General Security in your life and proper QA data testing

I've been thinking about writing on this topic for a while and needed inspiration of sorts. I guess today would be it. I happened to watch the Netflix series "Ashley Madison: Sex, Lies, & Scandal" and figured this would definitely be a good point to get this blog written out.


At this moment, scammers and hackers are playing a whole new level of game, and it is so prevalent that regular folks, or more like EVERYONE, need to be an amateur security analyst and know what steps to take to ensure the safety of your data and minimize / eliminate your data exposure.


So full disclosure: I am not compensated in any way, shape, or form, and these recommendations are my own, based on my own usage experience and preferences, which seem to be working quite well.

  • Web browsers: DuckDuckGo, Vivaldi, and Brave
  • Credit cards: any with a pause / freeze feature (Chase & Discover have it).
  • Online email providers: Proton Mail, DuckDuckGo email aliases, and other temporary / disposable email providers.
  • VoIP providers: TextNow, Google Voice, MagicJack, & various other disposable VoIP services, which may be able to forward calls and / or texts to your main phone
  • VPN: virtual private networking (ExpressVPN)
  • Password managers: Bitwarden, LastPass

General Personal Security

Some Background Introduction:

In your daily life, all kinds of large technology companies are hoarding enormous amounts of data. Let's just say, from my personal experience, I had a Google email account which I had used extensively that I had to completely delete and get rid of. You'd be surprised how fast data related to that account & the persona behind it started disappearing from both Google Search results and others who use their search aggregate. Not only that, whenever companies get hacked, a lot of your personal information gets sold off on the dark web: everything from email to phone numbers, address, birthday and (US) social security number. That's why your cell phone number and your email are getting more and more spam / junk messages.


Your metadata, a.k.a. the Texas tea / black gold of the digital world, the data that represents you online, is the newest commodity which all of these technology companies trade and sell so that they can keep selling you more things via targeted advertising, by profiling you. Worse still, all this data is readily available to law enforcement agencies: all they need is a court subpoena and they can know anything and everything about you, as long as you emailed it or posted it without proper anonymity.

So first things first: short of living off the land and completely getting rid of your digital footprint, it is inevitable that we shop online and have social media accounts. We do not necessarily need to chase all of the latest trends, but at the same time it is useful to have some semblance of social media. It's no secret that Facebook and other social media have data about you even if you don't have an account with them.

To put it into perspective, the big tech and credit card companies trade your metadata with each other and hold a full profile of who you are, what your purchasing power is, and your preferences when it comes to online shopping and the things you are interested in. There have been numerous cases of unsavory characters setting up social media accounts with someone else's images, masquerading as that person; both existing users of social media and people without any account have found duplicate accounts impersonating them.

So, here are my recommendations to remedy this: 

Step 1: Uninstall native social media & check-in apps from your smart phone. Unless you truly need the native app for marketing, advertising, and sharing your business-related products / services, you really do not need it, & I would strongly advocate deleting the native apps and using the web & mobile web version instead. A native app can ask for permissions (contacts, precise location, photo library, background activity) that a web page in a browser never gets, which is the real reason this helps. I personally have not used the Facebook nor Instagram app on my personal smart phone. My recommended web browsers are DuckDuckGo, Vivaldi, and Brave. I mention these because they seem to be more privacy-centric while still having a strong JavaScript core & HTML5 capabilities.

DuckDuckGo is also available for your smart phone, and I'd highly suggest getting it and disabling the onboard default mobile web browser. For social media like FB, you will get the mobile web experience (m.facebook.com or touch.facebook.com; mbasic.facebook.com used to give a retro, bare-basics feel that loaded faster with a lot less functionality, but FB had already disabled the mbasic URL by the time I'm posting this). Do note that FB Groups and some other areas seem to behave better using the forced desktop view mode in mobile web browsers.

Step 2: Use a paid VPN

One of the crucial things that companies (and, under the PATRIOT Act, the government) scrape for is your IP address, which tells them a lot: everything from geolocation and timing to being able to tie it back to your buying habits and search history through... wait for it.... METADATA. Think of it this way: Google, Amazon, and Facebook, combined with the use of cookies, can paint a pretty accurate trend of what you buy / purchase, where you are located during said activities, and infer what's going on in your life. Keep in mind that a VPN only changes the IP address a site sees; if you are logged in, or carrying that site's cookies, it still knows exactly who you are, so a VPN complements Step 1 rather than replacing it.

Example: purchasing the services of a family / divorce lawyer, or buying dating apps even though you are in a committed relationship / domestic partnership: these are signs that there's potential trouble in paradise (unless you're in an open relationship / marriage / practice ENM), which can also be tied to potential damage to your credit score.

My go-to is ExpressVPN, very reasonable at $99 per year. They even sell wifi routers with ExpressVPN baked in, so that all devices connecting through the router automatically have their traffic routed through the VPN server. Just a note of caution: it might take a bit of tinkering and setting up VPN bypass rules (split tunneling) for services which do not play well with a VPN.


Step 3: Fewer selfies, censor out critical facial features, watermark your images and fewer check-ins

All of the fun "then & now age photograph" challenges just help social media profile you as you age. Even more so, you're handing over your facial biometrics to the NSA and other government agencies should they need to ID you. Even though it's more often women's photographs that get stolen and reused for scams, it affects men also, as these pictures are used in fake dating profiles to boast fake membership numbers and lure men into clicking & flirting / chatting with scammers. You'd be better off taking a lot fewer selfies & perhaps more scenery and location photos, and if you really need / want to, it's perfectly fine to blot out certain facial features. I would also highly recommend disabling GPS / geotagging in your smart phone camera app's settings so that the exact date, time & coordinates aren't stored in the image's EXIF metadata when your smartphone saves it (the big social networks strip EXIF on upload, but sending the original file by email or as a document attachment does not). You do not always have to share your pictures of locations in Google Maps; after all, they're not paying you, and all you're doing is free advertising and content generation for them.
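To see what "coordinates stored in the image's EXIF metadata" actually looks like, here is a small standard-library script, written for this post as an added example (it is not code from the original page), that walks the JPEG segment structure, reports which GPS tags an image carries, and writes a copy with the Exif segment removed. The image it operates on is a constructed JPEG skeleton (valid markers and an Exif block with a GPS sub-IFD, no real pixel data) so the script runs offline; point `gps_tags()` and `strip_exif()` at the bytes of a real photo to check it before sharing.

```python
"""Detect and strip GPS EXIF data from a JPEG (added example, standard library only).

JPEG layout: 0xFFD8 (SOI), then marker segments, each 0xFFxx + a 2-byte
big-endian length (the length counts itself but not the marker), until
0xFFDA (SOS), after which scan data runs to 0xFFD9 (EOI). EXIF lives in an
APP1 segment whose payload is b"Exif\\0\\0" + a TIFF structure; GPS data is a
sub-IFD reached via tag 0x8825 (GPSInfo) in IFD0.
"""
import struct

APP0, APP1, SOS = 0xFFE0, 0xFFE1, 0xFFDA
TAG_GPS_INFO = 0x8825
GPS_TAG_NAMES = {1: "GPSLatitudeRef", 2: "GPSLatitude",
                 3: "GPSLongitudeRef", 4: "GPSLongitude"}


def iter_segments(data):
    """Yield (marker, start, end) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end


def is_exif_segment(data, marker, start):
    return marker == APP1 and data[start + 4:start + 10] == b"Exif\x00\x00"


def find_exif(data):
    """Return the TIFF payload of the first Exif APP1 segment, or None."""
    for marker, start, end in iter_segments(data):
        if is_exif_segment(data, marker, start):
            return data[start + 10:end]
    return None


def read_ifd(tiff, offset, endian):
    """Parse one IFD into {tag: (type, count, 4 raw value/offset bytes)}."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries


def gps_tags(data):
    """Names of the GPS tags present in the image ([] if there is no GPS IFD)."""
    tiff = find_exif(data)
    if tiff is None:
        return []
    endian = "<" if tiff[:2] == b"II" else ">"   # "II" little-endian, "MM" big-endian
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = read_ifd(tiff, ifd0_off, endian)
    if TAG_GPS_INFO not in ifd0:
        return []
    (gps_off,) = struct.unpack(endian + "I", ifd0[TAG_GPS_INFO][2])
    gps = read_ifd(tiff, gps_off, endian)
    return [GPS_TAG_NAMES.get(t, f"GPS tag 0x{t:04x}") for t in gps]


def strip_exif(data):
    """Copy of the JPEG with every Exif APP1 segment removed; other segments are kept."""
    out, last = bytearray(), 0
    for marker, start, end in iter_segments(data):
        if is_exif_segment(data, marker, start):
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)


def build_sample_jpeg(with_gps=True):
    """Constructed sample: SOI, JFIF APP0, optional Exif APP1 with a GPS IFD, SOS, EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                       # big-endian TIFF, IFD0 at 8
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHI", TAG_GPS_INFO, 4, 1)  # one LONG entry
    ifd0 += struct.pack(">I", 26) + struct.pack(">I", 0)               # GPS IFD at 26, no next IFD
    gps = struct.pack(">H", 2)
    gps += struct.pack(">HHI", 1, 2, 2) + b"N\x00\x00\x00"             # GPSLatitudeRef = "N"
    gps += struct.pack(">HHI", 2, 5, 3) + struct.pack(">I", 56)       # GPSLatitude: 3 RATIONALs at 56
    gps += struct.pack(">I", 0)
    rationals = struct.pack(">6I", 37, 1, 46, 1, 300, 10)              # 37 deg 46' 30.0"
    tiff += ifd0 + gps + rationals                                     # 80 bytes total
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    img = b"\xff\xd8" + struct.pack(">HH", APP0, 2 + len(jfif)) + jfif
    if with_gps:
        payload = b"Exif\x00\x00" + tiff
        img += struct.pack(">HH", APP1, 2 + len(payload)) + payload
    img += struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00"    # minimal SOS header
    return img + b"\x00\x00\x00" + b"\xff\xd9"                           # fake scan data, EOI


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS tags before:", gps_tags(sample))
    print("GPS tags after: ", gps_tags(strip_exif(sample)))
```

Removing the whole APP1 segment is deliberate: the TIFF block also carries camera model, serial number and timestamps, and selectively zeroing the GPS IFD while leaving the rest tends to leave dangling offsets. On a real photo the surviving bytes still decode normally, since the scan data is untouched.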

To help cut down on stolen pictures, you'd be better off watermarking your photos, unpleasant as it may be; at least you know the exact place / source of the picture should scammers decide to lift it. More often than not, they'll move on to easier & more ignorant targets: selfies of those who do not think twice and are vain & narcissistic enough to post unedited / unprotected pictures of themselves.

Another critical safety measure is to only upload your vacation images after you come home. Why broadcast and / or boast of your away-from-home status and make your property a target for burglars & vandals? As fun as it is to overshare, I would highly advise skipping all those constant social media & app check-ins to restaurants and other attractions, unless you're an influencer that's vying for attention & is basically an attention-seeking, narcissistic monkey with a video camera. There's no reason to supply all these big corporations more metadata than is needed.

As usual, always be careful of what picture you share. I'm not fully convinced by the article about doing the peace sign and whether phone cameras are able to capture the details of a fingerprint (higher-resolution shots by expensive cameras, maybe so). The same goes for sharing debit card numbers & keys: just don't, as people with less than honorable intentions will duplicate them and use them to gain access, financially and physically respectively.


Step 4: Disposable emails / emails with a purpose

More and more, when shopping online and subscribing to things, there is always the privacy clause and potential sale of data. Even if not, when these companies suffer data breaches (sooner or later), that's when your main / primary email becomes a statistic in stolen data. What I would suggest is to establish purposeful emails: one specifically for online shopping, one for subscriptions to newsletters etc., and then your main personal email. Keep in mind there are times when companies need to reach back out due to product recalls, so it may be prudent to keep the email address you use for shopping.

As I mentioned earlier in the article, Proton Mail also serves well for privacy purposes, as its servers are located in Switzerland and mailboxes are encrypted so that Proton itself cannot read stored message bodies, giving you a little more peace of mind, and for the most part US agencies have no direct jurisdiction over it. Two caveats: Swiss courts can still order Proton to hand over what it does hold (it has complied with such orders for IP addresses in the past), and subject lines and recipient addresses are not end-to-end encrypted, so treat it as better privacy, not anonymity. My other favorite recommendation is DuckDuckGo temporary / privacy email alias generation, which sends all email received at an alias back to wherever your primary & official duck.com email gets forwarded to.

All DuckDuckGo alias emails have trackers stripped out before they are forwarded to your primary email, which lends an extra hand in keeping email tracking at bay. The aliases are easily destroyed as needed: create an address for the purpose of subscribing to an email list, or for other places where an email is "required" but you do not foresee keeping it long term, and as soon as you unsubscribe, you can have DuckDuckGo deactivate that alias so you no longer receive anything at it. There are plenty of temporary, on-demand email services you can tap into if a site needs to send a one-time verification number or recovery link that you don't care to keep long term. Gmail does have something similar, where your primary address takes an alias extension by adding "+" after your username. Example: JohnSmith+mailMeGarbage@gmail.com. The downsides: some sites do not accept / recognize the "+" in an email address, you need to filter these aliases to automatically delete, and, as scammers are getting smarter, they can simply strip the "+tag" to recover your actual base Gmail ID and send spam directly to it instead of the alias.
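The two points above, one alias per service so a breach shows up on exactly one address, and the weakness of Gmail "+" tags, are easier to see in code. The following is an added example written for this post, not code from DuckDuckGo or any alias provider: a small registry that mints a random alias per service, routes inbound mail, and flags the service whose alias starts receiving mail from strangers, plus the one-line normalization a spammer applies to a "+tag" address. The domain `alias.example`, the service names, and the sample messages are all constructed for illustration.

```python
"""Purpose-specific e-mail aliases with leak attribution (added example).

Mail arriving at an alias from a sender other than the service it was issued
to is evidence that the service leaked or sold the address; mail to a revoked
alias is dropped outright, which is the "get rid of the alias" step from the text.
"""
import secrets


def gmail_base(address):
    """What a spammer does with a Gmail "+tag" alias: recover the real mailbox.

    Gmail ignores everything from "+" onward and all dots in the local part, so
    john.smith+shop@gmail.com, johnsmith+news@gmail.com and johnsmith@gmail.com
    all reach the same inbox. Other domains are only lowercased.
    """
    local, _, domain = address.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class AliasRegistry:
    """One random alias per service; routes inbound mail and attributes leaks."""

    def __init__(self, alias_domain):
        self.alias_domain = alias_domain
        self.aliases = {}      # alias address -> {"service": ..., "sender_domain": ...}
        self.revoked = set()

    def create(self, service, sender_domain):
        """Mint a non-guessable alias and record who is expected to write to it."""
        alias = f"{secrets.token_hex(6)}@{self.alias_domain}"
        self.aliases[alias] = {"service": service, "sender_domain": sender_domain.lower()}
        return alias

    def revoke(self, alias):
        """The nuclear option: everything sent to this alias is dropped from now on."""
        self.revoked.add(alias.lower())

    def route(self, message):
        """Return (action, service) for an inbound message dict with "from" and "to".

        forward    - known alias, expected sender: deliver to the private inbox
        quarantine - known alias, unexpected sender: the alias has leaked
        drop       - unknown or revoked alias
        """
        to = message["to"].lower()
        sender_domain = message["from"].rpartition("@")[2].lower()
        entry = self.aliases.get(to)
        if entry is None:
            return "drop", None
        if to in self.revoked:
            return "drop", entry["service"]
        if sender_domain != entry["sender_domain"]:
            return "quarantine", entry["service"]
        return "forward", entry["service"]

    def leaked_services(self, messages):
        """Sorted names of services whose alias received mail from someone else."""
        return sorted({svc for action, svc in map(self.route, messages) if action == "quarantine"})


if __name__ == "__main__":
    reg = AliasRegistry("alias.example")
    shop = reg.create("shop", "shop.example")
    news = reg.create("newsletter", "news.example")
    inbox = [  # constructed sample traffic
        {"from": "orders@shop.example", "to": shop},
        {"from": "win-big@lottery.example", "to": news},   # the newsletter list was sold
    ]
    print(reg.leaked_services(inbox))
    print(gmail_base("John.Smith+mailMeGarbage@gmail.com"))
```

Note that `gmail_base` needs no secret and no guesswork, which is the whole objection to "+" aliases: they label your mail for you, but they do not protect the underlying address. A random alias on a separate domain gives the recipient nothing to strip.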

In a nutshell, think of it this way: the only way to almost get ahead of data leaks, compromised emails (and phone numbers) and breaches is to just get rid of the alias email (or phone number) as soon as you see spam, phishing, & other suspicious mail coming in. That's how credit & debit card companies (sadly) are doing it: as soon as your 16 digits are compromised, they just turn the card off, generate a new number for you, and mail you a new physical card. The effects on you are much greater, though, because all of your auto-pay setups and other conveniences of using the card get turned off with it.

You could call me paranoid or uncomfortable, but do keep in mind that government bodies and official public businesses can, and have, published personally identifiable information like name, address, and phone number on something as innocuous as an email petition asking the city to consider voting on certain initiatives. Because of public-record disclosure rules, they cannot redact your contact information, so keep this in mind when you're sharing contact information for petitions and other contact with government officials / entities, etc.

Step 5: Disposable VoIP numbers

Probably by now you are tired of me talking (preaching) about data being compromised & sold by malicious actors; it is no different for your phone number. Back in the day of land lines / POTS (plain old telephone service) and the white pages, there were listed numbers, printed in the phone book, and unlisted numbers, where you actually requested and / or paid the publishers of the white pages, a.k.a. the telephone book, not to print your number. Then came unscrupulous telemarketing, and of course with the power of computers, autodialing, & robocalling, all numbers are now meticulously curated & called in rapid, incremental succession whether we like it or not.

Some of these services are also used by scammers, sadly, so to a certain degree we're going to use their tools against them, per se. TextNow is one of the apps that I use to give a number to online shops, strangers, or people whom I am not familiar with, until I've known them long enough to trust them, at which point I'd eventually give them my actual cell / Google Voice number. Mobile / cellular numbers are people's primary contact number, and once again, if you use these disposable phone numbers when shopping and / or when reaching out to strangers / new acquaintances when dating etc., you are not exposing a valuable & private resource: your own phone number. It's easy to mark texts and calls as spam on disposable phone numbers like TextMe, and in the worst case, go for the nuclear option and delete / request a new number if the phone number has been severely compromised.

I have heard from someone that they were blackmailed by shady scammers who searched on their Google Voice number / WhatsApp, figured out their potential ties, recorded / caught them in a compromising situation, and threatened to expose them to known associates (family members etc.) in exchange for a ransom in bitcoin / other financial blackmail strategies.

To a certain degree, Google Voice can serve as a secondary & alternative phone number which can be used when making purchases online and given to acquaintances or strangers. It's easy to block & mark unwanted texts and calls as spam; however, the more you use it and the more it gets tied to your name, the more identifiable it becomes / the more it can be associated with you. You could pay to maintain your TextMe number, or else just make sure you send & receive texts and calls once a week to keep the TextMe number alive for you to use exclusively and consistently.

One other service that I'd recommend that's cost-effective is actually MagicJack. Last I checked they are about $50 per year with all tax & fees included. This is a full-service VoIP with E911 capability, call & text forwarding, and is just nice to have as an additional phone number. You can even purchase an additional line for family outside of the US so they have a US number and you can call them.

Step 6: Multi-factor authentication.

More and more people have seen articles about making sure that your social media accounts, emails, banking and financial sites, and other important sites require multi-factor authentication. My go-to is Symantec VIP, as it has been pretty universal and versatile.

A word of caution about SMS as an MFA (multi-factor authentication) factor: SIM swapping / illegal porting of phone numbers is possible, where the attacker talks the carrier (at a phone store, or over the phone) into moving your number to a SIM they control and can then start receiving your SMS MFA codes, especially once they already have your compromised username & password in hand. Ask your carrier for a port-out / account PIN, and prefer an authenticator app or hardware key over SMS wherever the site allows it.

Some companies already support, and a forced migration in the near future is a real possibility, physical hardware keys that plug into a USB port and only need the PIN (personal identification number) associated with the key, on top of your username. YubiKey and other companies are poised to make a boatload of money from these hardware key implementations once they become mandatory and even more mainstream. An alternative to purchasing a standalone USB key is your smartphone, Android or iOS: modern phones can act as the hardware-backed authenticator themselves (the same FIDO2 / passkey standard the USB keys use), with the credential protected by the phone's secure hardware. There's always a caveat: with the advent of smart phones and their widespread use, secured with a PIN / biometrics / passcode and with the ability to remotely wipe them, if you lose your phone, you could literally lose all your secure access, so register a second key or keep the backup codes somewhere safe. As Obi-Wan Kenobi once said to Anakin about his lightsaber: "This weapon is your life!"
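The reason an authenticator app survives a SIM swap is that the code never travels over the phone network: it is computed on the device from a secret shared once at enrollment plus the current time. Below is an added example, written for this post rather than taken from any vendor's app, of that algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) together with the server-side check that tolerates a little clock drift and compares in constant time. It uses only the standard library, and the values it is checked against are the test vectors published in those two RFCs.

```python
"""TOTP (RFC 6238), the algorithm behind authenticator-app codes (added example)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step). Same inputs on both
    sides, so the phone and the server agree without exchanging anything."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits, algo)


def verify_totp(secret, code, for_time=None, step=30, window=1, digits=6, algo=hashlib.sha1):
    """Server side: accept the code for the current step or +/- `window` steps
    (clock drift). All candidates are checked and compared in constant time so
    the response time does not depend on which digits matched."""
    t = int(time.time() if for_time is None else for_time)
    ok = False
    for k in range(-window, window + 1):
        expected = hotp(secret, t // step + k, digits, algo)
        ok |= hmac.compare_digest(expected, code)
    return ok


def secret_from_base32(text):
    """Decode the enrollment secret the way it appears on an otpauth:// QR code
    or a manual-entry screen (base32, often shown in groups of four, unpadded)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # The RFC 6238 test secret, formatted the way an enrollment screen would show it.
    key = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("code at T=59 (8 digits):", totp(key, for_time=59, digits=8))
    print("current code:", totp(key))
```

Two things a server must do that this snippet leaves to the caller: remember the last counter value accepted for each user and refuse a code reused within the same step, and treat the shared secret like a password hash, since anyone who reads it from the database can mint valid codes forever.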

Step 7: Password managers

I am sure corporations have already drilled it into our heads enough: use long, complicated passwords with special characters, mixed case, and numbers, and do not reuse / recycle passwords in multiple places.

This is no different in your private life, for anything that requires a username and password. My go-to are LastPass and Bitwarden. Both can generate long, complicated passwords, although LastPass did disclose a breach in late 2022 in which encrypted customer vault backups were stolen, which is exactly why the master password has to be strong and unique: it is the only thing standing between a stolen vault and its contents. They have web browser plugins to make life easy, filling usernames and passwords on your behalf (NEVER use the web browser to keep your usernames and passwords, ever!), and they even have integrated smart phone apps that work with your apps that require logging in and also auto-fill your mobile web logins. All you need is a strong master password on the password manager app, and there's no excuse to REUSE / RECYCLE known passwords for all of your logins, as these apps / services do the heavy lifting and remembering for you.
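"Generate long complicated passwords" hides two details worth seeing: the randomness has to come from the operating system's cryptographic source, and "require every character class" must not be done in a way that skews the distribution. The added example below, written for this post rather than lifted from any password manager, generates passwords and diceware-style passphrases with Python's `secrets` module and reports the entropy in bits, which is the number that actually decides how long a stolen hash survives offline cracking. The symbol set and the short word list are constructed for illustration; a real diceware list (e.g. the EFF long list) has 7776 words.

```python
"""CSPRNG password / passphrase generation with an entropy estimate (added example)."""
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",   # constructed set; managers let you pick
}

# Constructed mini word list for the demo; a real list has thousands of entries.
SAMPLE_WORDS = ["anchor", "basil", "copper", "dune", "ember", "falcon", "granite", "harbor"]


def has_all_classes(password, classes):
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length=20, classes=("lower", "upper", "digit", "symbol")):
    """Uniform random string over the union of `classes`, redrawn until every
    class appears. Rejection sampling keeps the accepted passwords uniformly
    distributed; "pick one from each class, then shuffle" does not, and it
    quietly lowers the entropy below what the length suggests."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def generate_passphrase(words=6, wordlist=None, separator="-"):
    """Diceware-style passphrase: each word is an independent uniform draw,
    so entropy is words * log2(len(wordlist)) regardless of the words' meaning."""
    wordlist = wordlist or SAMPLE_WORDS
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` independent uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    alphabet_size = sum(len(v) for v in CLASSES.values())          # 86 with the set above
    print(generate_password(20), round(entropy_bits(20, alphabet_size), 1), "bits")
    print(generate_passphrase(6), round(entropy_bits(6, 7776), 1), "bits with a 7776-word list")
```

The entropy line is the part to remember: twenty characters from an 86-symbol alphabet is about 128 bits, six words from a 7776-word list is about 77 bits, and eight characters with every class still enforced is only about 51 bits. Length does the work; a password manager makes length free.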

Proper QA Data testing and setup

My apologies for going into such depth & detail; it is necessary, as the audience for this post is the general public. To close out this blog, I'd like to add just one more fun read. At my most recent prior career adventure, I was actually pretty horrified (and had laughable moments) at the practices at a certain large corporation as they rushed their testing for a major software app release.

The gist of it was that there was a target date: million-dollar-per-second TV commercials for the Super Bowl were already filmed, the timeline was September of the year before, so barely 4 months to get all their ducks in a row for a super massive "one app to rule them all" behemoth to work. It was an almost 24/6 effort: no test cases nor scenarios fleshed out (purely exploratory testing chaos, with no idea what the actual desired outcome should be), chaotic & non-communicated Jira bug handling & filing protocol, the potential "threat" of measuring individual QA performance by how many bugs were raised (hello tons of duplicate bugs & "Hunger Games" mentality), and no proper redlines / design guides and business flows established (and even where they were, most of the guidelines were out of date or no longer applicable).

This definitely highlighted the jarring lack of company-wide coding standards & practices across the individual apps that were developed willy-nilly at the whims of individual development teams, both in-house & outsourced. This added to the burden on this "one app to rule them all" in even beginning to cross-authenticate internally. It also showcased the lack of proper leadership and QA practices. They did indeed start pulling in QA from every other project to "throw the kitchen sink at the problem" to help "solve" it.

The funny part about it was that for a large multi-million-dollar corporation, they "didn't have the budget / ability" to get all testers the needed smartphones and proper SIM cards to fully test the app and the various account / customer types properly, nor was any effort spared to establish proper test usernames and passwords, so we promiscuously had to share and authenticate each other with the iOS and Google 2FA codes when we logged in to the limited test accounts. Many had even used their personal iOS devices to help the testing effort and, little did they realize, both then and on prior projects, that signing in to the shared test account on their personal device without turning off iCloud backup synchronization pushed their personal data into the shared account and gave all of us a little peek into their personal life.

Professionally speaking, I'd ignore these "accidental synchronizations", but it's like a train wreck meets dumpster fire that you cannot look away from. Let's just say I've seen the bad & the ugly: some brinjals / eggplants, blurred mammary glands with foreign-language captions on them (thanks, Google Lens & Translate) from their personal WhatsApp album. In that same vein, you'd expect these QA folks to know technology well enough to avoid such faux pas.

I do feel sorry for the few "sort of designated" QA leads trying to help all of the QA team through this "not even close to organized chaos". I would bet good money that they'd rather be herding cats than trying to tackle this highly dysfunctional fool's errand.


Thank you for taking the time to read & hopefully digest this blog post. I hope it brought enough detail and guidance, and that you enjoyed reading it as much as I enjoyed writing it, sharing it & putting in the effort to make it palatable and fun to peruse.
