emails. So, in theory, however unlikely, they could read your email. Although it’s still much better to have encryption from a third-party like ProtonMail over none at all, letting another company control the keys to your email has the same inherent risk with any third-party email company you pick.

Set Up Your Own Encryption

A more secure solution is to set up your own encrypted emails. Most popular email clients like Thunderbird, PostBox, MacMail, and even Outlook (on the PC only, currently) support PGP either directly (Thunderbird) or using a plug-in. Plug-ins are either free (Thunderbird, PostBox) or inexpensive (MacMail and Outlook). Check with your current email client to see how (and if) it supports PGP.

PGP (“Pretty Good Privacy”) is an email encryption method in which you generate a public key and a private key for each email account you want to secure (Note: you can use PGP outside of email, too). You never need to share a password. You then share your public key, as described below, so that others can send you encrypted emails.

To set up encrypted emails, you start by creating a “keyring”. For each email account you have, you create a “key pair”. A key pair has a public key and a private key. The keyring is a software construct (a file on your computer) in which you store your public and private keys (you NEVER share your private key with anyone) and public keys you have imported for other people. The key manager software creates public and private keys for each email address. If your email program supports PGP, it should automatically work with a key manager. Then, once you’ve created the keys in the key manager, you can use them to send encrypted emails.
Normally, all you need to do is enter the email address in the “TO” line of an email and click “encrypt” (or similar, depending on the email program) and the email program will find the public key (in your keyring) of the person you are emailing and encrypt the email automatically when you send it.
Since many emails don’t need to be encrypted, encrypting an email is always optional. You decide which emails to encrypt and which not to encrypt.

Sharing Your Public Key and How to Send Encrypted Emails Back and Forth

To understand what’s really going on, here’s the flow: for person A to send an encrypted email to person B, person A has to first import person B’s “public” key into his keyring (you NEVER share your private key). Then, person A creates an email and encrypts the email to person B using Person B’s public key. Finally, person A sends the encrypted email to person B. When person B receives the encrypted email from person A, person B’s email program uses his private key (again, from the keyring) to decrypt and display the message person A sent him using person B’s public key).
Key point: The private key undoes the encryption the public key creates.
Note that many email programs will automatically know when you enter the email address, in this case for person B, that there is a public key available for person B and fill it in for you.
Similarly, for person B to reply to person A, person B would also have imported Person A’s public key.
Unless a key has an expiration date (an option when setting up the key-pair), you only need to import a person’s public key once.
Also, it’s perfectly acceptable to ask for someone’s public key to send a secure (encrypted) email.
There are also online public key repositories where some people store their public keys. You can also store your public key on your website. It’s public. A key benefit with PGP is there is no password sharing needed.

Limitations

The challenge with the encrypted email is that both email sender and receiver must be sharing their public keys. Therefore, to send/receive encrypted email with someone, you must have already set up PGP (creating your public and private keys for your email accounts and importing any public keys from people to whom you wish to send email). You can’t simply send an encrypted email using PGP to someone who has not shared their public key with you.
Another issue is that if you ask many people for their public key, they won’t have any idea what you’re asking them. You can try to explain what you are trying to do to secure your email, but you might only hear silence.
In cases where people have no idea what PGP encryption is, as mentioned above, you could try to use ProtonMail or a similar service. Using a third party company is still better than sending a totally insecure email. However, it may again be the case where the recipient does not use a third-party email encryption solution.
Another even less desirable option would be to send a password-encrypted zip file or similar. However, note that sending anything “password-protected” means you must share the password, which is the inherent problem PGP solves. With PGP, you freely share your public key. If you send a password using some other non-PGP method, then you must share that password. This old-style password approach is not secure since the password could be intercepted making your email readable again. Or, to share the password, maybe you call the person on the phone to say what the password is. Your (cell, VOIP, …) phone could be intercepted, too.
So, if all else fails, see if the recipient (the person who is asking you to send sensitive information in unprotected email) has a “portal” (a secure website you could log into) backed by HTTPS and then securely upload any documents.
The good news is that finding people who understand and use encryption is not as difficult as you might think and securing your personal and business data are well worth the effort.

Conclusion

Setting up secure email is often important for individuals and for businesses. Ask yourself if “this email” you’re about to send would be OK to print on a US postcard and drop in the US Mail in plain unprotected text. If you answer “no”, then you need to do something “on purpose” — like setting up encrypted email. There are plenty of “how-to” guides online that walk you through setting up PGP email (aka, GPG) for various email clients.
The workflow described above may sound complicated, but once you get PGP set up, and understand how it works, using it is simple and unobtrusive.
With any of these approaches above—even PGP, there is no guarantee what the recipient will do with your data once he decrypts your email and has your original, unencrypted, document(s). Thus, there is always the decision whether something should be emailed (sent) … at all.

This image has an empty alt attribute; its file name is image.png

Finally, with higher and higher Q-bit computing, we will probably soon need quantum-safe encrypted email. More on this topic in a future article.

Enjoy!

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Please read our disclaimer available from our home page.

Understanding Exponential Growth

If your city is growing at 5% per year, is this a good thing? What will the size of the city be in 10 years? Is that a linear or exponential growth?  If your checking account has a 10% interest rate, how long until you double your money? All good questions.

It’s been said that no layperson understands exponential growth and unfortunately, if that’s true, then neither do the media or popular TV shows. Try to explain exponential growth to someone and you may be greeted by a blank stare. Why does any of this matter?

First things first…

What is an exponential function?

An initial explanation might be that exponential growth is when something is growing at a very fast (non-linear) rate though possibly not noticeable initially. In normal everyday life we tend to think of things linearly getting faster, slower, bigger or smaller, but at a constant rate.  Exponential growth is different. It is not linear as it gets very large, or quick, at some point, and that point is sooner than you might think.

In high school, most students learned about functions like 2^x (or, “2 to the x”: 2 raised to the power of  x). Here, we have an exponential function since the variable is in the exponent itself. Having a variable that increases while in the exponent is the basis of what an exponential function is. Of course, things can, and usually do, get more complicated, but understanding the variable in the exponent is a the first step.

Graph — Look at the data vs. the graph below to see how the graph changes exponentially vs linearly

Note that the linear portion (right side) of the graph has the variable “x” not in the exponent. The linear portion has a line with constant slope.

Why does it matter?

Exponential growth is everywhere. Understanding it is important not only for day to day activities, but to understand how things work. Something that may not seem to matter with a few trials may actually be extremely important once proper analysis is done.

Examples?

Example1: Your bank’s interest rate on your investments.

Simple Interest: Simple interest is when you get, say, 10% per year (or other fixed amount) interest on your account or investment. Not much going on there. With a $100 principal amount, that’s just $10 per year. Easy.  So, if your initial amount, or P, was $100, you would have $10+$10+$10+$10+$10 more in five years. Simple interest, or $100 + $50 = $150. The interest is growing linearly. If you looked at the formula for simple interest, you’d see there is no variable in the exponent.

Compound Interest: Compound interest gets more interesting, since the interest, if compounded yearly (or otherwise), takes into account all the money you’ve earned (including the previous interest) to calculate your future amount. A quick example.

Using the formula:   Balance = P * (1 + r) ^ n, where P is the principal amount, r is the interest rate, and n is the number of compounding periods. Here, exponential growth quickly outpaces simple linear growth. If we start with the same values and assume a 10% interest rate, we would have:

Balance = 100 * (1 + 0.1) ^ 5 = $161.

Not impressed yet? How about after 10 years?

Balance = 100* (1+0.1) ^ 10 = $259.


The side question often comes up as to how long it would take to double your money (dust off your college algebra for this one…)

    M = P (1+i)n

    Say you start with $100 and a 10% interest rate compounded yearly. How long would it take to double your money?
    200 = 100 (1+i)n
    2  =  (1 + 1)n
    or
    log(2) = n log(1.1)
    n = log(2)/log(1.1)

    napprox = 7.28 years.  (to double your money)

With compound interest, the money you earn is growing exponentially, not linearly.

Albert Einstein was supposedly quoted as saying the most powerful force in the universe is compound interest.

—————————

Example 2:

Doubling your money every day for thirty days starting with just one penny.

Say someone offered to give you (A) $500,000 or a (B) penny and double it every day for 30 days. Which would you take A, or B?

If you chose B, you’d be a lot better off since that daily penny doubling goes like this:

Day:            Pennies
———————————————————
1                1
2                2
3                4
4                8
5                16
.
.
.

30              536870912 pennies, or dividing by 100, $5,368,709.12 (over 5 million dollars!)

—————————

Example 3:

Paper Folding until you reach the Sun

Assuming you could physically fold a piece of paper in half over and over, how many folds would it take you to reach the Sun?  We can see that this is as 2^x exponential growth since each fold is doubling the paper thickness. We quickly realize that there is no way we could “physically” fold the paper in half more than a few times, but what if we could, at least theoretically? How many folds would it take to reach the Sun? You might (incorrectly) assume it would take too many folds since folding the paper once, then twice, then three times, doesn’t amount to much. Ah, but that’s the problem with exponential growth: the growth kicks in later.

Here are some possible answers to the question about how many folds, approximately, it would take to reach the Sun (which is closest).

What’s your guess?

A. 50

B. 500

C. 5,000

D. 5,000,000

Guesses?

Well, if you answered A or 50, you’d be right.

Here is the output of a computer program that actually computes this paper folding (you could get the same result manually).

We assumed the thickness of a piece of paper is 0.0001 feet and the distance to the Sun is 491,040,000,000 feet.

Let’s start folding…. (notice that nothing really happens on the first 10 to 12 folds, but then, with exponential growth, it gets interesting)

Let’s calculate this!

Number of Paper Folds so far: 1, distance traveled toward the Sun: 0.0002 feet
Number of Paper Folds so far: 2, distance traveled toward the Sun: 0.0004 feet
Number of Paper Folds so far: 3, distance traveled toward the Sun: 0.0008 feet
Number of Paper Folds so far: 4, distance traveled toward the Sun: 0.0016 feet
Number of Paper Folds so far: 5, distance traveled toward the Sun: 0.0032 feet
Number of Paper Folds so far: 6, distance traveled toward the Sun: 0.0064 feet
Number of Paper Folds so far: 7, distance traveled toward the Sun: 0.0128 feet
Number of Paper Folds so far: 8, distance traveled toward the Sun: 0.0256 feet
Number of Paper Folds so far: 9, distance traveled toward the Sun: 0.0512 feet
Number of Paper Folds so far: 10, distance traveled toward the Sun: 0.1024 feet
Number of Paper Folds so far: 11, distance traveled toward the Sun: 0.2048 feet
Number of Paper Folds so far: 12, distance traveled toward the Sun: 0.4096 feet
Number of Paper Folds so far: 13, distance traveled toward the Sun: 0.8192 feet
Number of Paper Folds so far: 14, distance traveled toward the Sun: 2 feet
Number of Paper Folds so far: 15, distance traveled toward the Sun: 3 feet
Number of Paper Folds so far: 16, distance traveled toward the Sun: 7 feet
Number of Paper Folds so far: 17, distance traveled toward the Sun: 13 feet
Number of Paper Folds so far: 18, distance traveled toward the Sun: 26 feet
Number of Paper Folds so far: 19, distance traveled toward the Sun: 52 feet
Number of Paper Folds so far: 20, distance traveled toward the Sun: 105 feet
Number of Paper Folds so far: 21, distance traveled toward the Sun: 210 feet
Number of Paper Folds so far: 22, distance traveled toward the Sun: 419 feet
Number of Paper Folds so far: 23, distance traveled toward the Sun: 839 feet
Number of Paper Folds so far: 24, distance traveled toward the Sun: 1,678 feet
Number of Paper Folds so far: 25, distance traveled toward the Sun: 3,355 feet
Number of Paper Folds so far: 26, distance traveled toward the Sun: 6,711 feet
Number of Paper Folds so far: 27, distance traveled toward the Sun: 13,422 feet
Number of Paper Folds so far: 28, distance traveled toward the Sun: 26,844 feet
Number of Paper Folds so far: 29, distance traveled toward the Sun: 53,687 feet
Number of Paper Folds so far: 30, distance traveled toward the Sun: 107,374 feet
Number of Paper Folds so far: 31, distance traveled toward the Sun: 214,748 feet
Number of Paper Folds so far: 32, distance traveled toward the Sun: 429,497 feet
Number of Paper Folds so far: 33, distance traveled toward the Sun: 858,993 feet
Number of Paper Folds so far: 34, distance traveled toward the Sun: 1,717,987 feet
Number of Paper Folds so far: 35, distance traveled toward the Sun: 3,435,974 feet
Number of Paper Folds so far: 36, distance traveled toward the Sun: 6,871,948 feet
Number of Paper Folds so far: 37, distance traveled toward the Sun: 13,743,895 feet
Number of Paper Folds so far: 38, distance traveled toward the Sun: 27,487,791 feet
Number of Paper Folds so far: 39, distance traveled toward the Sun: 54,975,581 feet
Number of Paper Folds so far: 40, distance traveled toward the Sun: 109,951,163 feet
Number of Paper Folds so far: 41, distance traveled toward the Sun: 219,902,326 feet
Number of Paper Folds so far: 42, distance traveled toward the Sun: 439,804,651 feet
Number of Paper Folds so far: 43, distance traveled toward the Sun: 879,609,302 feet
Number of Paper Folds so far: 44, distance traveled toward the Sun: 1,759,218,604 feet
Number of Paper Folds so far: 45, distance traveled toward the Sun: 3,518,437,209 feet
Number of Paper Folds so far: 46, distance traveled toward the Sun: 7,036,874,418 feet
Number of Paper Folds so far: 47, distance traveled toward the Sun: 14,073,748,836 feet
Number of Paper Folds so far: 48, distance traveled toward the Sun: 28,147,497,671 feet
Number of Paper Folds so far: 49, distance traveled toward the Sun: 56,294,995,342 feet
Number of Paper Folds so far: 50, distance traveled toward the Sun: 112,589,990,684 feet
Number of Paper Folds so far: 51, distance traveled toward the Sun: 225,179,981,369 feet
Number of Paper Folds so far: 52, distance traveled toward the Sun: 450,359,962,737 feet

Total Number of Paper Folds without going past the sun was: 52

WOW.

Conclusion.

Exponential growth is all around you. We use it in so many things in everyday life we sometimes aren’t aware it’s there.

People say (typically on “the news”) that things are (loosely speaking) “exponentially” bigger worse or whatever. This loose terminology is, unfortunately, slang for “getting really bigger! (or worse, etc.)”. In many of the circumstances where you might hear exponential growth used (again, often, sadly, in the media), the growth is really not exponential.  Note that a^x type function is also geometrically increasing since it’s a constant raised to a power.

We recently blogged another example of how exponential growth works when using a longer and longer key space with an iPhone passcode. With six characters and only numbers we had 6^10 permutations, but with letters and numbers (lower case) we had 6 ^ 32 permutations. Thus, the key space is getting larger exponentially (since the exponent has the number of letters possible) but it’s getting larger linearly with the passcode length itself.

Exponential growth is not difficult to understand and it’s everywhere!

Enjoy!

——–

Please read our disclaimer available from our home page