Receive important news and warnings about security and privacy on the internet!
On this page I give you current news, warnings and tips on the subject of security and privacy on the internet. Only you can look after your own security and privacy, and doing so takes some knowledge, a strategy and constant vigilance.
At the moment we only have news feeds in English. If you would like news in German or Polish, send me the web address and I will try to add it to this page.
(On the PRIVACY POLICY page you will find my recommendations for a comprehensive strategy for protecting your computer.)
DISCLAIMER:
This is the second in a series of four posts about shadow IT, including how and why teams use unapproved apps and devices, and approaches for securely managing it. For a complete overview of the topics discussed in this series, download Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it.
High productivity levels are generally a good thing. For most organizations, the answer to the question, “Is it important for your employees to be productive?” is a resounding “Yes!” However, when employees ask to use a tool or app to boost productivity, companies may want to say “yes”, but often find themselves saying “no”.
What gives? Security concerns. And they’re legit. Companies are in the midst of experiencing a brave new world called hybrid work. Gone are the days of on-premises servers, software, and devices (and employees) that were relatively straightforward to manage and secure.
Now knowledge workers can get things done in coffee shops and their own living rooms. Companies turn to cloud services to support flexible working with “access from anywhere” apps and online collaboration tools, collectively known as software-as-a-service (SaaS).
Employees have become much more likely to select these cloud services and apps (not all company-approved) to get their work done. While hybrid and remote work was slowly starting to become a thing before, the pandemic accelerated it, and here we are.
So the million-dollar question is: If employees want to use their preferred apps and tools to be more productive, how can companies leverage this employee productivity while still protecting themselves from cybersecurity risks?
And what does worker burnout (the opposite of employee productivity) have to do with the IT department’s security strategy for shadow IT?
The first post in this series, What is shadow IT and how do I manage it?, explains what shadow IT is and what it may look like across different company departments.
To recap, here’s a quick definition: Shadow IT refers to the apps and devices that aren’t licensed and managed by a company.
These aren’t obscure apps used for nefarious purposes. Examples of shadow IT can be anything from Google Docs to social media. The issue is that employees may enter company information or client data into them, and if those accounts are protected by weak or reused passwords, a single leaked credential can hand an attacker that data and end in a data breach.
This new hybrid, cloud-based work environment and employee experience requires a shift in companies’ security strategy. There are no walls. Instead, security and IT teams are managing a nebulous perimeter that’s constantly shifting and often spans the globe. In The new perimeter: access management in a hybrid world, we highlight four key considerations for securing the new perimeter of a hybrid workforce:
Productive employees. Burned-out employees. At the opposite ends of the spectrum, yet both contribute to the risks of shadow IT at companies everywhere.
At one end, employees are using shadow IT to help them increase productivity levels or do their jobs better. A Gartner survey shows that we’re using twice the number of apps we did in 2019, and usage continues to grow.
At the other end of the spectrum are employees who are being stretched too thin. And it’s not a few outliers. A 1Password report on burnout revealed that 80% of office workers feel burned out, and one in three workers say burnout is affecting their initiative and motivation levels.
It’s worth noting that this research was conducted during the height of the pandemic, when we’d expect burnout levels to be particularly high – but it’s also worth noting that we haven’t solved burnout since then.
In addition to the obvious physical and mental health effects, worker burnout can present a severe, pervasive, and multifaceted cybersecurity risk. This is because employees who are feeling burned out can be more lax about following security protocols. They also are more likely to use shadow IT. Here are some additional eye-opening findings from the 1Password report:
Why is this so concerning? In addition to the important concerns about human health and employee well-being, burnout and resulting low levels of employee engagement negatively affects adherence to security protocols.
Bottom line? Nobody wins when an employee is burned out. When workers are so tuned out that they’re less likely to follow security rules, and more likely to use weak passwords or fall for phishing scams, it increases cybersecurity risks.
Adding complexity to the challenges of securing the new perimeter, it turns out (surprise!) that IT/security professionals aren’t superhuman. The 1Password report shows that they’re experiencing burnout in even greater numbers than the general employee population (84% vs. 80%).
While 89% of security professionals say they favor security over convenience, they also admit that they take shortcuts. For example, they use shadow IT (29%) or work around company policies to solve their own IT problems themselves (37%) or because they don’t like the company-approved software (15%).
Even more worrying, security professionals are twice as likely as other workers to say that due to burnout, they’re “completely checked out” and “doing the bare minimum at work” (10% vs. 5%).
That’s not good news, especially if a company has a reactive approach to managing shadow IT that depends on the vigilance of team members and their ability to quickly respond to problems.
As security professionals know, prevention is more effective than reacting after the fact. Taking a proactive approach to managing shadow IT – securely enabling it – is the only viable path forward.
It starts with understanding employee productivity, workflows, and potential security vulnerabilities in every department. The next step is securing the “path of least resistance” for all employees at the individual level so they can use the apps and tools they need to boost productivity.
The good news is, by securing credential sharing and standardizing how access to tools happens, you also protect your organization against lax security practices and behaviors.
Next, we’ll explore how to identify shadow IT, what it may be used for (such as project management, social media, productivity tools, and file sharing), and common vulnerabilities for different departments, including Finance, HR, Engineering, and Marketing.
To learn more, follow this series on the 1Password blog exploring shadow IT over the next few weeks or download the ebook: Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it.
1Password’s Go-to-Market (GTM) team is critical to achieving our mission of helping businesses, families, and individuals protect their passwords and other private information.
GTM helps our company understand the real-life problems that businesses are facing and how 1Password is best equipped to solve them. It’s a fast-growing team and we’re delighted that women like Jess Plowman, Senior Sales Development Representative, and Tiphanie Futu, Sales Enablement Manager, are playing such an integral role in its success.
Curious what it’s like to work in the GTM team at 1Password? Read on to learn about Jess and Tiphanie’s professional journeys, as well as their current role and day-to-day responsibilities.
Why did you join 1Password, and how did you end up here?
Back in 2022, I was made redundant from my previous role working as a sales development representative (SDR). I shared my experience on LinkedIn and 1Password reached out to see if I would be interested in applying.
After doing my research, learning about the company’s values and meeting the team, I decided it would be the perfect next step to develop my career. And I’ve never looked back.
What do you enjoy most about your role?
The highlights of my role involve speaking to a diverse range of people on a daily basis, learning about their needs for a password manager and how best I can assist them.
1Password’s culture focuses on development and progression, so I love helping with the onboarding process and watching my colleagues progress in the company and grow their skills. This focus on development and progression also helps me in my personal growth!
If you were interviewing for a role on your team at 1Password, what are your best words of advice?
First of all, I would 100% recommend it! We’re a friendly and welcoming team! The SDR role is a great way to get started in the cybersecurity industry, learn about sales and develop an in-depth knowledge of the product.
Remember to be yourself, be open to learning and ask lots of questions. The role is remote but you’ll never feel alone!
How would you describe your team in three words?
Supportive, hard working and fun!
Why did you join 1Password, and how did you end up here?
In 2022, I was impacted by a round of layoffs like many other people who work in tech. At that time, the company I had been working for helped us and shared our profiles on LinkedIn.
The Director of Business Development at 1Password then reached out to me to see if I’d be interested in joining her team. The business development representative (BDR) team at 1Password was just forming and I loved the idea of participating in its conception.
What’s your current role, and what are your day-to-day responsibilities?
I currently work as a Sales Enablement Manager for the BDRs, SDRs and BDR growth. My role is to provide those teams with the tools, resources, training, and processes they need to effectively do their job.
My day-to-day responsibilities include onboarding new reps, creating and sharing content for the team to leverage, and meeting with sales leaders to identify underlying issues or challenges, and craft effective solutions to address them.
You’ve transitioned roles at 1Password. What was that journey like?
Transitioning roles at 1Password was a rewarding journey marked by support and encouragement from my colleagues and leadership team. I had been with the company for over a year and was eager to explore new opportunities for professional growth.
When I noticed an opening on the enablement team, I started a conversation with my manager, Brandon, who was incredibly supportive from the outset. The leadership team’s support throughout the application process was truly encouraging. Their guidance and mentorship helped me navigate the transition smoothly.
What do you enjoy most about your role?
I enjoy the opportunity to collaborate with various teams and gain insights into their unique perspectives. Working in this way allows me to understand their specific challenges and needs, enabling me to tailor my support to suit their needs better. This collaborative approach not only fosters stronger relationships across the organization but also allows me to continuously learn and grow professionally.
Who was an influential woman that made an impact on your career to date?
So many women have had an impact on my career. My cousin, Endji, who is about to become a doctor, and my little sister who created her own business, are the best examples of resilience and perseverance. My last manager, Diana, who is always sharing career guidance and advice, and all my friends who constantly encourage me in everything that I do.
Editor’s note: These interviews have been lightly edited for clarity and brevity.
Browse our current job openings to see if there’s an opportunity that matches your career goals.
This is the first in a series of four posts about shadow IT, including how and why teams use unapproved apps and devices, and approaches for securely managing it.
Whether or not you’re familiar with shadow IT, know this: it’s everywhere. Fighting it is like playing a game of whac-a-mole: Try to eliminate it and it will pop up again elsewhere.
So what’s IT and Security to do? A more realistic approach is to enable and secure it, so you can leverage the benefits of shadow IT without the security vulnerabilities it brings with it. Read on to find out how.
For a complete overview of the topics discussed in this series, download Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it.
In this series, we’ll cover:
Traditionally, employees used the software applications provided and licensed by their company to do their work. IT and security teams were effective gatekeepers, securing and managing access with identity and access management (IAM) tools like single sign-on (SSO).
Today, there’s an app for… everything. Grammar checking apps. Language translation apps. And a whole new, emerging category of AI apps. The choices are many and they are compelling. In fact, in 2021, 1Password research revealed that more than 60% of respondents said they had created at least one account their IT department didn’t know about.
That’s shadow IT: any technology (usually a personal device or a cloud service) employees are using without the Security or IT department managing it – and sometimes not even knowing about it. You may think there’s not much shadow IT at your organization, but the reality is that it’s there, and you’ll find it across any number of teams. If Microsoft Word isn’t managed by IT, it’s shadow IT. Same if workers are using Google Docs for collaboration, or Dropbox for file sharing, or any other cloud service.
While employees adopting “unofficial” websites or apps may seem like no big deal to some, IT and security teams know that entering company information or client data into these websites and apps puts that data outside the controls IT has in place, and can end in a data breach.
Why do employees use shadow IT? Why are they making security and IT’s job more difficult? First, most employees probably don’t realize the impact their actions have on security and IT.
Second, there are benefits to shadow IT. Use of shadow IT is not malicious. It’s about productivity, innovation, meeting deadlines, and doing good work. When the work pressure is high, employees look for tools to help. When someone’s on a tight deadline, security risk is often the last thing on their mind – especially if they’re feeling stressed or burned out (we’ll touch more on the security challenges of worker burnout in the next post).
So people will simply turn to the tools that help them get the job done.
What does shadow IT look like in the wild? There are countless examples of shadow IT, and use varies by team and role.
For instance, finance teams need to quickly share data with external partners like auditors, board members, or investors. HR teams commonly use external platforms for recruiting and hiring. And the marketing department wants apps to streamline tasks like customer relationship management (CRM), project management, and collaboration with external partners.
If there are no apps in the suite of company-managed tools with the functionality they’re looking for, workers will solve those inefficiencies themselves with shadow IT.
Survey says: Nearly three-quarters of North American companies have deployed single sign-on (SSO) tools. But despite that adoption, 30% of applications used by employees are not managed by the company.
Why? In addition to the plethora of apps at their disposal, hybrid work environments enable employees to split time between home and office. Some remote-first companies no longer even have office space, making bring-your-own-device (BYOD) even more common.
And when working from home, employees may be more relaxed about security risks, opting for the convenience of personal devices such as laptops or smartphones when accessing work emails and documents. One survey shows that 55% of employees say they use personally owned smartphones or laptops for their work at least some of the time.
Just like they find apps for personal use, many employees do the same when it comes to work – creating accounts for apps without going through IT, either because they aren’t thinking about security measures, or because they just want to get something done.
The uptick in app usage is huge: a Gartner survey shows that the average employee uses 2x more SaaS applications today than they did in 2019.
While single sign-on (SSO) tools are an important first step for securing access to enterprise tools, they fall short when it comes to managing shadow IT.
SSO can only secure access to apps the company or IT department knows about and has integrated. Shadow IT, by definition, sits outside that inventory, so it is a blind spot: a gap in the company’s identity and access management strategy that no SSO policy reaches.
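As an added example, not code from the original post or from any 1Password product: the script below works out that blind spot from data most companies already have. It takes a constructed SSO app inventory, a constructed table mapping SaaS hostnames to apps (in practice a CASB or proxy category feed would supply this), and a few constructed proxy log lines, then reports every app employees are reaching that is outside SSO and what share of the observed apps that is. All names, hosts and log entries are invented for illustration.

```python
"""Finding the SSO blind spot from proxy logs.

Added example, not 1Password's code or product logic. The log lines, the
SaaS host table and the SSO inventory are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed: the apps IT has put behind SSO.
SSO_MANAGED = {"google workspace", "slack", "salesforce"}

# Constructed: how to recognise a SaaS app from the host an employee talks to.
# A real deployment would key this off a CASB or proxy category feed.
SAAS_HOSTS = {
    "docs.google.com": "google workspace",
    "drive.google.com": "google workspace",
    "app.slack.com": "slack",
    "login.salesforce.com": "salesforce",
    "www.dropbox.com": "dropbox",
    "app.asana.com": "asana",
    "chat.openai.com": "chatgpt",
    "www.canva.com": "canva",
}

# Constructed proxy log lines: timestamp user host path
SAMPLE_LOG = """\
2024-03-04T09:01:12Z alice@example.com docs.google.com /document/d/abc
2024-03-04T09:03:40Z bob@example.com www.dropbox.com /home
2024-03-04T09:04:02Z bob@example.com www.dropbox.com /upload
2024-03-04T09:10:55Z carol@example.com app.asana.com /0/projects
2024-03-04T09:12:13Z alice@example.com chat.openai.com /c/123
2024-03-04T09:15:00Z dave@example.com login.salesforce.com /
2024-03-04T09:16:30Z dave@example.com www.canva.com /design/new
2024-03-04T09:20:11Z erin@example.com app.slack.com /client
2024-03-04T09:22:45Z erin@example.com example-cdn.net /static/app.js
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<path>\S+)$")


def parse_log(text):
    """Yield (user, host) pairs; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("user"), m.group("host").lower()


def app_users(text, saas_hosts=SAAS_HOSTS):
    """Map each recognised SaaS app to the set of users seen talking to it."""
    users = defaultdict(set)
    for user, host in parse_log(text):
        app = saas_hosts.get(host)
        if app:  # unknown hosts (CDNs, internal services) are ignored
            users[app].add(user)
    return dict(users)


def sso_blind_spot(text, managed=SSO_MANAGED, saas_hosts=SAAS_HOSTS):
    """Return (unmanaged_apps, share_unmanaged).

    unmanaged_apps maps app -> sorted users for every app seen in the log
    that is not in the SSO inventory: the part SSO cannot see or secure.
    share_unmanaged is the fraction of observed apps that are unmanaged.
    """
    seen = app_users(text, saas_hosts)
    unmanaged = {app: sorted(u) for app, u in seen.items() if app not in managed}
    share = len(unmanaged) / len(seen) if seen else 0.0
    return unmanaged, share


if __name__ == "__main__":
    gaps, share = sso_blind_spot(SAMPLE_LOG)
    print(f"{share:.0%} of observed apps are outside SSO")
    for app, users in sorted(gaps.items()):
        print(f"  {app}: {', '.join(users)}")
```

On the constructed log, seven apps are observed and four of them (Asana, Canva, ChatGPT, Dropbox) sit outside SSO, so the script reports a 57% blind spot together with the users who created those accounts. The same loop over real proxy or DNS logs gives an inventory of unmanaged apps to bring under management, and a per-user list for the password-hygiene conversation the rest of this post is about.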
There’s also a cost factor: it can be expensive for tools to be integrated and managed by an SSO vendor, with some software-as-a-service (SaaS) apps charging extra to be put behind SSO – a cost known as the SSO tax.
If SSO tools aren’t sufficient for managing security risks of shadow IT, what should companies do? Fight it? Try to stop shadow IT use? That’s unrealistic and unsustainable. The only viable path forward is to embrace it.
When nearly a third of applications used by employees aren’t being managed by their companies, it’s time to pause and figure out a better path forward.
You can’t realistically eliminate shadow IT. Therefore, the challenge is to enable and secure it so teams can access the tools they want to use, but in a secure way.
This can be achieved by making sure that each employee – on every team and across different data access points – has comprehensive protection. Approaching the issue at the individual level is important because shadow IT looks different for different roles and departments.
Where do you start? Secure credential sharing and standardize how access to tools is granted, so that access is visible and can be controlled in one place.
For example, for the finance team, access to things like bank accounts needs to be locked down – and they need secure methods for file sharing. For marketing teams that use and test apps like social media and messaging platforms, it’s critical to make sure only approved team members have the appropriate access to social profiles.
Applying the principle of least privilege (PoLP) can also help. That means making sure that employees have the minimum amount of access they need to do their jobs. For example, HR probably doesn’t need access to marketing analytics or campaign spend details.
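One way to make least privilege measurable, as an added example that is not part of the original post or of any 1Password product: compare what each role is granted with what its members have actually exercised, using an audit log, and flag both grants nobody uses (candidates for revocation) and uses nobody granted (policy bypasses or logging gaps). The roles, grants, users and audit entries below are constructed; a real review would pull grants from the identity provider or password manager and usage from its audit log.

```python
"""Least-privilege review: granted versus actually used permissions.

Added example, not 1Password's code. Roles, grants, users and the audit log
are constructed; a real review would read them from the IdP/EPM audit trail.
"""
from collections import defaultdict

# Constructed role -> permission grants, as the IdP or EPM would hold them.
ROLE_GRANTS = {
    "hr":        {"hris:read", "hris:write", "marketing:analytics:read", "bank:read"},
    "marketing": {"marketing:analytics:read", "marketing:spend:read", "social:post"},
    "finance":   {"bank:read", "bank:transfer", "marketing:spend:read"},
}

# Constructed user -> role assignment.
USER_ROLES = {
    "hana@example.com": "hr",
    "mark@example.com": "marketing",
    "fay@example.com": "finance",
    "fred@example.com": "finance",
}

# Constructed audit log of permissions actually exercised: (user, permission, date).
AUDIT_LOG = [
    ("hana@example.com", "hris:read", "2024-02-01"),
    ("hana@example.com", "hris:write", "2024-02-15"),
    ("mark@example.com", "marketing:analytics:read", "2024-02-03"),
    ("mark@example.com", "social:post", "2024-02-20"),
    ("fay@example.com", "bank:read", "2024-02-05"),
    ("fay@example.com", "bank:transfer", "2024-02-06"),
    ("fred@example.com", "bank:read", "2024-02-07"),
    # Constructed bypass: HR exercising a permission its role never granted.
    ("hana@example.com", "bank:transfer", "2024-02-21"),
]


def is_allowed(user, permission, user_roles=USER_ROLES, role_grants=ROLE_GRANTS):
    """Deny by default: a user holds a permission only through an assigned role."""
    role = user_roles.get(user)
    return role is not None and permission in role_grants.get(role, set())


def unused_grants(audit_log, user_roles=USER_ROLES, role_grants=ROLE_GRANTS):
    """Per role, permissions granted but never exercised by anyone in that role.

    These are the first candidates to revoke: the role carries them, and the
    audit trail shows the business does not need them.
    """
    used = defaultdict(set)
    for user, perm, _ in audit_log:
        role = user_roles.get(user)
        if role:
            used[role].add(perm)
    return {role: sorted(granted - used[role]) for role, granted in role_grants.items()}


def unexpected_use(audit_log, user_roles=USER_ROLES, role_grants=ROLE_GRANTS):
    """Audit entries with no matching grant: a policy bypass or a gap in the data."""
    return [(u, p) for u, p, _ in audit_log
            if not is_allowed(u, p, user_roles, role_grants)]


if __name__ == "__main__":
    for role, perms in unused_grants(AUDIT_LOG).items():
        print(f"{role}: granted but unused -> {perms}")
    for user, perm in unexpected_use(AUDIT_LOG):
        print(f"investigate: {user} used {perm} without a grant")
```

On the constructed data the review flags exactly the case the paragraph gives: HR holds marketing:analytics:read (and bank:read) without ever using them, marketing and finance each carry one grant nobody exercises, and one HR user performed a bank transfer no role allows. The first list drives revocations; the second is an incident to look into before any access is changed.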
It’s up to IT and security to figure out how to secure and enable these systems. 1Password can help. 1Password is an enterprise password manager (EPM) that gives teams a centralized place to use, access, and share critical company credentials with role-based access controls, and helps employees adhere to your security policies. EPMs can help you make the easy way to work the secure way to work.
Shadow IT is here to stay. It will likely continue growing, especially as new cloud services like generative AI garner wider use. And as it does, if left unchecked, it can increase your company’s attack surface, expose sensitive data (sometimes inadvertently), and increase the risk of a data breach.
In other words, no cybersecurity plan is complete without addressing shadow IT.
In the coming weeks, we’ll explore shadow IT in more depth here on the 1Password blog, including how to do more with limited IT resources. In the meantime, you can learn how to manage shadow IT, shore up your data security, and protect your company against cyberattacks by downloading Managing the unmanageable: How shadow IT exists across every team – and how to wrangle it.
When daydreaming about the future, it’s fun to imagine faraway, fantastic, and possibly impossible scenarios. Moving sidewalks. Personal jetpacks. Unconfusing TV remotes.
But to make the world a better place, we need to balance small improvements with audacious moonshots. As science fiction novelist William Gibson famously put it: “The future is already here — it’s just not evenly distributed yet.”
A good illustration of that quote can be found in Estonia, where citizens have been using digital identification to vote and access public services for over a decade. Estonia is living in the not-too-distant future, waiting for the rest of us to throw away our laminated ID cards.
Delivering these kinds of improvements is easier said than done. The paradox of working at a technology company is that you need to build small but innovative products and features (the future) with tried-and-true approaches (the past). Tight deadlines often discourage experimentation but, in order to stay competitive, it’s important to revisit your processes on a regular basis. In other words, how you build can be as critical as what you build.
The good news, according to William Gibson, is that there are plenty of new ideas out there. You just have to know where to look.
In that spirit, the content design team at 1Password has been trying out an approach called concept-first design.
You might be familiar with content-first design — letting the key pieces of communication (i.e. content) between the system and the user determine the shape and flow of the experience. Concept-first design, meanwhile, is a way to make sure that users won’t find those key pieces of communication confusing. Concept-first design helps simplify complex product ideas earlier in the process. This makes it easier to translate those key ideas into language and UX that users will recognize, understand, and adopt.
That’s a lot to unpack, so the rest of this article will explore concept-first design in theory and practice, the benefits of using it, and how we’re starting to apply it at 1Password.
So what, exactly, is concept-first design? Let’s use Hipmunk, the late, great, travel site, as an example.
Hipmunk wanted to help users pick the best flight based on factors like the number of connections and the airline’s on-time performance. Instead of a convoluted bar graph that put the burden of interpretation on the user, Hipmunk created an Agony index. Which is almost exactly what it sounds like. Finding the right balance of pain and price in order to minimize agony was an easy-to-grasp concept for anyone who’d endured a terrible flight to save some money.
Now, in order to do concept-first design well, you’ll need to start by shifting your perspective.
As Elizabeth McGuane, a UX director at Shopify points out, concept work requires swapping Figma and Adobe Photoshop (at least initially) for design tools like metaphor and narrative. In her recent book Design by Definition, McGuane notes that “every digital product starts out as a problem to be solved. The idea, or concept, is the way we meet that problem – the premise of our solution.”
Instead of immediately pushing pixels around, McGuane challenges product designers to brainstorm a bunch of metaphors by asking:
As McGuane notes, “metaphors bring the abstractions of software closer to life, making interfaces feel real.” If you keep something real and relatable in mind while you’re designing software, there’s a greater chance the user will grasp the final concept and find it intuitive. (As a security company, 1Password has found the padlock to be a particularly useful bit of inspiration).
Starting with the core idea of a feature – the concept – is a way to get everyone in your company on the same page. This, in turn, allows your product and content design teams to work more effectively in parallel. A shared language gives your team a shared understanding of what you’re building and, as a nifty bonus, it makes it easier to name things too.
Speaking of which, McGuane has an entire chapter about naming in her book, which reinforces how important it is to product work. As she points out, endless arguments about product or feature names are usually due to a hazily-defined concept. Naming is hard but tech companies often make it much, much harder by starting with weak or confusing concepts.
That’s why 1Password’s content design team, with help from product marketing, has been working on different ways to improve the name game. This includes team-wide Mad Libs exercises, where we test out potential names and concepts in realistic situations. We’ve also conducted UX research sessions where we ask customers to explain what potential names mean to them.
Without giving away any top-secret information, 1Password plans to expand our offerings in 2024. That’s why, in the spring of last year, senior content designer Chantelle Sukhu and I gave a talk at a product manager meeting about how content design can improve the stuff that 1Password builds and ships.
As our offerings expand, it’s even more important to think carefully about concepts, complexity and clarity. To make sure everyone on the call understood the worst case scenario, Chantelle and I shared an example of concepts gone rogue:
“The Zoom Rooms Controller app provides an ideal way to manage a Zoom Room meeting without having to interact with the in-room Zoom Rooms Controller.”
That’s not an excerpt from an unpublished Dr. Seuss book. It’s actual help content on the Zoom support page. Now, to be fair to Zoom, many other companies find themselves in similar situations when product concepts aren’t thought through and carefully managed. The result of this chaos? The user is forced to learn, understand, and memorize a series of unclear concepts.
We noted during our talk that successful content design is often invisible. But users definitely notice intricate error messages, inconsistent labels, and confusing products that require complex instructions.
Successful content design is often invisible.
Along with helping product managers avoid Zoom doom and gloom, the content design team at 1Password has been working to identify and eliminate unnecessary concepts.
In the same way a product can accumulate technical debt, it can also suffer from conceptual debt. As McGuane notes in her book: “Technology companies are machines for meaning.” And too much meaning is as bad as too little. Making our products and features less confusing demonstrates user empathy and makes it easier for everyone at 1Password to do their best work.
The first step of this digital spring cleaning has involved concept mapping. This is a way to visually capture the key aspects of 1Password and the interconnections between them. Creating a concept map for 1Password has helped us see the bigger picture and made it easier to integrate passkey options and identify improvements for how users sign in to our app. It’s also yet another way to create products that feel more consistent and easier to start using right away.
For all the value they bring, identifying and debating concepts can be tricky.
To make our naming and mapping work more tangible, 1Password content designer Grace O’Neil created ConceptMania: a single elimination tournament bracket for ideas. Working in groups, the goal was to determine the clearest concept in 1Password. The exercise sparked a lot of discussion about what makes winning concepts like “subscriptions” and “tags” easy to understand and communicate to users.
ConceptMania was fun and useful, especially because it reminded the team about mental models: a tool our brain uses to handle complexity. A mental model is a representation of how something works based on our real-world experiences. Since users bring their mental models into 1Password, our concepts need to reflect and build on those mental models.
As usability pioneer Jakob Nielsen famously put it: “People spend most of their time using digital products other than yours. Users’ experiences with those other products set their expectations.”
That’s why, a few months after ConceptMania, our design team published competitive audit guidelines. A competitive audit is a systematic look at direct and indirect competitors. It’s a way for us to spend time with products other than 1Password to better understand common concepts. And by thoroughly exploring the problem space, we can avoid being insular in our thinking and instead rely on concepts that our users are already familiar with.
Concept-first design doesn’t solve every product problem — nor is it meant to. But it’s a fantastic way to make the often invisible work of content design impossible to ignore.
Defining, describing, and solving core product problems with a conceptual framework creates stronger connections and a clear sense of purpose between content designers, UX researchers, and product designers. And concept-first design helps avoid, or at least minimize, tricky debates about naming — which in turn reduces the content design agony index.
And, even more importantly, designing with clear, thoughtful concepts leads to products that are easier for users to grasp and enjoy.
Author’s note: This blog post is based on a talk I gave at 1Password’s 2023 Product and Design offsite.
It’s essential during Women’s History Month to recognize the strides women have made in various fields. However, networking remains one area of career advancement and satisfaction where women often face unique challenges. From battling imposter syndrome to navigating male-dominated spaces, women encounter obstacles that can hinder their networking efforts.
If you’re struggling or unsure how to grow your professional network, fear not! In this blog post, we’ll address common fears and challenges that women often face while networking, and give you some strategies to overcome them. We’ll also explain the importance of shamelessly networking and cultivating meaningful connections.
Networking takes a lot of confidence. It’s natural to feel nervous about introducing yourself to new people and building real, meaningful connections. Here are some specific fears that you might have about networking, and some tried-and-true solutions:
Many women struggle with the feeling that they don’t belong in professional settings, which leads to self-doubt and hesitation in networking. You can combat imposter syndrome by acknowledging your achievements and embracing your unique skills and experiences. (If you haven’t done so already, create a new note on your PC or phone to track your accomplishments!)
Remember, you’ve earned your place at the table.
It’s natural to fear rejection when reaching out to new contacts. However, don’t let the fear of “no” hold you back. View each interaction as an opportunity for growth, and remember that rejection is not a reflection of your worth. The other person simply may not have the time to develop a new professional relationship at the moment.
Keep persevering, and you’ll find the right connections.
If you’re unfamiliar with a specific industry or new to a workplace, it can be intimidating to navigate conversations. You might be thinking: “What happens if I run out of things to say?”
It’s okay not to be an expert and simply asking for advice on a particular topic can be an incredible tool for opening up meaningful conversation.
In industries traditionally dominated by men, women may feel out of place or overlooked. Instead of shrinking into the background, assert yourself confidently. Your voice and perspective are valuable assets, so speak up and make your presence known.
Shameless networking is about being bold and owning the fact that you want to meet new people and find opportunities for professional growth. Embrace the power of networking events, conferences, and online platforms to connect with like-minded individuals. Don’t be afraid to initiate conversations, share your accomplishments, and express your career goals.
Remember to look for ways to offer value to your connections, whether it’s through sharing insights, providing referrals, or offering assistance in their projects. By putting yourself out there unapologetically, you’ll increase the chance of finding valuable opportunities and advancing your career trajectory.
Building a strong professional network isn’t just about collecting business cards or LinkedIn connections – it’s about fostering genuine relationships based on trust and mutual support.
Approaching networking in this way will also increase your overall career satisfaction. How? Genuine connections give you access to more resources, support, and opportunities that enhance your professional life.
Here are some tips for cultivating meaningful connections:
Be authentic: Authenticity breeds trust and rapport. Share your passions, interests, and goals genuinely, and seek connections who align with your values.
Offer value: Networking is a two-way street. Be proactive in offering assistance, advice, and resources to your connections. By adding value to others, you’ll strengthen your relationships and build a reputation as a valuable ally.
Follow up: Don’t let your connections fade into obscurity after the initial encounter. Follow up with personalized messages, schedule coffee meetings or virtual catch-ups, and stay engaged with your network regularly.
As women continue to shatter glass ceilings, networking remains a powerful tool for career advancement, professional success and overall satisfaction. By overcoming common fears and challenges, shamelessly promoting oneself, and cultivating meaningful connections, you can build a robust network that supports your aspirations and helps you thrive in any industry.
This Women’s History Month, let’s celebrate the resilience and tenacity of women in networking and champion each other’s success. Consider reaching out to one new person today, whether that’s in person or on a platform like LinkedIn. It’s guaranteed to make their day!
Together, we can create a more inclusive and supportive professional landscape for generations to come.
Joined by the popular Mac Admins podcast cast, we dive into Apple security and privacy, and how Macs are being integrated into workplaces everywhere. Find out whether an Apple product on its own keeps you secure and safe from viruses, or if you need additional security apps to protect your devices.
Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password chats with Tom Bridge, Marcus Ransom, and Charles Edge – three of the rotating cast of Apple expert hosts and consultants – on the Random but Memorable podcast. To learn more, read the interview highlights below or listen to the full podcast episode.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: A lot of people believe that buying an Apple product or a device keeps them secure and safe from viruses, is that true?
Charles Edge: No. The first viruses – or the first viruses for personal computers, at least – were written for the Mac, so I don’t think it was ever true.
Having said that, I do think Apple makes a lot of privacy and security decisions on our behalf out of the box that make the platform very secure, comparably. That’s not to say I don’t think third-party products have a place. Take 1Password as an example. Keychain’s awesome. 1Password has all these things that make it even better. And the same can be said for endpoint detection and response solutions (EDR).
“Apple makes a lot of privacy and security decisions on our behalf out of the box that make the platform very secure.”
Tom Bridge: I don’t think that there’s a ton of need to go out and invest in EDR like a Carbon Black or a CrowdStrike for your personal individual machine. I don’t think that that’s a great use of money or time.
But there are some common-sense things that you can do to protect yourself. Some of the more consumer-friendly solutions are a good option. But business needs are a little bit different than say, an individual focus.
Marcus Ransom: The other way I like to look at it is, the computer itself is pretty safe. It’s a pretty robust platform. As Charles mentioned, Apple has done an awesome job of building something that has a level of protection and privacy and makes it really hard for third-party threat actors.
But one of the biggest problems is the person using the computer and their behavior. Once again, Apple has done a really awesome job of trying to encourage and promote good behavior, but there are still plenty of things you can get absolutely wrong if you’re not mindful of what you’re doing.
“One of the biggest problems is the person using the computer and their behavior.”
It’s quite amazing to see what sort of paths people attacking Mac users will use compared to the typical Windows virus, which is a whole different kettle of fish.
MF: Apple consistently adds new security features and new privacy features to their products. What has recently come out from Apple that has got you excited as admins or changed the way that you do device management?
CE: Passkeys. We can start there since we’re on a podcast from a company that supports them!
TB: Passkeys and iCloud Keychain. As we pivot into the business for a second, the ability to put those in a managed Apple ID keychain is absolutely right.
Then we go one step further: being able to tie the authentication of your managed Apple ID to an external identity provider that isn’t just Google or Microsoft. That could be a JumpCloud, an Okta, or anybody else along those lines.
That’s a huge step forward for a lot of business organizations in terms of making managed Apple IDs more approachable, more familiar, more comfortable for the average end user. So that they can know: “Hey, look, I don’t have to remember a different password. I don’t have to get out an SMS-capable device to complete authentication.” To be able to do it the same way that I normally authenticate to do any of my other business tasks is so crucial.
I’m really excited to see Apple moving in that direction and supporting that kind of managed Apple ID federation.
CE: Some of these things are not things that users are even asking for. As an example, just last week, Apple introduced post-quantum encryption (PQ3) for iMessage. Now it’s like: “Oh, you don’t even need Signal or one of the other apps in order to have that same level of encryption to protect data, whether it’s at rest or in transit, on that device.”
TB: While the texts I exchange with my friends aren’t something that I’m worried about, the fact that any messages I send are safe from quantum cryptography attacks… that’s a real good feeling. And it wasn’t something that I sought out to ask from Apple, but boy, are they out there looking out for the people that use their platforms in ways that other companies just aren’t.
MR: One of the things that I really love is Apple’s idea of containerization. On your personal device, you can have your work applications, but rather than having a portal that you go into for work or a different account that you sign into, the apps are all there, on your phone. If you use a work app, the company has responsibility for that work and can see what’s going on in there. If you’re using personal apps on the same phone, work can’t see it.
One of the details I really love is that they won’t even know the serial number of your device because that serial number can be used for narrowing down who you are or identifying you. The idea is making things secure for an organization and doing a really good job being able to prevent copy and paste and clipboard between personal and work – but at the same time giving the user privacy.
I remember back to the early days of MDM (mobile device management) when, if a personal device was enrolled in MDM, you were able to see what’s on it, like what apps they had installed on an iPad. From that, you could draw conclusions about a person.
Not having that available any more is really refreshing. We see so many organizations saying, “Oh, we need to be able to geolocate all of our users wherever they are.” Most of these ideas come from a good place. They’re thinking about the value that they can have.
“If a personal device was enrolled in MDM, you were able to see what’s on it. Not having that available any more is really refreshing.”
But then you think about what happens if somebody with either bad intentions or sloppy digital hygiene gets access to that information. The next thing you know, your company is in the news! And as a user, something very personal of yours is now public, and you can’t walk that back.
I love the way Apple makes decisions on behalf of Mac admins, about what they can and can’t do, really, to protect us from ourselves in a way.
MF: What do you think is the perception of Apple devices in corporate environments these days? Do you see it shifting? There was a time where Apple was pushing out ad campaigns like, oh, you can do that on a Mac, too, like Microsoft Office and things like that. But obviously, there’s a lot more than just running Office to bring a Mac into a corporate environment.
TB: I see it shifting and that it’s shifted a lot over the last five years. If we think about how businesses have traditionally seen Apple – in the “before times” and the “long ago” – we certainly saw Apple devices as “less than”. A lot of corporate IT departments were like: “Oh, that one Mac over there, I was made to support it by my evil boss.”
If you want to put one person’s name out there – and I don’t like putting one person’s name out there, because there was a whole team that was working with this person – go look at Fletcher Previn. He was at one point CIO of IBM, and he’s now SVP and CIO of Cisco. If you look at the programs that he helped build, he basically said: “Hey, it’s okay to use a Mac at work. If you want to use a Mac, you should be able to.”
That approach has paid such dividends for IBM, Cisco, and other organizations throughout the Fortune 500. Now there isn’t anybody any more without some plan for supporting Macs in the enterprise.
CE: The one thing I would add is that I do see an almost overcorrection in some organizations. They equate the Mac with the “digital transformation” buzzword. They’re like: “Well, if we allow a thousand Macs here, then we have completed the digital transformation.”
In my experience, digital transformation is about things like automation, cost-cutting, and getting to market faster with new product development. Just allowing a Mac and treating it like Windows is not synonymous with digital transformation unless you’re looking to also automate things and get things to market faster.
MF: Let’s talk about the cybersecurity landscape, which is constantly evolving. How do you stay informed about emerging threats and vulnerabilities that are specific to Apple products? What steps can admins and users take to stay ahead of these potential security risks?
CE: I can speak to what I do. I watch every video from Objective by the Sea (a Mac security conference). It’s a wonderful conference that talks in depth – it might be too in-depth for the average user. I also typically look for everything about iOS, Mac, iPad, visionOS, and even passkeys that pops up at the DEF CON and Black Hat conferences. Again, that’s pretty deep for regular people who are just trying to protect their machine at home.
TB: Well, I’m a little bit of an outlier too, because my next-door neighbor is one of the program managers for CISA, the Cybersecurity and Infrastructure Security Agency here in Washington DC. I just go across the fence and ask Dave what happened!
But really what I do is I read a lot of things. I will call out the Objective-See Foundation. As Charles mentioned, they have a conference, but Patrick Wardle also has a Patreon and a blog, and that’s a great place to go look. I love the threat labs research topics from the folks at Jamf, and from Kandji.
And Malwarebytes. They’re doing great work out there, and that is a great place to go see what the cutting edge of threats is. I also want to caution you, if you read all this and you get scared, take a deep breath. It’s going to be okay. A lot of it’s theoretical.
CE: Or been addressed in a point release or a security update.
TB: The number one thing that anybody can do to protect their own security is keep their machine up to date. Period. Full stop. Apple patches the latest version of the operating system for all of the security bugs. And keep your third-party software up to date too. I know that it’s fun to click the box that says “not now” or “ask me again tomorrow”, but don’t get in the habit of doing that for three and a half years!
“The number one thing that anybody can do to protect their own security is keep their machine up to date. Period.”
CE: Don’t enable sharing. Read the dialog boxes. Ask questions like, “Why do you want access to my Camera Roll?”
MR: There’s also some basic digital hygiene as well. There’s this great auto login functionality in macOS, so when you turn on your machine, it just logs in, which is a great convenience. Unfortunately, it’s also a really good way to give somebody else access to what’s on your machine if they have physical access to that machine. So use a good password manager. Use passkeys when you can.
CE: Don’t reuse the same password.
MF: Where can folks go to find out more about you?
TB: You can find the podcast at podcast.macadmins.org. You can join us in a 65,000-person-strong Slack for people who manage Apple devices at scale. Check that out, read the code of conduct. We really like to keep it a safe place for people to participate and to be themselves, so please give that a look and come join us.
We recently introduced labs, a new and pioneering space in the 1Password apps that lets customers opt in to test experimental features.
For us, innovation isn’t just a buzzword – it’s a big focus for all of our teams. We are always looking for ways to evolve 1Password so we can offer a leading-edge experience in both security and convenience.
As the only password manager involving our customers in the early stages of development, we are breaking new ground in creating a truly human-centric experience. With customer feedback helping us shape experimental features before we commit to bringing them to all 1Password customers, every new addition to labs is tailored to real-life use cases.
By testing new features through labs while continuing to make 1Password more user-friendly and intuitive, we’ve been able to add innovative features while also improving the existing functionality of our apps.
Since labs was launched, we’ve been busy sharing new experiments and using customer feedback to improve those features and officially add them to 1Password for everyone to use.
Here’s a breakdown of what we’ve been working on with the help of our customers.
Default details for a smoother autofill experience
The first experimental feature introduced to labs was the ability to set default details. Given the positive feedback received from customers, our teams iterated on this feature, made improvements, and shipped it to all customers under a new “Profile” tab in the 1Password apps.
By setting default details, you can select your preferred payment card and identity item, which includes things like your name, address, email, and phone number. Your chosen selections always take precedence in the list of options the next time you need to autofill any of that information. This can be set for each of the 1Password accounts you are signed in to, so if you have a work and personal account, you can set your default details for each of them.
Next time you’re filling out online forms or making online purchases, you can enjoy a seamless and improved autofill experience, ultimately saving valuable time and simplifying digital interactions.
Custom browsers for more flexibility and control
If you’re using 1Password on macOS and opt for different browsers, like Orion or Wavebox, you can now authorize 1Password to connect to those browsers and improve the functionality of the 1Password browser extension. This brings significant improvements, such as letting you unlock the 1Password browser extension with Touch ID in those browsers.
This is a significant step toward providing greater autonomy and flexibility in browser selection, streamlining workflows, and enhancing your experience – and it lets more people than ever experience all the benefits of 1Password.
Nearby items for convenience on the go
With nearby items, you can assign a location to any of your 1Password items. Then, on the 1Password mobile apps, a new dedicated section on the home tab will display when those items are physically close to you.
Imagine having quick access to essential information based on your location – whether it’s the door code at your workplace or the combination to your storage shed. With people becoming increasingly mobile, this feature aims to provide tailored convenience wherever you go.
The 1Password community was very engaged with this feature and shared a huge amount of feedback that we were able to implement. For example, some use cases from the community include: office Wi-Fi passwords, gym locker PIN codes, garage door or gate access codes, debit card PIN codes showing near ATMs, health or benefits insurance for when you’re at the dentist or doctor, and membership cards at specific branches (such as library cards, gym cards, etc.)
New vault view in 1Password.com for consistency across platforms
Our desktop application is the best way to manage your items in 1Password. This update not only aligns the design of 1Password.com’s vault item view with our main desktop application, but also enhances our ability to consistently introduce new features across all platforms.
The current version offers read-only functionality, serving as an early testing phase to identify potential issues. However, over the next few months, 1Password will gradually introduce full functionality that aligns with the current web interface as we continue testing and development.
Unlike other experimental features in labs, this update doesn’t require manual activation and won’t appear under the “Labs” tab in the 1Password apps. Instead, you can access it directly via an in-app banner within the vault item view on 1Password.com.
Beta: Auto-type for Windows for simplified logins
Auto-type via Quick Access on Windows simplifies the login process for you. By enabling this feature in labs through the beta build, you can quickly fill and submit your login credentials into various applications and forms using a simple shortcut (Ctrl+Shift+Space).
Once activated, it automatically types the username and password into the respective fields, enhancing efficiency and saving time. Additionally, for logins with two-factor authentication (2FA), the one-time code is conveniently copied to the clipboard for easy pasting. While not a substitute for Universal Autofill on Mac, Auto-type via Quick Access provides a similar streamlined experience, offering you a seamless way to access your accounts across different platforms and applications.
All the experimental features in labs are turned off by default, which means you’ll have to opt in for each experiment you’d like to try out, giving you full control over the experience. In the 1Password mobile and desktop apps under Settings, you’ll find a Labs tab. Select Labs, and you’ll see a list of all available experimental features. From there, you can easily toggle each feature on or off at any time.
We track the performance of each experimental feature by:
If an experimental feature has enough positive feedback, the feature will progress through the beta 1Password apps and eventually be officially released into all 1Password apps.
We’re not just committed to continuously enhancing the 1Password experience – we also want to transform the way people manage the tension between security and convenience by making the secure thing the easy thing.
With support from inventive initiatives like labs and customers like you, we’re well on our way – and we’re just getting started. Stay tuned for more ways we plan to shake up password management and reshape online security.
We’re thrilled to announce the availability of a partner rebate incentive for partners of 1Password. As valued members of our partner ecosystem, you play a pivotal role in our collective growth journey.
With this program, we aim to deepen our partnership, drive mutual prosperity, and unlock new opportunities together.
Partner rebate programs are not just about offering financial incentives – they’re about fostering stronger relationships, driving collaborative growth, and rewarding your dedication and efforts. By participating in our rebate program, you gain access to benefits designed to amplify your success:
Increased earnings potential. Earn attractive rebates on your performance by achieving sales targets, expanding market reach, and driving customer engagement.
Alignment of interests. The rebate program is designed to align with your business objectives, making sure that our mutual interests are in sync and driving toward shared success.
Recognition and appreciation. Your dedication and contribution to our partnership do not go unnoticed, and the rebate program is a way for us to recognize and appreciate your hard work and commitment.
How to get started:
Review program details. Familiarize yourself with the program details including eligibility criteria, reward structures, and performance metrics.
Promote and sell. Leverage partner resources to support your ability to promote and sell our product. Use marketing materials, training, and enablement tools to maximize your effectiveness.
Claim your rewards. Once you’ve met the program requirements, our team will ensure a seamless payout process.
We’re excited to embark on this journey together and empower you to reach new heights of success and unlock boundless possibilities together.
Learn more in the 1Password Partner Portal or sign up to be a 1Password Channel Partner today.
If you think security is all about risk management, cybersecurity expert Greg van der Gaast thinks you’ve got it all wrong.
Van der Gaast – chief information security officer (CISO), consultant, author, world-famous former hacker and undercover agent – talked with Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password, on the Random but Memorable podcast about why taking a different approach, especially in a world of increasing security incidents and ballooning budgets, can be a much more effective strategy to reduce both vulnerabilities and cost.
What’s different in Van der Gaast’s approach? It has a lot to do with focusing on quality and process before risk. And repeatedly asking “why” to get at the root of upstream security issues. Read on for the interview highlights, or listen to the full podcast episode.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: What was your journey from undercover hacker for the FBI and Department of Defense (DOD) to cybersecurity consulting?
Greg van der Gaast: As a teenager growing up in Holland, I started learning about operating systems and how stuff worked and how you could break stuff and make it do other stuff.
I semi-accidentally hacked into a nuclear weapons facility somewhere overseas – I think three or four weeks after they set up five atomic bombs on the ground. It was quite a hot topic at the time. I just realized what it was, downloaded a bunch of research, and next thing I know – I had moved to the States at this point – it’s like CIA, DIA (Defense Intelligence Agency), and FBI.
I had four suits show up at the door. The first one said he was from the DOD. I invited him in and I told him, “Look, I was living in Holland at the time. This was somewhere over in Asia. I don’t think I’ve broken any U.S. laws. I was worried you guys were from Immigration.”
That’s when suit number four raised his hand and said, “I’m from Immigration.” I was put into the back of a van and taken to a detention facility whose location, to this day, I still don’t know.
About a week later, more suits came and made me a job offer I couldn’t refuse. I spent the next three years working undercover, getting paid cash by federal agents in underground car parks.
What I do now is at the extreme end of the strategic- and business-focused leadership and root cause big-picture stuff that isn’t on the radar of most security people. Part of my challenge has been that no one’s asking for this because no one knows that these are even valid approaches.
“What I do now is root cause big-picture stuff that isn’t on the radar of most security people.”
I think my overall mentality is more one of a problem-solver rather than just a “security person”. I started looking at the bigger picture of, “Well, we’re deploying all these firewalls and database encryption and intrusion prevention systems, all the latest stuff. Are we actually protecting the business? Do we know what data is where and who’s doing what and how these business processes work and what data I should even be seeing over this network that I’m monitoring?”
It dawned on me that everybody else hated process. But I realized that if we’re not consistently implementing, configuring, monitoring, managing any of this stuff, how are we sure we’re not missing anything? I started focusing on “how do I make sure I mature the technical tooling?” I started realizing a lot of these things wouldn’t happen if it weren’t for some root causes elsewhere.
So why don’t we focus more on our IT maturity rather than spending an absolute fortune on security operations? If those decisions are made by other departments, how do I influence change and create a program?
Learning about the business language and about business took me down this journey where security is about risk management – and I think that is completely backwards. We should be like most other industries, like in manufacturing, aviation, oil and gas, healthcare – it’s about quality management.
It’s about having really high quality processes so you don’t have defects that cause issues. We don’t do that. We don’t go upstream. We don’t go holistic. We just constantly detect and respond to the defects being exploited.
That’s brought about this really different approach to security that’s process focused, not about doing IT security, but about going through your business processes and making sure they’re secure.
In other words, stop doing cybersecurity, start doing business securely.
MF: You mentioned other industries that are heavily process oriented and quality focused. When I think about that from a software point of view, my brain says: “We can’t just build a resilient widget because the platform on which that widget rests is constantly shifting.”
It’s an apples-to-oranges comparison. Am I thinking about this the wrong way?
GVDG: Every industry – aviation, automotive, transport, oil and gas – focuses on quality management. They focus on addressing the root causes behind problems. I see incident responses like: “Oh, the root cause was that this got exploited.” Why was that exploitable?
“Oh, well, because so-and-so did X.” Okay, why did so-and-so do X? “Oh, because they had this.” But why did they do X without considering the downstream impact? “Oh, because there’s no awareness.” Why? Why? Why?
Toyota has a “five why” system to find a root cause. They ask “why” five times and go five levels deeper. When you address those things, you get this downward curve of issues or defects over time.
If you think about security vulnerabilities, they’re actually quality defects in code, in the configuration of a system, and how a system is built for users. But there is a point at which there is a diminishing return in resolving the root cause of this thing that caused 50% of our issues. Or the second thing that was 30% of our issues. You end up with this level of residual activity where it’s just not worth it to fix the root cause because it’s too expensive or happens so rarely that it’s just not cost-effective.
That is the point at which risk management should start. Because if you look at the number of most vulnerabilities out there today – I’m going to say 98% of them are known defects.
“If you look at the number of most vulnerabilities out there today – I’m going to say 98% of them are known defects.”
If we started doing those things, we would reduce our exposure by probably one or two orders of magnitude. That’s really significant. That’s what I’m getting at because we’re at a point where instead of having that downward curve in security, every year we spend more money and every year we have more incidents.
We see new applications all the time that have four-, five-, six-year-old Common Vulnerabilities and Exposures (CVEs) in them. If someone’s using six-year-old code to build a new platform, that’s a process issue. We know how to fix this, but we don’t.
Only once you’ve done all that, should we risk manage residual issues. But we’re not doing the big picture. Very few people in security are bringing that total business lifecycle so that management appreciates the real cost. The reaction I get from CISOs and security leaders usually falls into two camps.
The first is: “Yeah, I get it but please shut up because I like my job security.” We don’t want to fix the problem because it threatens our employment! Really, if you’re the one fixing the problem, you become far more valuable. This is how I’ve grown in my career – not by creating more problems to keep me busier, but by learning to fix bigger problems that create value.
The second reaction, which is quite common, is a problem of structure. It’s: “Yes, Greg, I understand that these process issues somewhere upstream are causing me all this work and it’s costing the business all this money to mitigate and remediate, but I don’t own those things. I don’t own the IT department. I don’t own the engineering function. I don’t own the fact that the salespeople put contract data in this platform. So I can’t do any of that.”
And I think that’s a truth. But now that you’ve identified the problem, you need to influence processes somewhere else to create a structure where you can drive change even though you don’t own it.
Every security issue is a quality issue, but not every quality issue is a security issue – but the root causes can be the same. So, if I fix whatever causes my engineering teams to produce a lot of vulnerabilities in what they develop, quite often I end up with cleaner code. It runs faster, it’s more stable, my customers are happier.
“Every security issue is a quality issue, but not every quality issue is a security issue – but the root causes can be the same.”
My AWS compute costs go down dramatically. And you end up saving the business a lot of money because you’re making quality enhancements that go beyond just removing vulnerabilities. They remove other defects, they improve performance, they improve reliability. There’s a lot of benefits and they’re all cumulative and sustainable.
MF: It sounds like you’ve met some resistance when spreading your thesis out in the world. Can you talk about the differences between the companies that are very receptive to this type of approach versus the ones that aren’t?
GVDG: There’s a real lack of accountability in security. There’s a lot of elitism. We’ve all sat in the room with security people badmouthing the users and the business, like: “Oh, management won’t give us money.” But we’re all very confident about how important we are.
But if I go up to your head of InfoSec, who is asking for $2 million of security spending, and I ask them, “Will there be a positive return on investment for the business?” They’re absolutely adamant: “Oh yes, yes, we’ll definitely save money this way.” I’m like: “OK, how about you pay for it yourself and then you get to keep all the ROI?” All of a sudden, no one’s very sure anymore.
I often say that security in many ways is the best job in the world because no one really understands what you’re supposed to be doing. No one knows whether you’re actually doing it. And, if you screw up bad enough, they triple your budget!
When I would go into a place as an auditor or a consultant, especially as a consultant, where you’re really trying to help them, they would get very upset at you.
They don’t like you criticizing or pointing things out that they didn’t think of. It’s very much like you’re calling my baby ugly. It gets hostile very quickly.
But, if you put the same group of people in a room and you’re not talking about their business specifically – you start explaining the concepts – then they just kind of light up and say: “This makes a lot of sense.”
They’re very keen to go into work the next day and start applying the principles because you haven’t insulted them directly. You’ve given them an idea, an approach that they can implement, take credit for, and then they’re all too happy to do it. But the direct approach tends to be very, very difficult.
MF: It’s easier to say “well, we mitigated these 47 vulnerabilities this year” than it is to say “nothing happened this year again. We’re all set.” How do you change the conversation to: “This is how you should start advocating for changes so that people can see the value. Because if you don’t, the bottom line is going to win out over everything else.”
GVDG: I think risk quantification is quite interesting but also pointless. Because OK, we removed 47 vulnerabilities, but what is the actual value of those vulnerabilities? Risk management calculations are – even the quantitative ones – extremely arbitrary.
And the next thing you know, it’s like, “Well, yeah, you removed vulnerabilities, but it’s actually running on a hypervisor running Windows 2008.”
Everything you’ve done can be circumvented like that. So how can you stand behind that value? I think risk quantification as a whole is very tricky because there’s no way of saying what those risks actually cost or whether they would’ve been exploited or not.
One of the points I like to make sometimes is this. You say: “We’ve done all the calculations and we’ve got an annualized loss expectancy for this risk of £200,000. We can mitigate it 90% for £50,000.”
That’s a good ROI if that quantification is accurate, which I highly doubt it is. But let’s assume it is. But then, what if you increase the scope of it: “We’re going to spend, let’s say £50K to eliminate a risk of £100K. What could marketing do with an extra £50K?”
And if the answer is, “Well, marketing could probably give us an extra million quid in sales if we give £50K,” does it still make sense to spend that money in security? Isn’t it better for the business to not do the security and do the marketing instead? How do you reconcile that?
I don’t think security should be risk-led at all. I think it should be business-led and a quality function – fixing your engineering defects.
For example, by fixing the engineering defects that are introducing the security vulnerabilities, I am lowering your AWS costs by €2 million a year. I’m doing a security review of your Salesforce (this is an actual scenario), in which I spent €20,000 and have removed all the excess accounts, reducing your spend on Salesforce by €48,000 per year. I’ve just made you money by securing you.
If you look at security as a quality function on pure cost savings and agility enablement, you can justify it. The risk reduction is a byproduct. You don’t even have to count it. It’s just gravy. That’s the approach I’ve been taking because I can actually save the company more than double the cost of the security function – demonstrably.
I probably can’t even demonstrate half of what I’m saving them, but I can demonstrate that I’m saving them more than what they’re paying me!
MF: Where can folks go to learn more about you and the consultancy work? How do they bring you in and have you help them put some of this stuff into practice?
GVDG: I wrote a book about three and a half years ago called Rethinking InfoSec, which was just an amalgamation of articles. I’ve recently done a collaboration with Hitachi Vantara, a book called What We Call Security. That one is really calling out this quality approach because what we are doing simply is not working. Every year we spend more and every year we spend more as a percentage of budget. It’s unsustainable.
I’m also starting a new consultancy. I’ve not actually launched it, but by March it’ll be out there. The website’s up, it’s sequoia-consulting.co.uk. I’m hoping to really help people address these high-level, strategic structural leadership issues.
Android enthusiasts, your time has come. If you own a phone or tablet running Android 14 or higher, you can now save and sign in to many Android apps using passkeys.
Today’s announcement builds on the passkey support we released for the desktop version of 1Password in the browser and 1Password for iOS last year. Mac, Windows, iOS, Android – no matter your platform preference, you can now go passwordless and start unlocking the web in a faster and more secure way.
We’re thrilled that so many people have started using passkeys, and are delighted that Android device owners can now embrace them too.
Passkeys are a new kind of login credential that lets you quickly and securely log in to accounts on your desktop and mobile devices. They’re a form of passwordless authentication – so there’s no password involved – that are backed by the largest technology companies and built on open industry standards.
Curious how passkeys work? Behind the scenes, the passwordless credential relies on public-key cryptography. That means every passkey consists of two parts: a private key and a public key. The private key is just that – private – and never shared with the service you’re signing in to. The other part is the public key, which is seen and stored by the website or app.
When you sign in with a passkey, the website or app creates a technical “challenge”, which is a bit like a special puzzle. You “sign” this challenge with your private key, which is then verified by the website or app using your public key. This quick back-and-forth relies on an API called WebAuthn, which was developed by the FIDO Alliance (1Password is a member of the Alliance!)
You can think of passkeys as the modern successor to passwords. Here are just a few ways that the two differ:
Here’s what you need to start saving and signing in to Android apps with passkeys:
Remember: You can also use 1Password on any Android device to view, organize, share, and delete your saved passkeys.
You might be wondering: what’s the benefit of saving my passkeys in 1Password instead of Google Password Manager? It’s a great question.
Here are two reasons to choose 1Password:
1Password works everywhere. Google Password Manager is designed to work in three places only: Android, Chrome, and ChromeOS. 1Password, meanwhile, has thoughtfully-designed apps for every platform and supports every major web browser including Chrome, Firefox, Edge, Brave, and Safari.
1Password helps you organize your entire digital life. Google Password Manager is focused on passwords and passkeys. 1Password goes beyond a simple password manager by letting you store, manage, share, and conveniently autofill credit card numbers, addresses, documents, and all of your other sensitive information.
Creating a passkey for the first time couldn’t be more straightforward. First, open Watchtower (you’ll find it in the navigation bar at the bottom of 1Password for Android) to see which of your logins can be updated to use a passkey.
We recommend these three Android apps if you’ve never created or used a passkey login before:
If it’s not already on your device, download the relevant Android app from the Google Play Store. Next, open the app and select the option to start using a passkey – it may be on the sign-in screen or in your account settings. Follow the instructions and, if prompted, choose to save your passkey in 1Password.
Once you’ve created and saved a passkey, you can use it every time you want to sign in to the associated account.
We’re delighted that so many Android developers have already updated their apps to support passkeys, and look forward to seeing the options grow in the coming months.
We’ve said it before and we’ll say it again: we’re all in on passkeys, and believe they’re our ticket to a truly passwordless future. This type of login credential offers a faster and more secure way to sign in to online accounts. It’s supported by a growing number of websites and apps, as well as all of the major operating systems and password managers like 1Password.
If you want to be an early adopter and fully embrace this new era of online security, 1Password is the way to do it. For years, we’ve offered a safe home for your passwords, credit cards, medical records, and more. And we haven’t tied you down into any specific platform or ecosystem. Now you can add passkeys to the list of data that 1Password keeps secure at your fingertips.
Ready to create some passkeys? Learn how to get started with 1Password for Android.
When you work in IT, you have a lot to manage. And while everything can feel critical – keeping the computers on might not mean much if your small business experiences a data breach.
According to recent reports, cyber attacks are currently disproportionately targeting small businesses.
“70% of cyber attacks target small businesses” – Business Insider
With the average global cost of a data breach being $4.45 million, many small business owners simply don’t have the capital to survive the damage caused by a cyber attack. Between losing critical data, the time spent trying to recover, and the loss of customer trust, it’s not surprising that 60% of small and medium-sized businesses (SMBs) that are hacked go out of business within six months.
But while the stakes may be high, IT teams can protect their businesses by bumping security up their to-do list and prioritizing proactive security measures.
There are many different types of cyber attacks businesses need to protect against but we’re going to focus on four threats: phishing, weak passwords, reused passwords, and shadow IT. All of these risks have one thing in common: credentials.
Phishing attacks are a type of scam designed to trick people into sharing sensitive information. Often taking the form of emails, cybercriminals are in search of passwords, logins, or other secrets that they can use to gain access to secure systems.
Password reuse is one of the most common security vulnerabilities businesses face. If the same password is used for multiple accounts, a hacker just needs one login to gain access to all of the other accounts. So if a single reused password is caught in a data breach, it could lead to multiple accounts being compromised.
Probably the most obvious risk is weak passwords that are easily guessed or cracked. Brute force, dictionary, and social engineering are all common attack types that take advantage of weak passwords.
Shadow IT refers to the apps your employees use that IT doesn’t know about. If a password for a shadow IT app is caught up in a data breach, the IT team has no way of knowing that it should ask employees to update passwords on those accounts, or whether any important information has been exposed.
Credentials are basically the lock on the digital front door of your business. But unlike a physical building with one or two entrances, your online space can have infinite entry points.
Indeed, each new account for every app by every employee creates a new door that gets locked behind a password. This exposure is what makes access control one of the most important parts of your cybersecurity strategy.
If every login is a door into your business, then the employees who create those logins are the ones holding the keys. When it comes to credential security, employees aren’t deliberately putting their company at risk when they fall for phishing scams, or when they use weak passwords or apps that fall outside of security’s purview.
Like IT teams, employees are trying to get their work done. Security policies can sometimes feel like a barrier to that end goal. Having to remember multiple complicated passwords slows down sign-ins when employees just want to get into an app. It’s convenient to use the same password for everything, but it’s definitely not secure.
And when it comes to using apps outside of the IT team’s purview, employees are usually just trying to use the best tool available. With a long to-do list, IT teams don’t always have time to review apps, and so employees just quietly use what they need in the shadows.
So what can IT teams do?
IT teams in small businesses are, unsurprisingly, usually quite small – sometimes even having just one person responsible for IT, security, and more.
Trying to manage security effectively alongside competing IT and business responsibilities can require a constant act of juggling priorities. With limited bandwidth this can create a constant reordering of to-do lists, trying to just stay on top of incoming requests and leaving little room for proactive work.
The way work gets done has significantly shifted as businesses move to hybrid models and some require employees to use their own devices. And as new apps to get work done come into play the challenge to secure every employee, on every app, in any location is only becoming more complicated.
Even if an IT team has managed to put security policies in place, making sure employees are following them is a whole other story. It can be easy to think security challenges are the IT team’s responsibility, but business cybersecurity is a team sport – you’re only as strong as your weakest link.
Creating a culture of security helps your team prioritize while also working with them. A few high level ways you can make the two work in harmony are by providing flexibility, increasing security adoption, and improving your overall security posture.
Security and productivity don’t have to be a one-or-the-other option. Check out our ebook Small business. Large security risks. for a more detailed look on how to keep your business safe and productive.
1Password doesn’t just keep your personal and work-related data safe. It also helps you keep them separate – and your company’s 1Password Business accounts include free 1Password Families memberships for all team members.
1Password Families is a personal account for you and up to 5 family members. It works in much the same way your business account does – but instead of being owned by the company, you own it. And instead of admins managing the account, family organizers manage it (that’s you, and anyone else you designate).
Because you own the account, if you and your employer ever part ways, you can keep using your Families account by simply updating your payment method. Access won’t be interrupted, and the personal data in your account will remain yours, completely unaffected by your departure from your company.
Employers never have visibility or access to anything stored in personal accounts. In fact, your company’s 1Password Business account and your 1Password Families account aren’t connected in any technical way. You simply have access to a free 1Password Families account by virtue of your employer’s 1Password Business account.
| 1Password Business | 1Password Families |
|---|---|
| Managed by your employer | Managed by you and/or a family organizer |
| Paid for by your employer | Free when linked to a Business account; paid for by you if you leave the business account |
| The account can be deleted by your employer at any time | The account can only be deleted by a family organizer in your family account |
Why offer free Families memberships to 1Password Business team members? Because separating your business and personal information and logins helps foster the ideal security culture: work information in 1Password Business accounts; personal information in 1Password Families accounts.
Mixing personal information with work information is a risk for you and for the company – especially when either one contains vulnerabilities like weak or reused passwords.
More than that, though, we offer free Families accounts for the same reason we offer 1Password at all, to anyone, and for the same reason we built it back in 2006. It should be easy to navigate your digital life securely. Every protected login is a win.
Redeeming your free 1Password Families account is easy. Follow these steps if you haven’t yet redeemed a Families membership:
If you do already have a 1Password Families membership, you can use it for free by linking it to your 1Password Business account:
If your 1Password Business admin has enabled the policy to help separate work and personal information, 1Password Watchtower can let you know if any items may be in the wrong account. In addition to tiles for things like weak passwords or compromised websites in Watchtower, you’ll see a tile for items you may want to move. Select “Show all items” to see them all as a list.
To clean up your work and personal accounts, and make sure each item is in the appropriate account, you can drag-and-drop items between vaults.
If you’re using 1Password for Mac, Windows, or Linux, make sure you’re signed in to both your Business and Families accounts, and click your account or collection at the top of the sidebar and choose All Accounts. Then, just drag existing items to a new vault to move them.
If you’re using 1Password on iOS or Android, select (or multi-select) the items you want to move. Next, tap the item menu and select “Move,” then choose the vault to move the item(s) to.
Visit 1Password Support for complete instructions for all platforms.
1Password Families is the easiest way to protect and securely share passwords, financial accounts, credit cards, and other sensitive information with the whole family. Learn how to invite your family, create a recovery plan, and more by visiting 1Password Support.
Fumbling with an app when you’re already stressed? We know the struggle. Also, is it just us, or does it always happen when you’re already having a bad day?
It may seem silly, but sometimes, a few extra clicks or typing can feel painful when you’re just trying to get stuff done.
That’s why, in 2024, we’re focused on making 1Password smoother, simpler, and more intuitive. We’re dedicated to making sure the secure thing is always the easy thing.
Throughout the year, we’ll continually improve 1Password so it can reliably work as you expect. No more struggles. We’ll keep you updated on added and improved features along the way, because every click and tap should feel effortless. The seamless experience you deserve.
Since the end of 2023, we’ve already made nearly 200 updates to 1Password. These updates focused on overall performance, reliability, and usability with the goal of simply making sure things work better.
This round, we devoted our energy to the browser extension experience and search within the 1Password apps because they are the quickest, most effective tools to find and use your passwords while online. We’ll be working on plenty more updates in the near future, so stay tuned!
In this blog, we’re sharing some highlights on how we’ve improved several different features in the 1Password web browser extensions and 1Password apps including:
1Password browser extensions:
1Password apps:
If you’d like to learn more about all the updates we’ve made, check out our release notes for all the details.
Some private web elements used to prevent the autofill dropdown menu from appearing or prevent autofill on login forms on certain websites.
We’ve addressed this, so you can now seamlessly autofill on more sites, login forms, and much more. The 1Password browser extension will now work more reliably in username fields, email fields, addresses, and form credentials. The extension will also autofill more efficiently on hundreds of sites, like Reddit and CVS.
Plus, we made a fix for many top popular sites, like Walmart and ESPN, that used to close the 1Password browser extension before it could complete autofilling.
The 1Password browser extension now leverages smart titles for the top 900+ sites online. Previously, a site like American Airlines might have been automatically labeled simply as “AA” for the title of the item, but now, it’s accurately and automatically titled as “American Airlines,” making it more contextually relevant to the item you’re saving.
This streamlines the process of creating and saving new items faster and more accurately, and also makes it much easier to search for and find items later on.
If you’ve dealt with the pain of an unstable internet connection, you’ll love this update. Before, if you tried to save an item in the browser extension while you were offline, the item would save locally in the extension but wouldn’t sync across your other 1Password apps, like on your phone or tablet. That meant you couldn’t access that item until the connection was re-established, which wasn’t happening quickly enough.
Now, the browser extension will better recognize when you’re on or offline, meaning if you’re ever disconnected and then reconnected to the internet, your password will save and sync across all the 1Password apps faster.
If you’re a Chrome user, you know the browser updates quite often as Google pushes out new features and security updates for users. Previously, this caused interruptions in the connection between the 1Password for Chrome browser extension and the 1Password desktop app, leading to frequent password re-entry to unlock the extension again after Chrome updates.
We heard your feedback on how frustrating that was, so now, whenever Chrome issues a pending update, you’ll no longer need to unlock 1Password, meaning fewer interruptions to your daily tasks.
With this new update, we estimate that we prevented nearly 20 million instances of unexpected re-authentication. With each login taking about two seconds, we’ve collectively saved our customers approximately 462 days’ worth of time. That’s enough time to watch the entire The Lord of the Rings Trilogy Extended Edition 932 times or sail a pirate ship across the Atlantic Ocean 18 and a half times. Phew, that’s a lot of time saved!
Before, the 1Password for Safari browser extension didn’t filter suggestions in the autofill menu like it did for extensions for other browsers, like Chrome and Firefox.
We’ve fixed that, now making it easier to find and autofill the right details depending on what site you’re on – plus, if you have to use different browsers for any reason or end up switching some day, you can expect a consistent and familiar 1Password experience.
Now in the 1Password beta extensions, when you sign in to a site that you haven’t yet stored a credential for, 1Password will automatically create and save the credential for you after you’ve logged in – meaning you no longer have to manually save an item before you sign in.
Not only does this make saving your logins easier, but it also means you no longer have to manually update an item if you entered the wrong username or password and already saved it to 1Password.
But wait, there’s more!
Autofilling credentials is handy, but you often have to manually submit the form you’ve filled, keep clicking to progress through multiple pages, and select autofill again in the next form fields that could come up, like two-factor authentication (2FA).
That’s too much work, so we’ve introduced improved autofill automation for your logins. Now, once you’ve selected a credential to autofill, the rest of the process autofills, auto-submits, and auto-progresses through multi-page sign-ins all on its own, including 2FA codes.
Previously, if you were searching for something in 1Password, the result would be shown within a list of all your 1Password items. This means if you picked the wrong item or wanted to look at multiple items with similar characteristics, you had to start your search completely over. Now, we only show you the list of items that match your search until you initiate a new search.
Plus, search filters are now visible and usable across all of the 1Password apps. This means you can easily see all of your recently searched items on all devices for faster searching. We’ve also improved functionality to support search queries from customers, so we will keep making search even better this year.
We’re continuously working to make sure 1Password is simplifying your online world, all while keeping you safe. With subscriptions based on your needs, you can protect yourself, your business, and even an enterprise, with the most reliable password manager around.
Your feedback about 1Password is incredibly valuable to us. Without you, we wouldn’t have been able to make all these improvements, or all the ones to come. Keep letting us know what you think – we can’t wait to hear from you!
This is the fourth and final post in a series on how to secure your hybrid workforce. For a complete overview of the topics discussed in this series, download The new perimeter: Access management in a hybrid world.
In the initial post in this series, we outlined four key considerations to securing your hybrid workforce: identity, shadow IT, the security vs. productivity tradeoff, and security costs.
Now that we’ve seen why identity is the right place to start, and how to secure access to both managed and unmanaged apps, let’s talk about worker productivity and cybersecurity costs.
Security software is notoriously hard to use. Instead of making things easier for end users, security tools often introduce new frictions into workflows. Hence the perpetual dance between security and productivity.
The situation also pits IT and other employees against each other. IT’s goal is to reduce their attack surface to avoid a security breach. Employees want to get things done. If security software is hard to use, those two goals are at odds. It’s zero-sum.
And when productivity and security face off, productivity often wins. A recent study found that 85% of employees knowingly broke cybersecurity rules to accomplish a task. IT and security teams are left with an impossible choice: Impose more tools and security measures to strengthen their cybersecurity posture, or reduce friction to help employees get things done. Either you reduce the risk of a cyberattack, or you make workers’ lives a bit easier. You can’t do both.
But those workarounds aren’t a malicious attempt to thwart IT. It’s just people trying to do their jobs. Employees are using their personal devices and preferred apps to get the job done, not to sabotage the company’s security posture.
Resolving the paradox requires expecting more from our security solutions, specifically in terms of user experience.
To illustrate how we might do that, consider the desire path. When building spaces, landscape architects (naturally) include paved walkways in their plans. But those paved walkways aren’t always the preferred route of those who use the space.
When people continually cut across the grass of a park, for example, and eventually wear down the grass to create an “unofficial path,” that’s a desire path. It wasn’t in the designer’s original plans, but that doesn’t matter to those using the space – they’re just trying to get from point A to point B as quickly as possible.
Hybrid work has created a similar, digital desire path. Instead of using only the apps managed by the company, workers are using shadow IT – both on company devices and personal devices – to get things done. That introduces new vulnerabilities. But what if IT could simply secure that desire path, instead of trying to force workers to stick to the paved walkways they’ve been avoiding?
If a security tool is hard to use, people won’t use it. Consider a few findings from 1Password’s Unlocking the login challenge: How login fatigue compromises employee productivity, security and mental health:
And that’s just logging in. If IT teams not only understood these frustrations, but did something about it – say by providing an enterprise password manager (EPM) that did the work of logging in for them – both security and productivity would win.
Let’s say Taylor, a new employee, is setting up a new Airtable account to check the publishing calendar for their role on the social media team. Instead of creating a weak password that’s easy to remember, or reusing a password, Taylor uses an EPM to generate a strong, random, unique password.
Because admins can customize password policies, the password Taylor creates automatically complies with company security policies. And Taylor doesn’t have to remember that password or record it. The company can even mandate multi-factor authentication, which modern EPMs support.
And the next time Taylor logs in, they don’t have to guess how they logged in. Was it an email and password? Did they log in with their Google account? SSO? A passkey?
It’s all moot if their EPM remembers for them, and automatically logs them in. And when they need access to the company Instagram account (for which there’s only one login for everyone on the team), a colleague can securely share those credentials with Taylor.
To secure access to shadow IT, you have to make it easy for workers to do their jobs securely. They have to want to use the security tool you’re offering. And that only happens when that security tool helps them get things done, instead of getting in their way.
Security can feel like a game of whack-a-mole. New technologies pop up, workers adopt them, and IT rolls out new tools to address the vulnerabilities those tools introduce.
It all adds up. Overhead and tools are two of the biggest contributors to cybersecurity costs. But it is possible to create efficiencies across both.
IT spends a surprising amount of time resetting passwords. 57% of IT workers reset employee passwords up to five times a week, and 15% do so at least 21 times per week.
That leads to IT spending nearly 21 days of work each year on tasks like resetting passwords and tracking app usage.
But both IT and workers can wrestle back a significant portion of that time with an EPM. For example, in The Total Economic Impact™ of 1Password Business, Forrester found that deploying 1Password results in:
SSO and EPMs can work well together within an identity and access management (IAM) framework. SSO secures access to applications managed by IT, while EPMs secure access to unmanaged apps, or virtually everything else.
But the costs of SSO can add up. It can take weeks or even months to implement SSO, and each application placed behind SSO needs to be configured. EPMs require less custom configuration – it’s a one-time setup and doesn’t require every app to be configured.
And even once SSO is deployed, it only secures access to 50-70% of the apps in use, according to Gartner. IT will have to dedicate time to add new applications, and many of those applications will charge extra for the ability to integrate with your SSO provider, a cost known as the SSO tax.
EPMs not only secure access to the unmanaged apps that SSO doesn’t cover, but also reduce cybersecurity costs, thanks to a less costly rollout and the elimination of the SSO tax.
As a quick recap, here’s what we’ve covered in this series:
For an overview of each of the topics we’ve explored, download The new perimeter: Access management in a hybrid world.
Learn about the four key considerations to securing your hybrid workforce, and why reducing risk starts with securing employee login credentials.
Protecting remote and hybrid work requires securing both identity and devices, regardless of where employees work.
At this point, it’s safe to say work has changed. The reality, even for those yearning for employees to return to the office, is that hybrid and remote work is the modern “business as usual,” and there is no going back. Unsurprisingly, our new way of work has brought a slew of new security challenges that companies struggle to address.
Security is inherently a people problem. And when people no longer predominantly work from a corporate office, relying on security technologies built to secure physical corporate networks, and everything plugged into them, is now creating gaping holes in company defenses.
At 1Password, we’ve always put people front and center of security, striving to create products that are easy to use and make employees more productive. By making the productive way to work the secure way to work, we help companies enlist their employees to be a part of their perimeter defense.
That brings us to today’s news: 1Password has acquired Kolide, a next-generation device security solution.
Why would 1Password acquire a device health and contextual access management solution? The reality is that access isn’t secure if the device doing the access isn’t secure. This is part of the complexity of the modern way we work. Every device, regardless of location, must be secure – just as every log-in, regardless of location, employee, or type of device used, must be secure.
This is where Kolide fits into the 1Password story. Kolide is a leader in device health and contextual access management, and companies need a way to ensure that both the device used and every access request are secure. What also makes Kolide particularly compelling is how the company has taken a similar approach to 1Password and works to enlist employees to deliver better security. This is only possible by providing employees with tools that make security easy to use and adopt, enable them to secure their own activities, and provide them with the context to make the right decisions at the right time.
In fact, Kolide’s philosophy of Honest Security mirrors our deeply held values – that security can only work through a positive relationship with end users, and that privacy must be respected at every stage of the journey, being demonstrated through informed consent and transparency. Kolide’s message is resonating across the market, and leading companies including Databricks, Robinhood, Discord, and Anduril rely on Kolide to secure their teams.
Turning your employees into security advocates is critical, because it’s no longer possible for IT or security teams to micro-manage every device or every application that employees use – especially for remote and hybrid workforces. By shedding light on the currently untenable state of IT and security, corporations can shift their mindset toward an approach where security empowers end users to use the tools they need, while also making them active participants in securing the applications they use. And 1Password with Kolide does just that.
Please join me in welcoming the entire Kolide team to 1Password. We’re thrilled they’re joining us on our shared mission of building a safer, more secure future. And based on Kolide CEO Jason Meller’s perspective below, I’d say we’re well on our way.
“Kolide was founded on the idea of Honest Security, a philosophy that, when combined with the principles of Zero Trust, transforms end users into the most effective security solution IT will ever have. We are combining forces with 1Password for one reason: we both believe every company on Earth needs user-focused device security. With 1Password, we now have the resources to make that belief a reality.”
If you’d like to learn more about how Kolide and 1Password solutions can secure your organization, let us know.
Last week was a hackathon week at 1Password. We take time twice a year to pause our normal day-to-day tasks and focus on exploration and learning. These hackathons are a great opportunity to work with different folks, exercise some different muscles, and have a great deal of fun in the process. I’d love to tell you more about our latest hackathon!
The hackathon’s theme was “Beyond Boundaries”, and it had a few broad categories for staff to choose from:
We encourage everyone in our Tech, Product & Design departments to set aside work to participate in the event, and ask them to self-organize into teams and projects. This means that the hackathon projects aren’t defined by leadership – they’re entirely grass-roots driven.
We recommend folks work with others outside of their team, as this is a great way to meet others and learn from them. This can be a bit of a chicken-and-egg problem … how do folks know who to work with? Surely they won’t go knocking on a random person’s [virtual] door and say:
“Can we hack together?”
We solve this by having a centralized hackathon project idea list. If there’s something a member of staff really wants to work on, they put it up on the list and see if others gravitate towards it. People can work on any part of the product, meaning they aren’t constrained by the area they normally work on at 1Password. The project board lists the skill sets that would be useful for each project, including non-coding skills, which helps people more easily find a great project to contribute to.
For this hackathon, I personally deviated from our guidance a bit. I’ve recently created a new team, and it’s still in its forming stages, so I proposed that we use this opportunity to work closely together on a project. We added our project to the list and a few developers from other teams joined us because the project appealed to them.
Our hackathons are short. Or at least they feel short. It’s one of those things where any fixed period of time will feel too short as our dreams are always bigger than what the time will allow for. Our hackathons are effectively split into three parts:
Naturally this is where we sit down and actually write our prototype. There really aren’t any limits here other than “fit into one of the broad categories.” The goal is certainly not to write code that will ship to production right away. Instead, we put a strong emphasis on creating an MVP of the concept.
We work hard to prove that our ideas are possible. Words like “hack-crimes” are uttered frequently as developers try to find the fastest way to demonstrate their idea, and folks commonly share their most heinous crimes with the rest of the team on Slack.
The actual output of our three days of hacking away is a video demo, so while we’re building we also need to plan and produce the final video.
Of course, we all want to see what everyone else has built. We used to have each team present their project, but as we’ve grown, so has the number of projects, and this approach has become unsustainable. Instead, each team is expected to create a demo video of their project, helping others understand the challenge that their project is targeting, and how it solves the problem.
The only constraint imposed: The video should last only two minutes.
The creativity that comes out of these videos is pretty amazing. Two minutes is simply not a lot of time, so everyone tries to find ways of cramming as much information as possible. And then there’s the production quality! I’m always blown away by the amazing videos that are produced. They’re inspiring, and just a little silly.
These videos are all due by the end of day three. For our latest hackathon, you better believe that I was up until midnight putting the final touches on ours. I was unlucky enough to have the video editing app I was using crash after two hours – and I hadn’t hit the save button. Was I ever thankful that it had auto-saved a few minutes prior to the crash!
Day four is when everyone is expected to watch the demo videos. Some teams create watch parties and view them all together.
A little bit of friendly competition can make anything more fun. The hackathon organizers chose some judges for each category, and all of the participants voted on the “Bits Choice” award. On Friday we do a large call where the winners are announced.
Regardless of who wins awards, we all come out winning (and I don’t just say this because our team didn’t win). It’s a week where we get to set aside our normal routines and deliverables, and scratch whatever itch we may have. It’s amazing to see so many great ideas from so many different teams.
It’s also not uncommon for one or more of the hackathon projects to turn into full-fledged features after the fact. For example, the recently released Nearby Items came out of the last hackathon.
I’d love to share a few of the demo videos that have come out of the Beyond Boundaries hackathon. I want to emphasize that these projects do not necessarily represent our roadmap, and are a reflection of the ideas that individuals have, as opposed to the entire company.
First up we have 1PasswIRC, who aimed to answer the question: “What if we leveraged the End to End Encryption technology we had to power group chat within the app?”
Next is B5X Diagnostics Reports. B5X is what our Browser Extension is called internally; it’s by far the most popular way to use 1Password. This group decided to see how we could more easily get Diagnostics Reports from the app so that we could better support our users.
Lastly we have Webhooks For Item Updates. I love seeing integrations between 1Password and other services, and webhooks are a great way to enable that.
I hope you enjoyed the videos. If these hackathons sound like fun to you, consider joining our team!
Browse our current job openings to see if there’s an opportunity that matches your career goals.
“A man walks into a bank…” That may sound like the start of a joke but as hacker and security consultant Jayson E. Street tells it, it’s really nothing to laugh at. He’s walked into banks, hotels, government facilities, and biochemical companies all over the world and successfully compromised them.
Street is an adversary for hire, Chief Adversarial Officer for Secure Yeti, a DEF CON group global ambassador, and the author of the book series Dissecting the Hack. He sat down with Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password, on the Random but Memorable podcast to share some fascinating stories about how he “hacks” human nature to get in the literal front door and compromise businesses.
Read the interview highlights below or listen to the full podcast episode.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: How did you get into penetration testing?
Jayson E. Street: In 2000, I found out that you could do security and computers. A VP of an internet bank hired me into network security. For the first 10 years of this new career, I was doing defensive blue team work (defending against attackers). Then I realized: I have to start testing the things that I’m making as if I were a hacker.
Around 2010, I was working for a bank, testing our defenses. That’s when I discovered I was really good at robbing banks. I started doing that more, as well as consulting. I branched out to robbing hotels, research facilities, and government facilities.
In 2016, I started a thing that’s never been done before: security awareness engagements where I use red team tactics (attacking cybersecurity defenses), but for educational purposes.
One of the things I love about Secure Yeti is that they believe in this too – that it’s about education, not exploitation. It’s about educating people so they can become better. The red team only exists to make the blue team better. We’re there to help validate their security, build them up, and teach them what they need to do – not just try to tear them down and break stuff.
MF: Can you walk us through your process for penetration testing? I’m sure the ultimate goal is getting in and getting the prize, but how do you approach it?
JES: Honestly, that’s not always the goal. I guarantee to my clients, in our contract, that I will get caught during the engagement. Because again, I’m trying to teach them. If we give them a report and it’s like, “Oh, I just destroyed everything,” the only thing that gets back to the employees is that they failed.
I’ve had to work at giving wins, but I make sure that everybody wins at least once. Then I can say, “Okay, yeah, we have to work on these things. But hey, look at Ann. She didn’t open the door for him. She questioned him. She checked his ID, she reported it to security and he got caught.” It makes it a little more of a positive experience.
There are so many red team people who are so focused on winning and think: “I’m going to go in, I’m going to punch them in the face and shoot the guy.” There’s all this toxic masculinity throughout the red team, unfortunately.
My whole thing is, I don’t want my clients to see sophistication. I want to show them how bad the situation really is – how basic it can be.
I’ve got a video that I did at a talk. I use a hidden camera to show how I literally walk through the front door of a bank while employees are still on their lunch break and compromise the first machine in 15 seconds. I finished the attack in under 30 seconds.
An employee did the right thing and stopped me, but then she allowed me to do sort of an interception of the conversation where she thought that I was going to be honest when I talked to the manager. She escorted me to the manager’s office, the manager saw that I was waiting, but there was someone else in the office. The employee believed me when I said, “I’ll talk to him,” and I dismissed her and she left.
I went into the manager’s office and assumed the role of, “I’m here with the help desk. We’re trying to make the network faster.” He escorted me to every machine, and I did a 100% compromise of every machine in that branch, including the wire transfer computer and the network servers. He gave me full access to everything, and he walked with me to do it.
MF: Wow.
JES: Everybody worries about Zero Days. It’s like, “Oh, I got to worry about AI. I got to worry about all this blockchain and the kill chains coming in at us.” And I’m like, “You keep talking about how we need to secure low-hanging fruit. Screw the tree, OK? You’re not ready for the low-hanging fruit. You’ve got fruit rotting on the ground. Pick that stuff up, do some proper asset management, and do some proper patch management.”
We want to keep looking at all these other things that we’re supposed to be defending against when it’s the simple stuff of someone walking in off the street. Or someone sending an email that ends up costing a company $300 million.
MF: Can you recall an infiltration where you really had to do your research? Maybe you used social engineering, or monitored people’s patterns at work?
JES: One time I was robbing an institution in New York City. It was across the street from Ground Zero in the financial district. It was very high security. They did not expect me to get in. This is the reason why I still say to this day that the only thing worse than no security is a false sense of security.
They had canine SWAT police officers patrolling the mall and the lobby areas. They had four to six security guards. In the main elevator lobby, you had to show them your driver’s license and get an ID name tag with your picture on it before you were allowed to go through the metal detectors, which led to the elevator and up to the office.
I went in on the first day. I went up to the security desk to see if I could get a job interview. They were like, “Nope, you have to call ahead.”
So the next day I go back in. By the way, you always try to attack people in office buildings with building security between the hours of 4PM and 6PM. The 7AM to 3PM shift, that’s your A team, the people who are on the ball. The 3PM to 11PM shift goes to new hires, the ones that aren’t set in the patterns, the ones that don’t know everybody.
When I showed back up the next day around 4:30PM in the afternoon, the company was having a meeting upstairs and there was another guy waiting to get up there, too.
I did a crosstalk attack like I did with that bank manager. I talked to one security person and then I talked to the other one and they saw me talk to that person. They made my ID and created my badge. I struck up a conversation with a guy who was legitimately going to this place like, “Oh, you’re going up there, too?” “Yeah.” It made it look like we were together. So when the receptionist came down to escort us up in the elevator, she made the assumption that we were together.
As soon as we got upstairs into the lobby area, I said: “I’ve got to go to the restroom. I’ll meet you in the conference room.” I go and I see an open door that goes to the mailroom. There’s an unlocked computer there and I compromise the first machine. I’ve already compromised their network. And then I go to the break room.
I don’t attack people over social engineering. I attack human nature. How people operate. Being on the spectrum, it’s like I had to be raised to try to watch people and figure out how normal people work, because they’re terrifying. That’s why I’m so successful at robbing people on five different continents.
It’s like the biggest myth that society tells us: that we’re so different. The truth is we’re all humans! I don’t care if you’re in China, Singapore, Brazil, or Britain – guess what? You’re the same people. You all still come up with the same assumptions. You still come up with the same kind of attitudes. That’s what I’m trying to rob – I’m going after human nature.
MF: I’m curious to hear a story where you were just completely shut down at every turn, where people did everything right.
JES: I’m so glad you asked that. No one talks about it enough. It’s like everybody wants to talk about me accidentally robbing a bank, or something like that, because it sounds cool.
But I did rob a bank in 2020 where it was a fail. I had robbed the same place in 2019, and I destroyed them. They’d never had a red team engagement where they actually got up into their office area. And within 30 minutes, I was sitting at the desk of the person who hired us. When he came out of a meeting, he saw me at his desk. He had to go with me to take the badge back that I had stolen off of someone’s desk. It was bad. But that’s not the story.
Companies are paying for you to communicate to management why these changes need to happen. I did a report. I didn’t do a nice little written report. I educated management about what was going on, how I was able to do these things. I had security go on a walk with me and watch as I compromised some people live – and their jaws just dropped.
In January 2020, I went back to this client. I changed my appearance. It’s like I knew it was going to be more difficult. I might be recognized. It was a brand-new receptionist. Didn’t matter. I didn’t get in. I walked up like I owned the place. I didn’t even get to the stairs in the lobby before she said: “Excuse me, you need to sign in.” I was like, “How does she know I’m not an employee?”
That year, during their company all-hands meeting, the CEO, who only gets one hour to speak, spent 15 minutes on security. He spent 15 minutes talking about the responsibilities of employees for security awareness, maintaining the security of their personal items, computers, and cubicle space.
They also instituted color-coded lanyards. If you had a green lanyard, you were an employee. If you had a red lanyard, you needed to be walked in and escorted everywhere. And if you had a yellow lanyard, you were a contractor, but not trusted. I didn’t know that at first. So, I registered. I put the name of the person I’m supposed to be working with, and then of course, I was like, “I need to go to the bathroom.”
Instead of turning left into the bathroom, I turned right down this hallway and compromised two machines right off the bat. I’m technically successful. But that didn’t matter. Because there was a woman who was in her office. She got on the phone and reported me because she knew I was sketchy. It was awesome.
I could have gone to the stairs so I could say I ‘escaped’ and therefore won. But no, that’s not what it’s about. So, I start walking toward the receptionist’s office. The guy who I was there to meet was already coming down the hallway because reception reported that I deviated from the path. There was a camera right above the hallway that she gets to watch. She saw that I went the wrong way.
Throughout that whole engagement, even though I compromised every section, someone stopped me. Someone said “no”.
And that’s including the second day. That night, I went back and I got the cleaning crew to let me in. I broke in and I stole all the lanyards – the green ones and red ones and yellow ones. On the second day, I had a green lanyard because those were cool. But they still questioned me and said “no.” They were like: “I’m not allowed to let anybody plug anything into the computer unless I get an email from the help desk. I didn’t get one. If you don’t mind, I’ll call them and verify. And what’s your name again? So I can see if they know you.”
I validated that their security programs were working because, even though I was successful, I was not successful for more than 15 minutes without someone stopping me.
Humans make mistakes but if they correct it and someone reports it, you’re dealing with a 15-minute breach versus a five-month breach. That’s important because we can’t prevent things. We need to stop trying to build defenses as walls. What’s more important is how quickly you can detect and how quickly and effectively you can respond. That’s the dealbreaker for a company that’s going to survive a breach or not.
MF: I appreciate you making the time for us today! Is there anywhere that people should go to learn more about you?
JES: My main site is jaysonestreet.com. Places I go: hackeradventures.world. And I live-tweet my life on Twitter.
Listen to the latest news, tips and advice to level up your security game, as well as guest interviews with leaders from the security community.
This is the third in a series of four posts on how to secure your hybrid workforce. For a complete overview of the topics discussed in this series, download The new perimeter: Access management in a hybrid world.
In the first post in this series, we identified four key considerations to securing hybrid workforces: identity, shadow IT and bring-your-own-device (BYOD), security adoption, and security costs.
Today, let’s talk about shadow IT.
In a hybrid world, not only do we work from everywhere, we use a huge number of apps – 130 at the average organization – to get work done. Some apps are sanctioned by the IT/Security team. Many are not.
Those apps not managed by IT/Security are, by definition, a blind spot. And because you can’t secure what you can’t see, those unmanaged apps are known as shadow IT.
Shadow IT is all the apps we use to get things done that haven’t been explicitly approved – and therefore secured – by IT. It’s usually cloud-based apps, or software-as-a-service (SaaS), which means the data (often sensitive data) we’re storing on them is stored on someone else’s server. It’s the Google Sheet you spin up to keep track of expenses for a project, the Microsoft Word file Legal uses to draft a document, the Dropbox folder someone is using to share files with partners or clients.
If IT doesn’t know about it, it’s shadow IT.
By some estimates, shadow IT comprises as much as 50 percent of the apps we use to get work done. And those apps – those cloud services – are being accessed from airports and coffee shops, from employees' homes and on their commute, from their phones and tablets and personal laptops.
That’s the new perimeter businesses are tasked with defending. And that’s why, in the world of hybrid work, securing that perimeter starts with securing identities – i.e., verifying that the people accessing those apps are indeed who they say they are.
Historically, shadow IT has been something to be feared and fought. It’s an unsanctioned box or server sitting under someone’s desk. But shadow IT is what we use to get things done – and a growing number of CIOs and CISOs see it as an opportunity.
We use shadow IT because we bump up against a limitation in the suite of approved/managed apps at our disposal. Getting things done, after all, is why we work. For that reason, sometimes shadow IT boosts productivity. Sometimes it’s the difference between whether employees complete a task or not.
Of course, there are security risks. But there are also ways to mitigate them. Embracing shadow IT requires a mindset – and a toolset – shift.
70% of data breaches involved an identity element, which can be as simple as a stolen password. Forrester expects that number to grow to 90% in 2024.
Here’s a simplified version of what’s happening: Sam in Sales needs to share a file with a prospect. There’s no great way to do that with any of the apps sanctioned by IT, so they create an account on a file-sharing service, upload a couple of files, and send the link to the prospect.
Mission accomplished, from a business standpoint. But when Sam signed up for the file-sharing account, they created it with a relatively weak password to do so. It’s also one they’ve used before for other services, because it’s easy for them to remember.
Now that login is vulnerable, because the password protecting it isn’t strong, random, or unique. And Sam uploaded company data to the service, so if attackers stole the password, they could also use it to access other services Sam uses. Now the company is at risk – and IT has no idea.
This kind of thing happens all the time: 1Password research found that 63.5% of respondents had created an account their IT department didn’t know about in the previous 12 months. Gartner estimated that one-third of successful cyberattacks will be on data stored in shadow IT infrastructure. And that was a few years ago. The risk of shadow IT has grown since.
In a perfect world, Sam could have gone to IT and explained what they were trying to accomplish. IT would then provide Sam with a tool to get it done.
But IT’s job in a pre-hybrid world was to secure a well-defined perimeter – often one that they themselves had built. Which is to say the default answer to Sam’s query is, historically, a resounding “No.” If IT can’t secure it, employees can’t use it. (In some cases, especially in large organizations with sufficient resources, IT can build the application itself.)
But the role of IT is evolving. Many IT departments are beginning to understand their role as an enabler of the business, rather than being an obstacle to productivity. IT directors are making a deliberate effort to understand the goals of the business, and to leverage the technology available to them to help the business accomplish those goals.
To do that, they need new tools, particularly in their identity and access management (IAM) stack: tools that will secure every access attempt, regardless of whether access originates on a cell phone in a coffee shop or on a company laptop in the office, and regardless of whether the app is sanctioned or not.
Single sign-on, or SSO, plays a crucial role in the IAM stack. Without it, employees sign up for services, log in to them on their own, and manage all those logins themselves.
With SSO, employees log in to their SSO provider instead. When they do, they see a list of all the services IT has already vetted and approved. They select the service they want to sign in to, and the SSO provider signs them in using a single, strongly vetted identity.
With SSO, then, employees only need to manage a single login: their SSO provider credentials. It’s much easier than managing a ton of credentials, and IT teams get the oversight they need to secure access to those applications.
But SSO doesn’t cover every login – only those IT has vetted and approved. Shadow IT is, by definition, not vetted or approved. So SSO doesn’t help secure shadow IT.
This is where the enterprise password manager (EPM) comes in. EPMs can secure every single set of credentials, first by creating strong, unique, random passwords – or better yet, passkeys – for each login. The EPM can then autofill those credentials, effectively signing in for employees so they don’t have to. Because the EPM both generates and autofills credentials, employees don’t have to remember their passwords, let alone manage them all.
This is how, when the EPM and SSO work together, you fill the holes in your sign-on security model. SSO protects managed applications, and the EPM protects virtually everything else.
That combination mitigates the security risk of shadow IT – not only by protecting each login with stronger, randomly generated credentials, but by making those logins visible to IT, subject to company security policies, and included in audits. That means that if IT chooses to implement, say, a minimum password length, the EPM can enforce that requirement by automatically generating compliant passwords – and only compliant passwords – when employees sign up for any particular service.
Those policies can be further unified with SSO integration provided by the EPM, meaning the same set of IT policies can apply to services governed by SSO and those managed by the EPM.
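As an added illustration of the mechanism described above (policy-compliant generation plus a reuse check of the kind that would have caught Sam’s password), here is example code that is not 1Password’s own; the policy fields, the `SYMBOLS` set and the vault layout are assumptions for this example.

```python
"""Policy-enforced credential generation for unmanaged (shadow IT) logins.

Added example, not 1Password's code. Policy fields, SYMBOLS and the vault
layout are assumptions; a real EPM stores the vault encrypted.
"""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules an admin might set centrally (assumed fields for this example)."""
    min_length: int = 16
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True


# Assumed symbol set; real products expose this as part of the policy.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def complies(password: str, policy: PasswordPolicy) -> bool:
    """Return True only if the password satisfies every rule in the policy."""
    if len(password) < policy.min_length:
        return False
    checks = [
        (policy.require_upper, any(c.isupper() for c in password)),
        (policy.require_lower, any(c.islower() for c in password)),
        (policy.require_digit, any(c.isdigit() for c in password)),
        (policy.require_symbol, any(c in SYMBOLS for c in password)),
    ]
    return all(present for required, present in checks if required)


def generate(policy: PasswordPolicy, length: int = 0) -> str:
    """Draw from the OS CSPRNG and reject any draw that does not comply,
    so the function can only ever return a compliant password."""
    required_classes = sum(
        [policy.require_upper, policy.require_lower,
         policy.require_digit, policy.require_symbol]
    )
    # Never shorter than the policy minimum, and long enough to hold
    # one character of every required class (otherwise rejection never ends).
    length = max(length, policy.min_length, required_classes)
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if complies(candidate, policy):
            return candidate


def is_reused(password: str, vault: dict[str, str]) -> bool:
    """True if the same secret already protects another login in the vault.
    compare_digest on bytes keeps the check constant-time and Unicode-safe."""
    return any(
        secrets.compare_digest(password.encode(), existing.encode())
        for existing in vault.values()
    )


def enrol_login(site: str, vault: dict[str, str], policy: PasswordPolicy) -> str:
    """Create a compliant credential that is unique across the vault, store it
    under the site name, and return it for autofill."""
    while True:
        candidate = generate(policy)
        if not is_reused(candidate, vault):
            vault[site] = candidate
            return candidate


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=20)
    # Constructed sample vault: one weak, memorable password of the kind Sam reused.
    vault = {"crm.example": "Summer2023!"}
    print("existing password complies:", complies(vault["crm.example"], policy))
    new_pw = enrol_login("file-sharing.example", vault, policy)
    print("generated:", new_pw, "complies:", complies(new_pw, policy))
    print("reused elsewhere:", is_reused(new_pw, {"crm.example": "Summer2023!"}))
```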
This is how IT supports business goals and productivity, rather than inhibiting those goals.
But there is a catch: In order to secure shadow IT, strengthen your security posture, and enable productivity, the EPM, like any cybersecurity tool, has to be widely used. And in order to be used, it has to provide a good experience to the worker. If it doesn’t, we’re back to square one: Workers will simply skirt the intended workflow to get things done, and IT will remain in the dark.
Good UX, then, is a boon to security, increasing adoption to help you secure your hybrid workforce without slowing them down. We’ll explore the relationship of productivity and security – along with getting a handle on security costs – in the next post.
Learn about the four key considerations to securing your hybrid workforce, and why reducing risk starts with securing employee login credentials.
Download now
Today, it’s our pleasure to announce a new global partner program for 1Password resellers, distributors, cloud service partners (CSPs), system integrators (SIs), and global system integrators (GSIs).
If you’re part of the global ecosystem of 1Password partners, you’ll notice new investments to help you secure your customers, differentiate your offering, and grow your revenue. That includes key sales, marketing, and enablement resources and a simplified partner experience in the near term, with many more initiatives to follow in the coming months.
And if you’re looking for a world-class solution that can provide enterprise password management with simple, lucrative and supportive partner programs, look no further. We encourage you to learn more and understand how we can help you achieve your growth objectives while simultaneously increasing your customers’ security posture.
The new partner program is a reflection of our deep commitment to the resellers, MSPs, and distributors that comprise the global ecosystem of 1Password partners. Throughout 2024, we’ll introduce new tools, resources, and incentives to help partners secure their customers and grow their business, including:
Register for the 1Password Partner Program to protect your customers and grow your business.
1Password is excited to announce the development of our MSP solution, available later this year, which will provide MSPs:
All this functionality and more will allow MSPs to manage multiple customers from a single purpose-built platform.
In the meantime, MSPs and managed security service providers (MSSPs) are invited to join the new 1Password MSSP Incubation Program to take advantage of the many opportunities for us to work together to secure your customers and grow your business. We’re offering assets tailored for MSPs today with additional incentives for MSPs and MSSPs coming later this year – and you’ll also have a chance to be part of the MSP beta platform testing and launch.
Learn more about exclusive MSSP Incubation Program features.
With 1Password, IT gets control over the security policies that govern employees' use of passwords and other sign-in details, and insight into potential vulnerabilities like weak or compromised passwords.
And 1Password is leading the way to a passwordless future, which is in fact a passwordless present. We look forward to continued growth within the partner community.
Celebrating Black innovators and their contributions to society is incredibly important. It’s an opportunity to reflect on history and recognize the impact these visionaries have had, both by shaping our present and influencing the future.
This Black History Month, 1Password proudly spotlights some extraordinary figures who have made significant contributions to technology, agriculture, education, media, culinary arts, and other important fields. Join us in acknowledging these trailblazers, as we believe their stories are integral to a more inclusive and enlightened narrative.
Mark E. Dean, an American computer scientist and engineer, played a pivotal role in developing the original IBM PC and color PC monitor. His contributions extend to the invention of the first gigahertz chip, showcasing his pioneering work in computer technology.
Tope Awotona, a Nigerian-born entrepreneur, founded Calendly, a widely-used scheduling tool that simplifies appointment management. Awotona’s background in software development and entrepreneurship led to the creation of this user-friendly platform.
Frederick Hutson, an American businessman, founded Pigeonly, a company that connects people with incarcerated loved ones. Hutson’s entrepreneurial spirit took flight early, having launched and sold his first business while on active duty in the United States Air Force.
Lisa Carter, an award-winning tech entrepreneur and CEO of Discussion Box, leads a virtual events platform for culture-shifting brands.
Renowned for his groundbreaking research on peanuts, sweet potatoes, and soybeans, George Washington Carver had a huge impact on American agriculture. His work promoted crop diversification and sustainable farming practices.
Tinia Pina, founder and CEO of Re-Nuble, focuses on sustainable waste management and regenerative agriculture. Advocating for climate-smart agriculture, Pina leads a social enterprise that uses unique technologies to upcycle organic waste.
Jasmine Crowe-Houston, founder and CEO of Goodr, addresses food waste and hunger by connecting surplus food from businesses to communities in need.
Mary McLeod Bethune, an advocate for racial and gender equality, founded a boarding school for African American girls in 1904. Her contributions extended to advising U.S. presidents on minority affairs.
Dr. Johnetta MacCalla, CEO of Zyrobotics, pioneers inclusive STEM-related educational technologies that address the diverse needs of children, especially those with differing abilities.
Gori Yahaya, founder and CEO of UpSkill Digital, focuses on providing digital skills training and consultancy.
Bob Johnson is an entrepreneur, media magnate, and investor. He is the co-founder of Black Entertainment Television (BET) and made history in 2002 by becoming the first African American majority owner of a major professional sports team in the United States.
DeShuna Spencer, founder and CEO of kweliTV, promotes diversity and inclusion in the media industry through a streaming platform that showcases independent films and documentaries.
Joseph Lee, an African American chef and inventor credited with inventing the bread crumb machine, revolutionized food waste reduction.
Riana Lynn, founder of Journey Foods, leverages artificial intelligence and data analytics to deliver personalized and healthier food products.
Dr. Lisa Dyson, CEO and co-founder of Air Protein, pioneers sustainable protein production by transforming carbon dioxide into protein using innovative microbial technology.
These trailblazers have not only shaped the present but are influencing and inspiring the next generation. By highlighting the remarkable contributions of Black visionaries we hope to weave a new narrative in society that enriches our collective understanding of history and paves the way for a more inclusive future.
Now, as we shift our focus to celebrating Black History Month at 1Password, we carry forward this commitment to diversity, inclusion, and the amplification of voices that have, for too long, been underrepresented. Black History Month provides a meaningful opportunity to amplify and celebrate the rich contributions of Black people.
Here’s how we’re striving to create a more inclusive narrative inside 1Password:
Real Talk Panel. We’re putting on a panel with four of our Black Caucus ERG (employee resource group) members who will share the profound impact of art, music, dance, and literature on their lives.
Black Caucus-led Book Club. We’re excited to offer a book club to our ERG members to create a space that celebrates the diverse voices of Black authors across genres. This isn’t just about reading; it’s a powerful way to support Black creatives and contribute to a more inclusive literary landscape.
Virtual Celebration with DJ K-Love. We’re excited to present DJ K-Love who will guide our employees through an hour of music by Black artists across all genres, accompanied by engaging and fun music facts.
And here’s what we’re doing externally to make a positive impact:
Donating 1Password memberships. In the spirit of giving back, we’re donating 100 subscriptions to a Canadian-based organization that supports Black youth. By providing resources and tools, we aim to contribute to the growth and development of future leaders.
Supporting Big Brothers Big Sisters. We’re encouraging our employees to volunteer at Big Brothers Big Sisters, a charity that provides mentorship to young people and, in the process, strengthens local communities. Through conscious choices, we can collectively contribute to a more vibrant world.
We hope you join us in honoring the past, celebrating the present, and working towards a more inclusive future. Your participation and support make a difference not just this month but throughout the year. Let’s continue building a community that values and uplifts diverse voices.
It’s easy for leaders to get swept up in the fast-paced and always-on nature of our jobs, leaving little opportunity for downtime. My mind races far too much, so it’s become important to find activities to engage in regularly that take me away from Zoom and Slack, and give me perspective.
In today’s busy world, the emphasis on being constantly connected and productive can be overwhelming. However, through my own work and career, I’ve noticed an essential truth: everyone needs a hobby or distraction from work. It’s more than just a hobby though – it’s a necessity for maintaining a healthy mind and body.
For those who don’t know me well enough just yet, that escape is my tractor. Large equipment has always been a significant part of my life. This hobby started when I was 8 or 9 years old with my granddad bringing me to the rock quarry where he worked and letting me “drive” the various machines. As part of my upbringing, this hobby is both a connection to my past and something that grounds me in the present.
I’m fortunate to have a small farm on the outskirts of Waterloo, Ontario, Canada – a few acres of corn and soybean along with some forest and trails. Being out in nature, driving my tractor and tending to my property requires a perfect combination of focus and attention. I find it incredibly grounding and in complete contrast to the around-the-clock nature of my job. It’s also a welcome change of scenery that allows me to recharge my batteries.
Working on my tractor has become more than just a pastime – it’s an opportunity to center myself and find balance. It keeps me refreshed and ready to tackle any tough problems that come my way in life.
There’s also this undeniable satisfaction in getting my hands dirty – it’s a rewarding experience that’s completely different from what I encounter in my day-to-day work at 1Password. Everything feels a bit more manageable when I’m on my farm – it’s like my own personal version of yoga! The feeling of accomplishment when I do something ‘hands-on’ is therapeutic in a way that’s hard to put into words.
The beauty of this hobby is that it demands just enough concentration to prevent my thoughts from drifting back to work, yet it’s not so demanding that it creates another source of stress.
For me, the difference between fun and frustrating is the amount of time it takes to accomplish a task, and because of that, I set no deadlines on my tractor work. In the moment, time slows down, and I have a sense of peace that can be hard to come by in the hustle and bustle of the tech world. It’s just me, the tractor, and the land, and the simplicity of that is something I find invaluable.
In tech, we often talk about innovation and pushing boundaries. But sometimes, simply stepping away from the screen can result in returning to a task with a clearer and more effective state of mind. I solve problems better, think through complex issues more creatively, and (I believe) become a better leader.
My hobby feels like hitting the ‘reset’ button and giving myself opportunities to find clarity and inspiration. It’s a self-reminder that success isn’t just about the hours we put into our work – it also comes from the ways we recharge and take care of ourselves.
If you haven’t done so already, I encourage you to find your ‘tractor’. It should be something that requires just enough attention to force your mind away from work but not one that adds extra pressure to your day.
Finding this balance is crucial. Engage in what ignites your passion, and watch how it transforms not just your free time but your productivity and mindset too. It could be anything that resonates with you. Just make the time for it. What matters is that it’s an activity that allows you to unwind and offers a sense of fulfillment.
As for my current project, I recently bought a 10-year-old tractor that I’m excited to bring back to life. Revitalizing it is a lot like working through the various challenges that crop up in the tech world. You learn, adapt, and see pieces come together in a rewarding way. It’s already been an exciting adventure that helps me clear my mind – and if you’re curious, you’re welcome to follow along on Instagram.
Read more of my thoughts and advice, as well as updates about what's happening inside 1Password, over on LinkedIn!
This is the second in a series of four posts on how to secure your hybrid workforce. For an overview of the topics discussed in this series, download The new perimeter: Access management in a hybrid world.
In the first post in this series, we identified four key challenges to securing your hybrid workforce: identity, shadow IT, the security vs. productivity tradeoff, and cybersecurity costs.
Today, let’s dive into identity and access management. (We’ll explore the other topics in upcoming posts, so stay tuned.)
In 2023, 70% of data breaches involved an identity element, which can be a vulnerability as simple as a stolen password. And that number is growing – Forrester expects it to climb to 90% in 2024.
This is happening for a number of reasons, but hybrid work is high on the list. Instead of badging in to a secure workplace, or using a VPN to access a secure network, we’re working everywhere: from the office, from home, from the coffee shop, at the airport.
And instead of working on-premises solely from company-provided devices, we’re working both in the office and remotely from many devices, including our own personal devices.
We’re also using a ton of apps to get work done. Today we use twice as many apps for work as we did in 2019, according to Gartner.
It’s a lot. And as a result, IT has to manage and secure about 125 apps. We access them from multiple devices and from many different locations, and so the perimeter that IT is tasked with defending is porous and always moving.
It’s no longer possible to build a virtual wall around those company networks and company-provided devices. Instead, securing a hybrid workforce requires verifying identity. Not just “should this access attempt be allowed?” but “Is this person who they say they are?”
If a cyberattack starts with access, every access attempt starts with identity. When you verify identity, you secure the source of the access attempt.
But how do you do that? What additional security measures help verify identity to secure a hybrid workforce? To answer that, let’s start with a new technology that illustrates why strong identity verification works so well: passkeys.
Passkeys are a more secure replacement for passwords. They consist of two parts: a public key and a private key.
The public key resides with the service you create the passkey for. The private key stays on your device. The two keys are mathematically linked, like interlocking puzzle pieces. When you try to access a service, that service checks to see if the puzzle pieces fit together. If they do, you’re signed in.
Passkeys are often backed by biometrics. You give the service in question permission to check that your private and public keys match up using your device’s built-in biometrics, like your fingerprint or Face ID.
Let’s break down why this is more secure than traditional passwords.
Think back to what you know about multi-factor authentication (MFA). The reason it’s “multi-factor” is because it uses multiple factors to sign you in. Those factors come in one of three forms: something you know, something you have, or something you are.
MFA typically uses two of those three factors. It wouldn’t be particularly secure to back up something you know with something else you know, since both can be stolen.
The password, for example, is something you know. If you use a hardware key (like a Yubikey) for two-factor authentication, you’re combining something you know (your password) with something you have (the Yubikey). That’s harder to falsify.
Biometrics verify your identity with something you are (your face or fingerprint). So while passkeys are something you have (the private key on your device), they’re backed up with something you are (biometrics) when you give a service permission to access that private key.
That’s how passkeys verify your digital identity: by verifying something only you have and something only you are. And the private key never leaves your device, so it can’t be compromised in a phishing attack. In fact, that’s what makes it resistant to most social engineering attempts.
So, passkeys illustrate why verifying an access attempt at the identity level is the secure way to go.
Partly for that reason – and partly because they’re so darn convenient – passkeys are the future (and the present).
But passwords aren’t going away anytime soon. They’re too ubiquitous, too widely supported, and everyone knows how to use them.
That doesn’t change the fact that weak, compromised, and reused passwords are still the weakest link against cyberthreats.
But if we’re juggling dozens if not hundreds of apps, how realistic is it to expect employees to create strong, unique passwords for every app they use – let alone manage all of them themselves?
Not very, which is why an enterprise password manager (EPM) is the key to securing a hybrid workforce.
It doesn’t matter if employees are signing in to an approved app on a company device from the office, or a productivity app on their phone from the airport. If they’re using an EPM, the EPM is doing the work for them.
Companies can set their own minimum security requirements, and the EPM will ensure that every sign-in, on every device, meets those requirements. It can also flag weak, reused, or compromised passwords so employees can fix the problem before it becomes an issue.
That being the case, employees don’t even have to remember, let alone manage, all those passwords. The EPM will simply autofill their credentials for them. This is what it means to make the secure thing to do the easy thing to do.
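Here is an added illustration, not 1Password's code, of the vault health check described above, run over a constructed four-entry vault. `Entry`, `Audit`, `BreachKey` and the sample data are this example's own. The breach set is keyed by SHA-1 hashes because that is how breach corpora are commonly distributed, so the audit compares hashes rather than plaintexts; the two plaintexts used to build the sample set are there only so the demo is self-contained.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"strings"
)

// Entry is one saved login in the vault.
type Entry struct{ Site, Password string }

// BreachKey hashes a password the way breach corpora are commonly distributed
// (upper-case hex SHA-1), so the audit compares hashes, never plaintexts.
func BreachKey(pw string) string {
	sum := sha1.Sum([]byte(pw))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// Constructed sample data for this demo. A real corpus ships hashes only;
// the plaintexts below exist so the example runs offline.
var SampleBreach = map[string]bool{
	BreachKey("hunter2"):     true,
	BreachKey("Summer2023!"): true,
}

var SampleVault = []Entry{
	{"intranet.example", "Summer2023!"},
	{"crm.example", "Summer2023!"},
	{"hr.example", "hunter2"},
	{"git.example", "kQ7#pL2vN9$wX4mZ"},
}

// Audit returns, per site, the problems an EPM would surface: "weak"
// (shorter than minLen), "reused" (same password saved for more than one
// site) and "compromised" (hash found in the breach set). Clean entries are
// omitted from the result.
func Audit(vault []Entry, minLen int, breached map[string]bool) map[string][]string {
	count := map[string]int{}
	for _, e := range vault {
		count[e.Password]++
	}
	findings := map[string][]string{}
	for _, e := range vault {
		var f []string
		if len(e.Password) < minLen {
			f = append(f, "weak")
		}
		if count[e.Password] > 1 {
			f = append(f, "reused")
		}
		if breached[BreachKey(e.Password)] {
			f = append(f, "compromised")
		}
		if len(f) > 0 {
			findings[e.Site] = f
		}
	}
	return findings
}
```

Running `Audit(SampleVault, 16, SampleBreach)` flags the two sites sharing `Summer2023!` as weak, reused and compromised, flags `hr.example` as weak and compromised, and leaves `git.example` out entirely; that per-site list is what an employee would be shown so the problem can be fixed before it becomes an issue.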
Most EPMs also support passkeys, to varying degrees. So employees can stop thinking about how they sign in (Password? Passkey? Something else?) and just… sign in.
Finally, the principle of least privilege is another key aspect of identity security. PoLP is usually at the heart of a robust zero trust strategy.
The premise is simple: only give people the minimum amount of access they need to do their jobs, and no more. By minimizing the total number of assets someone has access to, you reduce your overall risk and your attack surface.
Again, EPMs make this easier by giving you control over how your employees access, use, and share items. Because you have control over user access, you can permit access in a way that aligns with your security policies. That might mean creating IP restrictions, mandating certain MFA requirements, or integrating with your SSO provider and policies.
Passkeys, strong, unique logins, and the principle of least privilege help us secure hybrid workforces at the source of each access attempt. And that might be enough, if we knew exactly what employees were logging in to. But with hybrid work, we often don’t.
So in addition to securing access to the apps we know about (managed apps), we have to secure access to the ones we don’t (unmanaged apps, or shadow IT). We’ll explore how to do that – including the mindset shift it requires of IT and security teams, and why single sign-on alone leaves gaps in your sign-on security model – in the next post.
In the meantime, you can learn how to secure your hybrid workforce right now by downloading The new perimeter: Access management in a hybrid world.
This is the first in a series of four posts on how to secure your hybrid workforce. For a complete overview of the topics discussed in this series, download The new perimeter: Access management in a hybrid world.
To secure your company, it used to be enough to secure the workplace and its entry points – because work was happening at work. There was a clearly defined perimeter to defend against attackers.
In hybrid work environments, work happens everywhere: in the office and at home, at coffee shops and coworking spaces, on laptops and phones and tablets. And to get that work done, we use a lot of apps.
Hybrid work – which was a thing well before the pandemic, but was massively accelerated by it – is the new normal we’re all adjusting to. Even now, office attendance is 30% lower than it was pre-pandemic. There’s no going back.
Suddenly secure networking, VPNs, endpoint protection, and employer-provided devices (basically the entirety of our old cybersecurity toolset) are no longer enough. How do you secure access in a hybrid world where remote work is more common than ever?
How do you protect a perimeter that’s constantly shifting and often spans the globe?
This is the question every CISO, every IT and security team, and indeed every business is grappling with. And while the discussion of how to protect your company against the next big data breach or cyberattack could fill a library on its own, the question of where to start is surprisingly simple.
Let’s break down four key considerations to securing your hybrid workforce: identity, bring-your-own-device (BYOD) and shadow IT, the security vs. productivity tradeoff, and security costs.
For a deeper dive into these four considerations, download The New Perimeter: Access management in a hybrid world.
70% of data breaches in 2023 still involved an identity element. Protecting your company starts with validating the identity of every single sign-in attempt. Frankly, many companies don’t do this particularly well right now, so herein lies the greatest opportunity – the lowest-hanging fruit – to strengthen your security posture.
Identity requires arguably the biggest mindset shift in a hybrid world. Instead of securing the entry point for a given access attempt, hybrid work requires that we secure the source of the attempt: the identity of the person or entity trying to gain access to business resources.
In other words, instead of asking “should this person have access to this resource,” a focus on identity means asking “Is this person who they say they are?”
For example, single sign-on (SSO) providers were built for a pre-hybrid world. A predefined list of company-approved apps are secured behind SSO, so that no one can sign in to those services unless they first sign in to their SSO provider. It’s a stronger credential that users are signing in with – but SSO alone can’t prove that someone is who they say they are.
SSO also leaves gaps in coverage, because only the apps and services that IT knows about can be approved, and thus put behind SSO.
But on average, 30% of applications used by employees are not managed by the company, according to Gartner. In fact, they’re a complete blind spot: IT doesn’t even know workers are using these apps to get things done. That’s shadow IT.
When someone in Finance spins up a Google Spreadsheet instead of the company-approved Excel, or someone in Design uses Sketch instead of the company-approved Figma, that’s shadow IT. By definition, IT can’t see that sign-in, so they can’t secure it.
All those sign-in attempts can originate anywhere, on any device – and IT only provides secure access to a sliver of them.
Workers aren’t trying to skirt security protocols, of course. They’re just trying to get things done, and sometimes the approved tools are limiting.
85% of employees have knowingly broken cybersecurity rules in order to get work done (Harvard Business Review). Historically, strong security comes at the cost of diminished productivity. This is a false tradeoff.
This is because it used to be IT’s job to stop certain unvetted activities from happening. Today, IT needs to be a business enabler. To do that, they need to understand business goals and how workers get things done, in order to help them get those things done securely.
Taking this path requires, first and foremost, the right tools for the job. Where legacy security tools are notoriously difficult to navigate and impose new friction in workflows, the ideal tool does the opposite, making the secure thing to do the easy thing to do.
In that scenario, everyone wins: The tool itself ensures that minimum security requirements defined by the company are always met, and the worker doesn’t have to use crazy workarounds that compromise security to do their job.
The cost of continuing to do things the old way grows every year. There’s the cost of a data breach itself ($4.45 million on average, according to IBM).
There’s the SSO tax, or the cost of adding new services to your SSO provider. And there’s the cost of things like password resets, which comprise a surprising amount of IT’s overall workload.
It all adds up, but it doesn’t have to.
In the coming weeks, we’ll explore these topics in more depth here on the 1Password blog, but you can learn how to secure your hybrid workforce right now by downloading The new perimeter: Access management in a hybrid world.
The mother of all breaches (MOAB). That’s how security experts are referring to the recent discovery of a massive database composed of data from thousands of previous breaches, leaks, and databases of private data.
“But why should I care? How does it impact me?”
The breach includes over 26 billion records. That’s staggering. And that means if any of your accounts are included (or if you reuse passwords anywhere), you need to take action in order to protect yourself and your family.
Here’s the TL;DR.
Anyone that has an account with these sites, or has reused passwords associated with these sites, should take action immediately. That means resetting passwords and updating login information wherever necessary to protect yourself. If you have a family, don’t forget to check and update any of their passwords as well.
Long term, there are a few things you can do to help prevent this from happening to you in the future. You can:
The breadth and scale of breaches today makes it all but inevitable that some of your credentials will eventually be compromised. Not even the most sophisticated companies in the world are immune to this.
1Password can help you get a handle on all of your passwords, while also greatly simplifying the hassle of managing them. With 1Password, you can:
Password management is a great example of “an ounce of prevention is worth a pound of cure.” While it may seem like a lot to get it under control, it is still significantly easier to manage than having your identity be compromised.
You can get started with 1Password today.
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your security when sharing files.
Unfortunately, you can’t password-protect a folder in Google Drive. The best you can do is set permission controls that let you determine who can and cannot access a folder — or more precisely, which email addresses.
If you’re the owner of a folder (the person who created it), you can remove permission to access it from whomever you gave it to whenever you want. While this gives you some measure of control, it may still feel a little unsafe, especially when sharing folders. After all, when you share a file or folder, you want to make sure only the intended recipient can access it.
If you want to password-protect a shared folder or have real control over the files you share and who you share them with, Proton Drive makes access control simple. We developed our cloud storage service so everyone can securely store their files online and access them anywhere.
There are several factors that make Proton Drive unique among cloud storage providers. Most importantly, we use end-to-end encryption to protect your files and folders, meaning your files and their metadata are encrypted at all times. As a result, nobody but you and your intended recipient can see the files you share, not even us. Google Drive does not offer this type of security.
On top of that, we offer a lot more access control options when you share folders. For example, besides letting you decide exactly who to share your files with and allowing you to revoke access at any time, you can also set expiration dates on links. Most importantly, you can also password-protect links for extra security, adding a layer of security that Google Drive and most other cloud storage services simply don’t have.
We can do all this because unlike Google, we put our customers first. While Big Tech firms rely on surveillance capitalist business models, we’re entirely supported by you, the Proton community. As a result, we can focus on providing features and services that help you protect your information rather than trying to find ways to collect it surreptitiously.
We offer up to 5 GB of storage for free, so anyone can try Proton Drive. If free private storage with a company that puts you first sounds like something you’d like to be part of, create an account today.
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing attacks and make your online experience smoother and safer.
Unfortunately, Big Tech’s rollout of this technology prioritized using passkeys to lock people into their walled gardens over providing universal security for everyone. And many password managers only support passkeys on specific platforms or provide them with paid plans, meaning you only get to reap passkeys’ security benefits if you can afford them.
We’ve reimagined passkeys, helping them reach their full potential as free, universal, and open-source tech. We believe online privacy and security should be accessible to everyone, regardless of what device you use or your ability to pay. That’s why passkey support is now available to the entire Proton Pass community.
Passkeys are a new way of authenticating yourself when signing in to an account. When you create an account, instead of entering a username and password, you create a pair of cryptographically linked keys: one public, one private. The private key is stored in your device or password manager and confirms your identity when you log in to your account.
Passkeys are a promising alternative to traditional passwords and two-factor authentication as they streamline the login process. Few websites currently support passkeys, but the adoption rate is increasing as more and more people see their benefits. By adding support for passkeys alongside passwords, Proton Pass allows you to always use the most secure option available.
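This post and the passkey section of the earlier identity post describe the same exchange: a public key held by the service, a private key that never leaves the device, and a sign-in that succeeds only when the two fit together. Here is an added, self-contained model of that exchange, written for this page and not Proton's or 1Password's implementation, using Ed25519 from Go's standard library. `Service`, `Device` and their methods are assumed names, and the real WebAuthn message formats are simplified to a hash of the site name plus a random challenge; the point is to show why a signature made for one domain cannot be used at another, and why a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Service models the relying party (the site). It stores only public keys,
// so a breach of its database yields nothing that signs in anywhere.
type Service struct {
	RPID   string                       // the domain the passkey is bound to
	keys   map[string]ed25519.PublicKey // user -> public key
	issued map[string]bool              // outstanding challenges, consumed on use
}

// Device models the authenticator (phone, laptop, password manager). The
// private key is created here and is never returned by any method.
type Device struct {
	creds map[string]ed25519.PrivateKey // origin -> private key
}

func NewService(rpID string) *Service {
	return &Service{RPID: rpID, keys: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}

func NewDevice() *Device { return &Device{creds: map[string]ed25519.PrivateKey{}} }

// Register creates the key pair on the device and sends only the public half
// to the service; these are the "interlocking pieces" the posts describe.
func (d *Device) Register(s *Service, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d.creds[s.RPID] = priv
	s.keys[user] = pub
	return nil
}

// Challenge issues a fresh 32-byte nonce per login so a captured signature
// cannot be replayed later.
func (s *Service) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[hex.EncodeToString(c)] = true
	return c, nil
}

// signedData binds the challenge to the relying-party ID, mirroring how a
// WebAuthn assertion covers the rpIdHash together with the challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs with the key stored for the origin the device is actually
// talking to. A look-alike domain has no key, so the attempt fails here, and
// even a key registered with the look-alike signs over that domain's ID, so
// the genuine service would reject it. That is the phishing resistance the
// posts describe: the user never has a secret to hand over.
func (d *Device) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := d.creds[origin]
	if !ok {
		return nil, errors.New("no passkey registered for " + origin)
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// Verify checks the signature against the stored public key over the
// service's own RPID and a challenge it issued, then retires that challenge.
func (s *Service) Verify(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !s.issued[key] {
		return false // unknown or already-used challenge
	}
	delete(s.issued, key)
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(s.RPID, challenge), sig)
}
```

A genuine login is `Register`, then `Challenge`, `Assert` with the real domain and `Verify`. Presenting the same signature a second time fails because the challenge has been retired, and a relayed challenge signed for a look-alike domain fails because the signed data includes that domain's hash and the signing key was never registered with the genuine site. Biometrics sit in front of `Assert` in a real authenticator: the fingerprint or face unlock is what authorises the device to use the private key, and nothing biometric is ever sent to the service.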
Learn more about how passkeys work
Proton Pass is giving everyone access to this basic security tool. Passkeys make security easier, which makes everyone more secure. Proton Pass’s approach to passkeys is markedly different from that adopted by other password managers and embodies Proton’s philosophy of making security and privacy tools as widely available as possible.
Passkeys are platform agnostic in Proton Pass. You can easily store and manage your passkeys on any browser and in all our apps, giving you the choice of what platform to use.
We’ve also given passkeys and passwords equal priority so that you can use them interchangeably in our apps. This means you can store, share, and export passkeys just like you can with passwords. This flexibility is part of our commitment to maintaining convenience and interoperability, ensuring passkeys are as user-friendly as traditional passwords.
Proton Pass simplifies the already simple process of using passkeys with our user-friendly interface. You can use passkeys to log in to a website or app with a single click or tap, making passkeys as easy to use as passwords (if not easier), ensuring everyone can log in quickly and securely.
Our passkey implementation is open source and based on the open FIDO standard, so you can verify the security of our code like you can with all our applications and features. And like all Proton apps, Proton Pass protects your passkeys and their associated metadata (like URLs) with end-to-end encryption, so nobody else can see your data, not even us.
Passkey support is available on all plans, including Proton Pass for Business. This gives your organization added security against phishing attacks and data breaches for your team accounts that support passkeys. Our intuitive interface doesn’t require any training to onboard your team, enabling businesses to instantly improve their security.
Adding universal support for passkeys is just one of the many new features we will be introducing in Proton Pass this year to ensure that everybody can have access to easy-to-use and platform-agnostic password management.
To learn more, you can also check out our guide for using passkeys today.
Adding passkey support to Proton Pass is just the first step towards broader passkey support in Proton, and we look forward to continuing to serve the community in the years to come.
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, and how does it work?
A passkey is a form of identification you can use to gain access to an account. Passkeys replace the need for passwords and two-factor authentication (2FA) by using your device to identify you. Since you no longer have a password to steal, passkeys protect against phishing. Passkeys are also less susceptible to brute-force attacks as they work by creating cryptographic keys.
The definition above probably sounds vague, so the best way to explain is by comparing passkeys to something you’re more familiar with, namely passwords. Normally, you gain access to an account by entering the credentials you gave when you created it: your username (often your email address) and password.
Not so with passkeys. When you create an account with a service that supports passkeys, your password manager generates a set of encryption keys. The next time you try to access the site, it will recognize the keys you hold and log you in without the need to enter your password.
Passkeys use the principle of asymmetric or public-key cryptography. We go into more detail about this in our article on how encryption works, but the short version is that when you create a passkey, your password manager generates two mathematically connected numeric keys: one public, one private.
The service you’re signing up for holds the public key, while you as the user hold the private one, which is stored in your password manager. When you log in, the service sends a challenge to your device that can only be answered correctly by your private key; the service checks the answer against the public key, identifying you as the account owner.
The system is very secure and practically impervious to brute force attacks. To crack the kind of numbers used in public-key cryptography would take a combination of the world’s supercomputers billions of years.
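The challenge-response exchange described above, as an added example that is not Proton’s code: a minimal relying party (the service, which stores only public keys) and an authenticator (the password manager, which keeps the private keys) using Ed25519. The domain binding is a simplification of WebAuthn’s RP ID hash, and names such as RelyingParty and Authenticator are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is the service side. It stores only public keys and the
// outstanding one-time challenges, so a breach of this store yields no logins.
type RelyingParty struct {
	ID         string                       // the domain the keys are bound to
	publicKeys map[string]ed25519.PublicKey // account -> registered public key
	challenges map[string][]byte            // account -> challenge awaiting an answer
}

// Authenticator is the user side (password manager or device). Private keys are
// indexed by the domain they were created for: a look-alike domain has no key,
// which is what makes passkeys resistant to phishing.
type Authenticator struct {
	privateKeys map[string]ed25519.PrivateKey // "domain/account" -> private key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, publicKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{privateKeys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair for this domain and account and hands only
// the public half to the service; the private half never leaves the authenticator.
func (a *Authenticator) Register(rp *RelyingParty, account string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.privateKeys[rp.ID+"/"+account] = priv
	rp.publicKeys[account] = pub
	return nil
}

// BeginLogin issues a random, single-use challenge for the account.
func (rp *RelyingParty) BeginLogin(account string) ([]byte, error) {
	if _, ok := rp.publicKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	rp.challenges[account] = challenge
	return challenge, nil
}

// signedMessage ties the challenge to the domain it came from (simplified RP ID hash).
func signedMessage(domain string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(domain))
	return append(h[:], challenge...)
}

// Answer signs the challenge for the domain the browser is actually on.
// With no key registered for that domain (e.g. a look-alike), it refuses.
func (a *Authenticator) Answer(domain, account string, challenge []byte) ([]byte, error) {
	priv, ok := a.privateKeys[domain+"/"+account]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %s", domain)
	}
	return ed25519.Sign(priv, signedMessage(domain, challenge)), nil
}

// FinishLogin verifies the signature with the stored public key and consumes the
// challenge, so a captured answer cannot be replayed.
func (rp *RelyingParty) FinishLogin(account string, challenge, signature []byte) error {
	expected, ok := rp.challenges[account]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("challenge unknown, expired or already used")
	}
	delete(rp.challenges, account)
	if !ed25519.Verify(rp.publicKeys[account], signedMessage(rp.ID, challenge), signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("example.com") // constructed sample domain
	auth := NewAuthenticator()
	_ = auth.Register(rp, "alice")
	ch, _ := rp.BeginLogin("alice")
	sig, _ := auth.Answer("example.com", "alice", ch)
	fmt.Println("login:", rp.FinishLogin("alice", ch, sig))  // login: <nil>
	fmt.Println("replay:", rp.FinishLogin("alice", ch, sig)) // replay: challenge unknown, expired or already used
	_, err := auth.Answer("examp1e.com", "alice", ch)
	fmt.Println("look-alike:", err) // look-alike: no passkey registered for examp1e.com
}
```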
For you, the user, the whole login procedure is entirely seamless: All the above happens automatically and virtually instantly. The only real downside to using passkeys is that few sites use them at the time of writing; adoption is slow because implementation can pose problems. Supporting passkeys can get very technical, and since passwords and passphrases are highly secure there’s not always a direct need to bother with it. On top of this, there are moments when using a passphrase can be more useful, as it can be more easily memorized.
Even if more sites used them, another issue is that many devices don’t support passkeys. For example, Android users can only use them if they’re using Android 14, and even then only if they have enabled some specific options — read more about this in our article on enabling passkeys.
To use passkeys, you need to use a program that can send and receive the keys that make up the passkey. For most people this will be a password manager, a program that stores and manages passwords and, more recently, passkeys. Currently, not all password managers support passkeys, across all devices, but Proton Pass does.
As secure as passkeys are, they do create a single point of failure: if somehow somebody gets access to your passkeys, you’re in trouble. To prevent this from happening, Proton Pass uses end-to-end encryption to make sure your passkeys are always stored safely on our servers; nobody can access them, not even us.
On top of that, we are also platform agnostic: You can use passkeys on any site that supports them, using any of your devices as long as they are compatible.
Add to this our acclaimed interface, and you have a convenient way to implement this modern security tool. If you’re interested in knowing more about how Proton works, create a free Proton account today or check out our guide on how you can get started using passkeys.
No, you can’t log in to Proton Pass apps using passkeys; you log in with a password or passphrase, or via biometrics.
No, they replace passwords completely, as they work entirely on key pairs.
An encrypted version of your private key is stored on Proton’s servers, while the public key is held by the service you have an account with.
Nothing, they will still be on your device, making it imperative that you secure your Proton Pass app with a PIN or biometric scan.
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.”
But Apple’s lawyers are telling a different story. In a recent court filing, they told a judge, “Given Apple’s extensive privacy disclosures, no reasonable user would expect that their actions in Apple’s apps would be private from Apple.”
This article, part of our series on privacy washing, examines several reasons the iPhone doesn’t live up to its marketing claims or consumer expectations. It certainly doesn’t align with the privacy standard we use at Proton. But there are a few steps you can take to improve your iPhone privacy.
This article explains what data Apple collects about you and highlights two recent revelations: that Apple was secretly sharing data with law enforcement agencies and left a security backdoor that may have been exploited by the Chinese government for political repression.
Contrary to the claim that what happens on your iPhone stays there, Apple constantly gathers data from your phone whenever you use Apple services, the App Store, or the Apple News or Stocks apps, each of which has its own privacy policy.
Apple can see all your data in iCloud Mail, Contacts, and Calendar. If you use these apps, there’s no way to turn on end-to-end encryption.
By default, Apple can also see your photos, iCloud and Messages backups, notes, reminders, voice memos, and more. You can, however, turn on end-to-end encryption for this data by enabling Advanced Data Protection.
We explained the limitations of Apple’s encryption in our article about iCloud privacy.
There’s a perception that, as a hardware company, Apple doesn’t need to collect personal data. But as computer and phone sales slow down, the company is searching for new revenue sources.
In fact, from 2022 to 2023, Apple’s hardware sales fell by over $18 billion. Meanwhile, revenue from services, including advertising, has grown steadily.
To deliver targeted ads, Apple collects information about your device, location, App Store searches, shows you watch, and books and articles you read.
Read more about Apple advertising tracking here
In December 2023, a US senator revealed that Apple had received sealed court orders that forced it to secretly share push notification data with law enforcement agencies in the US and foreign countries. (He did not reveal what other countries.) Apple claims federal authorities prohibited them from disclosing these surveillance requests.
As a US-based company, Apple is vulnerable to this kind of secret surveillance. Even so, Apple did not take even minimum precautions to protect users’ privacy, such as requiring a court order before disclosing push notifications. The company quietly updated its privacy policy following the scandal.
Proton, by contrast, is based in Switzerland, so it would be illegal for us to comply with a foreign request without a valid Swiss court order. We not only require court orders but also often challenge them.
In January, another story broke. This time, security researchers in Beijing reported an Apple bug that allows attackers to identify senders via AirDrop, which Chinese government officials said they used to identify people sharing “inappropriate information”.
It turns out that a German research group had notified Apple about this very issue in 2019, but the company didn’t fix the problem. The group subsequently published an open-source fix in 2021. But Apple left the vulnerability in place.
Compared with other hardware manufacturers, Apple offers much greater privacy, robust security features, and a great user experience. If you use Apple products, there are simple steps you can take to keep the company out of your data.
First, you can turn on Advanced Data Protection or turn off iCloud syncing if you don’t need it. You can also turn on Advanced Data Protection while turning off iCloud specifically for the services that don’t support end-to-end encryption, such as Mail or Calendar. You can also turn off location tracking for apps that don’t need it.
Next, you can switch to privacy-focused alternatives for Apple Mail, Calendar, iCloud, iMessage, and other apps. Signal is an encrypted messenger service. And Proton offers end-to-end encrypted alternatives for email, calendar, cloud storage, and password management. Since our only source of revenue is subscriptions, we don’t need to collect data and our only incentive is to protect your privacy.
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.
The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns about the threat of phishing – a common scam hackers use to trick people into sharing sensitive data or downloading malware that can lead to identity theft, credit card fraud, or other cybercrime.
In this article, we will explore what you need to know about the attack on France Travail and ways you can protect yourself and your private data from potential phishing scams.
When it happened: On March 13, France Travail announced it had fallen victim to a cyberattack that unfolded sometime between February 6 and March 5.
How many people were impacted: The National Commission for Information Technology and Liberties (CNIL) estimated that the attack led to the theft of personal data tied to nearly 43 million citizens. Passwords and bank details were not stolen in the breach, according to CNIL, but other sensitive information about job seekers was compromised.
What data was exposed: First and last names, social security numbers, dates of birth, email addresses, postal addresses, phone numbers.
How to know whether you were impacted: You may have been affected in the France Travail cyberattack if you are currently registered as a job seeker on France Travail, you have registered in the last 20 years, or you have a candidate page on their website.
Context: The recent attack on France Travail came a few weeks after a cybersecurity breach targeted third-party payment providers for mutual insurance companies in France. Hackers seized very similar data in a breach that impacted as many as 33 million people.
Every piece of personal information has a use in the toolbox of a hacker looking to commit cybercrime. The first step in defending yourself from such attacks is understanding how your own data can be used against you.
If you have fallen victim to a data breach, don’t panic. Having the right frame of mind and following a few simple tips can help reduce the risks of further damage.
When you receive an email, the sender’s name that appears in the “From” field is not always information you can trust. In the example below, the sender’s email address is suspicious.
The gibberish Gmail address is a red flag that the intentions behind this email could be malicious, aiming to steal your data or money.
When you have the option to click on a link in an email, the URL is usually hidden behind a button or a phrase that links to a web page.
If you’re using a computer, however, you can hover your cursor over the link without clicking to check the URL. You can also right-click on the link and select “Copy link address” to paste it elsewhere.
You might notice, for example, that the URL in the email you received regarding an urgent delivery problem is www.post.fr/probleme/livraison instead of the official URL www.laposte.fr/outil/ used to track shipments. This is another warning signal that someone is targeting you in a scam.
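The link check described above, as an added example that is not Proton’s code: it parses the link instead of eyeballing it, so the domain the page contrasts (www.post.fr versus www.laposte.fr) is rejected along with other look-alike forms such as a real domain placed in the user-info part or as a prefix of another host. The function names and sample links are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// linkHost returns the host a link really points to. Parsing (rather than
// string matching) means "https://www.laposte.fr@evil.example/" resolves to
// evil.example, since everything before "@" is user-info, not the host.
func linkHost(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" { // bare "www.post.fr/..." as shown in the email: treat as https
		if u, err = url.Parse("https://" + raw); err != nil {
			return "", err
		}
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", errors.New("not an http(s) link")
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return "", errors.New("link has no host")
	}
	return host, nil
}

// belongsTo reports whether host is the expected domain or one of its
// subdomains: "www.laposte.fr" belongs to "laposte.fr", while
// "laposte.fr.evil.example" and "post.fr" do not.
func belongsTo(host, domain string) bool {
	domain = strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// CheckLink classifies a link found in an email against the domain the
// message claims to come from, returning a verdict and whether it matches.
func CheckLink(raw, claimedDomain string) (string, bool) {
	host, err := linkHost(raw)
	if err != nil {
		return "suspicious: " + err.Error(), false
	}
	if belongsTo(host, claimedDomain) {
		return fmt.Sprintf("ok: %s belongs to %s", host, claimedDomain), true
	}
	return fmt.Sprintf("suspicious: %s does not belong to %s", host, claimedDomain), false
}

func main() {
	// Constructed sample links, based on the two URLs from the article above.
	for _, link := range []string{
		"www.post.fr/probleme/livraison",
		"https://www.laposte.fr/outil/",
		"https://www.laposte.fr@evil.example/",
		"https://laposte.fr.evil.example/",
	} {
		verdict, _ := CheckLink(link, "laposte.fr")
		fmt.Printf("%-40s %s\n", link, verdict)
	}
}
```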
Proton Mail makes this even easier on the web, your iPhone, and Android devices with a built-in link confirmation tool, which displays the full URL of links and asks you for confirmation before opening them.
An effective way to defend against email attacks is to limit the number of people who know your real email addresses.
Proton Mail has launched hide-my-email aliases to help you keep your real email address private. A hide-my-email alias is simply another address that will automatically forward all emails sent to it to your main mailbox. You receive all messages, but your real email address and identity remain hidden.
If you buy something online and need to create an account or provide an email address to complete the order, you can use an alias instead of your real email address. If the alias is ever exposed in a data leak, you will be able to disable it while sparing your real email address. You might even use a different alias for each online service or account, so you can pinpoint exactly which ones have been compromised.
Proton started as a crowdfunded project led by scientists who met at CERN (European Organization for Nuclear Research) and agreed their mission would be to create a better internet where privacy and freedom come first and everyone has control over their digital lives.
Proton uses end-to-end encryption to protect your emails, calendar, files stored in the cloud, passwords and login credentials, and your internet connection. Our security architecture is designed to keep your data invisible even to us, as our business model gives you more privacy, not less.
By migrating to an email service you can trust, you can help build a better internet where privacy is the default.
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sharing.
No, when you share a folder in Google Drive, the people you share it with cannot see your other folders or what’s in them. Google Drive links only display the file or folder they link to, nothing else.
However, you should be aware that the link will display any and all files and subfolders in the folder you shared. If there’s anything in that folder you don’t want to share, you need to move it to an unshared folder. Google Drive doesn’t let you exclude files or subfolders from folders you share.
This is why you should double-check your Google Drive links before you share them. If you send a link to the wrong folder or parent folder, the recipient can see all its contents. When you share a folder, always make sure you’re not accidentally sharing its parent, and double-check its contents.
If you do make a mistake and share a folder you shouldn’t have, Google Drive makes it easy to unshare it. To revoke permissions to a Google Drive folder, all you need to do is go into the sharing settings and change the share settings back to Restricted.
Revoking access to a shared folder this way is great, but having more control over who can access your folders makes collaborating much easier. With this in mind, we developed Proton Drive, a secure Google Drive alternative with features built into our file-sharing links that let you control who can access your files and when.
For example, in Proton Drive, you can set expiration dates on all links, meaning you decide when your files will no longer be accessible; Google Drive does not allow this. You can also password protect links, further restricting access and making sure no unauthorized person has access to your folders.
Proton Drive further distinguishes itself from Google Drive with its focus on security and privacy. Google Drive encrypts your files in such a way that Google always has access to them, meaning you must trust Google not to violate your privacy. (Something it doesn’t have the greatest record with.)
Proton Drive, on the other hand, uses end-to-end encryption, a type of security that ensures all data is encrypted at all times. All of Proton’s services have it as a default, meaning that nobody, not even us, can see your files.
We can protect your information in this way because we’re entirely funded by you, our community. Unlike tech giants like Google, who receive funding from third parties with their own interests, the only interest we represent is that of our users. If this kind of customer-first approach sounds like something you’d want to be a part of, create a free Proton Account today and get up to 5 GB of storage for free.
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy.
Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail desktop app for Windows and macOS, with a Linux version in beta.
These new additions complement our existing web and mobile applications, ensuring you can keep your emails private across all your devices without being confined to a web browser.
You can get the app right now. And if you’re on a free Proton plan, you’ll receive a 14-day free trial to get started.
At Proton, we believe you should be able to access your email however you want to without compromising your privacy. If you use Outlook, you’re potentially sharing your data with Microsoft’s 801 external partners. Or, if you prefer accessing your emails from Chrome, you risk exposing your browsing history to advertisers or having your data exploited by malicious browser extensions.
In addition to privacy concerns, accessing your email from a browser can make it hard to focus on the task at hand. You use your browser for much more than email, so it’s easy to miss new messages or reminders in between all the open tabs for social media, online shopping, and more. With this in mind, we wanted to give you the best email experience that’s not only safe but distraction free.
With the new Proton Mail desktop apps, you get a dedicated email experience with all the productivity innovations of our web app, letting you go through your emails and events faster without the potential distractions that pop up anytime you open your browser. And, of course, your privacy remains protected at all times.
The Proton Mail desktop apps are optimized to work with your device, meaning they can sync themes with your desktop’s light or dark mode, display notifications natively, and offer instant switching between mail and calendar. Despite these new additions, our desktop apps remain recognizably Proton. Anyone who has used our web app before will instantly feel at home.
If you’re not already using Proton, it’s easy to switch, no matter which email service you’re currently with. With our Easy Switch tool accessible right from the Proton Mail app, you can import your messages from Outlook or Gmail, forward any new messages you get on Gmail, and more.
The new Proton Mail desktop app inherits from a decade of security enhancements we built for our web application. That means Proton Mail for Windows and macOS maintains our commitment to security and privacy with several key features: zero-access encryption and end-to-end encryption, protection against trackers and phishing attempts, and our high-security account protection program, Proton Sentinel.
The ability to use a separate app from your browser for your email and calendar offers additional security benefits, such as protecting your emails or events from rogue browser extensions and allowing automatic updates without relying on your browser.
We can now deliver new features to you on Windows, Linux (now in beta), macOS, and our web app at the same time — starting with the new Security Center. It lets you easily create hide-my-email aliases to protect your identity, from the Proton Mail web and desktop apps.
Anyone can now try our dedicated desktop app on Windows and macOS. If you have a free Proton Mail plan, you can try it for 14 days for free. The Linux app is also available in beta at the link below.
As always, please let us know what you think and what you’d like to see next. A desktop email app has been one of the most popular requests from the Proton community, so we hope you enjoy it and look forward to your feedback.
What you do online isn’t private. Everything you do leaves behind some kind of mark. This trail is often referred to as a digital footprint, and it’s used to track you in many different ways. In this article, we go over what a digital footprint is, how you can avoid leaving one, and even show you how you can make it into something that can benefit you.
A digital footprint is a trail of data formed by somebody’s online activity. Surfing the web is like walking in sand: Wherever you step, you leave behind a visible mark of your presence. When you browse a site, when you log into an account, or click on a link, your actions are recorded in some way.
All these bits of data together form your digital footprint, creating a map of where you’ve been and what you’ve done online. When put together, data brokers can use your digital footprint to create a profile of you that can predict who you are, what you like, and what you may be interested in seeing pop up on your feed in the future.
Roughly speaking, there are two kinds of data which can be gathered for your digital footprint.
Your active footprint is made up of the things you do online, such as signing into accounts, signing up for newsletters, making purchases, and anything else that requires your actively clicking or typing.
Your passive footprint is a lot more subtle. It’s usually gathered while you’re browsing by trackers like cookies or methods like browser fingerprinting. It’s a hidden type of data gathering that could even be recording how long you looked at an ad — something Facebook does.
All these data points could be linked to something that directly identifies you, like an online account you created (with Facebook or another social media platform), your IP address, and, probably the most common, your email address. With all this information in a neat little package, it goes to the next step.
With all this data, marketers can then turn your digital footprint into something a lot more lucrative: namely a profile of who you are. Big Tech and other attention merchants have developed technologies that, based on the data from your digital footprint, can give a good assessment of who you are, what you like, and, more importantly, predict what you’ll do next.
A profile is worth money: According to our research, the average US resident is worth about $600 per year to Google and Facebook, the two biggest companies in this space and each worth billions of dollars. While at first glance it may seem like your digital footprint is just tidbits, taken altogether and treated with the black magic of marketing math, it becomes a fortune.
Sadly, you can’t actually check your digital footprint yourself, or even make money off it — though some have tried. Ironically, your data isn’t yours: it has been taken by Big Tech and made into their product, placing it out of your reach. The best you can do is hope privacy laws like the EU’s GDPR will help protect you, but legislation often lags behind the latest data-gathering tools Big Tech has developed.
The problem with your digital footprint is that it’s very hard to stop leaving a trail. The way the web is set up, sites have to know where you’re coming from and cookies are ubiquitous. What you can do, though, is remove the connection between you and your digital footprint. Your data is still harvested, sure, but at least it can’t be identified as yours any more.
There are two ways you can do this: First, you can hide your IP address using a virtual private network (VPN). This is a service that reroutes your traffic through a server under its control, letting you assume the IP address of that server instead of your own. As your IP address is a big part of how you can be identified online, changing it in this way makes it harder for data brokers to link information to you.
Of course, hiding your presence is only part of the solution. After all, you can’t hide everything you do online, and some things you may want to have known, like posting things on social media or a forum message. At Proton, we’ve created a way for you to empower yourself by giving you total control of your data on our platform.
Part of our strategy involves Proton VPN, our state-of-the-art VPN service, to cover your tracks as described. However, that only hides your IP address, and data brokers can still identify you in other ways, most notably through email, which is usually required to create any online account.
This is where Proton Pass, our password manager, comes in. Like most password managers, it can help store your passwords and autofill them as you browse. It’s a huge upgrade to the quality of your online life, as well as protecting you from nasty cyberattacks like credential stuffing.
What sets Proton Pass apart, however, is that it can also help hide your email address through hide-my-email aliases. These are randomly generated email addresses you can use when creating online accounts, so you can’t be identified through your real email address. You’ll still receive all your mail, but the service won’t know who you are.
Between our VPN and Proton Pass, you have everything you need to make your digital footprint something you have control over, a digital identity you determine, rather than one that is dictated by marketers. If that kind of control is something you want more of, create a free Proton account today.
In February 2024, media reported that Indian authorities may decide to block Proton Mail. Proton Mail is still available in India despite any reports suggesting otherwise.
In response to hoax bomb threats that were sent through Proton Mail, some members of the Indian government suggested taking the extreme measure of blocking Proton. At Proton, we are resolutely against the use of Proton services for purposes that are contrary to Swiss law (Proton is a Swiss company). It would have been regrettable for Proton to have been blocked due to an issue in which we share a common interest with Indian authorities to eradicate illegal usage.
The issue has been raised to the attention of the Swiss federal authorities, who have been in contact with the relevant Indian authorities to prevent the blocking of Proton Mail in India. Thanks to this assistance, Proton Mail apps and other Proton products are available in India: You can access your email, download our apps, and sign up for an account.
We would like to express our gratitude to those in the Indian government and civil society who have spoken out against the suggested Proton Mail ban in order to defend the Indian public’s right to private and secure communications. Blocking access to Proton Mail simply prevents law-abiding citizens from communicating securely and does not prevent cybercriminals from sending threats with another email service, especially if the perpetrators are located outside of India.
We would like to reiterate that when it comes to abuse of our platform, we have a zero-tolerance policy. While end-to-end encryption means users’ emails, files, calendar entries, and passwords have strong privacy protections, it is not permissible to use Proton Mail for purposes that are contrary to Swiss law.
Under Swiss law, Proton is not allowed to transmit any data to foreign authorities, and we are therefore required by law to reject all requests from foreign authorities that are addressed directly to us. However, Proton is legally obligated to respond to orders from Swiss authorities, who do not tolerate illegal activities conducted through Switzerland and may assist foreign authorities in cases of illegal activity, provided they are valid under international assistance procedures and determined to be in compliance with Swiss law.
At Proton, we remain committed to the widespread availability of privacy globally and will engage responsibly with all stakeholders to ensure this remains the case, without compromising our core values. This includes continued investment in anti-censorship technologies such as Proton VPN, alternative routing, and our onion site, which ensures that Proton continues to be accessible even in highly censored locations like Russia and Iran.
If the situation changes, we will update this article. Feel free to reach out to our support team if you have any questions or concerns.
Your email address is like your digital passport, a unique identifier for all the services you use online. But unlike a real passport, your email address is often publicly available for anyone to send you malware, bombard you with spam, or track your behavior.
Today we’re introducing a new way to protect your identity, control spam, and prevent phishing with hide-my-email aliases in Proton Mail. These are unique, randomly generated email addresses you can give out instead of your real email address, which stays private. Additionally, hide-my-email aliases are already available in Proton Pass.
You can create up to 10 hide-my-email aliases with the Proton Free plan, or upgrade to Proton Unlimited to create as many as you need. You’ll find your hide-my-email aliases in our new Security Center in Proton Mail.
Read below to learn more about this new privacy feature and situations where you might want to use it.
If you use the same email address for every account, you’re putting your online identity at risk. Most online services are vulnerable to cyberattacks, and hackers are becoming more relentless. Once your email address is in the wild, it can be added to spam lists or sold to marketers. You could also be targeted with spear phishing attacks.
Hide-my-email aliases are unique, randomly generated email addresses you can provide instead of your real email address. You can receive emails to these aliases within your Proton Mail account and reply without revealing your identity.
Unlike your primary email address, you can easily deactivate aliases if they’re ever revealed in a data breach or start receiving spam.
Plus, aliases help you organize your inbox. You can filter, sort, and label emails sent to your aliases in specific folders.
It’s easy to create and use email aliases in Proton Mail:
You can also generate email addresses instantly when creating new online accounts using Proton Pass. Visit our Pass email aliases page to learn more.
The new Security Center is the home of hide-my-email aliases, but it doesn’t stop there. It’s also where you can take simple steps to secure your account, whether it’s setting up two-factor authentication or a recovery phrase. And the Security Center gives you instant access to our Proton Sentinel account protection program, which monitors for suspicious account activity and blocks account takeover attacks.
Since Proton is 100% funded by our community, we prioritize your security and privacy above all. This new addition to Proton Mail is another step toward giving you total control over your email and building a future where privacy is the default.
Have you been waiting to try the DuckDuckGo browser? Maybe you’re using our browser on your phone but haven’t tried the Windows or Mac version? Now is the perfect time to make DuckDuckGo the default browser on all your devices, thanks to our latest improvement: Sync & Backup. You could already import bookmarks and passwords from other browsers into DuckDuckGo, but now you can privately sync those bookmarks and passwords between DuckDuckGo browsers on multiple devices.
When you use Chrome, there’s a good chance you’re signed in with your Google account – because they’re constantly pressuring you to do so! There is a convenience in that; all your bookmarks, passwords, and favorites follow you wherever you browse, whether you’re using your computer, phone, or tablet. But there’s a problem. This also gives Google implicit permission to collect even more data about your browsing activity than they would otherwise have and use it for targeted advertising that can follow you around.
At DuckDuckGo, we don’t track you; that’s our privacy policy in a nutshell. We’ve developed our privacy-respecting import and sync functions without requiring a DuckDuckGo account – and without compromising your personal data.
Our built-in password manager stores and encrypts your passwords locally on your device. Our private sync is end-to-end encrypted. (When you use private sync, your data stays securely encrypted throughout the syncing process, because the unique key needed to decrypt it is stored only on your devices.) Your passwords are completely inaccessible to anyone but you. That includes us: DuckDuckGo cannot access your data at any time.
The first step is to download our free browser on one or more devices. (The feature works across most Windows, Mac, Android, and iPhone devices – if you’ve got our browser, you can use Sync & Backup!) If you’re already using the browser, check that it’s up to date. Next, head to the browser’s Settings, choose Sync & Backup > Sync With Another Device and follow the instructions under Begin Syncing.
If you’re on a mobile phone or tablet, you can link devices with a QR code; on desktop computers, you’ll manually enter an alphanumeric code.
Sync passwords and bookmarks between devices by scanning a QR code or manually entering a unique alphanumeric code – no signing in necessary.
Only working with one device? Choose Sync and Back Up This Device from the “Single-Device Setup” section. Once your sync is complete, you can see a list of all your synced devices, edit device nicknames, and fine-tune your settings.
See a list of your synced devices – and add new ones! – under your browser’s Settings > Sync & Back Up.
Once you’re set up, you’ll want to save your Recovery PDF in a secure place. This document contains your Recovery Code, a unique code that will let you access your synced data if your devices are lost or damaged. This is especially important because of our secure end-to-end encryption; your Recovery Code contains the unique, locally generated encryption key that keeps your data private from everyone – including us! If you lose your devices, your Recovery Code is the only way to access your data from a new phone or computer.
With your Recovery Code, you can restore bookmarks, favorites, and other DuckDuckGo settings on a replacement device if yours is lost or damaged.
The DuckDuckGo browser comes with the features you expect from a go-to browser – it even banishes any ads we find that run on creepy trackers, without the need for an outside ad blocker. It also handles cookie pop-ups for you where we can. Plus, over a dozen powerful privacy protections not offered in most popular browsers by default. This uniquely comprehensive set of privacy protections helps protect your online activities, from searching to browsing, emailing, and more.
Our privacy protections work without you having to know anything about the technical details or deal with complicated settings. Just switch your browser to DuckDuckGo across all your devices, and you’ll get privacy by default.
For more detailed instructions on how to use the new sync function – or to peek under the hood of any of DuckDuckGo’s privacy protections! – you can find more information on our Help Pages.
2023 marks DuckDuckGo's thirteenth year of donations—our annual program to support organizations that share our vision of raising the standard of trust online. This year, we're proud to donate to a diverse selection of organizations across the globe that strive for better privacy, digital rights, greater competition in online markets, and access to information free from algorithmic bias.
This year, we’re donating $1,100,000, bringing the total donations since 2011 to $5,850,000. Everyone using the Internet deserves simple and accessible online protection; these organizations are all pushing to make that a reality. We encourage you to check out their valuable work below, alongside details about how our funds were allocated this year.
“EFF’s mission is to ensure that technology supports freedom, justice, and innovation for all people of the world. EFF has been defending civil liberties in the digital world for over thirty years.”
"The Markup challenges technology to serve the public good by producing investigative journalism, unique tools, and accessible resources to inspire action and agency."
"Public Knowledge promotes freedom of expression, an open internet, and access to affordable communications tools and creative works. We work to shape policy on behalf of the public interest."
"Established in 1987, ARTICLE 19 is an international non-profit organization that defends freedom of expression, fights against censorship, protects dissenting voices, and advocates against laws and practices that silence individuals, both online and offline."
“The Common Crawl Foundation was founded with the goal of democratizing access to web information by producing and maintaining an open repository of web crawl data that is universally accessible and analyzable. Our vision is of a truly open web that allows open access to information and enables greater innovation in research, business, and education. We level the playing field by making wholesale extraction, transformation, and analysis of web data cheap and easy.”
"European Digital Rights (EDRi) is the biggest European network defending rights and freedoms online - currently 50+ NGOs are members of EDRi and dozens of observers closely contribute to its work. In 2023, EDRi celebrates its 20th anniversary of existence - 20 years of impact and efforts to build a people-centered, democratic, digital society."
“Founded in 2011, Fight has organized some of the largest and most effective online campaigns in history, with a focus on ensuring that marginalized communities have equitable access to the Internet and technology that is free of surveillance, abuse of personal data, and censorship.”
“Signal Technology Foundation protects free expression and enables secure global communication through open source privacy technology.”
“The Surveillance Technology Oversight Project (S.T.O.P.) advocates and litigates for privacy, working to abolish local governments’ systems of discriminatory mass surveillance."
"Through engaging with lawmakers, exposing false narratives and bad actors, and pushing for landmark legislation, The Tech Oversight Project seeks to hold tech giants accountable for their anti-competitive, corrupting, and corrosive influence on our society and the levers of power."
“As a grassroots-to-global organization, Access Now defends and extends the digital rights of people and communities at risk by fighting for human rights in the digital age through direct technical support, strategic advocacy, grassroots grantmaking, and convenings such as RightsCon.”
“AJL’s harms reporting platform aims to capture people's lived experiences with AI harms, connect them with resources, and identify areas where there are no or few resources.”
“Bits of Freedom shapes tech policy in order to facilitate an open and just society, in which people can hold power accountable and effectively question the status quo.”
"The Competition Law Forum is a centre of excellence for European competition and antitrust policy and law at the British Institute of International and Comparative Law (BIICL)."
“UCLA Center for Critical Internet Inquiry (C2i2), housed in the UCLA Division of Social Sciences, is a critical internet studies community committed to reimagining technology, championing social justice, and strengthening human rights through research, culture, and public policy.”
“Creative Commons (CC) is an international nonprofit organization dedicated to building and sustaining a thriving commons of shared knowledge and culture that serves the public interest.”
"Digital Rights Watch is Australia's leading digital rights organisation. They defend and promote privacy, democracy, fairness and fundamental rights in the digital age."
“The Society for Civil Rights e.V. (Gesellschaft für Freiheitsrechte e.V. or "GFF") is a donor-funded organization from Germany that defends fundamental and human rights by legal means. The organization promotes democracy and civil society, protects against disproportionate surveillance and advocates for equal rights and social participation for everyone.”
"OpenMedia is a community-driven organization that works to keep the Internet open, affordable, and surveillance-free. We operate as a civic engagement platform to educate, engage, and empower Internet users to advance digital rights around the world."
“Open Rights Group (ORG) is the UK’s largest grassroots digital rights campaigning organisation, working to protect everyone’s rights to privacy and free speech online.”
“Open Source Technology Improvement Fund directly helps critical open source projects with their security needs and is extremely grateful for the continued support from DuckDuckGo. This funding is pivotal to ongoing operations and growth, as it is one of our only donation sources that is not tied to any deliverable or project. Over the past year, we have been able to sustainably help critical open source projects improve their security posture, and in the process have found and fixed over 100 significant bugs and vulnerabilities.”
“Privacy Rights Clearinghouse focuses on increasing access to information, policy discussions, and meaningful rights so that data privacy can be a reality for everyone.”
“Restore the Fourth opposes mass government surveillance, and organizes locally and nationally to defend privacy and the Fourth Amendment.”
“Tactical Tech is an international NGO that, for over 20 years, has engaged with citizens and civil society organisations to explore and mitigate the impacts of technology on society.”
“At the Tor Project, we believe everyone should be able to explore the internet with privacy. We advance human rights and defend your privacy online through free, open source software and the decentralized Tor network.”
Founder and CEO, Gabriel Weinberg, celebrates DuckDuckGo's past, present, and future:
Fifteen years ago, I launched DuckDuckGo from my basement in Valley Forge, Pennsylvania, hoping to offer a user-centric alternative to Google. This was 2008 – years before Snowden, a decade before Cambridge Analytica, and more broadly before the world had started to realize the scary power and creepy surveillance of companies like Google and Facebook.
Growth was very slow at first. It was just me behind the scenes for quite a while, putting together the search engine and asking people for feedback. I realized DuckDuckGo was resonating with people when things really started to pick up in 2011, so I started building out the team (many of whom are still at the company today) and we established our company vision to raise the standard of trust online.
Today, that vision remains the same. Fifteen years later we've built something truly rare in tech: a healthy, profitable company that protects user privacy, instead of exploiting it.
People care about their online privacy. That's what fuels our growth. According to a recent Forrester study, 87% of US online adults “use at least one privacy- or security-protecting tool online.”
While our product started as a search engine, today it’s a free, mobile and desktop browser with our private search engine built-in, along with more than a dozen other tracking protections, many that are unique to DuckDuckGo (if you want to know more about them, I’ve added a list below). This is combined with the simple promise laid out in our Privacy Policy: we don’t track you.
We design our product so that this uniquely comprehensive and overlapping set of privacy protections is seamless to users: it just works without having to know anything about the technical details or deal with complicated settings. All you have to do is switch your browser to DuckDuckGo across all your devices and you get privacy by default.
I’ve always believed that the easier we can make getting online privacy, the more people will switch to DuckDuckGo. That’s why our browser and browser extensions have been downloaded more than 250 million times. This has propelled our search engine to hold the #2 position in mobile market share and #3 overall in the U.S. and over 20 other major markets including the UK, Germany, France, India, Australia, and Canada. Over the past three years alone, people have made more than 100 billion private searches on DuckDuckGo.
I want to thank everyone who has and continues to use and support DuckDuckGo. We appreciate you!
And, to those who aren't users, we'd love for you to give us a try, or another try if it’s been a while since the last time. We’ve been continually improving our core search, browse, and email experiences. Looking forward, you’ll see DuckDuckGo introduce new product experiences that similarly work together to help you protect even more of what you do online.
I continue to believe there remains huge, pent-up demand for privacy-respecting alternatives to Google if it were easier to switch search and browser defaults across devices. That is, I believe we’d be much bigger, perhaps as much as ten times bigger, if it wasn’t for Google’s anticompetitive tactics.
In any case, with ever-increasing exploitation of personal data by Google, Facebook, and others, we believe our work is as important as ever. That’s why we’ll remain laser-focused on our product vision of being the “easy button” for privacy.
Now that you know more about what we do and why we do it, I thought I’d also share some things you might not know from our past 15 years:
Your privacy is constantly under threat by companies using your personal data, leaking it, or even selling it to others and then using it to try to manipulate you with creepy ads, discriminate against you, and more. To help prevent this from happening, DuckDuckGo browsers offer the most comprehensive privacy protection by default without breaking your online experience. Because trackers are always working to get around privacy protections, we’ve layered on many types of unique and innovative protections by default that don’t exist in most browsers or browser extensions. We’re continually working to improve these protections while also introducing new protections to address emerging threats.
For those interested, here’s some more info on our various privacy protections:
You get all of this with one download, and more is coming – stay tuned!
DuckDuckGo for Windows is available now at duckduckgo.com/windows! Making the switch is easy; new users can import bookmarks and passwords from other browsers and password managers.
Banish cookie consent pop-ups with Cookie Pop-up Management.
Windows users, this one’s for you! Starting today, our desktop browser for Windows is officially in public beta – no invite codes, no waiting list, just a fast, lightweight browser that makes the Internet less creepy and less cluttered. DuckDuckGo for Windows is already equipped with nearly all the privacy protections and everyday features that users know and trust from our iOS, Mac, and Android browsers – and it’s getting closer to parity with those browsers every day. (More info in the “What’s Next” section below.)
DuckDuckGo for Windows comes with these best-in-class privacy protections switched on by default, leading to a better everyday user experience. By blocking trackers before they load, for example, our desktop browsers use about 60% less data than Chrome. Switching is easy, too; you can import passwords and bookmarks from another browser or password manager in just a few clicks.
Relative to Mac users, Windows users work across a wider variety of hardware and software configurations. During our brief closed beta period, we’ve been gathering testers’ feedback and making improvements to meet as many of those needs as possible, but we haven’t tested every configuration yet, so if you do see any issues, please send feedback!
The browser doesn’t have extension support yet, but we plan to add it in the future. In the meantime, we’ve built the browser to include features that meet the same needs as the most popular extensions: ad-blocking and secure password management.
“This is fast and smooth for performance. It appears to be light on resources—well done!”
“For a beta version, I am extremely impressed thus far with everything about the Windows app. I often forget it is a beta at times, given how well it performs and how protected I feel.”
“I love the cookie manager. It is a wow moment. Keep up the good work, buddies!”
“Wow, this is incredible! Very, very smooth. Excellent browsing experience.”
“Want to know the best feature in DuckDuckGo browsers? It is Duck Player. Install the browser and open a YouTube video. No ads...it plays the video directly. Bye bye, YouTube ads.”
DuckDuckGo for Windows was built with your privacy, security, and ease of use in mind. It’s not a “fork” of any other browser code; all the code, from tab and bookmark management to our new tab page to our password manager, is written by our own engineers. For web page rendering, the browser uses the underlying operating system rendering API. (In this case, it's a Windows WebView2 call that utilizes the Blink rendering engine underneath.)
Our default privacy protections are stronger than what Chrome and most other browsers offer, and our engineers have spent lots of time addressing any privacy issues specific to WebView2, such as ensuring that crash reports are not sent to Microsoft. (For a more private Windows experience overall, we recommend that you disable optional diagnostic data in Windows under Settings > Privacy & security > Diagnostics & feedback > Send optional diagnostic data.)
DuckDuckGo for Windows has come a long way in this short time, and it will only keep improving from here. We’re hard at work right now on achieving full parity with the Mac browser, including improvements like faster startup performance, the ability to pin tabs, HTML bookmark import, more options for the Fire Button, and additional privacy features like Fingerprinting Protection, Link Tracking Protection, and Referrer Tracking Protection. As mentioned above, private password and bookmark syncing is also coming soon.
In the meantime, please keep the feedback coming; it helps a lot! There’s an anonymous feedback form in the app's three-dot menu, right under the Fire Button. DuckDuckGo believes in open sourcing our apps and extensions whenever possible; we ultimately plan to do so for DuckDuckGo for Windows, too.
Visit duckduckgo.com/windows to get the browser today, and stay tuned for more!
Update April 12, 2023: We're very proud of DuckAssist and the great feedback it received from users. Unfortunately, DuckAssist is no longer available on DuckDuckGo Private Search.
Generative artificial intelligence is hitting the world of search and browsing in a big way. At DuckDuckGo, we’ve been trying to understand the difference between what it could do well in the future and what it can do well right now. But no matter how we decide to use this new technology, we want it to add clear value to our private search and browsing experience.
Today, we’re giving all users of DuckDuckGo’s browsing apps and browser extensions the first public look at DuckAssist, a new beta Instant Answer in our search results. If you enter a question that can be answered by Wikipedia into our search box, DuckAssist may appear and use AI natural language technology to anonymously generate a brief, sourced summary of what it finds in Wikipedia — right above our regular private search results. It’s completely free and private itself, with no sign-up required, and it’s available right now.
This is the first in a series of generative AI-assisted features we hope to roll out in the coming months. We wanted DuckAssist to be the first because we think it can immediately help users find answers to what they are looking for faster. And, if this DuckAssist trial goes well, we will roll it out to all DuckDuckGo search users in the coming weeks.
DuckAssist is available to try right now through our browsing apps and browser extensions
DuckAssist is a new type of Instant Answer in our search results, just like News, Maps, Weather, and many others we already have. We designed DuckAssist to be fully integrated into DuckDuckGo Private Search, mirroring the look and feel of our traditional search results, so while the AI-generated content is new, we hope using DuckAssist feels second nature.
DuckAssist answers questions by scanning a specific set of sources — for now that’s usually Wikipedia, and occasionally related sites like Britannica — using DuckDuckGo’s active indexing. Because we’re using natural language technology from OpenAI and Anthropic to summarize what we find in Wikipedia, these answers should be more directly responsive to your actual question than traditional search results or other Instant Answers.
For this initial trial, DuckAssist is most likely to appear in our search results when users search for questions that have straightforward answers in Wikipedia. Think questions like “what is a search engine index?” rather than more subjective questions like “what is the best search engine?”. We are using the most recent full Wikipedia download available, which is at most a few weeks old. This means DuckAssist will not appear for questions more recent than that, at least for the time being. For those questions, our existing search results page does a better job of surfacing helpful information.
As a result, you shouldn’t expect to see DuckAssist on many of your searches yet. But the combination of generative AI and Wikipedia in DuckAssist means we can vastly increase the number of Instant Answers we can provide, and when it does pop up, it will likely help you find the information you want faster than ever.
DuckAssist joins many other Instant Answers on DuckDuckGo’s private search results
Generative AI technology is designed to generate text in response to any prompt, regardless of whether it “knows” the answer or not. However, by asking DuckAssist to only summarize information from Wikipedia and related sources, the probability that it will “hallucinate” — that is, just make something up — is greatly diminished. In all cases though, a source link, usually a Wikipedia article, will be linked below the summary, often pointing you to a specific section within that article so you can learn more.
Nonetheless, DuckAssist won’t generate accurate answers all of the time. We fully expect it to make mistakes. Because there’s a limit to the amount of information the feature can summarize, we use the specific sentences in Wikipedia we think are the most relevant; inaccuracies can happen if our relevancy function is off, unintentionally omitting key sentences, or if there’s an underlying error in the source material given. DuckAssist may also make mistakes when answering especially complex questions, simply because it would be difficult for any tool to summarize answers in those instances. That’s why it’s so important for our users to share feedback during this beta phase: there’s an anonymous feedback link next to all DuckAssist answers where you can let us know about any problems, so we can identify where things aren’t working well and take quick steps to make improvements.
DuckAssist is anonymous, with no logging in required. It’s a fully integrated part of DuckDuckGo Private Search, which is also free and anonymous. We don’t save or share your search or browsing history when you search on DuckDuckGo or use our browsing apps or browser extensions, and searches with DuckAssist are no exception. We also keep your search and browsing history anonymous to our search content partners — in this case, OpenAI and Anthropic, used for summarizing the Wikipedia sentences we identify. As with all other third parties we work with, we do not share any personally identifiable information like your IP address. Additionally, our anonymous queries will not be used to train their AI models. And anything you share via the anonymous feedback link goes to us and us alone.
If DuckAssist has already answered a question on the same topic, its response will appear automatically
We’ve used Wikipedia for many years as the primary source for our “knowledge graph” Instant Answers, and, while we know it isn’t perfect, Wikipedia is relatively reliable across a wide variety of subjects. Because it’s a public resource with a transparent editorial process that cites all the sources used in an article, you can easily trace exactly where its information is coming from. Finally, since Wikipedia is always being updated, DuckAssist answers can reflect recent understanding of a given topic: right now our DuckAssist Wikipedia index is at most a few weeks old, and we have plans to make it even more recent. We also have plans to add more sources soon; you may already see some signs of that in your results!
• Phrasing your search query as a question makes DuckAssist more likely to appear in search results.
• If you’re fairly confident that Wikipedia has the answer to your query, adding the word “wiki” to your search also makes DuckAssist more likely to appear in search results.
• For now, the DuckAssist beta is only available in English in our browsing apps (iOS, Android, and Mac) and browser extensions (Firefox, Chrome, and Safari). If the trial goes well, we plan to roll it out to all DuckDuckGo search users soon.
• If you don’t want DuckAssist to appear in search results, you can disable “Instant Answers” in search settings. (Note: this will disable all Instant Answers, not just DuckAssist.)
• If DuckAssist has generated an answer for a given topic before, the answer will appear automatically. Otherwise, you can click the ‘Ask’ button to have an answer generated for you in real time.
2022 marks DuckDuckGo's twelfth year of donations—our annual program to support organizations that share our vision of raising the standard of trust online. This year, we're proud to donate to a diverse selection of organizations across the globe that strive for better privacy, digital rights, greater competition in online markets, and access to information free from algorithmic bias.
This year, we've been able to increase our donation amount to $1,100,000, bringing the total over the past decade to $4,750,000. Everyone using the Internet deserves simple and accessible online protection; these organizations are all pushing to make that a reality. We encourage you to check out their valuable work below, alongside details about how our funds were allocated this year.
$125,000 to the Electronic Frontier Foundation (EFF)
"EFF is an essential champion of user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development--and has been since our founding in 1990."
$125,000 to Fight for the Future
"Fight for the Future harnesses the power of the Internet to channel outrage into action, defending our most basic rights in the digital age. They fight to ensure that technology is a force for empowerment, free expression, and liberation rather than tyranny, corruption, and structural inequality."
$125,000 to The Markup
"The Markup is a nonprofit newsroom that investigates how powerful institutions are using technology to change our society."
$125,000 to Public Knowledge
"Public Knowledge promotes freedom of expression, an open internet, and access to affordable communications tools and creative works. We work to shape policy on behalf of the public interest."
$125,000 to Signal
"Signal Technology Foundation develops open source privacy technology that protects free expression and enables secure global communication."
$25,000 to Access Now
"Access Now defends and extends the digital rights of people and communities at risk by combining direct technical support, strategic advocacy, grassroots grantmaking, and convenings such as RightsCon."
$25,000 to Algorithmic Justice League
"AJL's current mission is to raise public awareness about the impacts of AI, equip advocates with resources to bolster campaigns, build the voice and choice of the most impacted communities, and galvanize researchers, policymakers, and industry practitioners to prevent AI harms."
$25,000 to Article19
"Established in 1987, ARTICLE 19 is an international think-do organization that defends freedom of expression, fights against censorship, protects dissenting voices, and advocates against laws and practices that silence individuals, both online and offline."
$25,000 to the Australia Institute's Centre for Responsible Technology
"The Australia Institute’s Centre for Responsible Technology develops public policy and research that advocate for a fairer and healthier online experience and gives back agency to individuals in our networked world."
$25,000 to Bits of Freedom
"Bits of Freedom shapes internet policy in the Netherlands and Brussels through advocacy, campaigning and litigation, because we believe in an open and just society, in which people can hold power accountable and effectively question the status quo."
$25,000 to the British Institute for International and Comparative Law
"The Competition Law Forum is a centre of excellence for European competition and antitrust policy and law at the British Institute of International and Comparative Law (BIICL)."
$25,000 to the Center for Critical Internet Inquiry
“C2i2 is a critical internet studies research center and community, committed to social justice, policy and human rights.”
$25,000 to the Detroit Community Technology Project (DCTP)
"Detroit Community Technology Project builds healthy digital ecosystems by training Digital Stewards and supporting the development of community governed internet networks."
$25,000 to European Digital Rights (EDRi)
"The EDRi network is a dynamic and resilient collective of NGOs, experts, advocates and academics working to defend and advance digital rights across the continent - for almost two decades, it has served as the backbone of the digital rights movement in Europe."
$25,000 to Freiheitsrechte (GFF)
"The GFF (Gesellschaft für Freiheitsrechte / Society for Civil Rights) is a Berlin-based non-profit NGO founded in 2015. Its mission is to establish a sustainable structure for successful strategic litigation in the area of human and civil rights in Germany and Europe."
$25,000 to the Internet Economy Foundation (IE.F)
"The IE.F is an independent think-tank based in Berlin that is dedicated to ensuring fair competition in the Internet economy and fostering a vibrant European digital ecosystem."
$25,000 to OpenMedia
"OpenMedia works to keep the Internet open, affordable, and surveillance-free. We create community-driven campaigns to engage, educate, and empower people to safeguard the Internet."
$25,000 to the Open Rights Group
"Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect our rights to privacy and free speech online."
$25,000 to the Open Source Technology Improvement Fund (OSTIF)
"OSTIF, or The Open Source Technology Improvement Fund, is a corporate non-profit dedicated to improving the security of critical open-source projects. This is done mainly by facilitating and managing security reviews and associated work for projects and organizations. In the last year, OSTIF was responsible for the identifying and fixing of more than 50 critical and high severity vulnerabilities and 250 more bug fixes in widely adopted projects."
$25,000 to Privacy Rights Clearinghouse
"Privacy Rights Clearinghouse works to make data privacy more accessible to all by empowering people and advocating for positive change."
$25,000 to Restore the Fourth
"Restore the Fourth is a grassroots, volunteer-run, nonpartisan civil liberties group that opposes mass government surveillance, protects privacy, and promotes the Fourth Amendment."
$25,000 to the Surveillance Technology Oversight Project (STOP)
"The Surveillance Technology Oversight Project (S.T.O.P.) advocates and litigates for privacy, working to abolish local governments’ systems of discriminatory mass surveillance."
$25,000 to the Technology Oversight Project
"Through engaging with lawmakers, exposing false narratives and bad actors, and pushing for landmark legislation, The Tech Oversight Project seeks to hold tech giants accountable for their anti-competitive, corrupting, and corrosive influence on our society and the levers of power."
$25,000 to the Tor Project
"At the Tor Project, we believe everyone should be able to explore the internet with privacy. We advance human rights and defend your privacy online through free, open source software and the decentralized Tor network."
Update: As of December 14, 2023, App Tracking Protection for Android is out of beta.
App Tracking Protection for Android is launching into open beta today. It's a free feature in the DuckDuckGo Android app that helps block 3rd-party trackers in the apps on your phone (like Google snooping in your weather app) – meaning more comprehensive privacy and less creepy targeting.
With the App Tracking Protection 'Activity Report', you can see which 3rd-parties are trying to track you.
You may have heard of Apple’s App Tracking Transparency (ATT), a feature for iPhones and iPads that asks users whether they want to allow third-party app tracking or not in each of their apps (with the majority of people choosing “not”). But most smartphone users worldwide actually use Android. So, we’re offering Android users something even more powerful: enable our App Tracking Protection and we'll automatically block all the hidden trackers we can identify as blockable across your apps.
App Tracking Protection beta users have been surprised to see how many tracking attempts the feature is blocking.
The average Android user has 35 apps on their phone. Through our testing, we’ve found that a phone with 35 apps can experience between 1,000 and 2,000 tracking attempts every day and contact 70+ different tracking companies.
Imagine you’re spending a lazy Sunday afternoon playing around with apps on your phone; keeping an eye on flight prices for a getaway (Southwest Airlines app), checking out a house your friend has been raving about (Zillow app), seeing if those concert tickets have gone on sale yet (SeatGeek app), and checking the weather (Weather Network app).
Within these four apps alone, 45+ tracking companies are known to collect personal data like your precise location, email address, phone number, time zone, and a fingerprint of your device (like screen resolution, device make and model, language, local internet provider, etc.) that can be used to identify you. With App Tracking Protection, you can now see exactly what the trackers are typically trying to collect, which we're helping block from happening.
In the Android app, when you use App Tracking Protection, you can see the personal data we're blocking 3rd-party trackers from getting.
But what are they doing with all that information? Personal data companies like Facebook and Google use that information to build a profile that advertisers and content-targeting companies use to influence what you see online.
You could get ads about your mom’s toothpaste brand after spending time at her house (no, not a coincidence – check out this thread), be bombarded with pregnancy-related ads and content after pregnancy loss or see drug-related ads or articles about diseases you learned about on WebMD. The examples are endless. It can feel like you're being listened to, but in reality it’s not that someone is listening to your conversations, it's that your activity is being relentlessly tracked and analyzed!
The problems with all this information collection go way beyond so-called “relevant” (aka creepy) advertising and targeting. Tracking networks can sell your data to other companies like data brokers, advertisers, and governments, resulting in more substantial harms like ideological manipulation, discrimination, personal price manipulation, polarization, and more.
DuckDuckGo for Android, our all-in-one privacy solution, can help. Our app was already protecting you across search, browsing, and email. Now, with App Tracking Protection, you’re getting a lot of protection from 3rd-party app trackers, too.
When App Tracking Protection is enabled, it will detect when other apps on your phone are about to send data to any of the 3rd-party tracking companies in our app tracker dataset, and block most of those requests. And that’s it! You can continue to use your apps as usual, and App Tracking Protection works in the background to block trackers whenever it finds them, even while you sleep.
The DuckDuckGo app on Android also offers a real-time view of App Tracking Protection’s results, including which tracking network is associated with each app and what data they're known to collect. If you have notifications on, you’ll also get automatic summaries if you want them.
To keep you up-to-date, we send automatic summaries about the app tracker blocking happening behind the scenes.
App Tracking Protection uses a local “VPN connection,” which means that it works its magic right on your smartphone and without sending app data to DuckDuckGo or other remote servers. That is, App Tracking Protection does not route your app data through external companies (including ours).
As we work through the beta phase, there are a small number of apps being excluded because they rely on tracking to work properly, like browsers and apps with in-app browsers. Throughout the waitlist period, we've reduced this number by half and also dropped the exclusion for games. We look forward to reducing this list even more.
To send us general feedback or report issues with the DuckDuckGo app: open Settings > Share Feedback (in the Other section). If you run into issues with another app on your smartphone as a result of App Tracking Protection, you can disable protection for just that app under "Having Problems With An App". You'll then be asked to give details of the problem you experienced. Your feedback greatly helps our team continue improving App Tracking Protection and we appreciate it!
To get access to the beta of App Tracking Protection, find it in your settings.
Signing up is easy! Here are four of the simple steps to automatic app tracker blocking.
Forget going “incognito” with other browsers that don’t actually deliver substantive web tracking protection; you deserve privacy all the time, with built-in protections that make the Internet less creepy and less cluttered. Equipped with new and improved features for everyday use, DuckDuckGo for Mac is here to clean up the web as you browse. (And yes, you can import all your passwords and bookmarks from other browsers and password managers – so switching is quick and easy!)
The privacy protections built into DuckDuckGo for Mac add up to a better user experience; by blocking trackers before they load, for example, DuckDuckGo for Mac uses about 60% less data than Chrome. The desktop app includes the built-in privacy protections you know and trust from our mobile apps – which now see over 50M downloads a year – including multiple layers of defense against third-party trackers, secure link upgrading with Smarter Encryption, and our Fire Button to instantly clear recent browsing data. An all-in-one app that aims to be the “easy button” for privacy, DuckDuckGo for Mac has no fiddly privacy settings to adjust – our foundational protections are on by default, so you can get back to browsing.
Since announcing the waitlist beta in April, we’ve been listening to beta testers’ feedback and making even more improvements to meet your needs. We added a bookmarks bar, pinned tabs, and a way to view your locally stored browsing history. Our Cookie Consent Pop-Up Manager can now handle cookie pop-ups on significantly more sites, automatically choosing the most private option and sparing you from annoying interruptions.
Keep pop-ups at bay with our automatic cookie consent manager
The app also lets you activate DuckDuckGo Email Protection on desktop, protecting your inbox with email tracker blocking and private @duck.com addresses. While we work on browser extension support that meets our high standards of privacy and quality, we’re building in more features that meet the same needs as the most popular extensions: ad-blocking and secure password management. These new features will become available across our other platforms in the near future.
Cleaning up YouTube with Duck Player – fewer creepy ads, fewer distractions: Want a more-private way to watch YouTube videos in peace? Duck Player protects you from targeted ads and cookies with a distraction-free interface that incorporates YouTube’s strictest privacy settings for embedded video. Any ads you see within Duck Player will not be personalized; in our testing, this prevented ads on most videos altogether. YouTube still registers your views, so it’s not totally anonymous, but none of the videos you watch in Duck Player contribute to your YouTube advertising profile or suggest distracting personalized recommendations. The feature can be always-on, ready to go whenever you click a YouTube link, or you can opt in on specific videos – perfect for when you’re sharing your screen, using a shared device, or just trying to stay focused. It’s equally easy to get back to the default version of YouTube whenever you want.
Open YouTube links in Duck Player for more-private viewing
Eliminating invasive ads as you browse: DuckDuckGo for Mac has always blocked invasive trackers before they load, effectively eliminating the ads that rely on that creepy tracking. (Because so many ads work that way, you’ll see way fewer ads.) Today, we’ve made another big improvement: we’re cleaning up the whitespace left behind by those ads for an efficient, distraction-free look without the need for a separate ad blocker.
More choices for secure password management: Our browser includes our own secure and easy-to-use password manager that can automatically remember and fill in login credentials and suggest random passwords for new logins. (It can also securely save addresses and payment methods.) Our autofill experience is continually improving and will roll out on our mobile apps soon.
This works for most users, especially since you can import passwords. But we understand some folks want to continue using third-party password management across browsers and devices. So, we’ve teamed up with Bitwarden, the accessible open-source password manager, in the first of what we hope to be several similar integrations. In the coming weeks, Bitwarden users will be able to activate this seamless two-way integration in their browser settings. DuckDuckGo for Mac is also compatible with 1Password’s new universal autofill feature.
Easily autofill your Bitwarden passwords in DuckDuckGo for Mac
“The DuckDuckGo browser has been a breath of fresh air, a lightweight and snappy browser that isn't a gamified gimmick and doesn’t sell my browsing history to advertisers. Its clean and familiar UI allowed me to switch with no hassle. I would definitely recommend more people switching as soon as they can.”
“The automatic cookie settings feature is awesome!!!”
“I love the UI of this app! Very clean and minimalist. Also, it really is blazing fast. I appreciate the careful consideration into design and performance with the use of the internal rendering engine. Thank you for all your work!”
“DuckDuckGo is replacing Google Chrome on my Mac and I love it.”
“I’ve been using [DuckDuckGo for Mac] for several months and I have to say, I love the simplicity and privacy. We’ve tossed a lot of stuff into browsers over the years to get privacy and speed. This achieves both with much less.”
We built DuckDuckGo for Mac with privacy, security, and simplicity in mind. Our default privacy settings are stronger than what most other browsers offer, and you don’t need to sift through obscure menus to turn them on. DuckDuckGo for Mac is not a “fork” of Chromium, or any other browser code. All the app code – tab and bookmark management, our new tab page, our password manager, etc. – is written by our own engineers. For rendering, it uses a public macOS API, making it super compatible with Mac devices. DuckDuckGo believes in open sourcing our apps and extensions whenever possible, and we plan to do so for DuckDuckGo for Mac before it moves out of beta.
We’re proud of how far DuckDuckGo for Mac has come in this short time, and it will only get better from here! Users will soon be able to sync DuckDuckGo bookmarks and passwords across devices. We’ll also be adding more built-in features that offer native alternatives to more popular extensions. Please keep the feedback coming; we're listening! (You can find the feedback form in the app's three-dot menu, right under the Fire Button.)
Before you ask, yes, our Windows browser is still on the way! DuckDuckGo for Windows is in an early friends and family beta, with a private waitlist beta expected in the coming months. (Right now, Mac and Windows are the only desktop platforms we’re focusing on.) Stay tuned for updates. And if you’re interested in working on our desktop apps, we’re hiring remotely, worldwide.
On Tuesday, September 13th, 13 privacy-focused technology companies representing more than 100 million users in the United States published a letter to U.S. Congressional Leadership imploring them to support the American Innovation and Choice Online Act (AICOA) and bring it to a floor vote as soon as possible.
Incessant data collection and tech monopolies are inherently linked: the more data they collect and use to influence user decision making, the stronger their grip on industry becomes, leaving users feeling like they have no option but to accept a lack of privacy to use the Internet. However, users do have choices when it comes to the services they use, and they do not have to accept services that have made it their business to abuse user privacy. If the American Innovation and Choice Online Act (AICOA) becomes law, millions of Americans will have better access to Internet services with more privacy and less data-driven targeting and manipulation.
U.S. Senator Chuck Schumer, Senate Majority Leader
U.S. Senator Mitch McConnell, Senate Minority Leader
U.S. Senator Dick Durbin, Senate Majority Whip
U.S. Senator John Thune, Senate Minority Whip
U.S. Representative Nancy Pelosi, Speaker of the House
U.S. Representative Kevin McCarthy, House Minority Leader
U.S. Representative Steny Hoyer, House Majority Leader
U.S. Representative Steve Scalise, House Minority Whip
RE: Support for S. 2992/H.R. 3816, The American Innovation and Choice Online Act.
Dear U.S. Congressional Leadership:
We, the undersigned privacy companies and organizations, urge Congress to schedule floor votes for the American Innovation and Choice Online Act (AICOA) as soon as possible. This bill has been delayed for far too long and the American public deserves the kind of innovative online ecosystem it would create.
Our companies and organizations offer privacy protective alternatives to the services provided by dominant technology companies. While more and more Americans are embracing privacy-first technologies, some dominant firms still use their gatekeeper power to limit competition and restrict user choice. We implore you to pass AICOA as it would remove barriers for consumers to freely select privacy protective services.
Massive tech platforms can exert influence over society and the digital economy because they ultimately have the power to collect, analyze, and monetize exorbitant amounts of personal information. This is not by accident, as some of the tech giants have intentionally abused their gatekeeper positions to lock users into perpetual surveillance while simultaneously making it difficult to switch to privacy-protective alternatives. These monopolist firms: use manipulative design tactics to steer individuals away from rival services; restrict the ability of competitors to interoperate on the platform; use non-public data to benefit their services or products; and make it impossible or complicated for users to change their default settings or uninstall apps. Such tactics deprive consumers of the innovative offerings an open and vibrant market would yield.
Passage of AICOA is critical to protecting the privacy of American consumers. These self-preferencing tactics keep consumers stuck in an ecosystem of constant tracking by making it needlessly difficult for users to choose alternative privacy-respecting products and services. This is not how a truly free market operates, which is why commonsense reforms are necessary to combat the most egregious anticompetitive tactics and spur innovation that will increase the options available to American consumers. That’s why we support the AICOA and ask that it be scheduled for a vote. The AICOA will improve the internet in many ways and, most importantly, remove barriers that have been erected to block Americans from enjoying more privacy online.
Sincerely,
Andi
Brave
Disconnect
DuckDuckGo
Efani Secure Mobile
Fathom Analytics
Malloc
Mozilla
Neeva
Proton
Skiff
Thexyz Inc.
Tutanota
You.com
[Post updated December 19th, 2022 to reflect the addition of Skiff.]
Have you ever entered your email for a loyalty program or coupon and started getting emails from companies you didn’t subscribe to? Or noticed ads following you around after clicking on an email link? You’re not alone! There are multiple ways companies can use your email to track you, target you with ads, and influence what you see online. They can even share your personal information with third parties – all without your knowledge.
Companies embed trackers in images and links within email messages, letting them collect information like when you’ve opened a message, where you were when you opened it, and what device you were using. In our closed Email Protection beta, we found that approximately 85% of beta testers’ emails contained hidden email trackers! Very sneaky. Companies can use this information to build a profile about you.
And because your email addresses are connected to so much of what you do online – making purchases, using social media, and more – tracking companies can also effectively use your personal email address as a profiling identifier. In fact, many companies are so hungry for your personal email address that they’ll actually pull it from online forms you haven’t even submitted yet! Beyond sending you more emails, companies often upload your email address to Facebook and Google to target you with creepy ads across apps and websites.
DuckDuckGo Email Protection is a free email forwarding service that removes multiple types of hidden email trackers and lets you create unlimited unique private email addresses on the fly. You can use Email Protection with your current email provider and app – no need to update your contacts or juggle multiple accounts. Email Protection works seamlessly in the background to deliver your more-private emails right to your inbox.
Signing up for Email Protection gives you the ability to create Duck Addresses. There are two types that help protect your email privacy:
Many users have loved the Email Protection beta so far, with millions of more-private emails being forwarded weekly. It’s email privacy, simplified – and we’re thrilled to open the beta for everyone to try it out!
Since launching DuckDuckGo Email Protection into private waitlist beta, we’ve been continuously making improvements based on feedback.
Link Tracking Protection: In addition to blocking trackers in images, scripts, and other media directly embedded in emails, we can now detect and remove a growing number of the trackers embedded in email links.
Smarter Encryption: We’ve started using the same Smarter Encryption (HTTPS Upgrading) that’s at work in our search engine and apps to upgrade insecure (unencrypted, HTTP) links in emails to secure (encrypted, HTTPS) links when they’re on our upgradable list.
Replying from your Duck Addresses: You can now reply to emails from all your Duck Addresses. When you get an email to a Duck Address, you can just hit ‘Reply,’ type your message, and send it off. Your email will then be delivered from your Duck Address instead of your personal address.
Self-Service Dashboard: Want to update your forwarding address? Or even delete your account? You can now make changes to your Duck account whenever you want, saving you time and effort.
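To make the two link rewrites above concrete, here is an added example (not DuckDuckGo's code) that applies Link Tracking Protection and HTTPS upgrading to the links in an HTML email body. The tracking-parameter list, the click-tracking redirector host, the "upgradable" host list and the sample email are all constructed for illustration.

```javascript
// Constructed list of query parameters used only for tracking (illustrative, not DuckDuckGo's list).
const TRACKING_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign", "mc_eid", "trk_id"]);

// Constructed click-tracking redirectors: host -> query parameter that carries the real destination.
// A click on such a link is logged by the tracker before it forwards you to the destination.
const REDIRECTORS = { "click.newsletter-tracker.test": "u" };

// Constructed stand-in for the "upgradable list": hosts known to serve the same content over HTTPS.
const UPGRADABLE_HOSTS = new Set(["shop.example.test", "blog.example.test"]);

// If the link points at a known redirector, replace it with the destination it wraps.
function unwrapRedirector(url) {
  const param = REDIRECTORS[url.hostname];
  if (!param) return url;
  const target = url.searchParams.get(param); // searchParams.get() already URL-decodes
  if (!target) return url;
  try {
    return new URL(target);
  } catch {
    return url; // malformed destination: keep the original rather than guessing
  }
}

// Drop query parameters that exist only to identify the recipient or campaign.
function stripTrackingParams(url) {
  for (const key of [...url.searchParams.keys()]) {
    if (TRACKING_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  return url;
}

// Upgrade plain http:// links to https:// only for hosts on the upgradable list,
// so a site without working HTTPS is not broken by the rewrite.
function upgradeToHttps(url) {
  if (url.protocol === "http:" && UPGRADABLE_HOSTS.has(url.hostname)) url.protocol = "https:";
  return url;
}

// Rewrite one href value. Non-URL hrefs (relative links, anchors) are returned unchanged.
function rewriteLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return href;
  }
  url = unwrapRedirector(url);
  url = stripTrackingParams(url);
  url = upgradeToHttps(url);
  return url.toString();
}

// Rewrite every href="..." attribute in an HTML email body.
function rewriteEmailLinks(html) {
  return html.replace(/href="([^"]*)"/gi, (_, href) => `href="${rewriteLink(href)}"`);
}

// Constructed sample email: a tracked, redirected, unencrypted "shop" link next to an untouched mailto: link.
const SAMPLE_EMAIL =
  '<p>Spring sale! <a href="https://click.newsletter-tracker.test/?u=' +
  encodeURIComponent("http://shop.example.test/sale?item=42&utm_source=news&mc_eid=abc123") +
  '">Shop now</a> or <a href="mailto:help@example.test">contact us</a>.</p>';

console.log(rewriteEmailLinks(SAMPLE_EMAIL));
```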
Wondering how this feature works in the real world? Here’s what our beta testers had to say:
Email Protection is supported in the DuckDuckGo Privacy Browser for iOS and Android, DuckDuckGo for Mac (beta), and DuckDuckGo Privacy Essentials browser extensions for Firefox, Chrome, Edge, and Brave.
Once you follow the steps to create your personal Duck Address, you’re all set to start using it right away! And while browsing, look for Dax the Duck (our mascot) to help you autofill your personal Duck Address or generate a private Duck Address for you on the fly.
Like all our features, DuckDuckGo Email Protection will never track you. We believe that your emails are none of our business! When your Duck Addresses receive an email, we immediately apply our tracking protections and then forward it to you, never saving it on our systems. Sender information, subject lines... we don’t track any of it. (Learn more in our Email Protection Privacy Policy and Terms of Service.)
Additionally, we are committed to Email Protection for the long term, so you can feel confident about using your Duck Addresses. During the private beta, we’ve been shoring up our backend systems to support millions of users. And as we move out of beta, we'll also be incorporating our email tracker dataset into our open source Tracker Radar.
So give Email Protection a try and let us know what you think! We look forward to helping you protect your inbox.
Our vision at DuckDuckGo is to raise the standard of trust online. Raising that standard means maximizing the privacy we offer by default, being transparent about how our privacy protections work, and doing our best to make the Internet less creepy. Recently, I’ve heard from a number of users and understand that we didn’t meet their expectations around one of our browser’s web tracking protections. So today we are announcing more privacy and transparency around DuckDuckGo’s web tracking protections.
Over the next week, we will expand the third-party tracking scripts we block from loading on websites to include scripts from Microsoft in our browsing apps (iOS and Android) and our browser extensions (Chrome, Firefox, Safari, Edge and Opera), with beta apps to follow in the coming month. This expands our 3rd-Party Tracker Loading Protection, which blocks identified tracking scripts from Facebook, Google, and other companies from loading on third-party websites, to now include third-party Microsoft tracking scripts. This web tracking protection is not offered by most other popular browsers by default and sits on top of many other DuckDuckGo protections. We explain how this works differently with DuckDuckGo advertising below.
Websites often embed scripts from other companies (commonly called “third-party scripts”) that automatically load when you visit their site. For example, the most prevalent third-party script is Google Analytics, which helps websites understand how their sites are being used. But typically Google can also use this information to profile you outside of the site where the information originated. Most browsers’ default tracking protection focuses on cookie and fingerprinting protections that only restrict third-party tracking scripts after they load in your browser. Unfortunately, that level of protection leaves information like your IP address and other identifiers sent with loading requests vulnerable to profiling. Our 3rd-Party Tracker Loading Protection helps address this vulnerability, by stopping most 3rd-party trackers from loading in the first place, providing significantly more protection.
Previously, we were limited in how we could apply our 3rd-Party Tracker Loading Protection on Microsoft tracking scripts due to a policy requirement related to our use of Bing as a source for our private search results. We’re glad this is no longer the case. We have not had, and do not have, any similar limitation with any other company.
Microsoft scripts were never embedded in our search engine or apps, which do not track you. Websites insert these scripts for their own purposes, and so they never sent any information to DuckDuckGo. Since we were already restricting Microsoft tracking through our other web tracking protections, like blocking Microsoft’s third-party cookies in our browsers, this update means we’re now doing much more to block trackers than most other browsers.
Advertising on DuckDuckGo is done in partnership with Microsoft. Viewing ads on DuckDuckGo is anonymous, and Microsoft has committed to not profile our users on ad clicks: “when you click on a Microsoft-provided ad that appears on DuckDuckGo, Microsoft Advertising does not associate your ad-click behavior with a user profile. It also does not store or share that information other than for accounting purposes.”
To evaluate whether an ad on DuckDuckGo is effective, advertisers want to know if their ad clicks turn into purchases (conversions). To see this within Microsoft Advertising, they use Microsoft scripts from the bat.bing.com domain. Currently, if an advertiser wants to detect conversions for their own ads that are shown on DuckDuckGo, 3rd-Party Tracker Loading Protection will not block bat.bing.com requests from loading on the advertiser’s website following DuckDuckGo ad clicks, but these requests are blocked in all other contexts. For anyone who wants to avoid this, it's possible to disable ads in DuckDuckGo search settings.
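The request-level decision described in the last few paragraphs, as an added example that is not DuckDuckGo's code: third-party requests to listed tracker domains are blocked before they load, first-party and unlisted requests load, and bat.bing.com is allowed only when the page was reached through a DuckDuckGo ad click. The tracker list, the page and request URLs, and the `fromDuckDuckGoAdClick` flag (standing in for the browser's knowledge of how the page was reached) are constructed for illustration.

```javascript
// Constructed sample of tracker domains (illustrative; DuckDuckGo publishes its own list separately).
const TRACKER_DOMAINS = new Set(["google-analytics.com", "facebook.net", "bat.bing.com"]);

// Approximate the registrable domain by the last two labels.
// Real browsers use the Public Suffix List; this is enough for the constructed URLs here.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// A host is a tracker host if it equals, or is a subdomain of, a listed domain.
function isTrackerHost(hostname) {
  const h = hostname.toLowerCase();
  for (const d of TRACKER_DOMAINS) {
    if (h === d || h.endsWith("." + d)) return true;
  }
  return false;
}

// Decide whether a request issued by a page may load, and say why (as the Privacy Dashboard does).
// pageUrl: the top-level document; requestUrl: the resource being fetched;
// context.fromDuckDuckGoAdClick: constructed flag, true when the page was reached via a DuckDuckGo ad click.
function decideRequest(pageUrl, requestUrl, context = {}) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);

  // Same site as the page: not a third-party request at all.
  if (registrableDomain(page.hostname) === registrableDomain(req.hostname)) {
    return { action: "allow", reason: "first-party request" };
  }
  // Third-party but not identified as a tracker: loads normally.
  if (!isTrackerHost(req.hostname)) {
    return { action: "allow", reason: "third-party request not in tracker list" };
  }
  // The single exception described above: conversion measurement on the advertiser's
  // site right after a DuckDuckGo ad click. Everywhere else bat.bing.com is blocked.
  if (req.hostname === "bat.bing.com" && context.fromDuckDuckGoAdClick === true) {
    return { action: "allow", reason: "ad conversion measurement after DuckDuckGo ad click" };
  }
  // Blocking before load means no IP address or request headers ever reach the tracker.
  return { action: "block", reason: "third-party tracker blocked before loading" };
}

// Summarise a page's requests the way the dashboard does: what was blocked, what loaded, and why.
function summarizeRequests(pageUrl, requestUrls, context = {}) {
  const summary = { blocked: [], loaded: [] };
  for (const url of requestUrls) {
    const decision = decideRequest(pageUrl, url, context);
    const entry = { url, reason: decision.reason };
    (decision.action === "block" ? summary.blocked : summary.loaded).push(entry);
  }
  return summary;
}

// Constructed page visit: an online shop loading its own script, a font CDN, an analytics script
// and the Bing conversion script, reached by ordinary navigation (no DuckDuckGo ad click).
const PAGE = "https://www.example-shop.test/checkout";
const REQUESTS = [
  "https://cdn.example-shop.test/app.js",
  "https://fonts.thirdparty.test/font.woff2",
  "https://www.google-analytics.com/analytics.js",
  "https://bat.bing.com/bat.js",
];
console.log(JSON.stringify(summarizeRequests(PAGE, REQUESTS), null, 2));
```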
To eventually replace the reliance on bat.bing.com for evaluating ad effectiveness, we’ve started working on an architecture for private ad conversions that can be externally validated as non-profiling. DuckDuckGo isn’t alone in trying to solve this issue; Safari is working on Private Click Measurement (PCM) and Firefox is working on Interoperable Private Attribution (IPA). We hope these efforts can help move the entire digital ad industry forward to making privacy the default. We think this work is important because it means we can improve the advertising-based business model that countless companies rely on to provide free services, making it more private instead of throwing it out entirely.
Our browser extensions and non-beta apps are already open source, as is our Tracker Radar – the data set of trackers and other third-party web activity we identify through crawling. We’ve now also made our tracker protection list publicly available, so folks can see for themselves what we’re blocking and report any issues. We’ve also updated the Privacy Dashboard within our apps and extensions to show more information about third-party requests. Using the updated Privacy Dashboard, users can see which third-party requests have been blocked from loading and which other third-party requests have loaded, with reasons for both when available.
To further deliver on our commitment to transparency, we’ve posted a new help page that offers a comprehensive explanation of all the web tracking protections we provide across platforms. Users now have one place to look if they want to understand the different kinds of web privacy protections we offer on the platforms they use. This page also explains how different web tracking protections are offered based on what is technically possible on each platform, as well as what’s in development for this part of our product roadmap.
I’ve been building DuckDuckGo as an independent company for almost 15 years. After all this time, I believe more than ever that the majority of people online would choose to be more private if they could press a privacy “easy button.” That’s why our product vision is to pack as much privacy as we can into one package. We’re committed for the long haul to make simple privacy protection available to all, and will continue striving to strengthen the quality, understanding, and confidence in our product.
Governments, researchers, and policy makers need accurate market share data to evaluate search engine market diversity (or lack thereof). As explained by our series of posts on search engine choice screens (also known as preference menus), a well-designed choice screen could significantly increase competition and give users meaningful choice and control. However, without accurate search market share data, it is difficult to assess whether a particular choice screen is effective overall or to ensure consumers are presented with the search engines they want to use.
Common sources of search market share data, like the often-cited comScore and Statcounter, vary significantly for non-Google search engines, which creates confusion around search engine market share. Additionally, both these and other commonly cited sources have significant methodological deficiencies. In short, comScore suffers from panel selection bias (for example, privacy-conscious users are unlikely to agree to be surveilled by comScore), and Statcounter’s core flaw is that it relies on trackers, which are often blocked by tracker-blocking tools, whether by search engine apps and extensions (like ours) or by other common apps and browser extensions. Both comScore and Statcounter reports are further flawed because they either do not report on, or do not have a sufficiently large and representative sample of users across, all major markets and platforms.
Recently, two new market share reports were released by Cloudflare and Wikipedia respectively. Unlike comScore, Cloudflare’s and Wikipedia’s reports do not suffer from panel selection bias since they are not based on panels but instead based on traffic referred to Cloudflare-hosted websites and Wikipedia, respectively. And unlike Statcounter, this method also means Cloudflare’s and Wikipedia’s data is not affected by tracker-blocking tools. While Wikipedia is just one site, Cloudflare’s report is based on a large swath of the global Internet (25% of the top million websites use Cloudflare) so sample size isn’t a problem.
For these reasons, we recommend Cloudflare's report as currently the best source for baseline assessments of search engine market share and for assessing the effect of competition interventions like search preference menus. Wikipedia’s report is also useful because it can be analyzed in unique ways (more on both reports below). However, despite the methodological differences between all these reports, all still show that Google dominates the search engine market.
Cloudflare’s search market share report
Cloudflare's report is based on referrer data from search engine link clicks. When you click on a link from a search engine and visit that website, the site will know which search engine domain the user came from (using referrer information, e.g., duckduckgo.com). This report is made possible through Cloudflare Radar, a free public tool that lets anyone view global traffic as well as security trends and insights across the Internet as they happen. Cloudflare Radar is powered by the aggregated traffic flowing through the Cloudflare network. Radar insights like these are created by looking at patterns derived from aggregated data that has been anonymized, and so does not contain any search queries or personal information. (To be clear, that means that if you click on a link for a Cloudflare-supported site from DuckDuckGo, your referrer information does not reveal your search query or any personal information about you.)
Cloudflare’s report is updated quarterly, and the report can be split by operating system, device type, country, and month.
Wikipedia’s search market report
Wikipedia also recently published their search engine traffic data using a similar methodology. Every day Wikipedia counts link clicks from search engines and aggregates them into the search market share dashboard (also using direct referral data in a private manner).
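As an added illustration of the referrer-based method both reports rely on (this is not code from Cloudflare or Wikipedia), the following Python script classifies the Referer field of a few constructed web-server log lines by search engine and computes share overall and per device type. The hostname-to-engine table, the mobile/desktop heuristic and the log format are assumptions for the example.

```python
"""Referrer-based search engine share, the measurement approach behind the
Cloudflare Radar and Wikipedia dashboards. Added illustration, not code from
either project; input is a few constructed web-server log lines."""
import re
from collections import Counter, defaultdict
from typing import Dict, Optional
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; the quoted field after the size is the Referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed hostname-to-engine table for the example (real reports keep their own).
REGISTRABLE_TO_ENGINE = {
    "bing.com": "Bing",
    "duckduckgo.com": "DuckDuckGo",
    "ecosia.org": "Ecosia",
    "qwant.com": "Qwant",
}


def engine_for_referrer(referrer: str) -> Optional[str]:
    """Map a Referer value to a search engine, or None for non-search traffic.

    Only the hostname is examined: path and query string are dropped before
    classification, so a search query never enters the tally even if an engine
    ever sent a full URL (modern referrer policies send only the origin anyway).
    """
    if not referrer or referrer == "-":
        return None
    host = (urlsplit(referrer).hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return None
    # Google uses many country domains (google.com, google.de, google.co.uk).
    # Matching the registrable label, not any label, keeps look-alikes such as
    # google.example.net out of the Google bucket. Simplified: no public-suffix list.
    if labels[-2] == "google" or (
        len(labels) >= 3 and labels[-3] == "google" and labels[-2] in ("co", "com")
    ):
        return "Google"
    return REGISTRABLE_TO_ENGINE.get(".".join(labels[-2:]))


def device_type(user_agent: str) -> str:
    """Coarse mobile/desktop split from the User-Agent (assumed heuristic)."""
    ua = user_agent.lower()
    return "mobile" if any(t in ua for t in ("mobile", "iphone", "android")) else "desktop"


def search_share(log_text: str) -> Dict[str, Dict[str, float]]:
    """Engine share of search-referred visits, overall ("all") and per device type.

    Direct visits and non-search referrers are excluded from the denominator,
    which is what a search market share figure measures.
    """
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than guess
        engine = engine_for_referrer(match["ref"])
        if engine is None:
            continue
        counts["all"][engine] += 1
        counts[device_type(match["ua"])][engine] += 1
    return {
        segment: {engine: n / sum(c.values()) for engine, n in sorted(c.items())}
        for segment, c in counts.items()
    }


# Constructed sample log: three Google visits (one via a country domain, one
# mobile), one Bing visit whose query string must be ignored, one DuckDuckGo
# visit, one direct visit and one look-alike host that must not count as Google.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2022:10:00:01 +0000] "GET /a HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/100"
203.0.113.6 - - [10/Apr/2022:10:00:02 +0000] "GET /b HTTP/1.1" 200 512 "https://www.google.co.uk/" "Mozilla/5.0 (Macintosh) Safari/605"
203.0.113.7 - - [10/Apr/2022:10:00:03 +0000] "GET /c HTTP/1.1" 200 512 "https://duckduckgo.com/" "Mozilla/5.0 (iPhone) Mobile Safari/605"
203.0.113.8 - - [10/Apr/2022:10:00:04 +0000] "GET /d HTTP/1.1" 200 512 "https://www.bing.com/search?q=not+kept" "Mozilla/5.0 (Windows NT 10.0) Edg/100"
203.0.113.9 - - [10/Apr/2022:10:00:05 +0000] "GET /e HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android) Mobile Chrome/100"
203.0.113.10 - - [10/Apr/2022:10:00:06 +0000] "GET /f HTTP/1.1" 200 512 "https://google.example.net/" "Mozilla/5.0 (X11; Linux) Firefox/99"
203.0.113.11 - - [10/Apr/2022:10:00:07 +0000] "GET /g HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0 (Android) Mobile Chrome/100"
"""

if __name__ == "__main__":
    for segment, shares in search_share(SAMPLE_LOG).items():
        print(segment, {e: f"{s:.0%}" for e, s in shares.items()})
```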
We recommend Wikipedia’s data for more granular insights because their dashboard can be split in more ways, including by language, operating system, device type, and country, down to the day.
However, we recommend Cloudflare’s data to support higher-impact decisions because Wikipedia is just one site, whereas Cloudflare’s report is based on millions of sites. While Wikipedia’s data depends on the extent to which search engines include Wikipedia in their knowledge panels and search results, Cloudflare’s sample is so large that per-site effects are minimized.
In fact, we now believe Cloudflare’s report is by far the most accurate one of all search engine market share reports out there. With it, governments, researchers, and policy makers can better understand the search engine market and the effect of tools like search choice screens.
The search engine and browser you use should be a personal choice, but right now it's often too complicated to switch away from gatekeeper defaults. So in an open letter to the companies, consumer organizations, and regulators with the power to create effective user choice screens, the CEOs of DuckDuckGo and Ecosia, and Qwant's President published a set of common-sense principles to improve this user experience online. This letter coincides with the final adoption of the EU's Digital Markets Act by the European Parliament this week.
Open Letter from DuckDuckGo, Ecosia, and Qwant
Choice screens and effective switching mechanisms are crucial tools that empower users and enable competition in the search engine and browser markets. The European Union (EU) has taken an important first step by adopting the Digital Markets Act (DMA), which includes obligations to implement such tools. However, the effectiveness of the EU’s mandates and related regulatory efforts across the globe will depend on how gatekeepers implement changes to comply with these new rules.
Without strict adherence to both clear rules and principles for fair choice screens and effective switching mechanisms, gatekeeping firms could choose to circumvent their legal obligations. We suggest regulators make clear their enforcement should adhere to the following ten essential principles for fair choice screens and effective switching mechanisms:
Gatekeeping firms should globally roll out fair choice screens and effective switching mechanisms now, using these principles. We are ready to work collaboratively towards this end, honoring the users’ desire to choose the services they want to use, and not having those choices decided for them by default.
SIGNATORIES
In case you missed it: Find our series of blogs on search choice here.
If you're a Google Chrome user, you might be surprised to learn that you may soon be automatically entered into Google's new tracking and ad targeting methods called Topics and FLEDGE. Topics uses your Chrome browsing history to automatically collect information about your interests to share with other businesses, tracking companies and websites without your knowledge. FLEDGE enables your Chrome browser to target you with ads based on your browsing history. These new methods enable creepy advertising and other content targeting without third-party cookies. While Google is positioning this as more privacy respecting, the simple fact is tracking, targeting, and profiling, still is tracking, targeting, and profiling, no matter what you want to call it.
1. Don't use Google Chrome! Google Topics and FLEDGE will only exist in Google Chrome. On iOS or Android we suggest you use our DuckDuckGo mobile browser, which offers best-in-class privacy protection by default when searching and browsing. Plus, we recently launched more app features into beta that will better protect your online privacy, like Email Protection and App Tracking Protection for Android. On desktop, we just launched the DuckDuckGo app for Mac into beta (Windows coming soon) so you can skip the Chrome headache completely and use ours by joining our waitlist (which is moving quickly).
2. Install the DuckDuckGo Chrome extension. In response to Google automatically turning on Topics and FLEDGE in Chrome, we've enhanced our Chrome extension to block Topics and FLEDGE interactions on websites, stopping these new forms of targeting. This is in addition to the all-in-one privacy protection that our extension offers, including private search, tracker blocking, Smarter Encryption, and Global Privacy Control. The Topics and FLEDGE blocking addition is included as of version 2022.4.18 which should auto-update, though you can also check the version you have installed from the extensions list within Chrome. For non-Chrome desktop browsers, you can get our extension here.
3. Change your Chrome and Google settings, which we recommend you do regardless of whether you continue to use Chrome or Google.
Note that even if you change these settings, we also recommend installing the DuckDuckGo Chrome extension to get more privacy protection than possible using Chrome settings alone.
In 2021, Google reluctantly signaled it would follow other browsers to forbid the use of third-party cookies by default, though it recently delayed doing so to at least 2023. Unlike other browsers, however, instead of just dropping third-party cookies, they are trying to replace them with alternative tracking mechanisms that are just as creepy and privacy invasive.
They first implemented a new tracking method in Chrome called Federated Learning of Cohorts (FLoC). FLoC was automatically turned on for millions of Google users who were not even given the chance to opt-out. This was understandably met with widespread criticism from privacy experts. To address the situation, we voiced our concerns and immediately enhanced our tracker blocking so that our Chrome extension would protect you from FLoC.
In response, Google announced it's ending FLoC and replacing it with yet another tracking method called Topics. Like FLoC, Topics will automatically use your browsing history to infer your interests in topics (e.g., “Child Internet Safety”, “Personal Loans”, etc.). While FLoC automatically shared a cohort identifier (for a group of people with correlated interests or demographics) with websites and tracking companies, Topics will automatically share a subset of your inferred interests, which these companies can then use to target ads and content at you.
While some suggest that Topics is a less invasive way of ad targeting, we don't agree. Why not? Fundamentally it’s because, by default, Google Chrome will still be automatically surveilling your online activity and sharing information about you with advertisers and other parties so they can behaviorally target you without your consent. This targeting, regardless of how it's done, enables manipulation (ex. exploiting personal vulnerabilities), discrimination (ex. people not seeing job opportunities based on personal profiles), and filter bubbles (ex. creating echo chambers that can divide people) that many people would like to avoid. Google says that users will be able to go in and delete “Topics” they don’t want shared, but Google knows full well that people rarely change default settings, plus the company routinely puts “dark patterns” in the way of users changing these settings, and is therefore making it needlessly difficult for people to take control over their privacy. Privacy should be the default.
In addition, the implementation of Topics presents a bunch of other privacy problems, including:
You know those ads that seem to follow you around onto every website you visit, long after looking something up online? Known as “re-targeting”, these ads are shown to you based on your browsing history from other websites, stored in third-party cookies. With the planned removal of third-party cookies Google decided to also introduce FLEDGE, a new method of re-targeting that similarly moves Google ad technology directly into the Chrome browser.
When you visit a website where the advertiser may want to later follow you with an ad, the advertiser can tell your Chrome browser to put you into an interest group. Then, when you visit another website which displays ads, your Chrome browser will run an ad auction based on your interest groups and target specific ads at you. So much for your browser working for you!
People are, by and large, vehemently against ad re-targeting and find it invasive and creepy. Because your browsing history is used to target you, just like Topics it opens you up to the same type of manipulation, discrimination, and potential embarrassment from highly personal ads being shown via your browser, and also operates without your consent.
For all of the above reasons and more, DuckDuckGo has enhanced the tracker blocking for our Privacy Essentials Chrome extension to block Google Topics and FLEDGE. This is directly in line with the extension's purpose of protecting your privacy holistically as you use Chrome, without any of the complicated settings. It's privacy, simplified.
Privacy isn’t something you only need in certain situations or in partial amounts, and it’s a myth that you can’t have the same Internet you like and need, but with more privacy. At DuckDuckGo, we make privacy simple.
For example, our mobile apps make privacy the default, with no complicated settings, no need to understand the ins and outs of the technology, just built-in privacy protections that work, like private search, tracker blocking, website encryption (HTTPS upgrading), and email protection. You've downloaded them over 150M times since their launch in 2018, and we’ve heard your feedback that you want this same “privacy, simplified” experience on your desktops and laptops.
So today we’re excited to announce the beta launch of DuckDuckGo for Mac, with DuckDuckGo for Windows coming soon. Like our mobile app, DuckDuckGo for Mac is an all-in-one privacy solution for everyday browsing with no complicated settings, just a seamless private experience. Plus, we’re excited to share some new features we think you’ll love.
Using an app designed to protect your privacy by default not only reduces invasive tracking, it also speeds up browsing and eliminates many everyday annoyances like cookie consent pop-ups. Here’s what you need to know:
DuckDuckGo for Mac isn't simply a replacement for “Incognito mode” (which isn't actually private!) – instead DuckDuckGo for Mac is designed to be used as an everyday browser that truly protects your privacy. We have the features you expect from a browser like password management, tab management, bookmarks, and more, plus privacy features you’ll love.
Our initial testers love it!
To get access to the beta of DuckDuckGo for Mac, all you need to do is join the private waitlist. We're letting new people off the waitlist today, maybe even as you read this sentence, so the sooner you join, the sooner you'll get it. Please be patient with us though! We'll be inviting people in waves and improving the app as feedback comes in.
You won’t need to share any personal information to join. Instead, you’ll secure your place in line with a date and time that exists solely on your device, and we’ll notify you when we’re ready for you to join.
Here’s how you can join the private waitlist:
Mac only please! Windows is coming -- Follow us on Twitter for updates.
If you try the new app, we’d love to hear from you! You can submit feedback and report issues by clicking on the settings menu in the top right corner of the window and selecting “Send Feedback”.
Note that during this beta period, DuckDuckGo for Mac is not available in the Mac App Store and is not to be confused with our DuckDuckGo Privacy Essentials Safari Extension that is currently available in the Mac App Store.
DuckDuckGo for Mac being in beta means that the experience is still evolving.
For example, you may notice we don't yet support extensions. Turns out the most popular extensions are password managers and those that protect you from creepy ads. So, we built these features right into our app, which has benefits for privacy, security, speed, and simplicity. We're working on how to provide additional extension functionality without compromising those critical elements, but in the meantime we’re confident our built-in features can meet your needs.
Blocking Creepy Ads
Our built-in tracker blocker isn’t a general “ad blocker”, but it does have the effect of blocking most creepy ads. Let me explain. Using our best-in-class tracker data set we block invasive trackers, which then typically blocks the invasive ads themselves. In other words, if you use an ad blocker to avoid creepy ads and tracking, you should like DuckDuckGo for Mac.
Password Manager
Using a new browsing app doesn’t mean you have to lose your saved usernames and passwords. Our built-in password manager helps you import passwords from other browsers and browser extensions like 1Password or LastPass. We’re still in the process of building password management into our mobile apps and plan to offer private sync of passwords and bookmarks for a cohesive cross-device experience.
At DuckDuckGo our mission is to show the world that protecting privacy is simple. We know that in order to do this we must build apps that are a pleasure to use and provide as comprehensive privacy protection as possible, whether you're on your phone, at your desk, in a hammock, or somewhere else that is even nicer than a hammock. DuckDuckGo for Mac is a major step in this direction, and we thank you in advance for helping us make it even better!
What makes DuckDuckGo for Mac unique is more than just what you see, it’s also how it is built. A traditional browser is made up of two parts: a rendering engine that translates web code into the websites you see, and then everything else that surrounds and supports that interface like bookmarks, tabs, settings, password management, tracker blocking, etc.
Over the past decade, the most common way new browsers have been developed is through a process known as “forking”. Developers copy (“fork”) a browser like Chrome (technically the project they fork is called Chromium) – and start with both the rendering engine and all the pieces that surround it. Then they build new stuff on top of it (and/or delete/change some of the Chromium code) to create the new browser.
DuckDuckGo for Mac does not fork Chromium (or anything else). Instead, we use the rendering engine that comes with macOS, which is created by Apple and the same rendering engine Safari uses. By building off the macOS rendering engine, our browser should also be most compatible with the Mac system (the same as Safari). Technically, we don’t have to “fork” any code to do this – we just call an API provided by macOS.
We are building everything else from scratch. So beyond rendering, all the code is ours – written by DuckDuckGo engineers with privacy, security, and simplicity front of mind. This means we don’t have the cruft and clutter that has accumulated in browsers over the years, both in code and design, giving you a modern look and feel and a faster speed. We plan to open source our Mac app after the beta period, like we’ve done for our iOS & Android app, and many of our built-in privacy protections are already open sourced.
We are taking a similar approach to Windows (more on that later this year). Ultimately, we’d love to support Linux as well, but we are focused on Mac and Windows for now. Follow us on Twitter if you'd like to stay up to date on our latest product announcements and how we're continuing to make "Privacy, simplified" a reality.
To consolidate all of our security intelligence and news in one location, we have migrated Naked Security to the Sophos News platform.
It took six months for notifications to start, and we still don't know exactly what went down... but here's our advice on what to do.
Latest episode - listen now! Full transcript inside...
Imagine if you clicked on a harmless-looking image, but an unknown application fired up instead...
Cryptography isn't just about secrecy. You need to take care of authenticity (no imposters!) and integrity (no tampering!) as well.
WYSIWYG is short for "what you see is what you get". Except when it isn't...
Celebrating the true crypto bros. Listen now (full transcript available).
Apps on your iPhone must come from the App Store. Except when they don't... we explain what to look out for.
The rise of tap-to-pay and chip-and-PIN hasn't rid the world of ATM card skimming criminals...
The site was running from 2014 and allegedly raked in more than $20m, which the DOJ is seeking to claw back...
Thread hijacking attacks. They happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient’s natural curiosity about being copied on a private discussion, which is modified to include a malicious link or attachment. Here’s the story of a recent thread hijacking attack in which a journalist was copied on a phishing email from the unwilling subject of a recent scoop.
In Sept. 2023, the Pennsylvania news outlet LancasterOnline.com published a story about Adam Kidan, a wealthy businessman with a criminal past who is a major donor to Republican causes and candidates, including Rep. Lloyd Smucker (R-Pa).
The LancasterOnline story about Adam Kidan.
Several months after that piece ran, the story’s author Brett Sholtis received two emails from Kidan, both of which contained attachments. One of the messages appeared to be a lengthy conversation between Kidan and a colleague, with the subject line, “Re: Successfully sent data.” The second missive was a more brief email from Kidan with the subject, “Acknowledge New Work Order,” and a message that read simply, “Please find the attached.”
Sholtis said he clicked the attachment in one of the messages, which then launched a web page that looked exactly like a Microsoft Office 365 login page. An analysis of the webpage reveals it would check any submitted credentials at the real Microsoft website, and return an error if the user entered bogus account information. A successful login would record the submitted credentials and forward the victim to the real Microsoft website.
But Sholtis said he didn’t enter his Outlook username and password. Instead, he forwarded the messages to LancasterOnline’s IT team, which quickly flagged them as phishing attempts.
LancasterOnline’s Executive Editor Tom Murse said the two phishing messages from Mr. Kidan raised eyebrows in the newsroom because Kidan had threatened to sue the news outlet multiple times over Sholtis’s story.
“We were just perplexed,” Murse said. “It seemed to be a phishing attempt but we were confused why it would come from a prominent businessman we’ve written about. Our initial response was confusion, but we didn’t know what else to do with it other than to send it to the FBI.”
The phishing lure attached to the thread hijacking email from Mr. Kidan.
In 2006, Kidan was sentenced to 70 months in federal prison after pleading guilty to defrauding lenders along with Jack Abramoff, the disgraced lobbyist whose corruption became a symbol of the excesses of Washington influence peddling. He was paroled in 2009, and in 2014 moved his family to a home in Lancaster County, Pa.
The FBI hasn’t responded to LancasterOnline’s tip. Messages sent by KrebsOnSecurity to Kidan’s email addresses were returned as blocked. Messages left with Mr. Kidan’s company, Empire Workforce Solutions, went unreturned.
No doubt the FBI saw the messages from Kidan for what they likely were: The result of Mr. Kidan having his Microsoft Outlook account compromised and used to send malicious email to people in his contacts list.
Thread hijacking attacks are hardly new, but that is mainly true because many Internet users still don’t know how to identify them. The email security firm Proofpoint says it has tracked north of 90 million malicious messages in the last five years that leverage this attack method.
One key reason thread hijacking is so successful is that these attacks generally do not include the tell that exposes most phishing scams: A fabricated sense of urgency. A majority of phishing threats warn of negative consequences should you fail to act quickly — such as an account suspension or an unauthorized high-dollar charge going through.
In contrast, thread hijacking campaigns tend to patiently prey on the natural curiosity of the recipient.
Ryan Kalember, chief strategy officer at Proofpoint, said probably the most ubiquitous examples of thread hijacking are “CEO fraud” or “business email compromise” scams, wherein employees are tricked by an email from a senior executive into wiring millions of dollars to fraudsters overseas.
But Kalember said these low-tech attacks can nevertheless be quite effective because they tend to catch people off-guard.
“It works because you feel like you’re suddenly included in an important conversation,” Kalember said. “It just registers a lot differently when people start reading, because you think you’re observing a private conversation between two different people.”
Some thread hijacking attacks actually involve multiple threat actors who are actively conversing while copying — but not addressing — the recipient.
“We call these multi-persona phishing scams, and they’re often paired with thread hijacking,” Kalember said. “It’s basically a way to build a little more affinity than just copying people on an email. And the longer the conversation goes on, the higher their success rate seems to be because some people start replying to the thread [and participating] psycho-socially.”
The best advice to sidestep phishing scams is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.
Some of the many notifications Patel says he received from Apple all at once.
Parth Patel is an entrepreneur who is trying to build a startup in the conversational AI space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved what’s known as a “push bombing” or “MFA fatigue” attack, wherein the phishers abuse a feature or weakness of a multi-factor authentication (MFA) system in a way that inundates the target’s device(s) with alerts to approve a password change or login.
“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”
Some people confronted with such a deluge may eventually click “Allow” to the incessant password reset prompts — just so they can use their phone again. Others may inadvertently approve one of these prompts, which will also appear on a user’s Apple watch if they have one.
But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).
“I pick up the phone and I’m super suspicious,” Patel recalled. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”
All of it, that is, except his real name. Patel said when he asked the fake Apple support rep to validate the name they had on file for the Apple account, the caller gave a name that was not his but rather one that Patel has only seen in background reports about him that are for sale at a people-search website called PeopleDataLabs.
Patel said he has worked fairly hard to remove his information from multiple people-search websites, and he found PeopleDataLabs uniquely and consistently listed this inaccurate name as an alias on his consumer profile.
“For some reason, PeopleDataLabs has three profiles that come up when you search for my info, and two of them are mine but one is an elementary school teacher from the midwest,” Patel said. “I asked them to verify my name and they said Anthony.”
Patel said the goal of the voice phishers is to trigger an Apple ID reset code to be sent to the user’s device, which is a text message that includes a one-time password. If the user supplies that one-time code, the attackers can then reset the password on the account and lock the user out. They can also then remotely wipe all of the user’s Apple devices.
Chris is a cryptocurrency hedge fund owner who asked that only his first name be used so as not to paint a bigger target on himself. Chris told KrebsOnSecurity he experienced a remarkably similar phishing attempt in late February.
“The first alert I got I hit ‘Don’t Allow’, but then right after that I got like 30 more notifications in a row,” Chris said. “I figured maybe I sat on my phone weird, or was accidentally pushing some button that was causing these, and so I just denied them all.”
Chris says the attackers persisted hitting his devices with the reset notifications for several days after that, and at one point he received a call on his iPhone that said it was from Apple support.
“I said I would call them back and hung up,” Chris said, demonstrating the proper response to such unbidden solicitations. “When I called back to the real Apple, they couldn’t say whether anyone had been in a support call with me just then. They just said Apple states very clearly that it will never initiate outbound calls to customers — unless the customer requests to be contacted.”
Massively freaking out that someone was trying to hijack his digital life, Chris said he changed his passwords and then went to an Apple store and bought a new iPhone. From there, he created a new Apple iCloud account using a brand new email address.
Chris said he then proceeded to get even more system alerts on his new iPhone and iCloud account — all the while still sitting at the local Apple Genius Bar.
Chris told KrebsOnSecurity his Genius Bar tech was mystified about the source of the alerts, but Chris said he suspects that whatever the phishers are abusing to rapidly generate these Apple system alerts requires knowing the phone number on file for the target’s Apple account. After all, that was the only aspect of Chris’s new iPhone and iCloud account that hadn’t changed.
“Ken” is a security industry veteran who spoke on condition of anonymity. Ken said he first began receiving these unsolicited system alerts on his Apple devices earlier this year, but that he has not received any phony Apple support calls as others have reported.
“This recently happened to me in the middle of the night at 12:30 a.m.,” Ken said. “And even though I have my Apple watch set to remain quiet during the time I’m usually sleeping at night, it woke me up with one of these alerts. Thank god I didn’t press ‘Allow,’ which was the first option shown on my watch. I had to scroll the watch wheel to see and press the ‘Don’t Allow’ button.”
Ken shared this photo he took of an alert on his watch that woke him up at 12:30 a.m. Ken said he had to scroll on the watch face to see the “Don’t Allow” button.
Ken didn’t know it when all this was happening (and it’s not at all obvious from the Apple prompts), but clicking “Allow” would not have allowed the attackers to change Ken’s password. Rather, clicking “Allow” displays a six-digit PIN that must be entered on Ken’s device — allowing Ken to change his password. It appears that these rapid password reset prompts are being used to make a subsequent inbound phone call spoofing Apple more believable.
Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. The engineer assured Ken that turning on an Apple Recovery Key for his account would stop the notifications once and for all.
A recovery key is an optional security feature that Apple says “helps improve the security of your Apple ID account.” It is a randomly generated 28-character code, and when you enable a recovery key it is supposed to disable Apple’s standard account recovery process. The thing is, enabling it is not a simple process, and if you ever lose that code in addition to all of your Apple devices you will be permanently locked out.
Ken said he enabled a recovery key for his account as instructed, but that it hasn’t stopped the unbidden system alerts from appearing on all of his devices every few days.
KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices. Visiting Apple’s “forgot password” page — https://iforgot.apple.com — asks for an email address and for the visitor to solve a CAPTCHA.
After that, the page will display the last two digits of the phone number tied to the Apple account. Filling in the missing digits and hitting submit on that form will send a system alert, whether or not the user has enabled an Apple Recovery Key.
The password reset page at iforgot.apple.com.
What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven’t even been acted on by the user? Could this be the result of a bug in Apple’s systems?
Apple has not yet responded to requests for comment.
Throughout 2022, a criminal hacking group known as LAPSUS$ used MFA bombing to great effect in intrusions at Cisco, Microsoft and Uber. In response, Microsoft began enforcing “MFA number matching,” a feature that displays a series of numbers to a user attempting to log in with their credentials. These numbers must then be entered into the account owner’s Microsoft authenticator app on their mobile device to verify they are logging into the account.
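The number-matching idea described above, as an added illustration (this is example code written for this page, not Microsoft’s or Apple’s implementation): the sign-in screen shows a two-digit number, the push sent to the authenticator app deliberately omits it, and the user must type the on-screen number into the app. A prompt the user did not initiate therefore cannot be approved with a reflexive tap, because the number is only visible to whoever started the login. Account names, the 60-second lifetime and the one-attempt rule are assumptions of the example.

```python
"""Number-matching MFA challenge (added example, not Microsoft's or Apple's code).

A login server displays a two-digit number on the sign-in screen and pushes a
challenge WITHOUT that number to the account holder's authenticator app. The user
must read the number off the screen and enter it in the app. All names, the TTL
and the single-attempt rule are constructed for this example.
"""
import secrets
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime of a pending challenge


@dataclass
class Challenge:
    challenge_id: str
    account: str
    number: int          # displayed only on the sign-in screen
    created_at: float
    settled: bool = False


class LoginServer:
    def __init__(self) -> None:
        self._pending: dict[str, Challenge] = {}

    def start_login(self, account: str, now: float) -> tuple[str, int]:
        """Called after a correct password. Returns (challenge id, number to display)."""
        number = secrets.randbelow(100)              # 00..99
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = Challenge(challenge_id, account, number, now)
        return challenge_id, number

    def push_payload(self, challenge_id: str) -> dict:
        """What the authenticator app receives: account and challenge id, never the number."""
        ch = self._pending[challenge_id]
        return {"challenge_id": challenge_id, "account": ch.account}

    def complete(self, challenge_id: str, entered: int, now: float) -> bool:
        """Settle the challenge. One attempt only; unknown or expired challenges fail."""
        ch = self._pending.get(challenge_id)
        if ch is None or ch.settled:
            return False
        ch.settled = True                            # a wrong entry burns the challenge
        if now - ch.created_at > CHALLENGE_TTL_SECONDS:
            return False
        return secrets.compare_digest(f"{ch.number:02d}", f"{entered:02d}")


ACCOUNT = "alice@example.test"  # constructed


def legitimate_login(server: LoginServer, now: float = 0.0) -> bool:
    """The user signs in, reads the number off their own screen, types it into the app."""
    cid, shown = server.start_login(ACCOUNT, now)
    server.push_payload(cid)                         # app: "Is this you? Enter the number."
    return server.complete(cid, shown, now)


def wrong_entry_is_rejected(server: LoginServer, now: float = 0.0) -> bool:
    """When someone else started the login, the number is on THEIR screen. A user who
    taps through the push and types anything else (here: off by one) is refused."""
    cid, shown_elsewhere = server.start_login(ACCOUNT, now)
    return not server.complete(cid, (shown_elsewhere + 1) % 100, now)


def replay_is_rejected(server: LoginServer) -> bool:
    cid, shown = server.start_login(ACCOUNT, 0.0)
    first = server.complete(cid, shown, 1.0)
    second = server.complete(cid, shown, 2.0)        # same challenge id again
    return first and not second


def expired_is_rejected(server: LoginServer) -> bool:
    cid, shown = server.start_login(ACCOUNT, 0.0)
    return not server.complete(cid, shown, CHALLENGE_TTL_SECONDS + 1)


if __name__ == "__main__":
    s = LoginServer()
    print("legitimate:", legitimate_login(s))
    print("wrong entry rejected:", wrong_entry_is_rejected(s))
    print("replay rejected:", replay_is_rejected(s))
    print("expired rejected:", expired_is_rejected(s))
```

The defensive property is in `push_payload`: because the number never travels to the phone, the only way to approve is to be looking at the sign-in screen. A blind tap is converted into a 1-in-100 guess that also consumes the challenge.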
Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he’s convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed “AirDoS” because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop — a file-sharing capability built into Apple products.
Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple’s fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple’s rate limit on how many of these password reset requests can be sent in a given timeframe.
“I think this could be a legit Apple rate limit bug that should be reported,” Bagaria said.
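To make the rate-limiting point concrete, here is an added example (written for this page, not Apple’s code) of a gate in front of a “send a reset prompt to the account’s devices” endpoint. It contrasts a limiter keyed only on the requester’s IP address with one that also caps prompts per targeted account in a sliding window. The accounts, addresses, limits and the 30-request burst are all constructed.

```python
"""Per-account throttling of password-reset prompts (added example, not Apple's code).

A limiter keyed only on the requester's IP does nothing for the account holder when
each request arrives from a different address; a cap keyed on the TARGET account bounds
how many prompts can ever reach that person's devices per window. Accounts, IPs, limits
and the burst below are constructed for the example.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per key within any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._events: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:      # expire events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ResetPromptGate:
    """Decides whether one reset request may push a prompt to the account holder's devices.

    The requester should see the same response page whether or not a prompt went out,
    so this decision must not be reflected back to them (it only affects the push)."""

    def __init__(self, per_ip: int = 5, per_account: int = 3,
                 window: float = 3600.0, key_on_account: bool = True) -> None:
        self.by_ip = SlidingWindowLimiter(per_ip, window)
        self.by_account = SlidingWindowLimiter(per_account, window)
        self.key_on_account = key_on_account

    def should_send_prompt(self, account: str, ip: str, now: float) -> bool:
        if not self.by_ip.allow(ip, now):
            return False
        if self.key_on_account and not self.by_account.allow(account, now):
            return False
        return True


def prompts_delivered(gate: ResetPromptGate, requests: list[tuple[str, str, float]]) -> int:
    """Count how many requests in a burst actually reach the targeted devices."""
    return sum(1 for account, ip, t in requests if gate.should_send_prompt(account, ip, t))


# Constructed burst: 30 requests against one account in two minutes, every one of them
# from a different source address, so no single IP ever approaches its own limit.
BURST = [("victim@example.test", f"198.51.100.{i}", 4.0 * i) for i in range(30)]


def per_ip_only() -> int:
    return prompts_delivered(ResetPromptGate(key_on_account=False), BURST)


def per_ip_and_account() -> int:
    return prompts_delivered(ResetPromptGate(key_on_account=True), BURST)


def legitimate_user_still_served() -> bool:
    """An account holder's own occasional request is unaffected by the per-account cap."""
    gate = ResetPromptGate()
    return gate.should_send_prompt("victim@example.test", "203.0.113.7", 0.0)


if __name__ == "__main__":
    print("per-IP limit only:       ", per_ip_only(), "prompts")        # 30
    print("per-IP + per-account cap:", per_ip_and_account(), "prompts")  # 3
    print("legit request served:    ", legitimate_user_still_served())
```

The detection angle follows from the same key: if the account-keyed counter is what trips, the signal “many reset requests for one account from many addresses in a short window” is exactly the pattern Ken’s devices were reporting, and it is worth alerting on regardless of whether the prompts are suppressed.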
Apple seems to require a phone number to be on file for your account, but after you’ve set up the account it doesn’t have to be a mobile phone number. KrebsOnSecurity’s testing shows Apple will accept a VOIP number (like Google Voice). So, changing your account phone number to a VOIP number that isn’t widely known would be one mitigation here.
One caveat with the VOIP number idea: Unless you include a real mobile number, Apple’s iMessage and FaceTime applications will be disabled for that device. This might be a bonus for those concerned about reducing the overall attack surface of their Apple devices, since zero-click zero-days in these applications have repeatedly been used by spyware purveyors.
Also, it appears Apple’s password reset system will accept and respect email aliases. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account.
For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder. In this case, however, perhaps a less obvious alias than “+apple” would be advisable.
Update, March 27, 5:06 p.m. ET: Added perspective on Ken’s experience. Also included a What Can You Do? section.
The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years.
Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or password are leaked in data breaches.
On March 14, KrebsOnSecurity published a story showing that Onerep’s Belarusian CEO and founder Dimitri Shelest has launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story.
But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015 — around the same time he launched Onerep.
Shelest maintained that Nuwber has “zero cross-over or information-sharing with Onerep,” and said any other old domains that may be found and associated with his name are no longer being operated by him.
“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.” The full statement is available here (PDF).
Onerep CEO and founder Dimitri Shelest.
In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product.
“Though customer data was never at risk, the outside financial interests and activities of Onerep’s CEO do not align with our values,” Mozilla wrote. “We’re working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first.”
KrebsOnSecurity also reported that Shelest’s email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University.
Shelest denied ever being associated with Spamit. “Between 2010 and 2014, we put up some web pages and optimized them — a widely used SEO practice — and then ran AdSense banners on them,” Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). “As we progressed and learned more, we saw that a lot of the inquiries coming in were for people.”
Shelest also acknowledged that Onerep pays to run ads “on a handful of data broker sites in very specific circumstances.”
“Our ad is served once someone has manually completed an opt-out form on their own,” Shelest wrote. “The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep.”
Reached via Twitter/X, HaveIBeenPwned founder Troy Hunt said he knew Mozilla was considering a partnership with Onerep, but that he was previously unaware of the Onerep CEO’s many conflicts of interest.
“I knew Mozilla had this in the works and we’d casually discussed it when talking about Firefox monitor,” Hunt told KrebsOnSecurity. “The point I made to them was the same as I’ve made to various companies wanting to put data broker removal ads on HIBP: removing your data from legally operating services has minimal impact, and you can’t remove it from the outright illegal ones who are doing the genuine damage.”
Playing both sides — creating and spreading the same digital disease that your medicine is designed to treat — may be highly unethical and wrong. But in the United States it’s not against the law. Nor is collecting and selling data on Americans. Privacy experts say the problem is that data brokers, people-search services like Nuwber and Onerep, and online reputation management firms exist because virtually all U.S. states exempt so-called “public” or “government” records from consumer privacy laws.
Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, and bankruptcy filings. Data brokers also can enrich consumer records with additional information, by adding social media data and known associates.
The March 14 story on Onerep was the second in a series of three investigative reports published here this month that examined the data broker and people-search industries, and highlighted the need for more congressional oversight — if not regulation — on consumer data protection and privacy.
On March 8, KrebsOnSecurity published A Close Up Look at the Consumer Data Broker Radaris, which showed that the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.
On March 20, KrebsOnSecurity published The Not-So-True People-Search Network from China, which revealed an elaborate web of phony people-search companies and executives designed to conceal the location of people-search affiliates in China who are earning money promoting U.S. based data brokers that sell personal information on Americans.
It’s not unusual for the data brokers behind people-search websites to use pseudonyms in their day-to-day lives (you would, too). Some of these personal data purveyors even try to reinvent their online identities in a bid to hide their conflicts of interest. But it’s not every day you run across a US-focused people-search network based in China whose principal owners all appear to be completely fabricated identities.
Responding to a reader inquiry concerning the trustworthiness of a site called TruePeopleSearch[.]net, KrebsOnSecurity began poking around. The site offers to sell reports containing photos, police records, background checks, civil judgments, contact information “and much more!” According to LinkedIn and numerous profiles on websites that accept paid article submissions, the founder of TruePeopleSearch is Marilyn Gaskell from Phoenix, Ariz.
The saucy yet studious LinkedIn profile for Marilyn Gaskell.
Ms. Gaskell has been quoted in multiple “articles” about random subjects, such as this article at HRDailyAdvisor about the pros and cons of joining a company-led fantasy football team.
“Marilyn Gaskell, founder of TruePeopleSearch, agrees that not everyone in the office is likely to be a football fan and might feel intimidated by joining a company league or left out if they don’t join; however, her company looked for ways to make the activity more inclusive,” this paid story notes.
Also quoted in this article is Sally Stevens, who is cited as HR Manager at FastPeopleSearch[.]io.
Sally Stevens, the phantom HR Manager for FastPeopleSearch.
“Fantasy football provides one way for employees to set aside work matters for some time and have fun,” Stevens contributed. “Employees can set a special league for themselves and regularly check and compare their scores against one another.”
Imagine that: Two different people-search companies mentioned in the same story about fantasy football. What are the odds?
Both TruePeopleSearch and FastPeopleSearch allow users to search for reports by first and last name, but proceeding to order a report prompts the visitor to purchase the file from one of several established people-finder services, including BeenVerified, Intelius, and Spokeo.
DomainTools.com shows that both TruePeopleSearch and FastPeopleSearch appeared around 2020 and were registered through Alibaba Cloud, in Beijing, China. No other information is available about these domains in their registration records, although both domains appear to use email servers based in China.
Sally Stevens’ LinkedIn profile photo is identical to a stock image titled “beautiful girl” from Adobe.com. Ms. Stevens is also quoted in a paid blog post at ecogreenequipment.com, as is Alina Clark, co-founder and marketing director of CocoDoc, an online service for editing and managing PDF documents.
The profile photo for Alina Clark is a stock photo appearing on more than 100 websites.
Scouring multiple image search sites reveals Ms. Clark’s profile photo on LinkedIn is another stock image that is currently on more than 100 different websites, including Adobe.com. Cocodoc[.]com was registered in June 2020 via Alibaba Cloud Beijing in China.
The same Alina Clark and photo materialized in a paid article at the website Ceoblognation, which in 2021 included her at #11 in a piece called “30 Entrepreneurs Describe The Big Hairy Audacious Goals (BHAGs) for Their Business.” It’s also worth noting that Ms. Clark is currently listed as a “former Forbes Council member” at the media outlet Forbes.com.
Entrepreneur #6 is Stephen Curry, who is quoted as CEO of CocoSign[.]com, a website that claims to offer an “easier, quicker, safer eSignature solution for small and medium-sized businesses.” Incidentally, the same photo for Stephen Curry #6 is also used in this “article” for #22 Jake Smith, who is named as the owner of a different company.
Stephen Curry, aka Jake Smith, aka no such person.
Mr. Curry’s LinkedIn profile shows a young man seated at a table in front of a laptop, but an online image search shows this is another stock photo. Cocosign[.]com was registered in June 2020 via Alibaba Cloud Beijing. No ownership details are available in the domain registration records.
Listed at #13 in that 30 Entrepreneurs article is Eden Cheng, who is cited as co-founder of PeopleFinderFree[.]com. KrebsOnSecurity could not find a LinkedIn profile for Ms. Cheng, but a search on her profile image from that Entrepreneurs article shows the same photo for sale at Shutterstock and other stock photo sites.
DomainTools says PeopleFinderFree was registered through Alibaba Cloud, Beijing. Attempts to purchase reports through PeopleFinderFree produce a notice saying the full report is only available via Spokeo.com.
Lynda Fairly is Entrepreneur #24, and she is quoted as co-founder of Numlooker[.]com, a domain registered in April 2021 through Alibaba in China. Searches for people on Numlooker forward visitors to Spokeo.
The photo next to Ms. Fairly’s quote in Entrepreneurs matches that of a LinkedIn profile for Lynda Fairly. But a search on that photo shows this same portrait has been used by many other identities and names, including a woman from the United Kingdom who’s a cancer survivor and mother of five; a licensed marriage and family therapist in Canada; a software security engineer at Quora; a journalist on Twitter/X; and a marketing expert in Canada.
Cocofinder[.]com is a people-search service that launched in Sept. 2019, through Alibaba in China. Cocofinder lists its market officer as Harriet Chan, but Ms. Chan’s LinkedIn profile is just as sparse on work history as the other people-search owners mentioned already. An image search online shows that outside of LinkedIn, the profile photo for Ms. Chan has only ever appeared in articles at pay-to-play media sites, like this one from outbackteambuilding.com.
Perhaps because Cocodoc and Cocosign both sell software services, they are actually tied to a physical presence in the real world — in Singapore (15 Scotts Rd. #03-12 15, Singapore). But it’s difficult to discern much from this address alone.
Who’s behind all this people-search chicanery? A January 2024 review of various people-search services at the website techjury.com states that Cocofinder is a wholly-owned subsidiary of a Chinese company called Shenzhen Duiyun Technology Co.
“Though it only finds results from the United States, users can choose between four main search methods,” Techjury explains. Those include people search, phone, address and email lookup. This claim is supported by a Reddit post from three years ago, wherein the Reddit user “ProtectionAdvanced” named the same Chinese company.
Is Shenzhen Duiyun Technology Co. responsible for all these phony profiles? How many more fake companies and profiles are connected to this scheme? KrebsOnSecurity found other examples that didn’t appear directly tied to other fake executives listed here, but which nevertheless are registered through Alibaba and seek to drive traffic to Spokeo and other data brokers. For example, there’s the winsome Daniela Sawyer, founder of FindPeopleFast[.]net, whose profile is flogged in paid stories at entrepreneur.org.
Google currently turns up nothing else in a search for Shenzhen Duiyun Technology Co. Please feel free to sound off in the comments if you have any more information about this entity, such as how to contact it. Or reach out directly at krebsonsecurity @ gmail.com.
A mind map highlighting the key points of research in this story. Image: KrebsOnSecurity.com
It appears the purpose of this network is to conceal the location of people in China who are seeking to generate affiliate commissions when someone visits one of their sites and purchases a people-search report at Spokeo, for example. And it is clear that Spokeo and others have created incentives wherein anyone can effectively white-label their reports, and thereby make money brokering access to people’s personal information.
Spokeo’s Wikipedia page says the company was founded in 2006 by four graduates from Stanford University. Spokeo co-founder and current CEO Harrison Tang has not yet responded to requests for comment.
Intelius is owned by San Diego-based PeopleConnect Inc., which also owns Classmates.com, USSearch, TruthFinder and Instant Checkmate. PeopleConnect Inc. in turn is owned by H.I.G. Capital, a $60 billion private equity firm. Requests for comment were sent to H.I.G. Capital. This story will be updated if they respond.
BeenVerified is owned by a New York City-based holding company called The Lifetime Value Co., a marketing and advertising firm whose brands include PeopleLooker, NeighborWho, Ownerly, PeopleSmart, NumberGuru, and Bumper, a car history site.
Ross Cohen, chief operating officer at The Lifetime Value Co., said it’s likely the network of suspicious people-finder sites was set up by an affiliate. Cohen said Lifetime Value would investigate to determine if this particular affiliate was driving them any sign-ups.
All of the above people-search services operate similarly. When you find the person you’re looking for, you are put through a lengthy (often 10-20 minute) series of splash screens that require you to agree that these reports won’t be used for employment screening or in evaluating new tenant applications. Still more prompts ask if you are okay with seeing “potentially shocking” details about the subject of the report, including arrest histories and photos.
Only at the end of this process does the site disclose that viewing the report in question requires signing up for a monthly subscription, which is typically priced around $35. Exactly how and from where these major people-search websites are getting their consumer data — and customers — will be the subject of further reporting here.
The main reason these various people-search sites require you to affirm that you won’t use their reports for hiring or vetting potential tenants is that selling reports for those purposes would classify these firms as consumer reporting agencies (CRAs) and expose them to regulations under the Fair Credit Reporting Act (FCRA).
These data brokers do not want to be treated as CRAs, and for this reason their people search reports typically don’t include detailed credit histories, financial information, or full Social Security Numbers (Radaris reports include the first six digits of one’s SSN).
But in September 2023, the U.S. Federal Trade Commission found that TruthFinder and Instant Checkmate were trying to have it both ways. The FTC levied a $5.8 million penalty against the companies for allegedly acting as CRAs because they assembled and compiled information on consumers into background reports that were marketed and sold for employment and tenant screening purposes.
The FTC also found TruthFinder and Instant Checkmate deceived users about background report accuracy. The FTC alleges these companies made millions from their monthly subscriptions using push notifications and marketing emails that claimed that the subject of a background report had a criminal or arrest record, when the record was merely a traffic ticket.
The FTC said both companies deceived customers by providing “Remove” and “Flag as Inaccurate” buttons that did not work as advertised. Rather, the “Remove” button removed the disputed information only from the report as displayed to that customer; however, the same item of information remained visible to other customers who searched for the same person.
The FTC also said that when a customer flagged an item in the background report as inaccurate, the companies never took any steps to investigate those claims, to modify the reports, or to flag to other customers that the information had been disputed.
There are a growing number of online reputation management companies that offer to help customers remove their personal information from people-search sites and data broker databases. There are, no doubt, plenty of honest and well-meaning companies operating in this space, but it has been my experience that a great many people involved in that industry have a background in marketing or advertising — not privacy.
Also, some so-called data privacy companies may be wolves in sheep’s clothing. On March 14, KrebsOnSecurity published an abundance of evidence indicating that the CEO and founder of the data privacy company OneRep.com was responsible for launching dozens of people-search services over the years.
Finally, some of the more popular people-search websites are notorious for ignoring requests from consumers seeking to remove their information, regardless of which reputation or removal service you use. Some force you to create an account and provide more information before you can remove your data. Even then, the information you worked hard to remove may simply reappear a few months later.
This aptly describes countless complaints lodged against the data broker and people search giant Radaris. On March 8, KrebsOnSecurity profiled the co-founders of Radaris, two Russian brothers in Massachusetts who also operate multiple Russian-language dating services and affiliate programs.
The truth is that these people-search companies will continue to thrive unless and until Congress begins to realize it’s time for some consumer privacy and data protection laws that are relevant to life in the 21st century. Duke University adjunct professor Justin Sherman says virtually all state privacy laws exempt records that might be considered “public” or “government” documents, including voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.
“Consumer privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia all contain highly similar or completely identical carve-outs for ‘publicly available information’ or government records,” Sherman said.
The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.
Onerep’s “Protect” service starts at $8.33 per month for individuals and $15/mo for families, and promises to remove your personal information from nearly 200 people-search sites. Onerep also markets its service to companies seeking to offer their employees the ability to have their data continuously removed from people-search sites.
A testimonial on onerep.com.
Customer case studies published on onerep.com state that it struck a deal to offer the service to employees of Permanente Medicine, which represents the doctors within the health insurance giant Kaiser Permanente. Onerep also says it has made inroads among police departments in the United States.
But a review of Onerep’s domain registration records and that of its founder reveal a different side to this company. Onerep.com says its founder and CEO is Dimitri Shelest from Minsk, Belarus, as does Shelest’s profile on LinkedIn. Historic registration records indexed by DomainTools.com say Mr. Shelest was a registrant of onerep.com who used the email address dmitrcox2@gmail.com.
A search in the data breach tracking service Constella Intelligence for the name Dimitri Shelest brings up the email address dimitri.shelest@onerep.com. Constella also finds that Dimitri Shelest from Belarus used the email address d.sh@nuwber.com, and the Belarus phone number +375-292-702786.
Nuwber.com is a people search service whose employees all appear to be from Belarus, and it is one of dozens of people-search companies that Onerep claims to target with its data-removal service. Onerep.com’s website disavows any relationship to Nuwber.com, stating quite clearly, “Please note that OneRep is not associated with Nuwber.com.”
However, there is an abundance of evidence suggesting Mr. Shelest is in fact the founder of Nuwber. Constella found that the Minsk telephone number (375-292-702786) has been used multiple times in connection with the email address dmitrcox@gmail.com. Recall that Onerep.com’s domain registration records in 2018 list the email address dmitrcox2@gmail.com.
It appears Mr. Shelest sought to reinvent his online identity in 2015 by adding a “2” to his email address. The Belarus phone number tied to Nuwber.com shows up in the domain records for comversus.com, and DomainTools says this domain is tied to both dmitrcox@gmail.com and dmitrcox2@gmail.com. Other domains that mention both email addresses in their WHOIS records include careon.me, docvsdoc.com, dotcomsvdot.com, namevname.com, okanyway.com and tapanyapp.com.
Onerep.com CEO and founder Dimitri Shelest, as pictured on the “about” page of onerep.com.
A search in DomainTools for the email address dmitrcox@gmail.com shows it is associated with the registration of at least 179 domain names, including dozens of mostly now-defunct people-search companies targeting citizens of Argentina, Brazil, Canada, Denmark, France, Germany, Hong Kong, Israel, Italy, Japan, Latvia and Mexico, among others.
Those include nuwber.fr, a site registered in 2016 which was identical to the homepage of Nuwber.com at the time. DomainTools shows the same email and Belarus phone number are in historic registration records for nuwber.at, nuwber.ch, and nuwber.dk (all domains linked here are to their cached copies at archive.org, where available).
Update, March 21, 11:15 a.m. ET: Mr. Shelest has provided a lengthy response to the findings in this story. In summary, Shelest acknowledged maintaining an ownership stake in Nuwber, but said there was “zero cross-over or information-sharing with OneRep.” Mr. Shelest said any other old domains that may be found and associated with his name are no longer being operated by him.
“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.” The full statement is available here (PDF).
Original story:
Historic WHOIS records for onerep.com show it was registered for many years to a resident of Sioux Falls, SD for a completely unrelated site. But around Sept. 2015 the domain switched from the registrar GoDaddy.com to eNom, and the registration records were hidden behind privacy protection services. DomainTools indicates around this time onerep.com started using domain name servers from DNS provider constellix.com. Likewise, Nuwber.com first appeared in late 2015, was also registered through eNom, and also started using constellix.com for DNS at nearly the same time.
Listed on LinkedIn as a former product manager at OneRep.com between 2015 and 2018 is Dimitri Bukuyazau, who says their hometown is Warsaw, Poland. While this LinkedIn profile (linkedin.com/in/dzmitrybukuyazau) does not mention Nuwber, a search on this name in Google turns up a 2017 blog post from privacyduck.com, which laid out a number of reasons to support a conclusion that OneRep and Nuwber.com were the same company.
“Any people search profiles containing your Personally Identifiable Information that were on Nuwber.com were also mirrored identically on OneRep.com, down to the relatives’ names and address histories,” Privacyduck.com wrote. The post continued:
“Both sites offered the same immediate opt-out process. Both sites had the same generic contact and support structure. They were – and remain – the same company (even PissedConsumer.com advocates this fact: https://nuwber.pissedconsumer.com/nuwber-and-onerep-20160707878520.html).”
“Things changed in early 2016 when OneRep.com began offering privacy removal services right alongside their own open displays of your personal information. At this point when you found yourself on Nuwber.com OR OneRep.com, you would be provided with the option of opting-out your data on their site for free – but also be highly encouraged to pay them to remove it from a slew of other sites (and part of that payment was removing you from their own site, Nuwber.com, as a benefit of their service).”
Reached via LinkedIn, Mr. Bukuyazau declined to answer questions, such as whether he ever worked at Nuwber.com. However, Constella Intelligence finds two interesting email addresses for employees at nuwber.com: d.bu@nuwber.com, and d.bu+figure-eight.com@nuwber.com, which was registered under the name “Dzmitry.”
PrivacyDuck’s claims about how onerep.com appeared and behaved in the early days are not readily verifiable because the domain onerep.com has been completely excluded from the Wayback Machine at archive.org. The Wayback Machine will honor such requests if they come directly from the owner of the domain in question.
Still, Mr. Shelest’s name, phone number and email also appear in the domain registration records for a truly dizzying number of country-specific people-search services, including pplcrwlr.in, pplcrwlr.fr, pplcrwlr.dk, pplcrwlr.jp, peeepl.br.com, peeepl.in, peeepl.it and peeepl.co.uk.
The same details appear in the WHOIS registration records for the now-defunct people-search sites waatpp.de, waatp1.fr, azersab.com, and ahavoila.com, a people-search service for French citizens.
A search on the email address dmitrcox@gmail.com suggests Mr. Shelest was previously involved in rather aggressive email marketing campaigns. In 2010, an anonymous source leaked to KrebsOnSecurity the financial and organizational records of Spamit, which at the time was easily the largest Russian-language pharmacy spam affiliate program in the world.
Spamit paid spammers a hefty commission every time someone bought male enhancement drugs from any of their spam-advertised websites. Mr. Shelest’s email address stood out because immediately after the Spamit database was leaked, KrebsOnSecurity searched all of the Spamit affiliate email addresses to determine if any of them corresponded to social media accounts at Facebook.com (at the time, Facebook allowed users to search profiles by email address).
That mapping, which was done mainly by generous graduate students at my alma mater George Mason University, revealed that dmitrcox@gmail.com was used by a Spamit affiliate, albeit not a very profitable one. That same Facebook profile for Mr. Shelest is still active, and it says he is married and living in Minsk [Update, Mar. 16: Mr. Shelest’s Facebook account is no longer active].
Scrolling down Mr. Shelest’s Facebook page to posts made more than ten years ago shows him liking the Facebook profile pages for a large number of other people-search sites, including findita.com, findmedo.com, folkscan.com, huntize.com, ifindy.com, jupery.com, look2man.com, lookerun.com, manyp.com, peepull.com, perserch.com, persuer.com, pervent.com, piplenter.com, piplfind.com, piplscan.com, popopke.com, pplsorce.com, qimeo.com, scoutu2.com, search64.com, searchay.com, seekmi.com, selfabc.com, socsee.com, srching.com, toolooks.com, upearch.com, webmeek.com, and many country-code variations of viadin.ca (e.g. viadin.hk, viadin.com and viadin.de).
Domaintools.com finds that all of the domains mentioned in the last paragraph were registered to the email address dmitrcox@gmail.com.
Mr. Shelest has not responded to multiple requests for comment. KrebsOnSecurity also sought comment from onerep.com, which likewise has not responded to inquiries about its founder’s many apparent conflicts of interest. In any event, these practices would seem to contradict the goal Onerep has stated on its site: “We believe that no one should compromise personal online security and get a profit from it.”
Max Anderson is chief growth officer at 360 Privacy, a legitimate privacy company that works to keep its clients’ data off of more than 400 data broker and people-search sites. Anderson said it is concerning to see a direct link between a data removal service and data broker websites.
“I would consider it unethical to run a company that sells people’s information, and then charge those same people to have their information removed,” Anderson said.
Last week, KrebsOnSecurity published an analysis of the people-search data broker giant Radaris, whose consumer profiles are deep enough to rival those of far more guarded data broker resources available to U.S. police departments and other law enforcement personnel.
That story revealed that the co-founders of Radaris are two native Russian brothers who operate multiple Russian-language dating services and affiliate programs. It also appears many of the Radaris founders’ businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.
KrebsOnSecurity will continue investigating the history of various consumer data brokers and people-search providers. If any readers have inside knowledge of this industry or key players within it, please consider reaching out to krebsonsecurity at gmail.com.
Update, March 15, 11:35 a.m. ET: Many readers have pointed out something that was somehow overlooked amid all this research: The Mozilla Foundation, the company that runs the Firefox Web browser, has launched a data removal service called Mozilla Monitor that bundles OneRep. That notice says Mozilla Monitor is offered as a free or paid subscription service.
“The free data breach notification service is a partnership with Have I Been Pwned (“HIBP”),” the Mozilla Foundation explains. “The automated data deletion service is a partnership with OneRep to remove personal information published on publicly available online directories and other aggregators of information about individuals (“Data Broker Sites”).”
In a statement shared with KrebsOnSecurity.com, Mozilla said they did assess OneRep’s data removal service to confirm it acts according to privacy principles advocated at Mozilla.
“We were aware of the past affiliations with the entities named in the article and were assured they had ended prior to our work together,” the statement reads. “We’re now looking into this further. We will always put the privacy and security of our customers first and will provide updates as needed.”
Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple’s new macOS Sonoma addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.
Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in iOS 17.4, iPadOS 17.4, and iOS 16.7.6.
Apple’s macOS Sonoma 14.4 Security Update addresses dozens of security issues. Jason Kitka, chief information security officer at Automox, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages [full disclosure: Automox is an advertiser on this site].
On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.
Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). Satnam Narang, senior staff research engineer at Tenable, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.
Those more likely to be exploited bugs are mostly “elevation of privilege vulnerabilities” including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS)), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).
Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in Microsoft Authenticator, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.
“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”
CVE-2024-21334 earned a CVSS severity score of 9.8 (10 is the worst), and it concerns a weakness in Open Management Infrastructure (OMI), the open-source management agent that Microsoft Azure deploys on Linux virtual machines. Microsoft says attackers could connect to Internet-exposed OMI instances without authentication, and then send specially crafted data packets to gain remote code execution on the host device.
CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said Ben McCarthy, lead cybersecurity engineer at Immersive Labs.
“With this vulnerability, there is an exploit that allows remote code execution; the attacker needs to trick a user into opening a document, and this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” McCarthy explained. “The attack complexity has been described as low, meaning there is less of a barrier to entry for attackers.”
A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.
Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate. Adobe said it is not aware of active exploitation against any of the flaws.
By the way, Adobe recently enrolled all of its Acrobat users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.
Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.
An extortion message currently on the Incognito Market homepage.
In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.
“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”
Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.
“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”
The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.
The “Payment Status” page set up by the Incognito Market extortionists.
Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”
The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.
CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.
Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.
New Incognito Market users are treated to an ad for $450 worth of heroin.
The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.
Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.
The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said Brett Johnson, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.
“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”
If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. But how much do we know about Radaris? Publicly available data indicates that in addition to running a dizzying array of people-search websites, the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.
Formed in 2009, Radaris is a vast people-search network for finding data on individuals, properties, phone numbers, businesses and addresses. Search for any American’s name in Google and the chances are excellent that a listing for them at Radaris.com will show up prominently in the results.
Radaris reports typically bundle a substantial amount of data scraped from public and court documents, including any current or previous addresses and phone numbers, known email addresses and registered domain names. The reports also list address and phone records for the target’s known relatives and associates. Such information could be useful if you were trying to determine the maiden name of someone’s mother, or successfully answer a range of other knowledge-based authentication questions.
Currently, consumer reports advertised for sale at Radaris.com are being fulfilled by a different people-search company called TruthFinder. But Radaris also operates a number of other people-search properties — like Centeda.com — that sell consumer reports directly and behave almost identically to TruthFinder: That is, reel the visitor in with promises of detailed background reports on people, and then charge a $34.99 monthly subscription fee just to view the results.
The Better Business Bureau (BBB) assigns Radaris a rating of “F” for consistently ignoring consumers seeking to have their information removed from Radaris’ various online properties. Of the 159 complaints detailed there in the last year, several were from people who had used third-party identity protection services to have their information removed from Radaris, only to receive a notice a few months later that their Radaris record had been restored.
What’s more, Radaris’ automated process for requesting the removal of your information requires signing up for an account, potentially providing more information about yourself that the company didn’t already have (see screenshot above).
Radaris has not responded to requests for comment.
Radaris, TruthFinder and others like them all force users to agree that their reports will not be used to evaluate someone’s eligibility for credit, or a new apartment or job. This language is so prominent in people-search reports because selling reports for those purposes would classify these firms as consumer reporting agencies (CRAs) and expose them to regulations under the Fair Credit Reporting Act (FCRA).
These data brokers do not want to be treated as CRAs, and for this reason their people search reports typically do not include detailed credit histories, financial information, or full Social Security Numbers (Radaris reports include the first six digits of one’s SSN).
But in September 2023, the U.S. Federal Trade Commission found that TruthFinder and another people-search service Instant Checkmate were trying to have it both ways. The FTC levied a $5.8 million penalty against the companies for allegedly acting as CRAs because they assembled and compiled information on consumers into background reports that were marketed and sold for employment and tenant screening purposes.
An excerpt from the FTC’s complaint against TruthFinder and Instant Checkmate.
The FTC also found TruthFinder and Instant Checkmate deceived users about background report accuracy. The FTC alleges these companies made millions from their monthly subscriptions using push notifications and marketing emails that claimed that the subject of a background report had a criminal or arrest record, when the record was merely a traffic ticket.
“All the while, the companies touted the accuracy of their reports in online ads and other promotional materials, claiming that their reports contain ‘the MOST ACCURATE information available to the public,’” the FTC noted. The FTC says, however, that all the information used in their background reports is obtained from third parties that expressly disclaim that the information is accurate, and that TruthFinder and Instant Checkmate take no steps to verify the accuracy of the information.
The FTC said both companies deceived customers by providing “Remove” and “Flag as Inaccurate” buttons that did not work as advertised. Rather, the “Remove” button removed the disputed information only from the report as displayed to that customer; however, the same item of information remained visible to other customers who searched for the same person.
The FTC also said that when a customer flagged an item in the background report as inaccurate, the companies never took any steps to investigate those claims, to modify the reports, or to flag to other customers that the information had been disputed.
According to Radaris’ profile at the investor website Pitchbook.com, the company’s founder and “co-chief executive officer” is a Massachusetts resident named Gary Norden, also known as Gary Nard.
An analysis of email addresses known to have been used by Mr. Norden shows he is a native Russian man whose real name is Igor Lybarsky (also spelled Lubarsky). Igor’s brother Dmitry, who goes by “Dan,” appears to be the other co-CEO of Radaris. Dmitry Lybarsky’s Facebook/Meta account says he was born in March 1963.
The Lybarsky brothers Dmitry or “Dan” (left) and Igor a.k.a. “Gary,” in an undated photo.
Indirectly or directly, the Lybarskys own multiple properties in both Sherborn and Wellesley, Mass. However, the Radaris website is operated by an offshore entity called Bitseller Expert Ltd, which is incorporated in Cyprus. Neither Lybarsky brother responded to requests for comment.
A review of the domain names registered by Gary Norden shows that beginning in the early 2000s, he and Dan built an e-commerce empire by marketing prepaid calling cards and VOIP services to Russian expatriates who are living in the United States and seeking an affordable way to stay in touch with loved ones back home.
In 2012, the main company in charge of providing those calling services — Wellesley Hills, Mass-based Unipoint Technology Inc. — was fined $179,000 by the U.S. Federal Communications Commission, which said Unipoint never applied for a license to provide international telecommunications services.
DomainTools.com shows the email address gnard@unipointtech.com is tied to 137 domains, including radaris.com. DomainTools also shows that the email addresses used by Gary Norden for more than two decades — epop@comby.com, gary@barksy.com and gary1@eprofit.com, among others — appear in WHOIS registration records for an entire fleet of people-search websites, including: centeda.com, virtory.com, clubset.com, kworld.com, newenglandfacts.com, and pub360.com.
Still more people-search platforms tied to Gary Norden– like publicreports.com and arrestfacts.com — currently funnel interested customers to third-party search companies, such as TruthFinder and PersonTrust.com.
The email addresses used by Gary Nard/Gary Norden are also connected to a slew of data broker websites that sell reports on businesses, real estate holdings, and professionals, including bizstanding.com, homemetry.com, trustoria.com, homeflock.com, rehold.com, difive.com and projectlab.com.
Domain records indicate that Gary and Dan for many years operated a now-defunct pay-per-click affiliate advertising network called affiliate.ru. That entity used domain name servers tied to the aforementioned domains comby.com and eprofit.com, as did radaris.ru.
A machine-translated version of Affiliate.ru, a Russian-language site that advertised hundreds of money making affiliate programs, including the Comfi.com prepaid calling card affiliate.
Comby.com used to be a Russian language social media network that looked a great deal like Facebook. The domain now forwards visitors to Privet.ru (“hello” in Russian), a dating site that claims to have 5 million users. Privet.ru says it belongs to a company called Dating Factory, which lists offices in Switzerland. Privet.ru uses the Gary Norden domain eprofit.com for its domain name servers.
Dating Factory’s website says it sells “powerful dating technology” to help customers create unique or niche dating websites. A review of the sample images available on the Dating Factory homepage suggests the term “dating” in this context refers to adult websites. Dating Factory also operates a community called FacebookOfSex, as well as the domain analslappers.com.
Email addresses for the Comby and Eprofit domains indicate Gary Norden operates an entity in Wellesley Hills, Mass. called RussianAmerican Holding Inc. (russianamerica.com). This organization is listed as the owner of the domain newyork.ru, which is a site dedicated to orienting newcomers from Russia to the Big Apple.
Newyork.ru’s terms of service refer to an international calling card company called ComFi Inc. (comfi.com) and list an address as PO Box 81362 Wellesley Hills, Ma. Other sites that include this address are russianamerica.com, russianboston.com, russianchicago.com, russianla.com, russiansanfran.com, russianmiami.com, russiancleveland.com and russianseattle.com (currently offline).
ComFi is tied to Comfibook.com, which was a search aggregator website that collected and published data from many online and offline sources, including phone directories, social networks, online photo albums, and public records.
The current website for russianamerica.com. Note the ad in the bottom left corner of this image for Channel One, a Russian state-owned media firm that is currently sanctioned by the U.S. government.
Many of the U.S. city-specific online properties apparently tied to Gary Norden include phone numbers on their contact pages for a pair of Russian media and advertising firms based in southern California. The phone number 323-874-8211 appears on the websites russianla.com, russiansanfran.com, and rosconcert.com, which sells tickets to theater events performed in Russian.
Historic domain registration records from DomainTools show rosconcert.com was registered in 2003 to Unipoint Technologies — the same company fined by the FCC for not having a license. Rosconcert.com also lists the phone number 818-377-2101.
A phone number just a few digits away — 323-874-8205 — appears as a point of contact on newyork.ru, russianmiami.com, russiancleveland.com, and russianchicago.com. A search in Google shows this 82xx number range — and the 818-377-2101 number — belong to two different entities at the same UPS Store mailbox in Tarzana, Calif: American Russian Media Inc. (armediacorp.com), and Lamedia.biz.
Armediacorp.com is the home of FACT Magazine, a glossy Russian-language publication put out jointly by the American-Russian Business Council, the Hollywood Chamber of Commerce, and the West Hollywood Chamber of Commerce.
Lamedia.biz says it is an international media organization with more than 25 years of experience within the Russian-speaking community on the West Coast. The site advertises FACT Magazine and the Russian state-owned media outlet Channel One. Clicking the Channel One link on the homepage shows Lamedia.biz offers to submit advertising spots that can be shown to Channel One viewers. The price for a basic ad is listed at $500.
In May 2022, the U.S. government levied financial sanctions against Channel One that bar US companies or citizens from doing business with the company.
The website of lamedia.biz offers to sell advertising on two Russian state-owned media firms currently sanctioned by the U.S. government.
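The investigation above links dozens of domains by pivoting on shared registrant email addresses, nameservers and contact phone numbers in WHOIS records. The following is an added example, not code from KrebsOnSecurity or DomainTools, showing how that pivot works mechanically: each selector that appears on more than one domain becomes an edge, and union-find groups the domains into clusters. All domains, emails, nameservers and phone numbers in it are constructed placeholders, not real registration data; the `NOISY_EMAILS` set and the `max_fanout` cutoff are assumptions that stand in for the judgement an analyst applies to WHOIS privacy proxies and big hosting providers' nameservers, which would otherwise link everything to everything.

```python
"""Infrastructure pivoting over WHOIS-style records (illustrative, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class WhoisRecord:
    domain: str
    registrant_email: str = ""
    nameservers: Tuple[str, ...] = ()
    phone: str = ""


# Constructed sample records: hypothetical domains and contacts, not real WHOIS data.
SAMPLE_RECORDS = [
    WhoisRecord("people-a.example", "reg1@mail.example", ("ns1.hub.example", "ns2.hub.example"), "+1-555-0101"),
    WhoisRecord("people-b.example", "reg1@mail.example", ("ns1.other.example",), ""),
    WhoisRecord("affiliate.example", "privacy@proxy.example", ("ns1.hub.example", "ns2.hub.example"), ""),
    WhoisRecord("calling-cards.example", "reg2@mail.example", ("ns1.cc.example",), "+1-555-0101"),
    WhoisRecord("unrelated.example", "someone@else.example", ("ns1.isp.example",), "+1-555-0199"),
]

# Assumed list of registrant emails that mean nothing as a pivot (WHOIS privacy proxies).
NOISY_EMAILS = {"privacy@proxy.example"}


def normalize(selector_type: str, value: str) -> str:
    """Tag a selector with its type so an email and a phone can never collide."""
    return f"{selector_type}:{value.strip().lower()}"


def selectors_for(rec: WhoisRecord) -> List[str]:
    """Every pivotable selector on one record, minus known-noisy emails."""
    out = []
    if rec.registrant_email and rec.registrant_email.lower() not in NOISY_EMAILS:
        out.append(normalize("email", rec.registrant_email))
    for ns in rec.nameservers:
        out.append(normalize("ns", ns))
    if rec.phone:
        out.append(normalize("phone", rec.phone))
    return out


def build_index(records: List[WhoisRecord], max_fanout: int = 50) -> Dict[str, Set[str]]:
    """Map selector -> domains, keeping only selectors shared by 2..max_fanout domains.

    Selectors on a single domain link nothing; selectors on more than max_fanout
    domains (e.g. a large hosting provider's nameservers) are treated as noise.
    """
    index: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        for sel in selectors_for(rec):
            index[sel].add(rec.domain)
    return {sel: doms for sel, doms in index.items() if 1 < len(doms) <= max_fanout}


def link_edges(records: List[WhoisRecord], max_fanout: int = 50) -> List[Tuple[str, str, str]]:
    """Explainable edges (domain_a, domain_b, selector) in deterministic order."""
    edges = []
    for sel, doms in sorted(build_index(records, max_fanout).items()):
        ordered = sorted(doms)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                edges.append((a, b, sel))
    return edges


def cluster_domains(records: List[WhoisRecord], max_fanout: int = 50) -> List[List[str]]:
    """Union-find over the edges; returns clusters, largest first, each sorted."""
    parent = {rec.domain: rec.domain for rec in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _ in link_edges(records, max_fanout):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    groups: Dict[str, List[str]] = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    for grp in cluster_domains(SAMPLE_RECORDS):
        print("cluster:", ", ".join(grp))
    for a, b, sel in link_edges(SAMPLE_RECORDS):
        print(f"  {a} <-> {b} via {sel}")
```

The edge list is kept alongside the clusters on purpose: a cluster alone says "these belong together", while the edges say why (which email, which nameserver), which is what has to survive scrutiny when a subject disputes the link. Lowering `max_fanout` is the quickest way to see how much of a cluster rests on a single widely shared selector.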
In 2014, a group of people sued Radaris in a class-action lawsuit claiming the company’s practices violated the Fair Credit Reporting Act. Court records indicate the defendants never showed up in court to dispute the claims, and as a result the judge eventually awarded the plaintiffs a default judgment and ordered the company to pay $7.5 million.
But the plaintiffs in that civil case had a difficult time collecting on the court’s ruling. In response, the court ordered the radaris.com domain name (~9.4M monthly visitors) to be handed over to the plaintiffs.
However, in 2018 Radaris was able to reclaim their domain on a technicality. Attorneys for the company argued that their clients were never named as defendants in the original lawsuit, and so their domain could not legally be taken away from them in a civil judgment.
“Because our clients were never named as parties to the litigation, and were never served in the litigation, the taking of their property without due process is a violation of their rights,” Radaris’ attorneys argued.
In October 2023, an Illinois resident filed a class-action lawsuit against Radaris for allegedly using people’s names for commercial purposes, in violation of the Illinois Right of Publicity Act.
On Feb. 8, 2024, a company called Atlas Data Privacy Corp. sued Radaris LLC for allegedly violating “Daniel’s Law,” a statute that allows New Jersey law enforcement, government personnel, judges and their families to have their information completely removed from people-search services and commercial data brokers. Atlas has filed at least 140 similar Daniel’s Law complaints against data brokers recently.
Daniel’s Law was enacted in response to the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge (his mother). In July 2020, a disgruntled attorney who had appeared before U.S. District Judge Esther Salas disguised himself as a Fedex driver, went to her home and shot and killed her son (the judge was unharmed and the assailant killed himself).
Earlier this month, The Record reported on Atlas Data Privacy’s lawsuit against LexisNexis Risk Data Management, in which the plaintiffs representing thousands of law enforcement personnel in New Jersey alleged that after they asked for their information to remain private, the data broker retaliated against them by freezing their credit and falsely reporting them as identity theft victims.
Another data broker sued by Atlas Data Privacy — pogodata.com — announced on Mar. 1 that it was likely shutting down because of the lawsuit.
“The matter is far from resolved but your response motivates us to try to bring back most of the names while preserving redaction of the 17,000 or so clients of the redaction company,” the company wrote. “While little consolation, we are not alone in the suit – the privacy company sued 140 property-data sites at the same time as PogoData.”
Atlas says its goal is to convince more states to pass similar laws, and to extend those protections to other groups such as teachers, healthcare personnel and social workers. Meanwhile, media law experts say they’re concerned that enacting Daniel’s Law in other states would limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminal charges against media outlets that publish the same type of public and government records that fuel the people-search industry.
There are some pending changes to the US legal and regulatory landscape that could soon reshape large swaths of the data broker industry. But experts say it is unlikely that any of these changes will affect people-search companies like Radaris.
On Feb. 28, 2024, the White House issued an executive order that directs the U.S. Department of Justice (DOJ) to create regulations that would prevent data brokers from selling or transferring abroad certain data types deemed too sensitive, including genomic and biometric data, geolocation and financial data, as well as other as-yet unspecified personal identifiers. The DOJ this week published a list of more than 100 questions it is seeking answers to regarding the data broker industry.
In August 2023, the Consumer Financial Protection Bureau (CFPB) announced it was undertaking new rulemaking related to data brokers.
Justin Sherman, an adjunct professor at Duke University, said neither the CFPB nor White House rulemaking will likely address people-search brokers because these companies typically get their information by scouring federal, state and local government records. Those government files include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.
“These dossiers contain everything from individuals’ names, addresses, and family information to data about finances, criminal justice system history, and home and vehicle purchases,” Sherman wrote in an October 2023 article for Lawfare. “People search websites’ business pitch boils down to the fact that they have done the work of compiling data, digitizing it, and linking it to specific people so that it can be searched online.”
Sherman said while there are ongoing debates about whether people search data brokers have legal responsibilities to the people about whom they gather and sell data, the sources of this information — public records — are completely carved out from every single state consumer privacy law.
“Consumer privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia all contain highly similar or completely identical carve-outs for ‘publicly available information’ or government records,” Sherman wrote. “Tennessee’s consumer data privacy law, for example, stipulates that ‘personal information,’ a cornerstone of the legislation, does not include ‘publicly available information,’ defined as:
“…information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”
Sherman said this is the same language as the carve-out in the California privacy regime, which is often held up as the national leader in state privacy regulations. He said with a limited set of exceptions for survivors of stalking and domestic violence, even under California’s newly passed Delete Act — which creates a centralized mechanism for consumers to ask some third-party data brokers to delete their information — consumers across the board cannot exercise these rights when it comes to data scraped from property filings, marriage certificates, and public court documents, for example.
“With some very narrow exceptions, it’s either extremely difficult or impossible to compel these companies to remove your information from their sites,” Sherman told KrebsOnSecurity. “Even in states like California, every single consumer privacy law in the country completely exempts publicly available information.”
Below is a mind map that helped KrebsOnSecurity track relationships between and among the various organizations named in the story above:
There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV”) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.
Image: Varonis.
In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.
On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.
The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-a-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.
“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”
Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.
Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.
On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.
BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.
However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.
The seizure notice now displayed on the BlackCat darknet website.
“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”
BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.
Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.
“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”
Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.
“The affiliates still have this data, and they’re mad they didn’t receive this money,” Smilyanets told Wired.com. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”
BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.
LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.
But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County’s data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.
Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county’s data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.
Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.
“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.
Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.
The ransomware group LockBit told officials with Fulton County, Ga. they could expect to see their internal documents published online this morning unless the county paid a ransom demand. LockBit removed Fulton County’s listing from its victim shaming website this morning, claiming the county had paid. But county officials said they did not pay, nor did anyone make payment on their behalf. Security experts say LockBit was likely bluffing and probably lost most of the data when the gang’s servers were seized this month by U.S. and U.K. law enforcement.
The LockBit website included a countdown timer until the promised release of data stolen from Fulton County, Ga. LockBit would later move this deadline up to Feb. 29, 2024.
LockBit listed Fulton County as a victim on Feb. 13, saying that unless it was paid a ransom the group would publish files stolen in a breach at the county last month. That attack disrupted county phones, Internet access and even their court system. LockBit leaked a small number of the county’s files as a teaser, which appeared to include sensitive and sealed court records in current and past criminal trials.
On Feb. 16, Fulton County’s entry — along with a countdown timer until the data would be published — was removed from the LockBit website without explanation. The leader of LockBit told KrebsOnSecurity this was because Fulton County officials had engaged in last-minute negotiations with the group.
But on Feb. 19, investigators with the FBI and the U.K.’s National Crime Agency (NCA) took over LockBit’s online infrastructure, replacing the group’s homepage with a seizure notice and links to LockBit ransomware decryption tools.
In a press briefing on Feb. 20, Fulton County Commission Chairman Robb Pitts told reporters the county did not pay a ransom demand, noting that the board “could not in good conscience use Fulton County taxpayer funds to make a payment.”
Three days later, LockBit reemerged with new domains on the dark web, and with Fulton County listed among a half-dozen other victims whose data was about to be leaked if they refused to pay. As it does with all victims, LockBit assigned Fulton County a countdown timer, saying officials had until late in the evening on March 1 before their data would be published.
LockBit revised its deadline for Fulton County to Feb. 29.
LockBit soon moved up the deadline to the morning of Feb. 29. As Fulton County’s LockBit timer was counting down to zero this morning, its listing disappeared from LockBit’s site. LockBit’s leader and spokesperson, who goes by the handle “LockBitSupp,” told KrebsOnSecurity today that Fulton County’s data disappeared from their site because county officials paid a ransom.
“Fulton paid,” LockBitSupp said. When asked for evidence of payment, LockBitSupp claimed, “The proof is that we deleted their data and did not publish it.”
But at a press conference today, Fulton County Chairman Robb Pitts said the county does not know why its data was removed from LockBit’s site.
“As I stand here at 4:08 p.m., we are not aware of any data being released today so far,” Pitts said. “That does not mean the threat is over. They could release whatever data they have at any time. We have no control over that. We have not paid any ransom. Nor has any ransom been paid on our behalf.”
Brett Callow, a threat analyst with the security firm Emsisoft, said LockBit likely lost all of the victim data it stole before the FBI/NCA seizure, and that it has been trying madly since then to save face within the cybercrime community.
“I think it was a case of them trying to convince their affiliates that they were still in good shape,” Callow said of LockBit’s recent activities. “I strongly suspect this will be the end of the LockBit brand.”
Others have come to a similar conclusion. The security firm RedSense posted an analysis to Twitter/X noting that after the takedown, LockBit published several “new” victim profiles for companies that it had listed weeks earlier on its victim shaming site. Those victim firms — a healthcare provider and a major securities lending platform — also were unceremoniously removed from LockBit’s new shaming website, despite LockBit claiming their data would be leaked.
“We are 99% sure the rest of their ‘new victims’ are also fake claims (old data for new breaches),” RedSense posted. “So the best thing for them to do would be to delete all other entries from their blog and stop defrauding honest people.”
Callow said there certainly have been plenty of cases in the past where ransomware gangs exaggerated their plunder from a victim organization. But this time feels different, he said.
“It is a bit unusual,” Callow said. “This is about trying to still affiliates’ nerves, and saying, ‘All is well, we weren’t as badly compromised as law enforcement suggested.’ But I think you’d have to be a fool to work with an organization that has been so thoroughly hacked as LockBit has.”
The UK's Office for Nuclear Regulation (ONR) has started legal action against the controversial Sellafield nuclear waste facility due to years of alleged cybersecurity breaches. Read more in my article on the Hot for Security blog.
Security researchers find a way to unlock millions of hotel rooms, the UK introduces cyberflashing laws, and Google's AI search pushes malware and scams. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by T-Minus's Maria Varmazis.
The Qilin ransomware group has targeted The Big Issue, a street newspaper sold by the homeless and vulnerable. A post on Qilin's dark web leak site claimed the gang has stolen 550 GB of confidential data from the periodical's parent company. Read more in my article on the Hot for Security blog.
Hardware wallet manufacturer Trezor has explained how its Twitter account was compromised - despite it having sensible security precautions in place, such as strong passwords and multi-factor authentication. Read more in my article on the Hot for Security blog.
Nemesis Market, a notorious corner of the darknet beloved by cybercriminals and drug dealers, has been suddenly shut down after German police seized control of its systems. Read more in my article on the Tripwire State of Security blog.
In October 2023, the British Library suffered "one of the worst cyber incidents in British history," as described by Ciaran Martin, ex-CEO of the National Cyber Security Centre (NCSC). What lessons can other organisations learn from the ransomware attack? Read more in my article on the Exponential-e blog.
There's a Bing ding dong, after Microsoft (over?) enthusiastically encourages Chrome users to stop using Google, and silence hits the British Library as it shares its story of a ransomware attack. All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault. Plus: Don't miss our featured interview with Kolide founder Jason Meller about his firm's acquisition by 1Password.
The United States Federal Trade Commission (FTC) has warned the public to be cautious if contacted by people claiming to be... FTC staff. Read more in my article on the Tripwire State of Security blog.
Are you using the same passwords in multiple places online? Well, stop. Stop right now. And make sure that you've told your friends and family to stop being reckless too. Read more in my article on the Hot for Security blog.
Graham Cluley Security News is sponsored this week by the folks at Cynet. Thanks to the great team there for their support! Thorough, independent tests are a vital resource as cybersecurity leaders and their teams evaluate vendors’ abilities to guard against increasingly sophisticated threats to their organization. And perhaps no assessment is more widely trusted … Continue reading "How to interpret the MITRE Engenuity ATT&CK® Evaluations: Enterprise"
Fujitsu has warned that cybercriminals may have stolen files with personal and customer data after it discovered malware on its computer systems.
Two firms have been fined $26 million by the US Federal Trade Commission (FTC) for scaring consumers into believing their computers were infected by malware. Read more in my article on the Hot for Security blog.
An affiliate of the LockBit ransomware gang has been sentenced to almost four years in jail after earlier pleading guilty to charges of cyber extortion and weapons charges. Read more in my article on the Tripwire State of Security blog.
Roku users are revolting after their TVs are bricked by the company, we learn how to make money through conspiracy videos on TikTok, and just how much is your car snooping on your driving? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dave Bittner from "The Cyberwire" podcast.
The Philippines division of Taiwanese tech firm Acer has confirmed that information related to its employees has been leaked after a third-party vendor suffered a security breach. Read more in my article on the Hot for Security blog.
Streaming company Roku has revealed that over 15,000 customers' accounts were hacked using stolen login credentials from unrelated data breaches. Read more in my article on the Hot for Security blog.
Incognito Market, a darknet platform connecting sellers of narcotics to potential buyers, has turned out to be not entirely trustworthy.
If you have been optimistically daydreaming that losses attributed to cybercrime might have reduced in the last year, it's time to wake up. The FBI's latest annual Internet Crime Complaint Center (IC3) report has just been published, and makes for some grim reading. Read more in my article on the Tripwire State of Security blog.
I'm afraid that the people of Belgium are dealing with a national emergency.
Is there any truth behind the alleged data breach at Fortnite maker Epic Games? Who launched the ransomware attack that caused a fallout at pharmacies? And what's the latest on the heart-breaking hack of Finnish therapy clinic Vastaamo? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.
A vulnerability has been discovered in the 'util-linux' library that could allow unprivileged users to put arbitrary text on other users' terminals using the 'wall' command. [...]
American retailer Hot Topic disclosed that two waves of credential stuffing attacks in November exposed affected customers' personal information and partial payment data. [...]
The Python Package Index (PyPI) has temporarily suspended user registration and the creation of new projects to deal with an ongoing malware campaign. [...]
Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices. [...]
Penetration testing plays a critical role in finding application vulnerabilities before they can be exploited. Learn more from Outpost24 on the costs of Penetration-Testing-as-a-Service vs classic pentest offerings. [...]
A new phishing-as-a-service (PhaaS) named 'Darcula' uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries. [...]
Microsoft reminded customers today that the Windows 11 22H2 Home and Pro editions will continue to receive non-security preview updates until June 26. [...]
Google fixed seven security vulnerabilities in the Chrome web browser on Tuesday, including two zero-days exploited during the Pwn2Own Vancouver 2024 hacking competition. [...]
The INC Ransom extortion gang is threatening to publish three terabytes of data allegedly stolen after breaching the National Health Service (NHS) of Scotland. [...]
CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks. [...]
The U.S. Department of Justice (DoJ) has charged global cryptocurrency exchange KuCoin and two of its founders for failing to adhere to anti-money laundering (AML) requirements, allowing threat actors to use the platform to launder money. [...]
Ransomware is quickly changing in 2024, with massive disruptions and large gangs shutting down. Learn from Flare how affiliate competition is changing in 2024, and what might come next. [...]
Internet connections using the OpenVPN protocol can be easily identified by using DPI (Deep Packet Inspection) technologies and blocked with minor collateral damage. This result was presented in a technical paper published earlier this month by a team of researchers in the United States. The team performed a large-scale study involving a million users, demonstrating …
The post Study Shows OpenVPN Traffic Can Be Easily Identified and Blocked appeared first on RestorePrivacy.
Glassdoor users have been reporting lately that the platform has introduced changes in its privacy policy, which include publishing people’s real names and locations on their profiles without securing consent. Glassdoor is a website where current and former employees can anonymously submit reviews about their experiences working for a company, including details such as their …
The post Employer Review Site Glassdoor Deanonymized Users Without Consent appeared first on RestorePrivacy.
A threat actor has leaked over 73 million records allegedly containing information on AT&T customers on the ‘Breach’ hacking forums. AT&T is a multinational telecommunications service provider headquartered in Downtown Dallas, Texas. It’s the world’s fourth-largest telecom company by revenue and the largest wireless carrier in the United States. The database that was leaked today …
The post AT&T Investigating Potential Breach Following Leak of 73.4 Million Records appeared first on RestorePrivacy.
France Travail, the country’s public employment service, has fallen victim to a cyberattack that resulted in a major data breach. France Travail, previously known as Pôle emploi, is France’s public agency tasked with assisting job seekers in finding employment and providing relevant financial aid. The agency stated that the breach, which occurred between February 6 …
The post Massive Breach Exposed Data of 43 Million People in France appeared first on RestorePrivacy.
The Tor Project has announced the release of a new bridge called ‘WebTunnel,’ designed to help users bypass censorship in highly problematic regions where accessing the Tor network is particularly challenging. WebTunnel comes in addition to Tor Browser’s multiple censorship circumvention technologies, and its release coincides with the World Day Against Cyber Censorship. Tor bridges …
The post Tor Introduces New ‘WebTunnel’ Bridge to Help Bypass Censorship appeared first on RestorePrivacy.
Tuta Mail, the German end-to-end encrypted email service, has introduced TutaCrypt, a new protocol aiming to give the platform resistance to quantum computing threats. The problem TutaCrypt addresses is the risk of extremely powerful quantum computers enabling the decryption of data that is now considered secure. Tuta Mail’s algorithm of choice was AES 256, combined …
The post Tuta Mail Adds Quantum Resistant Encryption via TutaCrypt appeared first on RestorePrivacy.
A new Chrome extension named ‘Under New Management’ checks installed extensions periodically and displays a warning to the user when a change of ownership or malicious compromise is detected. Created by Google software engineer Matt Frisbie, the extension aims to plug a knowledge and potential security gap for users of Chrome extensions who are unaware …
The post New Chrome Extension Alerts User When Add-Ons Change Hands appeared first on RestorePrivacy.
Meta has announced that in the context of its efforts to align with the EU’s new Digital Markets Act (DMA) legislation taking effect on March 7, 2024, it has rolled out significant updates to its messaging platforms, WhatsApp and Messenger. Those updates aim to ensure legal compliance, making Meta’s platforms interoperable with third-party messaging services while …
The post WhatsApp and Messenger Get Interoperable End-to-End Encryption appeared first on RestorePrivacy.
Secure, end-to-end encrypted, and zero-access email service Proton Mail has just introduced a new privacy feature called “hide-my-email aliases.” This new feature allows users to create and use randomly generated email addresses that can be used on top of their real email address as a masking layer, ensuring that the primary address stays private. The …
The post Proton Mail Introduces “Email Aliases” for Heightened Privacy appeared first on RestorePrivacy.
A cybercriminal using the nickname “hameraib” is attempting to sell what they claim to be 21.1 million records that were exfiltrated from EasyPark last December. EasyPark is a tech firm offering a mobile service for parking payments, allowing users to find, manage, and pay for parking spots and EV charging across Europe, North America, Australia, …
The post Hacker Sells Records Allegedly from 21.1 Million EasyPark Customers appeared first on RestorePrivacy.