Sunday, September 29, 2024

Cybersecurity FAQ

 


I regularly contribute to a subreddit named r/cybersecurity_help and a few others like r/scams, r/IdentityTheft, r/privacy, r/MacOS etc on Reddit, where I help answer questions on a wide range of topics, including online safety, identity theft, scams, extortion, malware, and viruses. I often encounter repeated questions in these forums, so I decided to consolidate all the frequently asked questions (FAQs) in one place. This way, cybercrime victims seeking help or advice can find answers and support for many of the frequently asked questions here. While this isn’t a comprehensive list, it covers many of the questions I’ve seen posted in these forums. This will be a living blog to which I will continually add as I find more of these repeated questions.

Feel free to provide any feedback or additional FAQs you’d like to see in this blog in the comment section. With that said, here are the FAQs in no particular order.

FAQs

1. Someone on the internet says they know my IP address, I am scared.

There is a common misconception among many internet users that knowing their IP address somehow gives someone the power to "hack" them. This myth has been spread by non-technical users, social media, and news outlets, among others. The fact is, every website you visit knows your IP address because it needs this information to send content (text, images, etc.) to your browser so that it can be displayed on your screen. This is how everything on the internet works, not just websites. In addition to your IP address, your internet browser provides much more information to the websites you visit than you may realize. Visit this link (https://myip.selvansoft.com) to see some (not all) of the details your browser shares with websites you visit. An IP address is just a number; only your Internet Service Provider (ISP) knows that it was assigned to you, and they will not disclose your information unless they receive a request from law enforcement accompanied by a proper court order. Being afraid that someone knows your IP address is like worrying that people saw your car’s license plate number while you were driving around the city. Unless you’ve committed a crime and are fleeing from law enforcement, this isn’t a problem. Similarly, if you haven’t done anything unlawful online, you have nothing to worry about if someone claims they have your IP address. They can’t do anything with it. With that said, and to be thorough on this FAQ answer, I wanted to add the following. If you intentionally expose a vulnerable service or, worse, enable UPnP (some do this for running a gaming server without fully understanding the impact), it is possible for someone to attack your machine. Last but not least, if someone with a deep understanding of TCP/IP networking is determined to attack you for some strange reason, they can always perform a DOS attack on your router using just your public IP (you don't need to expose anything) and knock it offline. But while this is possible, it is not probable.

2. I got an email mentioning Pegasus, is this real?

The Pegasus email scam is one of the most popular scams in circulation, and yes, it is 100% a scam. While it is true that Pegasus is a sophisticated spyware developed by the Israeli cyber-arms company NSO Group, it is used for surveillance purposes, often by government agencies and law enforcement for espionage and counter-espionage activities. Unless you are involved in espionage, a spy agency, terrorism, or are a powerful political figure, there is no ROI in spending money (the cost of the software can be $500k or more) on you to infect your devices with Pegasus! Ordinary citizens are not the target. The idea behind this scam email is to use scare tactics with bits and pieces of information like your address, name, email, phone number, a picture of your house from Google Maps etc. all of which are publicly available, to make you send them money. Whatever you do, never send money. Just delete and block this email as spam and move on with your life. No one is going to come after you.

3. Does VPN keep me safe online?

First, a VPN (Virtual Private Network) is a privacy tool that primarily focuses on your privacy by masking your IP address and encrypting your internet traffic. It is not a security tool. While privacy and security do overlap, they are distinct concepts. Privacy is about protecting your personal information and activities from being observed, while security involves protecting your data and device from unauthorized access and threats. That said, if you think running a VPN will protect you from all compromises, you are misinformed. You could run a VPN and still visit a malware site, install pirated software, or use a compromised network, and your device would be compromised just like anyone not using a VPN. Moreover, pretty much all data communication today is done in encrypted form. As long as you are using the HTTPS protocol, you are relatively safe, and you don’t necessarily need a VPN. See additional details at the blog (https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html).

4. My name, address, phone are listed on a website, what do I do?

While this is a problem, the short answer is that there isn’t much you can do other than ask them to remove it, which is not an easy task. You can follow this blog (https://blog.selvansoft.com/2022/07/how-much-of-your-info-is-freely.html) for guidance or try a paid service like Incogni or Optery. The reality is that many data aggregator sites collect your publicly available data, such as your name, address, and phone number, and sell it legally to anyone online. This is a big business, and these data aggregator sites are popping up all over and are here to stay.

5. I sent intimate photos to someone online, and now they are threatening to share them with my contacts if I don’t send them money. I am scared. What should I do?

There is nothing you can do at this point but block and ignore them. Most importantly, never send any money; if you do, that will only make them ask for more, and it will never stop. Likely, the scammer will move on to the next victim. However, be prepared for the possibility that they might get angry and send your pictures to your contacts if they have access to them. While it’s very unlikely this would happen, as they could be scamming someone else instead of wasting time on you, there’s a chance they might persist if they believe you’re a high-value target with the potential for a significant payout. In that case, they would likely continue with the charade. I hope you learned your lesson.

6. I see a lot of attempted logins on my Microsoft account. How do I stop it?

Though it may sound strange, the short answer is, it is normal these days to see multiple attempts daily or even hourly, as shown in the screenshot below.

With so many data breaches in the last decade or so, pretty much everyone’s email is leaked. You can check your email in HIBP (https://haveibeenpwned.com/). Scammers use automated scripts to attempt to login using your email with an attack technique called credential stuffing (i.e. using leaked passwords) and it will not stop. Just ignore it as long as you have your account well protected with unique and strong password, MFA with an authenticator app or better (hardware keys) or passwordless login etc, you have nothing to worry about. There is a way you can minimize these attempts by eliminating the number of email aliases you have that has login ability. The more you have, obviously the number of attempts will multiply by the alias count. You can restrict which alias can log in and remove login ability to others would reduce the attempts and lower the risk. Follow the link (https://account.live.com/SignInPreferences) when you are logged into your Microsoft account and check if you have multiple aliases with login privilege. Finally, by creating a brand-new alias and allowing only that alias login access you can stop these attempts altogether … well, until your new alias is leaked down the road 😁.

7. Is using public Wi-Fi safe? 

Public WiFi (airport, hotel, coffee shop, etc.), comes with inherent security risks. While complete safety is impossible to achieve, you can significantly improve your online security by following good cyber hygiene best practices. Avoid sensitive transactions like logging into bank accounts, credit card portals, or other financial platforms while connected. If the website you visit does not offer HTTPS transport, do not visit it. Make a habit of only visiting sites that offer HTTPS transport, even on private networks. Enable your firewall; most operating systems come equipped with a built-in firewall, so enable it and block all inbound connections. Keeping your firewall enabled is a simple yet effective way to bolster your security on any network, public or private. Optionally, you can run a VPN for an additional layer of protection. However, it’s not strictly necessary. Contrary to popular belief, a VPN doesn’t make you invincible. Here is a blog (https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html) that outlines what a VPN is and is not, if you’re interested in reading it.

8. I opened a sketchy PDF file. Is my computer compromised?

While there are documented cases of malicious executable code being embedded in PDF files, malware cannot do anything on its own. It relies on exploiting vulnerabilities in your PDF reader software to run. Therefore, the security of your system depends on the PDF reader you use. If you keep your operating system, browser, and applications updated with the latest security patches, you should be fine. For example, if you opened the PDF with your browser, which is typically the case, as long as your browser is updated with all the recent updates, you should be fine even if the PDF is infected with malware. Finally, if you only downloaded the PDF and did not open it, it should not cause any damage whatsoever. Just delete the PDF and move on.

9. I was part of a data breach; how do I protect myself from identity theft? 

First, you are not alone. Given the numerous major data breaches in recent years, many people’s SSNs are unfortunately exposed. For instance, the AT&T breach in 2022 reportedly compromised the SSNs of between 50-100 million customers. Additionally, the recent National Public Data leak included a vast number of individuals. To prevent identity theft, you should freeze your credit reports. This restricts access to your credit information, making it difficult for criminals to open new accounts in your name. You can easily freeze and unfreeze your credit as needed, such as when applying for a loan or credit card. Here’s a simple blog (https://blog.selvansoft.com/2023/05/howto-credit-freeze.html) outlining how to freeze your credit.

10. I changed my password and enabled MFA, but an attacker still accessed my account. How?

It is likely that you have info-stealing malware on your device, which exfiltrated your authenticated session token. Alternatively, you may have visited a malware-laced site that ran a malicious script to read your authenticated session token. Either way, a remote attacker has your authenticated session token. This is a form of attack called Session Hijacking. Keep in mind that strong passwords, MFA, and hardware keys are irrelevant against session hijacking attacks, as the attacker can use the valid session token to log in as you until the session token expires, which can be hours, days, or even weeks, depending on how the session management is implemented on the website. To remove the access, you need to invalidate your sessions by logging out of all your accounts on all your devices. In case you find your device is infected with a virus or malware, follow FAQ#11 below to remove it. Also read FAQ#21 below on a new feature that will prevent Session Hijacking in the future.

11. My computer is infected with malware. How did it happen, and how do I recover?

The root cause could be anything from installing pirated software or game cheat codes to clicking on malicious links or visiting compromised websites (inadvertently or intentionally) which enabled malicious code running on your browser without the need to install anything (these are called fileless malware that scanners often miss). Run a full scan of your device with a malware scanner like Malwarebytes and/or a good VirusScan tool to remove/clean the infection. In most cases, that is all you need to do. However, while most virus/malware removal tools do a good job of removing infections, they may not be effective if you are infected with a persistent rootkit. In that case, you may have to do a complete wipe (wipe the hard drive, including the EFI partition) and reinstall the OS. This is quite different from the typical “Windows reset/reinstall” step most people are familiar with, which doesn’t remove things hiding in partitions outside the reach of a standard OS reset/reinstall. An explanation of how to do that is outside the scope of this answer, but you can consult an expert to help you accomplish it, or you can do it yourself by following the FAQ #13 below. Finally, to prevent future attacks, be cautious about the websites you visit, avoid clicking on random links, and refrain from downloading pirated software or crack codes, etc.

12. How do I backup my Google Authenticator secrets?

As a cybersecurity professional and practitioner, I would not advocate syncing authenticator secrets to any form of cloud storage; instead, keep them local. MFA is your second layer of protection and having the secrets for generating OTPs for MFA reside in the cloud makes you vulnerable in the event of future data leaks. Follow my instructions below to detach Authenticator from Google cloud sync and take responsibility for guarding your secrets under your control. 

First, export all your secrets. Google Authenticator allows you export all secrets to a giant QR code. Save this QR code image to your local drive and follow the steps.

  1. Enable google sync.
  2. Now delete all the secrets.
  3. Let google sync empty Authenticator.
  4. Now, disable google sync.
  5. Import everything back from the giant QR code you saved above.
  6. Keep the QR code in a safe place or better yet, print a paper copy to store it.
Ultimately, Authenticator cloud syncing boils down to the "convenience over security" argument. In the digital age, online security is your lifeline. Therefore, I generally advise everyone to never prioritize convenience over security.

Alternatively, if you are a command-line interface (CLI) user like me, the ultra-safe and secure way is to completely discard phone OTP apps and use a command-line tool called oathtool on your laptop/desktop (macOS or Linux) to generate OTPs. I have a shell script that I personally use that wrapps oathtool to make it secure by encrypting the secrets using GPG or OpenSSL on your laptop/desktop. You are welcome to use it, and it can be found on my GitHub (https://github.com/aselvan/scripts/blob/master/security/oathtool.sh)

How to use the oathtool.sh script:
Add secret (example: gmail):  oathtool.sh -k gmail -a "gmail_authenticator_secret"
Generate OTP (example: gmail):  oathtool.sh -k gmail

13. How do I completely wipe my hard drive to remove a rootkit or to dispose of it with no sensitive information?

Contrary to popular belief, deleting partitions and formatting a drive does not truly wipe data. While it renders the data inaccessible to the operating system, the actual data persists on the drive until overwritten by new information. Therefore, if your system was compromised with a rootkit (commonly hides in the EFI partition), repartitioning or formating does not guarantee its removal. To achieve a completely clean drive, every byte in every sector must be overwritten with zeros (or random byte) before partitioning and formatting to install fresh new OS. While numerous methods exist for wiping a drive clean, here's a straightforward approach if you know basic command-line skills in Linux.

First, download a Linux distribution (e.g., Ubuntu) to a USB drive, then shut down your machine and boot from it (adjust BIOS settings to prioritize USB boot). Once in Linux, open a terminal and type "sudo su" to gain root privileges. Identify the device file corresponding to your Windows hard drive/SSD. This will typically resemble /dev/sdc or /dev/sdd. For reference, the screenshot below shows a Windows hard drive at /dev/sdi. Ignore other details in the screenshot as they pertain to a different context.


You can determine your Windows drive's device file by running "fsdisk -l" without arguments and examining the output. Once you identify your windows drive device file, execute the following command, replacing "/dev/sdi" with your actual device file. 

shred -vf -n1 /dev/sdi 

Be prepared for a lengthy process (potentially hours) depending on the hard drive or SSD's size. Note: If you are disposing the hard drive, remove the -n1 argument to shred. It would not be a bad idea to perform a full scan of all the data you have backed up from the infected drive. In fact, it would be quite easy to do so in the step mentioned above while operating under Linux. You can install ClamAV (https://www.clamav.net/) using this command "apt install clamav". Then, identify the mount point of your USB drive that contains your backup data and run clamscan on it. This can be done simultaneously while you are wiping your hard drive as described in the previous step. Once your drive is completely wiped and your backup data has been scanned, install a fresh copy of Windows from read-only media. At this point, your Windows installation should be as clean as a whistle.

14. I run Minecraft server for my friends and notice random IPs are attempting to connect to my machine. What do I do to protect my machine?

Running a service publicly on your machine can attract attackers worldwide looking for vulnerable services to exploit. Although your firewall may block attempts to connect, you will soon notice the number of attempts will continue to grow. Eventually, they may succeed if they manage to exploit any known vulnerabilities in the service. It is bound to happen; it is not a question of if, but when. Keep in mind that all services have vulnerabilities (both known and zero-day), and Minecraft has its fair share of vulnerabilities. With that said, if you must run the gaming server while accepting the risks outlined above, you might consider disabling UPnP if it is enabled on your router. In my professional opinion, this setting poses a significant security risk as it automatically opens ports on your network, potentially allowing unauthorized access. I recommend disabling UPnP to enhance your network’s security. If you require specific ports open for gaming, you can manually forward them instead of relying on UPnP.

15. An attacker hacked everything (laptop, phone, router, network etc.) simultaneously, how do I recover?

The scenario you are describing, i.e., a hacker installing malware on all of your devices simultaneously, is highly unlikely. It is improbable that someone (or something) could infect a heterogeneous collection of devices across different architectures and operating systems with just a single piece of malware, virus, or rootkit. Such an all-in-one compromise is simply not feasible in the real world and is more likely to occur only in movies.

16. Which 2FA is better?

First, SMS-based authentication is the weakest form of all MFA methods. Unfortunately, not all websites provide multiple options beyond SMS for MFA. So, in the absence of stronger methods like TOTP authentication, hardware keys, or passwordless options, SMS is better than just using a username and password. Regarding TOTP authentication, all applications, including Google Authenticator, Microsoft Authenticator, and other similar apps, use the same underlying algorithm and are interchangeable. They typically follow the TOTP algorithm defined in the IETF standard RFC 6238. Lastly, for backing up authenticator secrets in case you lose your device, follow the FAQ#12 above.

17. Someone says they know my MAC address. Can they see my internet activity?

Yes and no. First, the MAC address is only applicable to the LAN (local area network) i.e. your wired or wireless network. It does not go beyond the LAN to the WAN (wide area network), a.k.a. the internet. However, by using your MAC address (and sometimes even without it, depending on how much effort they put in), someone could see which websites you visit unless you use your own DNS. They cannot, however, see or read the content of what you are browsing since most communication is encrypted these days. On a related note, many people panic about someone learning their IP address, which does indeed go outside of the LAN, but the same answer more or less applies. You can read more about it in FAQ #1

18. How can I stay safe online? What are the basic tips to avoid becoming a victim?

Using common sense is your first line of defense in staying safe online and avoiding becoming a victim. Trust your instincts, be cautious of unfamiliar websites or emails, and think twice before sharing personal information. Common sense can go a long way in protecting you online. In addition to using common sense, adhere to the following guidelines to enhance your online security.

  • Strong Passwords: Use complex passwords and change them regularly. Consider using a password manager.
  • Multi-Factor Authentication (MFA): Wherever possible, use more than just a password to secure your accounts, commonly referred to as 2FA. Most websites provide multiple options for MFA these days. Always choose an OTP authenticator if that option is offered and avoid SMS-based 2FA.
  • Enable Firewall: Ensure your device's firewall is enabled. Most operating systems come equipped with a built-in firewall, so enable it and block all inbound connections. Keeping your firewall enabled is a simple yet effective way to bolster your security on any network, public or private.
  • Antivirus and Anti-malware Software: Keep them updated to protect your device from threats.
  • Phishing Scams: Be skeptical of emails or messages with links or attachments that urge immediate action or ask for personal information. If it sounds too good to be true or creates a sense of urgency, it's likely a scam.
  • Web browsing: Always ensure websites use HTTPS, especially when entering sensitive information.
  • Public Wi-Fi: When using public Wi-Fi, avoid logging into sensitive accounts or performing financial transactions. It's safer to wait until you're on a trusted network.
  • Installing Software: Only download and install software from reputable sources. Avoid pirated software and gaming cheat codes, as they often contain malware and viruses.
  • Software Update: Regularly update your operating system, browsers, antivirus definitions and apps to protect against security vulnerabilities. 
  • App Permissions: Check the permissions granted to apps and revoke any that are unnecessary.
  • Personal Information Sharing: Be mindful of what personal information you share online. Don’t overshare on social media and be wary of websites or services asking for more information than necessary.
  • Monitor Your Accounts: Regularly check your bank and credit card statements for any unauthorized transactions.
  • Backup: Regularly back up your data to an external hard drive or a cloud service.
  • Educate Yourself: Stay informed about the latest cybersecurity threats and how to protect yourself.
  • Trust Your Gut: If something feels off or too good to be true, it probably is. Your intuition can be a powerful tool in staying safe online

19. Are QR codes safe to scan can?

The answer is neither yes nor no, but more like a maybe. While most QR codes are safe to use, it's important to be aware of the risks of fraudulent QR codes. "Quishing," or QR phishing, is a cybersecurity threat where attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content. Scammers can place these fake QR codes in many places, including emails, text messages, social media, public places, printed flyers, or physical objects. Unfortunately, some, if not all, of the QR code scanners on mobile devices do not give the option to check/inspect the URL before navigating to the website; instead, they directly take you to the link represented in the QR code. At this point, it is too late to do anything if that URL is indeed malicious. Scammers take advantage of the fact that QR codes are very common, and most people trust them because they are usually from reputable places like restaurants or ad posters. This is another example of convenience over security that gets people in trouble.

20. Are URL shorteners safe to click?

The answer is neither yes nor no, but more like a maybe. Many of you are likely familiar with URL shorteners that redirect you to a different long-winded URL when clicked. If you’ve ever seen or used tinyurl.com or bit.ly links, you know how they work. URL shortener services have been abused by scammers for phishing campaigns for a while now. Recently, there has been an increased use of these techniques, specifically leveraging reputable and legitimate websites. Read the blog at (https://blog.selvansoft.com/2023/03/shorturlscams.html) to learn more about it and, most importantly, how you can view/inspect the URL to find out where it would take you before actually clicking on it.

21. What is Device Bound Session Credentials (DBSC) and how it will prevent Session Hijacking?
While this is not a FAQ, I documented it here to raise awareness. Device Bound Session Credentials (DBSC) is a cutting-edge security feature developed by Google to counter session cookie theft (a.k.a. Session Hijacking). Its unique approach stands apart from traditional security measures. The goal is to disrupt session cookie theft by linking authentication sessions to a specific device using the Public Key Infrastructure (PKI) platform. This means stolen cookies become useless as they can only be used on the device from which they were obtained, where the private keys are stored using the Trusted Platform Module (TPM). Google has already implemented this on the Chrome browser as of this writing, which can be enabled with the experimental flag (chrome://flags/#enable-bound-session-credentials). However, for this to work effectively, every website's session management code needs to be modified to use the DBSC API to prevent cookie theft, which may take a long time to adopt. So for now, we are still at risk of session cookie/token theft, one of the most common ways online accounts are compromised today.

22. When using Apple Pay or Google Pay, what information does the merchant see?
Regarding credit card information, merchants only see a token. Both Apple Pay and Google Pay utilize tokenization, which replaces your actual card number with a unique digital identifier or token that is mapped to your actual card number, name, billing address, etc., at the financial institution before payment is authorized. This means that when you make a purchase, merchants receive a token rather than your real card details. The two places where your actual card number and other information are stored are on your phone app and the financial institution that provided the token; merchants don't get to see any of that.

23. Can a photo/image contain executable malicious code?
Yes, it is possible. Just Google "Stegosploit" to learn more or read this blog. However, it is more complicated and rare compared to common methods of compromise, such as installing pirated software, game crack codes, or software from unknown sources. In order for the malicious code to run, you would need to load the infected image in your browser or any image display/rendering software, allowing it to exploit an unpatched vulnerability in your browser or image display software. Again, this is very rare, and as an ordinary user, you are unlikely to be targeted.

24. How to check if a URL is malicious?
There are several websites where you can post a URL to check if it is malicious, such as virustotal.com, which inspects the URL content and analyzes it for malicious signatures. However, interpreting their reports without deep technical knowledge of web technologies can be difficult, and non-technical people often misread them. Additionally, these tools often produce false positives because the signatures they look for, especially "MITRE Signatures," are common across all websites. Without fully understanding the report, it can cause unnecessary panic and fear. The best approach is to post on technical support forums, where people with expertise can help you. Here are a few more websites that perform URL analysis: urlscan.io, www.urlvoid.com, and checkphish.bolster.ai. Again, interpreting the results will not be straightforward.

25. I received a threatening email with accurate personal information. Is this real? I'm scared. What should I do?
The short answer is, although it is frightening, do absolutely nothing. It is not real, no matter how accurate the personal information listed in the email is; it is 100% a scam. So mark it as spam, delete it, ignore it, and get on with your life. The long answer is that cybercriminals reach out after gaining access to your data, which they can easily obtain from public sources as well as from numerous data breaches or leaks. This data can include email, personal photos, photos of your home, name, address, date of birth, phone number, and information about your friends and family. They then generate mass email campaigns threatening to disclose compromising images or videos or manipulate data unless the victim pays a ransom in cryptocurrency because of its anonymity. These scams are collectively called cyber extortion and are currently on the rise. Finally, if you're curious to find out where they obtained the data, you can search your email address on HIBP database (https://haveibeenpwned.com/), though this does not help you in any way other than telling you where they got your data.

26. Do I need password manager for hardware-based passkey?
No, you are confusing the passkey authentication standard with password managers. In hardware-based passkey authentication, absolutely nothing is stored in a password manager or any other place, hence the term passwordless authentication. Password managers, of course, store your passwords. If you have both a passkey and a password for a site, stop using the password as it is the weakest link and always use the passkey. Without going into too much detail, here is a simpler explanation of how passkeys with a hardware key, such as YubiKey, work. During the initial setup of a passkey with a website, your YubiKey creates unique key pairs (public/private) based on the FIDO2 and WebAuthn standards. The public keys are shared with the website along with an identifier, but the private keys never leaves the YubiKey. The only way someone can log in with your passkey is by having physical possession of your YubiKey.

27. What are the advantages of using hardware key vs. software authenticator apps for MFA challenge?
Hardware keys, such as YubiKey, are impossible to steal remotely because the private/master key never leaves the key. The only way someone can use your key to generate a response to an MFA challenge is by having physical possession of your key. In contrast, all authenticator apps store their secrets in cloud storage or browser plugins for convenience. The side effect is that if the secrets are leaked (which is bound to happen eventually), anyone who has them can generate any or all of your OTP challenge tokens. You can mimic the same behavior by not storing your secrets anywhere and keeping them under your full control (read FAQ #12). In that case, I’d argue they are more or less equivalent to hardware keys, with one exception i.e. the  convenience. You don’t need to carry a phone or need power; just plug in the key on the device doing the authentication and touch the key.


Sunday, June 30, 2024

VPN Myth vs. Reality

A VPN (Virtual Private Network) is one of the most misunderstood technologies among non-technical people. In fact, I have encountered many technical people who completely misunderstand what a VPN is and is not. These days, the term VPN is often touted as a solution for all security issues and is advertised by vendors as a one-size-fits-all security solution. This is a misconception and creates a false sense of security. A VPN is not a magic shield for online safety; it is primarily a privacy tool, not a security tool. While privacy and security do overlap, they are distinct concepts. Privacy is about protecting your personal information and activities from being observed, whereas security involves protecting your data and devices from unauthorized access and threats. Let’s take a closer look at what a VPN is and is not.

What VPN is?
Simply put, VPN creates an encrypted network tunnel between your device (laptop, phone etc.) and a VPN server. All your data pass through the tunnel in an encrypted form to the VPN server to make it harder for anyone to track your online activity and most importantly where you are located. The websites you visit will only see the VPN server’s IP address not your device’s IP address. It is this aspect that allows journalists, activists and the like to hide from governments that watch everything they do. Similarly, cyber criminals can leverage this to mask their identity. It also allows people who want to get access to services (for example: video streaming) that are "geo-fenced" i.e. not allowed from certain countries due to regulation etc. Finally, corporations use VPN to prevent sensitive corporate data travelling from employee laptop via public network and to provide access to company resources. That is pretty much VPN is in a nutshell.

What VPN is not?
VPN does not protect you from cybercriminals or viruses or trojan or spam or adware or identity theft etc. Remember I mentioned above that VPN would prevent anyone from tracking your online activity? Well, it is not entirely true. Logged-in accounts and browsing habits can still be tracked (see my earlier blog on 3rd party cookie) by websites you visit. In addition, your VPN provider knows which sites you visit and has logs, even though many claim they don't log. As mentioned earlier VPN isn't antivirus! So even with VPN running, you still need separate protection from malware, virus, trojan etc. Also, there is no guarantee on complete safety, as leaks can happen at the VPN server and some VPN providers log your activity and hand over to authorities when requested depending on local and international laws.

Do you need VPN?
The short answer is no, unless you have a specific reason to hide your online activity. For most everyday users, this isn't necessary. With the widespread adoption of https protocol, which encrypts data between your browser and the websites you visit, VPN adds little value for general online safety. In fact, using a VPN can significantly reduce your bandwidth despite the vendor’s claims of a "fast" solution. About 15 years ago, when the https protocol was not widely implemented, using a VPN was the only way to encrypt data from prying eyes -- up to the point where the VPN tunnel ended. However, this is no longer the case today, as all websites are protected by end-to-end secure connectivity.

Ultimately, whether you use a VPN or not, inherent risks are associated with using public Wi-Fi, which is beyond the scope of this blog. Unless your device runs on a secure operating system, such as Linux or Apple’s macOS, there is always a risk of compromise on public networks — even with an active VPN. It’s possible for someone sitting nearby in a coffee shop to hack into your device.


Monday, May 6, 2024

Disable third-party cookie

What is third-party cookie?
Have you ever wondered why websites suddenly start serving you ads for specific products everywhere you browse? For example, after you visit an eyewear website or search for glasses on Amazon, you'll notice you get a lot of ads related to eyeglasses or sunglasses. This is done using third-party cookies stored on your device which are primarily used for targeted advertising. 

Why do you need to disable third-party cookie?
They track your browsing activity across different websites, building a profile of your interests to be used by advertisers to serve you ads that are more likely to be relevant to you. As such, they raise significant privacy concerns because they allow companies to track your online movements across multiple websites, building a detailed profile without your full awareness.

How to disable third-party cookie?
While Firefox and Safari browsers have blocked third-party cookies by default for quite some time, Google Chrome, on the other hand, had a deadline to phase out third-party cookies by the end of 2024. However, Google recently announced that it is delaying the phase-out of third-party cookies beyond 2024 (https://searchengineland.com/google-third-party-cookie-phase-out-third-delay-439864)

If you are a Chrome browser user like me, you don’t need to wait for google to phase-out third-party cookie. You can actually disable it in Chrome browser by typing "chrome://settings/cookies" on the address bar and selecting "Block third-party cookies." I've had this setting enabled since its introduction and haven't encountered any significant website functionality issues. Once you do that, your browser address bar will show a blocked icon for every site you visit that uses third-party cookie as shown below … 

More interestingly, the following is a screenshot of my login session with my bank (a major US bank) website. As you can see the bank’s webpage code indeed has embedded content from facebook.com. However, since the third-party cookies are blocked, it will not be able to read which is what I want. As a matter of fact, this is indeed how Facebook learned about my banking activity which I have documented in detail in a blog post last year. You can read it at  https://blog.selvansoft.com/2023/06/facebook-knows-you-way-more-than-you.html to learn how the information was gathered.

Ideally, I’d like to block facebook.com here all together (i.e. disable it like I did with public.cobrowse.oraclecloud.com). However, it is not very practical because if I do that, I need login & authenticate to facebook.com every single time which is painful, so I let it be there at least I know they are not going to learn my banking activity for sure which is good enough.

Finally on a related cookie topic, I learned an interesting fact from a tech podcast with Steve Gibson (grc.com) on the annoying cookie permission pop-ups (GDPR compliance) we see on every website these days. It turns out that about 65% of the websites ignore what you choose and place tracking cookies anyway. You can view/hear the relevant section of the podcast here and here.

Tuesday, April 2, 2024

Free 1TB cloud storage?


Who says there is no free lunch? I saw this ad from TeraBox (terabox.com) for a free/permanent 1TB cloud storage which I thought was too good to be true. So, I created a free account and attempted to upload a huge 32GB file, but it failed saying for free tier, the largest file you are allowed to upload is 4GB. Ok fair enough, so I chopped the files into 4GB pieces and tried again. To my surprise, the free tier account uploaded all of them without any issue (see screenshot below), but it took longer since they do throttle upload speed for free tier which is totally understandable.

 

In addition to throttled down "upload speed", the "download speed" is also heavily throttled down as well, so it would take longer to download your file. But if you are only interested in storing your data for backup it doesn’t really matter how long it takes to download especially considering its free service. If you really need all your data downloaded fast, you can always signup for paid version $3.49/month (at the time of this writing), download everything and switch back to free tier 😃

Bottomline is, I would not recommend this as your only, primary cloud backup but certainly a great option as a secondary storage … its free anyways!

If you decided to use this service, do not download their phone app, or native app which are full of adds for free tier. Just go to terabox.com website and signup a free account on your laptop/desktop and upload/download files using the website on your laptop/desktop.


Thursday, January 18, 2024

Is your computer compromised?


Easy way to check if your computer is/was compromised now or in the past

With the recent addition of Naz.API dataset (a massive collection of over 1 billion stolen username and passwords) to HIBP service ("Have I Been Pwned" - a service by troyhunt.com), it is now very easy to check if your computer is compromised by information stealing malware now or in the past. 

Go to the HIBP service at https://haveibeenpwned.com and enter your e-mail (don’t worry, it is 100% safe) and check the search results. The results may span several pages, so make sure to scroll down and check all the breaches your email is listed as compromised. Keep in mind that it is not at all unusual to see your email show up on multiple breaches. For example, see the screenshot below of my own email search.


As you scroll through the list, check if your email is listed for Naz.API. If your email was one of the unfortunate one to be included in the Naz.API list, it is a clear indication that your computer is now or in the past was compromised and information was stolen. The very least you can do is to make sure your current password is not included in the list. There are couple of ways you can check. I know some password managers like 1Password for example can check all your passwords against HIBP database. If you don’t use any tools that support checking your password in HIBP database you are welcome to use my php script at my GitHub repo below which does the same thing, the only caveat is that it checks one password at a time against HIBP database, so you have to repeat that for all your passwords.

How to run: If you are on a Mac or Linux, you can run the script directly with the two commands as shown below ... If you are windows, you have to install php, curl etc first which is beyond the scope of this blog.

curl -s https://raw.githubusercontent.com/aselvan/scripts/master/security/pwned_password.php -o /tmp/pwned_password.php
php /tmp/pwned_password.php

If you are unfortunate to have your password listed in HIBP as per the tools (1Password or my script or any others that check your password against HIBP), and if it is any of your current passwords, change it ASAP and enable 2F if that’s not already in place. If your current password is not found, it means an old password you used in the past was compromised. Still, it is a good idea to change all your passwords ASAP.

If you use more than one email address now or in the past, repeat this for each e-mail.

For further details can be found at the following links


Wednesday, January 3, 2024

New Year, New Password!


As part of your new year’s resolution, it is a good idea to get your online security a fresh start in 2024. With cyber threats becoming an unfortunate norm these days, it's time to enhance your cyber hygiene to protect yourself from becoming a cybercrime victim this year. Change all your online account passwords, especially financial/banking, shopping, social media accounts. The following is a list of things to consider.

  • Change your passwords (also change username if permitted)
  • Enable password-less logins if available.
  • If you don’t have 2F enabled, make sure to enable it.
  • If the site supports stronger 2-factor mechanisms, like Authenticator app or better yet hardware key based, use that instead of SMS based 2-factor; While SMS based is better than just password alone, it is prone to attacks like SIM swap scams 
  • Validate your recovery mechanisms.
    • Reset recovery app keys (if any)
    • Validate recovery e-mail.
    • Reset onetime login codes.
  • Last but not least, invalidate all logins (i.e. log out from all devices and log back in). Though this step may be enforced by the password change, some sites don’t enforce it.

Remember, cyber hygiene is like flossing, not the most glamorous, but essential for long-term digital health. This year, make your online security a resolution you actually stick to. Have a safe 2024 and beyond!


Wednesday, July 12, 2023

T-Mobile SIM swap protection

Many of us know or heard about how easy it is for cyber criminals to circumvent the SMS based 2FA authentication. While SIM swap scams are around for a while but according to FBI, it is currently on the rise. Ideally, you should use the authenticator app or better yet, hardware keys for 2FA but if the website only offers SMS based 2FA you have no choice but to use that. Unfortunately, lot of websites including some financial/banking websites offer only SMS based 2FA. If you are a T-Mobile customer, you can secure your SMS based authentication slightly better with T-Mobile SIM swap protection feature. I don’t know how well it actually protects but it is better than nothing. Log into your T-Mobile account and navigate to Account/Profile/Privacy & Notification/SIM protection to toggle it on as shown on the screenshot below. For convenience, the link below will take you to this setting directly if you are already logged into your T-Mobile account. 

https://www.t-mobile.com/account/profile/fraud-block/simswap


Related Link:

https://www.wirefly.com/news/fcc-proposes-new-rules-stop-sim-swap-attacks


Saturday, July 1, 2023

Three Simple Online Banking Safety Tips


Here are three simple steps you can take while doing online banking to minimize your chances of becoming a victim. As the title says, these steps are simple and does not take much time or effort to follow.

  1. Before login to your banking website for financial transactions or to even review your bank statement etc., close all tabs in your browser. If you are paranoid, temporarily disable any browser plugins you may have installed which you can turn on later.
  2. When you are logged into your banking website, do not do anything else like google search, Facebook, Instagram, or any other browsing specifically, read emails or worse, click on a link your buddy sent you to "check it out". You can do all that after step#3 below.
  3. Once you are done with your online banking business, make sure to log off. Many secure banking web sites these days do protect you by logging you off automatically. However, don’t rely on them because there are still some stupid online banking web sites that don’t properly log you out in a reasonable time or worse, don't do anything.

Simple Cyber Hygiene Practice


Here is some advice on simple cyber hygiene practices to protect yourself online. You really don't have to take extreme steps to bulletproof your online accounts because if a persistent and determined cyber criminals decided to target you (i.e., spear phishing), there is very little you can do to stop them especially if you are a high value target. Luckily most of us don't fall into that category unless you are dumb enough to divulge your personal info by posting on social media that makes you a target. However, with a bit of effort on your part, you can make it slightly harder for cybercriminals to scam you so they will move on to easy targets. 

"You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you."

Trust me, there are still stupid people out there who use "123456" as password (BTW: "123456" is one of the top 10 passwords in 2022 including "password") feeding this fast growing $8 trillion cybercrime business. 

Now, how do you make it "slightly harder"? The answer is, as you may have heard many times, don't just rely on user/password alone even if you have a strong password like "~ti0ah5%#W". Though a strong password is the first step in making it harder, it does not always protect you in all cases as there are ways criminals find a way to gain access to your stuff. So, ensure that you enable 2FA (two factor authentication) wherever it is offered. If multiple methods are provided for 2FA like SMS & authenticator, choose the latter as SMS based 2FA is a false sense of security though it is better than just user/password.

Friday, June 2, 2023

Facebook knows you way more than you think!

We all know that Facebook collects data on all of us. They manage to do that with different ways including via 3rd-party web browser cookies; an explanation of 3rd-party cookies goes beyond the scope of this blog but you can read about it here if you are interested to know more. While 3rd-party cookies are slowly phased out, the alternative i.e. FLoC proposed by Google, as per many privacy advocates, is even worse ... so for now, just assume Facebook and other platforms will always have a way to spy on you.

While there are ways to restrict what Facebook collects (follow steps at end of this blog), there is not a whole lot you can do to make them stop other than just deleting your Facebook account. The reason is, Facebook generates substantially all of its revenue by selling ads, so they have to monitor your online activity to slap you with targeted ads and curated content based on your web browsing behavior i.e., the sites you visit, shop, like etc. At the end of the day, Facebook knowing that I have T-Mobile wireless, or shop at Amazon or browse Reddit etc, is not a big deal for me, I just don't care. However, when I looked at what websites are sharing with Facebook, specifically, financial institution that I do business with, I was very concerned. My financial institution (will not mention their name here) shared with Facebook something related to my activity which is scarry, see below ...


It is unclear to me what they shared since I don't have the details other than Facebook telling me they did. I have the habit of clearing all cookies on banking and financial websites frequently, so unfortunately, I can no longer access this specific cookie in my browser to see the content of what all was shared with Facebook! However, based on the name of activity shared i.e., "COMPLETE_REGISTRATION", I can only assume it is not something I would like them to share, whatever it is. If it was just "PAGE_VIEW" like all other sites, I would be ok with it even then, why would Facebook need to know what bank website I visit? The only thing I remember is opening a new account, transferring money on those 2 days at that exact time mentioned which caused my concern. Why on earth Facebook needs this information? Just to give some perspective, this is just one specific instance of a website I have discussed above, there could be crap ton of them we visit every day sharing all kinds of stuff w/ Facebook 😮.  

Finally, if you got this far, you could follow the steps below to tell Facebook to quit doing this, at least for now, until they figure out new ways of profiting on you 😃

Update: (May 22, 2024): Since many page links and interfaces have changed since this original post back in June 2022, I updated the details below as of today. 

While logged in Facebook ...

  1. Navigate to https://www.facebook.com/off_facebook_activity
  2. Click "Manage future activity"
  3. Click on "Disconnect future activity.” 

This will also clear all the stored activity, so you don't need to clear that. For visual reference, The screenshots for steps 2 and 3 are below. 




Android Battery Drain

 

If your android phone runs out of battery sooner than you expected, you are not alone. The culprits are power hungry, and poorly designed smartphone apps you may have installed – trust me, there are lot of them including popular apps many of us use on a daily basis. To give an example, “Withings Health Mate” app that I use tracks weight from Withings Digital Scale and for some reason it adds a background task to sync the weight from the scale to cloud continually. This is insane ... why on earth anyone needs their weight to continually sync to cloud? A better design would be to sync to cloud whenever you open the app to check your weight history; there is absolutely no need to sync body weight continually especially it involves using your precious battery power. To make matters worse, some of them go totally nuts and do some crazy stuff. See my findings on fitbit at the link https://link.selvansoft.com/crazy-fitbit

Anyways, here is the list of top 10 apps that drain battery a lot. 

  1. Fitbit
  2. Uber
  3. Skype
  4. Facebook
  5. Airbnb
  6. Instagram
  7. Tinder
  8. Bumble
  9. Snapchat
  10. WhatsApp

In my opinion, any phone can and should last a full day with heavy usage and two days on normal usage without having charge but if you have one or more of these installed, it is highly unlikely your phone battery will last all day long.

Solution:

The good news is, there is a way to limit the use of battery and extend your phones ability to last a whole day or two. For example, my phone battery lasts 2 full days on regular use. If you happened to run one of these apps above, just follow the video at link below to adjust the settings and enjoy longer battery charge!

https://selvansoft.com/public/videos/battery_optimize.mp4

Note: Some apps may not function properly while running in the background with this change, but most apps should work just fine. If you have any of them installed, just open each of them once so they will be listed on the recent list so you can easily find them, otherwise just search all the installed apps to find them to change the setting.

Finally, if you rarely use any of these power hogs, just uninstall them and install it back when you find the need to use. Another option is to enable “Google Play Instant” to run apps w/ out installing (note: Not all apps support this function). Go to your Google Play Store app Settings/General/Google Play Instant and enable it as shown in the screenshot.




Thursday, May 25, 2023

How to protect yourself from Card Skimmers

Before I go into steps to protect yourself from card skimmers, it is important to understand the various protocols used in POS (point of sale) devices to read your credit/debit cards. There are 4 types and they are --- swipe (magnetic strip), chip (chip in card), tap (RFID) and smartphone (NFC). I won’t go into the details on each of these, but it is sufficient to be aware that there are multiple technologies involved in POS transactions. Now, here are different ways to prevent or at least lower your chances of becoming a victim of card skimming listed in the order of most effective to least effective.

  1. Use your 'smartphone' to pay (Google Pay, Apple Pay) wherever you can. How to get this setup is outside of the scope but it is very easy. This is the strongest protection you get today, and it is extremely difficult (if not impossible) for criminals to scam you. Most POS devices accept these today although if you live in US (lagging behind the world) it is not uncommon to see vendors using ancient devices that does not support smartphone pay.
  2. Use 'chip+pin' if your card and the POS device supports, this is the second-best way. If you live outside of US like Europe, even in India, you are golden because it is the standard for POS devices for many years and you are required to use pin to do transaction. Every time I was on a business trip to India, I always find myself arguing with waiter at restaurants “hey, I don’t have a pin” 😄. If you live in US, it sucks since chip+pin is not mandated for whatever reason.
  3. Use 'chip' if your card and the POS device supports. Most credit card/banks these days issue cards with chip but unfortunately in US, they also include the magnetic strip to cover the lazy ass vendors who still use archaic magnetic swipe. This pretty much negates the benefit of chip as scamming devices can still read your magnetic strip. So, if you live in US, what I’d recommend is to scratch the magstripe on purpose (I did that on all my cards). Use a sharp knife or steel wool to scratch the magstripe to a point it can’t work. Keep one card with magstripe in case the vendor says, “we don’t have chip reader you have to swipe”. Trust me these guys won’t change unless they are mandated by law to switch to modern POS at state/federal level.
  4. Use ‘tap’ if the POS device and your card supports it. If you see this symbol on the back of your card, then it is enabled for RFID. Again, US lags on this protocol as well. While this is the most convenient way to make purchase, there is a huge security hole in this method which enables most sophisticated attacks which I won’t go into detail but there are things you can do to avoid them i.e., use an RFID blocker (you can buy them at amazon for $2 a piece) and place it in your wallet/purse along with your credit/debit card equipped with this technology. I use these if you need a recommendation https://link.selvansoft.com/1307688f
  5. Use 'check' which of course has many problems of its own but it may be slightly better than the last one below.
  6. Lastly, if none of the above options available to you, you have no choice but to use magstripe/swipe. You might want to spend few seconds to look for signs of tampering on the POS device. See the picture at top of this blog for signs to look for. Obviously, you won’t have lot of time besides, you may annoy other customers behind you if you are spending too much time poking around the device 😄

Finally, you can and should setup text alerts when your card is charged even for a $1. Almost all bank/credit card institutions provide the feature to TXT. The only annoying thing is getting TXT for everything you do on your card, but it is better than being a victim. 

My text alerts look like this (see screenshot below).  Notice it says “card ending in xxxx was not present” that has multiple meaning but, in this case, it means these transactions are done without card i.e., done with google pay which I use everywhere it is accepted and it’s the most secure way today to pay at POS. Period.


Tuesday, May 23, 2023

ProtonVPN - fast & free

ProtonVPN

Not sure any of you are aware of Proton Mail which is a fully secure email service and has been around for a while. I signed up for their free tier email service a while back but never used it since I don’t want to pay for yet another cloud space and the free tier space of 500 MB is not much for daily use.

Anyway, I know they had VPN for free as well but never tried it until recently and I am blown away by the speed --- very low overhead compared to different VPN service I have used. Granted it is wireguard, a modern successor of VPN but still, literally I get same speed as provided by my ISP. First, I could not believe and started measuring speed with every speed test tool that is out there and they all came back with more or less same and speed which is roughly same as what I get with my ISP  (see screenshot) without VPN layer. At this point, there is absolutely no reason to not use them permanently… and it's Free!



How to get ProtonVPN

Head out to https://proton.me and sign-up for free account and you get encrypted mail service and 1 VPN connection free. Wireguard is pretty simple to use, all you have to do is install wireguard (https://www.wireguard.com/install/ ) and get the credentials/keys from ProtonVPN and off you go. 


How to run wireguard (MacOS or Linux)

After wireguard is installed, follow the simple steps shown in screenshot below to start/stop wireguard. The screenshot is on macOS but it should be same in Linux possibly on windows under powershell as well. The third argument is the name of your wireguard configuration file without the '.conf' extension. In my case it is lion.conf. This is the configuration file you downloaded from the ProtonVPN and it should be copied to /usr/local/etc/wireguard/ on MacOS, or /etc/wiregaurd on Linux.

Wednesday, April 5, 2023

HOWTO: Credit Freeze

Data breach incidents are very common these days. In-spite of all the efforts & money spent by organizations on robust cyber security measures to protect themselves, data breaches continue to occur. With countless sensitive records compromised, it serves as a stark reminder that no organization or individual is immune to cyber threats and as an individual, there is nothing you can do to stop. However, there is one thing you can do to protect your identity and personal data by adding a credit freeze on demand or forever. 

As a matter of fact, I don’t see a need for your credit report to be in “unlocked” status unless you apply for loan, bank account, credit card etc. which you don’t do every day. So, why does it need to be in “unlocked” status? When you need it, you can, with a click of a button (at most bureaus) unlock your credit, get your business done and lock it back. 

I have listed below all you need (link/phone/address etc) to place a “free” (yes free) credit freeze to avoid becoming a victim of identity theft, fraud and scam that could potentially wipe your hard-earned money and ruin your financial reputation, possibly forever!

EQUIFAX:

Online: https://my.equifax.com/membercenter
By phone: 800-685-1111
By Mail: Equifax Security Freeze, P.O. Box 105788, Atlanta, Georgia 30348-5788
Online Account:
Terminology: Freeze
How To Lock: Home and select Freeze on the side bar

EXPERIAN:

Online: https://www.experian.com/freeze
By phone: 888-397-3742
By Mail: Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
Online Account:
Terminology: Security Freeze
How to Lock: Experian is sneaky & goes out of the way to hide the free service pushing customers to pay for the “File Lock” (a paid service). Use the direct link below to get to the ‘free’ option.

TRANSUNION:

Online: https://service.transunion.com/dss/
By Phone: 888-909-8872
By Mail: TransUnion LLC, P.O. Box 2000 Chester, PA 19016
Online Account:
Terminology: Credit Lock
How To Lock: Dashboard has Lock/unlock button
Direct URL: N/A

INNOVIS:

Online: https://www.innovis.com/securityFreeze
By Phone: 866-712-4546
Online Account:
N/A

Final Note: The information above is designed to be simple and easy to follow, so that anyone can place a credit freeze quickly and easily. Permanently freezing your credit reports is sufficient in protecting yourself from identity theft. However, I did encounter a more complex process outlined on Reddit (link below) that focuses on all the steps to take if you were indeed an identity theft victim. Some of the steps mentioned there are very extreme and complex, but I suppose overprotecting yourself isn't bad, especially when it comes to your identity.

https://www.reddit.com/r/IdentityTheft/comments/uvv3ij/psa_freezing_your_three_main_credit_reports_is/

Saturday, March 18, 2023

ChatGPT vs. Google search

Whether you're looking for the latest news, a specific product, or a how-to guide, Google search can help you find what you need in a matter of seconds. We all use google search every day at least once or some people like me use multiple times a day. 

Ever since ChatGPT came along, I find myself going there in the hope that I will find what I am looking for faster and easier using the conversational search approach. However, I often find myself falling back to Google search because 4 out of 5 times ChatGPT gives me wrong information and directing me in the wrong path (see the screenshot at end). At this point, I am convinced that it is actually faster for me to go to Google search in the first place for accurate information. Granted my search needs are highly technical in nature and I understand that is not exactly same for everyone but still I think Google search is faster, and most importantly accurate, at least for now.


What do you think?


Just for fun, I asked ChatGPT the question and here is the response I got.

When it comes to finding specific information quickly, Google search is still the go-to tool for most people. However, if you want a more conversational and personalized response to your query, ChatGPT can be a great option.

Here is a screenshot of one of the flat-out wrong answer from ChatGPT for one of my search/question with high degree of confidence 😆