When it comes to security, the internet can sometimes feel like the wild west. Large commercial sites are routinely hacked and our private data feels like it’s behind a leaky sieve. How secure are we and what can we do?
While some of us fire up Tor just to check email, other folks happily use public coffee shop Wi-Fi to manage their bank account without a care in the world. Where do you draw the line? Here to discuss online privacy and security is Karl Mattson, VP of International at Maxthon. Karl deals with security concerns every day at Maxthon, which has pioneered many areas of secure cloud-based web browsing. Have a question about your privacy and security concerns? Karl will be here for the next hour, so ask away!
The Q&A is now over, but thanks for your great questions!
IAmJared to Andy Orin
What’s the easiest and most consistent way to stay private on the internet?
Karl Mattson to IAmJared
First, one needs to think about levels of privacy. If you want to surf the web completely anonymously, you’ll need to use a network like ‘Tor’ — that essentially covers your tracks — passing your requests through a sticky web of IP addresses. That, plus a ‘belt and suspenders’ approach to password management will keep you very safe. That’s the ultimate, a high standard. Unfortunately there is no easy way — but rather one needs to think of this in terms of using a set of best practices and tools. Password protectors to avoid identity theft. Avoid posting pictures of oneself to public networks. Manage your Facebook and LinkedIn profile settings actively. Reduce or refuse 3rd party cookies. There are many things one can do. Whatever you do — be wary of open WiFi networks.
iamazebra to Andy Orin
How do you draw the line between “keeping your privacy” and “being the product”?
For instance, if you had to sign up for an email service, how would you go about deciding between a service like Gmail or Yahoo mail and a paid service that guarantees your privacy like Hushmail or MyKolab?
Karl Mattson to iamazebra
Making that choice requires taking an end-to-end approach to your privacy. A service like Hushmail or MyKolab is only as secure as its internal data access and management practices are. Meaning, take the time to verify that MyKolab restricts and limits access from employees to the servers it uses. To some degree, when looking at a service like Gmail or Yahoo — there is strength in size. Established publicly-traded companies like them tend to be much more thorough with their practices. But then again, their size also makes them a target of agency-level snooping a la ‘Prism.’
charles lee to Andy Orin
Is it worth having a personal VPN on a home server like LogMeIn Hamachi as well as a paid VPN to protect data until it reaches the paid servers?
Karl Mattson to charles lee
That depends on your willingness to maintain such a system. Personal VPNs are getting easier every day, though. Personally, I do not. Rather, I segregate data locally on separate drives that are NOT wifi-enabled.
USER23 to Andy Orin
Hi Karl – I hear a lot about online identity theft. Where and when am I most vulnerable to this? Are there measures I can take to protect my personal information?
Karl Mattson to USER23
Identity theft is, more often than ever, the combination of both an online and an offline action. For example, ‘Target.’ There the vulnerability was the physical Point of Service registers in the stores. Not much you can do about that. But, when you’re surfing the web you have options that empower your own security. First, recognize that the back door into more people’s operating systems — and their personal data — is usually through web mail viewed via web browser. Make sure the browser itself is secure — that it sandboxes processes and isn’t vulnerable to cross-scripting holes. Then, be smart about clicking on links, images and downloads in email —> EVEN if you believe that email is from a personal friend. And, definitely use a good anti-virus/security application with anti-phishing and malware protection.
velascomike to Andy Orin
What is your opinion on password managers like LastPass? Is it a secure option if used properly (like using two factor authentication)?
Karl Mattson to velascomike
Password managers like LastPass are worth the effort. Just know that you are then collecting and centralizing your passwords. I think two-factor authentication is necessary. I would like to see every website or app that uses even mildly sensitive data to adopt it.
JasonMTracy to Andy Orin
“other folks happily use public coffee shop Wi-Fi to manage their bank account without a care in the world.”
Why wouldn’t I? If I verify the certificate (I do), then what does it matter if I’m on public wifi?
In other words: Don’t trust a hardwired connection to your personal ISP any more than a coffee shop wifi.
Karl Mattson to JasonMTracy
Jason, you raise a good point. If you verify the certificate you can be reasonably sure you’re safe. Someone could still be logging your session — e.g. the MAC address of your machine and every IP address you went to and when. Taken alone you may think that doesn’t leave you very vulnerable. But, now more than ever before, that kind of seemingly useless session data is easily combined with other dis-aggregated data about yourself which allows for increasingly more complex and detailed profiles of who you are: what you do, where you go, how you shop, what you like/dislike. The aggregation of dis-aggregated personal data in the cloud is pretty creepy to me.
Karl Mattson to Karl Mattson
For most, the horse is out of the barn on that privacy issue. All of us have many, many ‘identity breadcrumbs’ on the open web. And a slew of private and governmental agencies are mining it and creating behavioral profiles from it.
Casey to Andy Orin
How can I make my Android phone the most secure? If I download apps certified only by the Play Store, how can I add additional security? Recommendations?
Karl Mattson to Casey
Casey — that is a great question. When you talk to security professionals they’ll all tell you the same thing — Android is GROUND ZERO for identity theft threat. It’s open by design — and that means the bad guys have many holes to exploit. I use whole-device security apps on my Android devices — products like AVG Mobile, for example.
IMHO, privacy and security on the web require personal responsibility and a regimen. In the same way you have to take the time to learn the rules of the road and drive safely, so should you take the time to learn what and where about major web threats and how to protect yourself. Privacy hygiene. You gotta’ practice it…
thinktechdude to Andy Orin
What are your thoughts about the death of Truecrypt? Is it still safe to use?
Karl Mattson to thinktechdude
I use encryption tools but have no illusions about the level of protection they offer. There is the very real unknown of undiscovered backdoors. And, the math behind cracking encrypted information is straightforward. It’s a function of computational power and randomness. Again — there is no magic bullet.
Lolobond to Andy Orin
How can I stop companies from following me? For example I browse something on Newegg and for the following 7 days all I get is Newegg ads, same with Amazon or any store I browse. I know there is Adblock Plus and Edge, but how can I completely stop these companies from getting my browsing information?
Karl Mattson to Lolobond
Use Adblock plus. Use a browser that supports ‘Do Not Track’ (and be sure it is enabled). Then, either don’t allow 3rd party cookies (look in your browser options menus) OR — and pardon the plug — use Maxthon’s browsers. Maxthon web browsers split how we manage 3rd party cookies — preventing the tracking kind from working while allowing the kind that, for example, remember your username, to work. So, you get convenience along with protection.
Andy Orin, Host to Andy Orin
Hi Karl, glad you could be with us today. What do you think’s the most common mistake that average people make that can compromise their online security?
Karl Mattson to Andy Orin
This will sound retro and remedial, but poor password management is the most common (and wholly avoidable) mistake. Before you do anything else re: security, find and use a password management app like ‘LastPass.’ Is it foolproof? No — human error is at play, but they definitely make a difference.
Karl Mattson to Karl Mattson
On a more abstract level, the biggest problems we see in our user mail and focus groups arise from consumers not knowing when the security of one application or device ends and another begins. By that I mean, consumers need to think about online privacy from at least two major areas — what happens on the device and what happens on the open web.
Andy Orin, Host to Andy Orin
I’m sure a lot of people are also paranoid about their ISPs watching their traffic, not to mention some certain government agencies. Do you think normal folks would benefit from VPNs?
Karl Mattson to Andy Orin
VPNs will go a long way, but if the concern is an ISP watching your traffic in an ‘NSA’ Prism-type dynamic, a VPN adds a level of protection but is not a magic bullet. As long as traceroute exists, agencies and governments will be able to extrapolate increasingly more accurate information about where you go online, and can then make pretty accurate inferences from that.
Karl Mattson to Karl Mattson
Everyone needs to do a little personal soul-searching to examine what is *most* important to them regarding privacy. On the web, anonymity is not binary. It’s a matter of degrees — from total anonymity on one end to ‘my life is an open book’ on the other. Each person needs to determine for him or herself where they sit on that scale.
Christina DiRusso to Andy Orin
Having an online presence in some cases is so important for building a career. How does an individual, especially within a job hunting scenario, strike a balance between building a public, online brand and privacy?
Andy Orin, Host to Christina DiRusso
We’ve talked about this a bit before, I think it’s really up to you to decide the line between personal and private—you could have a clean LinkedIn profile and maybe a totally private Facebook page, for example. Twitter is obviously another issue since it can be used for both work and to talk with your friends, but you could always make a separate, private account too.
Karl Mattson to Christina DiRusso
That is an interesting question — and from my experience the correct answer tends to vary along generational lines. The younger the professional, the looser he/she usually is regarding what they believe to be acceptable. For me, I recommend that people hold themselves to the ‘New York Times’ standard. Which is to say, never put anything online that you *wouldn’t* want to see on the front page of the NYT. Online presence is a critical part of one’s professional identity. You have to concede, from the get go, that you are trading a bit of privacy for the benefit that comes from putting your ‘brand’ on the web to your advantage. Yes, I said it. Like it or not, you have to approach from a brand management point of view. As in, ‘I’m the CEO of KarlMattson.com and this is my message. This is how I want to be known.’ Level of detail varies based on profession — certainly. But in general, stick to the professional and leave the personal for your private FB lists.
Bradlee Kuhn to Andy Orin
I know Lifehacker’s viewpoint on this but is it worth paying for internet security software for a normal household (non-business) user?
Karl Mattson to Bradlee Kuhn
I use it on all of my machines. I know it’s not foolproof — but the ways in which the McAfees and AVGs of the world work together to identify and stop new threats — and then share information between them is one of the more admirable examples of companies working together to protect users.
Andy Orin, Host to Bradlee Kuhn
That article is a little out of date, as you probably noticed — our pick for free anti-virus software is Avast. For most people, the paid options are probably not necessary.
LukeMeowingtons to Bradlee Kuhn
Passive scanning anti-virus is almost useless; you really want something that is multiple layers of protection. Most viruses are obfuscated and encrypted via a site that will do multiple passes of tests against all AV vendors’ products until none of them detect it, so you want something that can scan for threats in a variety of different ways.
Karl Mattson to LukeMeowingtons
You’re right, Luke. Though I wouldn’t classify it as ‘almost useless.’ Rather — it’s not bullet proof. Just like in every other corner of the web, the level of sophistication from one virus to the next varies. So, using an AV product to get the low and middle-hanging threats is, in my view, worth doing.
LukeMeowingtons to Karl Mattson
Totally agree! Better something than nothing! I always try to push for Internet Security All-In-One solutions as I feel they are safer.