The sexual assault allegation against Supreme Court nominee Brett Kavanaugh is prompting members of Washington's private school community to look inward.
The recent theft and distribution of intimate celebrity photos has many of us wondering anew about security in the cloud. On a philosophical level, security is about weighing risks: losing valuable photos or documents if they’re not stored in more than one place versus more copies laying around for hackers to swipe. On a practical level, many experts says it’s time for everyone to turn on two-step verification for cloud storage and other online services. Tech Tuesday explores simple ways to boost security online and manage your digital photos.
- Ben Bederson Computer Science Professor, Associate Provost of Learning Initiatives, University of Maryland
- Matthew Barrick Professional Photographer; and Adjunct Professor, Catholic University
MR. KOJO NNAMDIMost of us don't store intimate photos in our iCloud account, but the recent theft and distribution of private celebrity photos has people asking again about how to protect the pictures and documents they store in the cloud. One answer is to tighten the digital locks on the sites we use. It may be time to enable two step verification on the sites and services you use to double the security of your data. Another answer is to rethink where you store your pictures and documents. Is the ease of cloud storage worth the risk?
MR. KOJO NNAMDI"Tech Tuesday" explores the questions to ask and the precautions you can take to boost the security of your data online. Joining us in studio is Ben Bederson, Computer Science Professor and Associate Provost of Learning Initiatives at the University of Maryland. Ben, good to see you again.
MR. BEN BEDERSONHi Kojo.
NNAMDIAlso in studio with us is Matthew Barrick. He's a professional photographer and an adjunct professor at Catholic University. Matthew, good to see you again.
MR. MATTHEW BARRICKGood to see you.
NNAMDIYou too can join the conversation. Give us a call. 800-433-8850. Do you use two step verification for any of the online services you use? 800-433-8850. Do your photos upload from your smart phone camera to the cloud automatically? Do you even know the answer to that question? You can also send us email to firstname.lastname@example.org or send us a tweet @kojoshow using the hashtag techtuesday. Ben, nothing is 100 percent secure, so how should we think about managing our risk online and in the cloud? What are the philosophical trade-offs, if you will?
BEDERSONI think it's really a matter of balancing various factors. What your -- features you need, what convenience you want, and how much protection you want? You know, for some people, the answer's going to fall on, I'm not willing to risk someone finding this information. So, I'm going to willing to, you know, reduce my convenience. Other people, you know, the convenience and the sharing and not having to worry about it trumps all. And so, really, it comes down to a personal choice, but something that you really do have to think about.
NNAMDIIt's something that you can compare it to our life in our non-virtual lives, such as whether we decide to put something in our glove compartment and leave it in our car or take it with us. Because it's more convenient to leave it in the car, but who wants to have your iPhone on the front seat of your car?
BEDERSONThat's right. And, you know, you think, well, this is my iPhone. It's in my pocket. But the reality is our phones, our Android phone, they get all over the place. In fact, sometimes you lend them to somebody. So maybe you would lend them to a, you know, someone who you weren't thinking was going to be looking through your photos, but they have a few minutes, and they do.
NNAMDIMatt, smart phones are ubiquitous today. We use them to take millions of photos. How do we balance the ease of storing those photos in the cloud and the fun of sharing them on Instagram, Pinterest, against the possibility that they'll be misused? How much thought do we give to the risks involved in storing and sharing photos online?
BARRICKI don't think we give as much thought to it as we should, in some instances. But, for me, what I do with mine is everything is directly connected to the computer. So, I'm not using a Wi-Fi connection for the cloud, for the photographs. Although, I do for some of the programs I use on my cell phone. And for that reason, it safeguards me from anything that gets out into the open. Whereas with some individuals, the ease of use, of being able to walk into your house and your photographs automatically upload via a program to a cloud account.
BARRICKWhether it's iCloud or another account through Google or something of that nature. It's an ease of use that they like. They don't want to have to think about it.
NNAMDIBen, you have said we have reached a tipping point, where we should all start using two step verification for the online services we use, from iCloud to Google to Facebook, to, well, the bank. How does two step verification work and how can one set it up?
BEDERSONIt's really a great concept and it's pretty straightforward, too. Passwords, the old way of doing things, is all about something that you know. The problem is, there are a lot of things that you have to know. A lot of passwords. So, we tend to come up with very simple passwords, in order to remember them. We tend to reuse passwords. And so, that means that other people are more likely to be able to guess them. The idea of two step verification is that you combine something that you know with something that you have.
BEDERSONAnd that's the key idea. It's a bit of a security by redundancy, right? Two different approaches to security. You have to have both of them. And what is something that we almost always have with us is our...
BEDERSONGood guess. So, two step verification means that whenever you need to authenticate yourself, whenever you need to prove that you are you and you have access -- you're supposed to have access to whatever it is that you're protecting, you provide the information you know, like your password. But you also, somehow, show that you have the thing with you that you're actually supposed to have. Your phone. And one way to do that is the service that you're dealing with, whether it's Dropbox or Apple or Google.
BEDERSONIs they might send you a text message with a code and that text message is only good for one time use for a short time and right then and there, you take that code that you received as a text message, or some other way. And enter it into the authentication mechanism. So enter your password, you enter your text message code, and now you've shown that you know something and you have something. And there's much higher confidence that you're really you.
NNAMDISo if someone happens to have either figured out or stolen your password, that person not having your phone in their possession would not be able to get that text and would not be able to use the temporary code that was assigned to you.
BEDERSONThat's exactly right. And, similarly, if somebody takes your phone, right, they can't get in either. And if you lose your phone, there's a backup plan. There is kind of a special, you know, recovery code that you print out on paper and then put in a secure place so that if you lose the thing that you have, you can back that -- you can still get back in.
NNAMDIWell, Google was the first of the big web companies to offer two step verification. And now, a lot of the others are adding it too. Which sites should I go to first to set up two step verification and how do I find it? It's got different names at different sites.
BEDERSONSo, Apple, Google and Dropbox, which I think are the three main, you know, sites that people use for automatically uploading their photos, all have two step verification and that's what they call it. Facebook and Twitter also have two step verification, although as you said, they go by different names. Facebook calls it login approvals and Twitter calls in login verification. But this important, because people want to hack your social media accounts for all kinds of reasons. Just cause someone wants to spoof you, or maybe they're gonna use it to, you know, even blackmail you or take over your business...
NNAMDIYou can find a guide to setting up two step verification at all your favorite sites, prepared by the Wall Street Journal. You can find that on our website at kojoshow.org. So if you go there, you can not only join the conversation, but you can find the guide to setting up two step verification. That's at our website, kojoshow.org. We're talking with Ben Bederson. He's a Computer Science Professor and Associate Provost of Learning Initiatives at the University of Maryland. Matthew Barrick is a professional photographer and a Professor at Catholic University. We go now to Ken in Gaithersburg, Maryland. Ken, you're on the air. Go ahead, please.
KENI'm a bit of a modern luddite, in that I don't like the idea of having much in the way of any information on my smart phone. So I don't take pictures with my smart phone. I take pictures with a small, high quality digital camera. And I download to an external hard drive on my computer. And I actually keep no files on my computer. Everything is on my external hard drive, which is password protected. And I don't share anything on Facebook that would be, in any way, giving away my location, my name, or personal information. And I'm always appalled that people share stuff so freely. I think it's more of a mindset matter.
NNAMDIWell, it has to do, as both of our panelists were indicating, with convenience.
KENWell, you can -- there's a price to pay for that convenience.
NNAMDIWell, I guess there is, which is why we're talking about two step verification today. Matthew, he doesn't take pictures with his phone. That is, Ken doesn't. But a whole lot of other people do, and some phones automatically back up pictures to the cloud, unless users actively disable that function. What's your advice about where to manage and store photos? What are the benefits of cloud storage versus backing everything up onto a computer hard drive or external drive that only you control?
BARRICKOne of the things I always tell my students is to have a three backup process. So that the first backup goes on to your desktop. The second one goes onto an external hard drive. And then the third one on a Blu-Ray disc or a DVD, so that you've got redundancy and you have the availability to get those photographs if a drive crashes, computer problem. Something of that nature. As far as the phone is concerned, I mean, that's really where photography has gone these days. Is photographs are taken with the phone. The phone is utilized as our camera more than anything else these days.
BARRICKAnd I think it's the availability to be able to share our experiences and what we want others to see and parts of our society. But again, it's a tradeoff. You know, if you want to back it up to the cloud, which I think, you know, is a very good idea, because a lot of people do not go through the process of backing up their images to the computer or to an external hard drive. And therefore, if they have the phone that, you know, becomes lost. It becomes damaged, and therefore, all those photographs they spent all that valuable time and all those wonderful memories are lost.
BARRICKThere's no backup, so the cloud allows you to do that. There are other programs that allow you to do that, but again, that two-step process, or that verification mode of having that in place so that you know your photographs are safe.
NNAMDIHere now, Mathilda in Baltimore, Maryland. Mathilda, you're on the air. Go ahead, please.
MATHILDAHi. I was going to talk about the two-step verification process...
MATHILDA...requiring adding another email address or a phone number to get a code.
MATHILDAThat gives the host, like particularly Outlook, that gives them connections to your other email accounts or your phone. So you lose some anonymity. But I just wanted to make a more universal point that even if everybody gets biometric readers, right? As soon as you put your fingerprint on that fingerprint reader, or as soon as you stare into the iris reader, as soon as anything is digitized, it's hackable. People don't understand this.
BEDERSONSo, I mean, you are essentially right on all fronts. But I think, again, it comes to a balance. So if you want to use two-step verification, absolutely, you need to tell the vendor your phone number, which means they now have more information about you. So you absolutely have to have a trusting relationship with this vendor. And if you have any concern -- and there's lots of reasons to have concerns -- then you should go, like the previous caller, and not use these services. But I will say that, if you remember back 10 years ago, there were millions of people with computers that would crash regularly and they would lose everything forever. Why? There were backup systems then and nobody used them.
BEDERSONAnd when Apple introduced Time Machine several years ago as an automated, automatic-on, single-button-press backup for everything on your computer, all of those users stopped having these problems. It's not that they couldn't have backed up before. It's that the reality is that they didn't. And so we're talking about this as a matter of convenience. But I think you want to go -- I would go one step further and say, this is actually human nature.
BEDERSONMost people will not back up. So Matt gave fantastic advice. That's a great thing to do. And if you're willing to do that, go for it. I know how to do this. I've done that for 15 years. And when I started having these, you know, essentially, automated zero-click services, I started using them. Because I was inconsistent about backing up myself.
NNAMDIGot to take a short break. If you have called, stay on the line. We will get to your calls when we come back. If you haven't yet, the number is 800-433-8850. What do you worry about most in terms of online or cloud storage security. 800-433-8850. Or you can send email to email@example.com. It's Tech Tuesday. We're talking about boosting security online and in the cloud. I'm Kojo Nnamdi.
NNAMDIIt's Tech Tuesday. We're discussing about boosting security online and in the cloud with Matthew Barrick. He's a professional photographer and a professor at the Catholic University. Ben Bederson is a computer science professor and associate provost of learning initiatives at the University of Maryland. Ben, whether we use iCloud or Instagram or Dropbox, online storage also brings up the question of how best to manage our passwords for those sites. Are we also at a tipping point where we should all use a digital password manager, rather than trying to remember a different password for every site we use. And how do those systems work?
BEDERSONSo the answer is yes. And again, it is a set of tradeoffs. If you want the best security, just to preempt some callers, you should have fantastic passwords and use different passwords for every site and remember them yourself. For the rest of us, we should use a password manager. And the idea of a password manager is it is a service, you know, cloud-based website that stores all of your passwords entirely encrypted. And the only way to access them is with a master password. The service doesn't have that master password, so they actually cannot get access to your passwords. But you have your master password.
BEDERSONAnd so you get to use that service in combination with the one thing you know, the one password that you do create and remember, so that you can then easily get access to each of your site passwords and use them as you log into each site. And then you can have a 12-character password that's completely random with special symbols and you don't have to remember them. So I actually use -- we've been using this for several years. And I no longer know my passwords. But they're good ones.
NNAMDICould hackers get into your password manager and thus gain access to all your accounts?
BEDERSONIt is scary. And that is possible, conceivably. But in practice, who has a better motivation to keep the password secure? A company whose entire business model is based on keeping them secure and they have professionals and they do nothing but 24/7 build the best systems and monitor them? Or me, where I more or less ignore -- I mean, I'm pretty savvy, but still I'm not going to be following my systems day by day.
BEDERSONAnd then the second thing is, even if their system does get hacked, they're only going to get access to your encrypted passwords and they won't actually be able to use them. And furthermore, that company will know that they got hacked, because that's their business. They'll immediately notify you and they'll help you to change your passwords.
NNAMDIIndeed, another security precaution that we haven't heard much about -- at least I haven't. You said it's easy and worthwhile to turn on the encryption on your laptop computer. How does that work? Why do you recommend it?
BEDERSONSo if you use something like Apple Photo Stream from your iPhone, your photos get synched up to that cloud. And then they might get synched back down to your laptop. And so all of your photos are sitting on your laptop. And if you lose your laptop and you haven't encrypted the disk, then people can just access all your photos. And you say, well, I have an account. You need a password to log in. That's not encryption. That means you need that to log into your system. But if someone has your physical laptop, they can physically remove your hard disk, put it into another computer and, boom, they have access to it.
BEDERSONSo on Mac, you turn on a feature called FileVault. It's very simple. Again, it's like one-click option under system preferences, security and privacy. And you wait a day. And, boom, everything is encrypted. And even if someone steals that hard disk without your password, they will not be able to access it. On Windows, there's a similar feature called BitLocker, which I admittedly have not used myself because I've been a Mac guy for a while. But I understand it works similarly and...
NNAMDIWhat's it called? What's this called on Windows?
BEDERSONOn Windows, it's called BitLocker. On Mac, it's called FileVault.
NNAMDILocker and on Mac, FileVault. On now to Kirk in Cobb Island, Md. Kirk, you're on the air. Go ahead, please.
KIRKHi, guys. Thanks for taking my call.
KIRKI wanted to relate a tip that I learned at a federal agency the hard way. We had been transitioning from time-share to network PCs. And they got a tape drive and they backed up religiously every day. And about three months down the road, somebody said, "Oh, by the way. I screwed up this file. Could I have it from yesterday?" And something went horribly wrong and the entire department lost the last three weeks of their work.
KIRKSo the tip is, whenever you change anything about your backup system -- whether it's starting it initially or changing the schedule or the hardware or the personnel -- be sure to do at least a partial trial restore to make sure that you can at least pull back some of the files. If it's an important set of files, do a complete trial restore.
BEDERSONA hundred percent agree. I actually do that myself. And I would go one step further, which is, if this is data that you care about, don't rely on a single backup system. You know, Matt gave good advice of always have three backups. I don't like the optical media because it's so inconvenient that almost no one ever does that reliably.
BEDERSONBut if you're using iCloud, then also use Dropbox. If you're using Dropbox, also use, you know, Google Drive or use multiple vendors. Because whoever it is, at some point they're going to have a failure. And if you have two completely independent systems, the likelihood that they'll have the same -- a similar failure at the same time, you know, is dramatically reduced.
NNAMDI800-433-8850. Thank you for your call, Kirk. Do you use two-step verification for any of the online services you use? Give us a call, 800-433-8850. Matt, a lot of people like to share photos with family and friends.
NNAMDIWhat's the best way to share pictures? And what risks are you assuming when you do?
BARRICKWell, one of the ways that people use, they, you know, you have Dropbox, you have AppleShare, you have some different programs that allow you, you know, Facebook. Most people use Facebook, Instagram accounts, those sorts of things, where they're not having to necessarily organize them and think about them. They can instantly upload those and drop those to other people. You know, again, you're going to have instances where those are not going to be as safe, per se. One of the ways I do it is through email and FTP sites. If I'm using that for a client, Dropbox is a great way of encrypting the files and putting them out there.
BARRICKSo it just depends on what it is that you want to share, how you want to share it and again, thinking about sort of that security issue. And one of the things I always tell my students is, when in doubt, throw it out. You know, if it's something you don't want somebody to see, you know, just go ahead and get rid of it.
NNAMDIBen, the recent celebrity photo, which appears to have happened in the cloud, speaking about throwing stuff out. Is it possible or advisable to add encryption to our cloud storage?
BEDERSONYou know, this is sort of the, you know, the advanced feature. So the things we've talked about so far -- two-step verification, password manager and encrypting your laptop or all of your disks, are all now, you know, easy to do and I think everybody should do them. An additional step is that you can actually encrypt your data before it gets to the cloud. Then the cloud service will encrypt it again. It'll be doubly encrypted and that will be really, really secure.
BEDERSONSo if you really want to have the redundancy of a cloud backup and don't want to risk even a small chance of someone accessing it, then using a service like Boxcryptor, B-O-X-C-R-Y-P-T-O-R.com, which is about $50 a year, allows you to encrypt all of your files on your machine before it gets sent up to your cloud. So that is an option. However it does come out with an disadvantage, which is that you won't be able to use the cloud service's viewers. So if you go to Dropbox, you can actually view your files on the website, even though they're encrypted, because they get decrypted just in time for you to watch them -- for you to look at them.
BEDERSONIf you use something like Boxcryptor, then you won't be able to because the cloud service won't be able to fully decrypt the files. Only you will be able to download them and access. So it won't be good for viewing or sharing.
NNAMDI800-433-8850. Do your photos upload from your Smartphone camera to the cloud automatically? Do you even know the answer to that question? What do you worry about most, in terms of online or cloud storage security? 800-433-8850. We move on now to Mike in Rockville, Md. Mike, you're on the air. Go ahead, please.
MIKEHi. Thanks for taking my call. My question is related to the security of health providers storing private information on the cloud, if your guests could comment on that. And related to that, there's the HIPAA guidelines. But are there guidelines in other industries that might be as good or even better to follow? I'll take your call off the air. Thanks.
NNAMDIThank you very much for your call, Mike. Ben?
BEDERSONYou know, if the big companies are losing our information -- our credit card information -- Home Depot is in the news this week -- how long is it going to take before our health records or our tax records or someone else -- some other, you know, more valuable data is going to be compromised. You know, the good news is that hasn't really happened yet, you know, because those companies have a lot more at stake, right? So they really, you know, have a huge risk if they lose that information. So they follow better practices. So it hasn't happened. It's not too likely to happen. But I won't say it'll never happen. Because there is a huge value to getting access to that information.
BEDERSONI was recently reading about some kinds of health information that -- not your personal health information, but just your insurance ID number can get hacked. Then that information can get sold, because people can use that, on a one-time use, to go, you know, get services in the emergency room under your health ID, until it gets noticed that it's the wrong thing. But someone's gotten some free health care. And they get thousands of dollars of free health care on one ID. So this stuff is happening. I think we do have to be cautious about it. But I'm afraid that's a little bit beyond the scope of today, because we don't have control over how those companies are managing that information.
NNAMDISpeaking of which and speaking of companies, here is Charlotte in Washington, D.C., who wants to address that issue. Charlotte, you're on the air. Go ahead, please.
CHARLOTTEHi. Good morning to you. I think it's still morning. Oh, no, it's afternoon. Good afternoon to you.
CHARLOTTEYes. My comment is really getting back to the hacking of the photographs. Now, I'm a mother of three teenagers. And what they know is how to put a password on their phones to keep their mother out of their phone. What they don't understand is every photograph that they take on their phone doesn't stay on their phone. When it goes to the cloud, they, in their naivety, think well it stays in the cloud. Even my 18-year-old always likes to tell me, she was raised on Mac, thinks that everything is super protected. Now to a certain extent, she has the right to think that, because it's password protected. She puts her password in. That makes her think that it's safe.
CHARLOTTENow when you think about these photographs that were just lost by these movie stars, it slams it into the public eye. Okay, well there are very sophisticated people that can hack in and get your things. And then you go to the next level and everyone's screaming and shouting, well these are indecent photographs. No, they were private pictures on somebody's private phone that somebody else got access to. And now look where we are. There's a gallery in Florida that's actually putting on a show -- I think it's called Upload -- where they're going to make life-size images of all the nude pictures that they got off the Internet.
NNAMDIWho do you think should ultimately bear responsibility for all of this, Charlotte?
CHARLOTTEI think that some -- quite a lot of it has to lay at the door of the manufacturers of these products. When you're putting out there a false sense of security for a generation, quite frankly, that is growing up with it. My generation put pictures on a Polaroid, hid them in jewelry box (unintelligible)
NNAMDIAnd you think it is entirely where the -- you think it is entirely within their capacity to provide and be responsible for 100 percent security, right?
CHARLOTTEI think it has to be. Otherwise it has to come with a massive caveat. You can't sell a product or put a product out there to a generation that's growing up in a digital age without guaranteeing some protection.
NNAMDIWill companies ever do that, Ben Peterson, absolutely guarantee protection so you can take them to court if you are hacked and they can pay you millions of dollars.
BEDERSONWell, I think from a legal perspective, they're going to work their very, very hardest to avoid that. But I think they already are significantly increasing their security. And the two-step verification is a huge part of that. It sounds like the current hack of these actresses came from hacking security questions. And of course if you're famous, your security questions are not actually very secure. So if they had had two-step verification, this may very well have solved them.
NNAMDIAfraid we're out of time. Matthew Barrick, you didn't get to show me the gizmo you brought for me to see today. In ten seconds or less, what is it?
BARRICKThis is made by Motrr and it's called the Galileo. So it allows you to do 360 degree panoramics. It allows you to do time-lapse motion photography.
BARRICKSomething that we can talk about at a later time.
NNAMDIMatthew Barrick is a professional photographer and a professor at Catholic University. Always a pleasure, Matt.
NNAMDIBen Bederson is computer science professor and associate provost of learning initiatives at the University of Maryland. Good to see you, Ben. Thank you all for listening. I'm Kojo Nnamdi.
Most Recent Shows
New proposed legislation threatens some of the power D.C. Mayor Muriel Bowser exercises over education in the District. Rep. Jamie Raskin is running for a second term in Congress, pledging to protect Maryland's air and federal workers. They both join us in studio.
A WAMU series explores gun violence and aggressive policing in the nation's capital.
Kojo interviews WHUR's former general manager on how his technical experience informed his leadership, and how he turned one station into a network of six.