IT. SECURITY. OPEN SOURCE.

Tag: Privacy


The California Consumer Privacy Act And The .US Domain

As I start this off I would be remiss not to state that yes, I have a .us domain, as do many Americans. You see, the .us top-level domain (TLD) is only available to those with a US nexus: citizens and residents of the United States, and organizations with a bona fide presence there. There are other requirements too, such as keeping your WHOIS records accurate and up to date, so that the record shows the registrant actually meets that nexus requirement. The major downside is that you cannot purchase WHOIS privacy or proxy protection for a .us domain. Everyone who has registered a .com, .net, .org and so on has that protection available; .us registrants do not. In fact, .at, .be, .ca, .cn, .cx, .de, .eu, .pl, .pro, and .tw TLDs do not have those protections either, but that is a different story for a different day. What makes the .us TLD so important?

The California Consumer Privacy Act of 2018, which goes into effect on January 1, 2020, provides broad protections for personal information. You see, in order to maintain a .us domain one must accurately state their personal, or business, information in the WHOIS directory. Under the CCPA, personal information is defined to include real name, signature, address, telephone number, insurance policy number, education, employment, employment history, bank account information, credit card number, debit card number, alias, postal address, unique personal identifier, online identifiers such as an IP address, email address, account name, social security number, driver's license number, passport number, and similar identifiers. Whew!

If you have never seen a WHOIS lookup on a domain before, the output tends to look like this:

Domain Name: JASONBROWN.US
Registry Domain ID: D20196051-US
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T13:04:07Z
Creation Date: 2009-05-31T22:47:12Z
Registrar Registration Expiration Date: 2019-05-30T23:59:59Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: CR17632448
Registrant Name: Jason Brown
Registrant Organization:
Registrant Street:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country:
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jason@jasonbrown.us
Registry Admin ID: CR17632450
Admin Name: Jason Brown
Admin Organization:
Admin Street:
Admin City:
Admin State/Province:
Admin Postal Code:
Admin Country:
Admin Phone:
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID: CR17632449
Tech Name:
Tech Organization:
Tech Street:
Tech City:
Tech State/Province:
Tech Postal Code:
Tech Country: US
Tech Phone:
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: jason@jasonbrown.us
Name Server: ATHENA.NS.CLOUDFLARE.COM
Name Server: LOGAN.NS.CLOUDFLARE.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

I obviously deleted a bunch of stuff, but a simple Google search would show you the real results.

Do not get me wrong, California's Consumer Privacy Act has provided guidelines that the rest of the country should follow. However, lawmakers continuously make decisions and place deadlines on mandates without fully understanding the impact. How long will it take for lawmakers to understand the nuances of how the internet works? I myself think it's bullshit that one cannot purchase privacy protection for a particular TLD, but I see the reasons for it.

The amount of data mining going on, and the price marketers pay for that information, is astronomical. CSO Online ran an article in 2018 which stated that the records on a single individual would cost around $141. Give someone two minutes to enumerate the entire .us TLD, compile that information and hand it to a marketing company, and the amount of data retrieved is priceless.
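To make that concrete, here is an added example (my code, not part of the original post) that parses a WHOIS record of the shape shown above and maps each populated contact field onto the CCPA personal-information category it falls under. The sample record is constructed, the field-to-category mapping is my reading of the statute's list, and the "individual" heuristic is my own.

```python
import re
from collections import defaultdict

# Constructed sample record, modelled on the redacted .us WHOIS output above.
# Not a live lookup; every value here is made up.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.US
Registry Domain ID: D00000000-US
Registrar: Example Registrar, LLC
Registrar IANA ID: 9999
Updated Date: 2018-05-31T13:04:07Z
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID: CR00000001
Registrant Name: Jane Doe
Registrant Organization:
Registrant Street: 123 Main St
Registrant City: Sacramento
Registrant State/Province: CA
Registrant Postal Code: 95814
Registrant Country: US
Registrant Phone: +1.9165550100
Registrant Phone Ext:
Registrant Email: jane@example.us
Registry Admin ID: CR00000002
Admin Name: Jane Doe
Admin Email:
Tech Country: US
Tech Email: jane@example.us
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
DNSSEC: signedDelegation
"""

# WHOIS contact attributes and the CCPA personal-information category
# (Cal. Civ. Code 1798.140) each one falls under. Mapping is mine.
CCPA_CATEGORY = {
    "Name": "real name",
    "Street": "postal address",
    "City": "postal address",
    "State/Province": "postal address",
    "Postal Code": "postal address",
    "Country": "postal address",
    "Phone": "telephone number",
    "Phone Ext": "telephone number",
    "Fax": "telephone number",
    "Fax Ext": "telephone number",
    "Email": "email address",
}
CONTACT_ROLES = ("Registrant", "Admin", "Tech", "Billing")

# "Key: Value". The key is the shortest run up to the first colon, so values
# that contain colons themselves (timestamps, URLs) survive intact.
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Parse WHOIS output into {key: [values]}. Repeated keys (Name Server,
    Domain Status) accumulate; a key with an empty value (blank or redacted
    field) is dropped so callers only see data that is actually exposed."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)].append(m.group(2))
    return dict(fields)


def personal_information(fields):
    """Map every populated contact field onto its CCPA category:
    {role: {category: {values}}}. Registry IDs and non-contact keys are ignored."""
    out = defaultdict(lambda: defaultdict(set))
    for key, values in fields.items():
        role, _, attr = key.partition(" ")
        if role in CONTACT_ROLES and attr in CCPA_CATEGORY:
            out[role][CCPA_CATEGORY[attr]].update(values)
    return {role: dict(cats) for role, cats in out.items()}


def looks_like_individual(fields):
    """Heuristic: a named registrant with no organization is a private person,
    exactly the case where a .us record exposes CCPA-covered information."""
    return bool(fields.get("Registrant Name")) and not fields.get("Registrant Organization")


if __name__ == "__main__":
    parsed = parse_whois(SAMPLE_WHOIS)
    for role, cats in personal_information(parsed).items():
        for cat, vals in sorted(cats.items()):
            print(f"{role:10} {cat:17} {', '.join(sorted(vals))}")
    print("individual registrant:", looks_like_individual(parsed))
```

A record behind a privacy service would fill these fields with the proxy's details instead; a .us record cannot, so every populated field in the Registrant block maps straight onto a CCPA category, and the same parser run over a zone's worth of lookups is the whole "enumerate and compile" step.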

As you can see, the CCPA has brought to light privacy implications that no one had thought of before: the collection of personal information, the sale of personal information to other companies, and even the disclosure of that sale. However, no one is looking at the information we have to give up freely in order to do business. It is my hope that we shed a little California sunshine on this situation.

Facebook Exposes Millions of Passwords in Clear Text

Facebook has been under the spotlight for quite some time now for its poor security and privacy practices. With this latest privacy blunder, it's obvious that the company has not learned from its past. Last week it was uncovered that the company had been storing user passwords in clear text on its internal systems. This affects not only Facebook users but Instagram users too. It was not revealed why these passwords were stored in clear text; what is known is that it affects millions of the company's users.

In a Facebook blog post, Pedro Canahuati, VP of Engineering, Security and Privacy, said that the company uncovered the problem in January during a routine security review. Canahuati also stated that the clear-text passwords were only accessible to people who worked for the company.

At least LinkedIn has your back… Oh, never mind.

Let's not forget the many security breaches which affected passwords in the past. In 2012 LinkedIn had millions of password hashes stolen by hackers. In that breach the passwords had at least been hashed, but with a low-grade scheme: unsalted SHA-1, which lets an attacker crack every user who chose a given password with a single precomputed table. So in LinkedIn's case we can say the passwords were somewhat protected. In Facebook's case the exposed copies were not hashed at all. If those passwords were ever stolen we would see another Yahoo! breach in the making.
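The difference between the two cases, as an added example that is not from the post or from either company's code: an unsalted SHA-1 store of the kind LinkedIn used in 2012 beside a salted, memory-hard store, with the same dictionary attack run against both. The accounts and the wordlist are constructed, and scrypt is my choice of slow hash; the post only says Facebook hashes and salts.

```python
import hashlib
import hmac
import os

# Constructed accounts and a constructed attacker wordlist; none of this is real data.
ACCOUNTS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "correct horse battery"}
WORDLIST = ["password", "123456", "Summer2012!", "linkedin", "letmein"]


def weak_hash(password):
    """2012-LinkedIn style: unsalted SHA-1. Identical passwords give identical
    digests, so one digest per guess can be compared against the whole table."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored, wordlist):
    """Offline dictionary attack on an unsalted table. Cost is one hash per guess
    no matter how many users there are: build a reverse table once, then look
    every stored digest up in it."""
    reverse = {weak_hash(guess): guess for guess in wordlist}
    return {user: reverse[d] for user, d in stored.items() if d in reverse}


def strong_hash(password, salt=None):
    """Salted, memory-hard hash. A fresh 16-byte salt per account means equal
    passwords no longer collide and no precomputed table applies; the scrypt
    parameters (N=2^14, r=8) cost about 16 MiB and tens of ms per guess."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def strong_verify(password, salt, digest):
    """Recompute under the stored salt and compare in constant time."""
    _, candidate = strong_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(stored, wordlist):
    """The same dictionary attack against salted entries: every guess has to be
    re-hashed per user, so the work scales with users x guesses x scrypt cost."""
    found = {}
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            if strong_verify(guess, salt, digest):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    weak_db = {u: weak_hash(p) for u, p in ACCOUNTS.items()}
    print("unsalted SHA-1 cracked:", crack_unsalted(weak_db, WORDLIST))
    strong_db = {u: strong_hash(p) for u, p in ACCOUNTS.items()}
    print("salted scrypt cracked: ", crack_salted(strong_db, WORDLIST))
```

Note that salting and a slow hash do not rescue a password that is in the wordlist; alice and bob fall either way. What changes is that the attacker can no longer see that they share a password, cannot reuse work across users, and pays the full scrypt cost for every guess on every account. A clear-text copy sitting in a log gives none of that.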

Protecting Yourself Online

Canahuati did not say in his post how the issue would be remedied, other than that passwords are normally hashed and salted when an account is created. I would still suggest that everyone change their password anyway and activate multifactor authentication on their account. That way, even if someone had the password, they would not have the one-time code generated by a smartphone app or a hardware token like a YubiKey. That goes for Instagram account holders too, since they were also affected.

One cannot trust the privacy and security that a service provider offers. We must take it upon ourselves to protect our online identities from the mishaps of the services we use. Using a password manager so that no password is ever reused between services, and turning on multifactor authentication on every service that offers it, is the only way to protect ourselves.
