Traditionally, the Google Assistant always lived under the home button on Android phones, but as the company announced at MWC today, LG, Nokia, Xiaomi, TCL and Vivo are about to launch phones with dedicated assistant buttons, similar to what Samsung has long done with its Bixby assistant.
The new phones with the button that are launching this week are the LG G8 ThinQ and K40 and the Nokia 3.2 and 4.2. The upcoming Xiaomi Mi Mix 3 5G and Mi 9, as well as new phones from Vivo (including the Vivo V15 Pro) and TCL will also feature a dedicated Assistant button. With this, Google expects that over 100 million devices will soon offer this feature.
With a dedicated button, Google can also build a few new features into the Android OS that’ll make it easier to bring up some Assistant features that were traditionally always a few taps away.
As expected, a single tap on the button will bring up the Assistant, just like a long tap on your phone does today. A double tap will bring up the Assistant’s visual snapshot feature that provides you with contextual information about your day and location (similar to the sorely missed Google Now of days gone by). A long press activates what Google calls a “walkie talkie feature.” This ensures that the Assistant listens to longer queries, which Google says is “perfect for emails or long text message.”
It’s interesting to see that the Android ecosystem is now building these buttons into phones (and we can probably assume that Google’s own next-gen Pixel devices or the fabled low-end Pixel 3 will have one, too). They will make it easier to discover the Assistant, of course, and maybe get people to use it more often, too — and that’s surely what Google is hoping for.
Verizon has made a deal to use Amazon’s low Earth orbit (LEO) satellites to add capacity to the Verizon cellular network and provide fixed-wireless Internet service in rural parts of the US. Verizon said it will use Amazon satellite connectivity for both consumers and large businesses.
There won’t be any immediate change to Verizon’s services because Amazon has said its Project Kuiper division won’t launch any satellites until at least 2023. The companies yesterday announced a “strategic collaboration” in which they “have begun to develop technical specifications and define preliminary commercial models for a range of connectivity services for US consumers and global enterprise customers operating in rural and remote locations around the world.”
Verizon already provides LTE home-Internet service in rural areas and 5G home-Internet service in urban areas. But availability is limited, and Verizon plans to use Amazon Kuiper to expand its fixed-wireless offerings.
“To begin, Amazon and Verizon will focus on expanding Verizon data networks using cellular backhaul solutions from Project Kuiper,” the Verizon announcement said. “The integration will leverage antenna development already in progress from the Project Kuiper team, and both engineering teams are now working together to define technical requirements to help extend fixed wireless coverage to rural and remote communities across the United States.” Using Kuiper for cellular backhaul will “extend Verizon’s 4G/LTE and 5G data networks” in those rural and remote communities, Verizon said.
Service a “few years away”
Verizon told CNET that Kuiper-powered service for customers is a “few years away” and that the deal is nonexclusive for both Verizon and Amazon. Verizon could thus partner with additional satellite companies, and Amazon could offer its satellite connectivity to other cellular carriers. Verizon also said it intends to use Amazon Kuiper “to make the entire map of the US red”—in other words, to fill in coverage gaps where Verizon’s wireless connectivity is weak or nonexistent.
While the Verizon/Amazon plans are vague now since they’re still in an early stage, the companies said they will “explore joint connectivity solutions for domestic and global enterprises across agriculture, energy, manufacturing, education, emergency response, transportation and other industries.”
Amazon plans to use Kuiper to “serve individual households, as well as schools, hospitals, businesses and other organizations operating in places where Internet access is limited or unavailable,” the announcement noted. Amazon has US approval to launch 3,236 low-Earth-orbit satellites and says it plans to invest more than $10 billion in the project. By contrast, SpaceX Starlink has been providing LEO satellite Internet service in beta for about a year, and SpaceX CEO Elon Musk said the service will come out of beta this month.
In the first half of this guide to personal digital security, I covered the basics of assessing digital risks and protecting what you can control: your devices. But the physical devices you use represent only a fraction of your overall digital exposure.
According to a report by Aite Group, nearly half of US consumers experienced some form of identity theft over the last two years. Losses from these thefts are expected to reach $721.3 billion for 2021—and that’s only counting cases where criminals take over and abuse online accounts. Other valuable parts of your digital life may not carry specific monetary risks to you but could still have a tangible impact on your privacy, safety, and overall financial health.
Case in point: last September, my Twitter account was targeted for takeover by an unidentified attacker. Even though I had taken multiple measures to prevent the theft of my account (including two-factor authentication), the attacker made it impossible for me to log in (though they were locked out of the account as well). It took several weeks and some high-level communication with Twitter to restore my account. As someone whose livelihood is tied to getting the word out about things with a verified Twitter account, this went beyond inconvenience and was really screwing with my job.
The attacker found the email address associated with my Twitter account through a breach at a data aggregator—information probably gleaned from other applications that I had linked to my Twitter account at some point. No financial damage was done, but it made me take a long, hard look at how I protect online accounts.
Some of the risk tied to your digital life is taken on by service providers who are more directly impacted by fraud than you. Credit card companies, for example, have invested heavily in fraud detection because their business is built on mitigating the risk of financial transactions. But other organizations that handle your personal identifying information—information that proves you are you to the rest of the digitally connected world—are just as big a target for cyber crime but may not be as good at preventing fraud.
Everything counts in multiple accounts
You can do a number of things to reduce the risks posed by data breaches and identity fraud. The first is to avoid accidentally exposing the credentials you use with accounts. A data breach of one service provider is especially dangerous if you haven’t followed best practices in how you set up credentials. These are some best practices to consider:
Use a password manager that generates strong passwords you don’t have to remember. This can be the manager built into your browser of choice, or it can be a standalone app. Using a password manager ensures that you have a different password for every account, so a breach of one account won’t spill over into others. (Sorry to again call out the person reusing letmein123! for everything, but it’s time to face the music.)
When possible, use two-factor or multi-factor authentication (“2FA” or “MFA”). This combines a password with a second, temporary code or acknowledgment from someplace other than your web browser or app session. Two-factor authentication ensures that someone who steals your password can’t use it to log in. If at all possible, don’t use SMS-based 2FA, because this is more prone to interception (more on this in a minute). Applications like Authy, Duo, Google Authenticator, or Microsoft Authenticator can be paired with a wide variety of services to generate 2FA temporary passwords or to send “push” notifications to your device so that you can approve a login. You can also use a hardware key, such as a Yubico YubiKey, to further segment authentication from your devices.
Set up a separate email address or email alias for your high-value web accounts so that all email regarding them is segmented off from your usual email address. This way, if your primary email address is caught up in a data leak, attackers won’t be able to use that address to try to log in to accounts you care about. Using separate addresses for each service also has the side benefit of letting you know if any of those services are selling your personal information—just look at where and when spam starts showing up.
If you’re a US resident, make sure to claim an account for your Social Security number from the IRS for tax information access and other purposes. Much of the refund and stimulus fraud over the past few years has been related to scammers “claiming” accounts for SSNs that were unregistered with the IRS, and untangling that sort of thing can be painful.
Register for account breach checkups, either through the service provided through your browser (Firefox or Chrome) or through Troy Hunt’s haveIbeenpwned.com (or both!). The browser services will check stored passwords against breach lists using a secure protocol, and they can also point out risky reused credentials.
Consider locking your credit reports to reduce identity theft risks. Equifax provides an app called Lock & Alert that allows you to lock your credit report from all but existing creditors, then unlock it from the app before you apply for new credit. TransUnion has a similar free app called TrueIdentity. Experian charges $24.99 a month to lock your credit checks, and TransUnion has a “premium” version of its service that locks both TransUnion and Equifax reports on demand for $24.95 a month. In other words, if you want to have tight control over all your credit reports, you can do it for $300 a year. (You can, with some searching, find the free versions of those credit freeze services—here’s Experian’s and here’s TransUnion’s—but man, those companies really, really want to lift a giant pile of money out of your wallet in exchange for a bunch of highly dubious “value-adds.”)
When 2FA is not enough
Security measures vary. I discovered after my Twitter experience that setting up 2FA wasn’t enough to protect my account—there’s another setting called “password protection” that prevents password change requests without authentication through email. Sending a request to reset my password and change the email account associated with it disabled my 2FA and reset the password. Fortunately, the account was frozen after multiple reset requests, and the attacker couldn’t gain control.
This is an example of a situation where “normal” risk mitigation measures don’t stack up. In this case, I was targeted because I had a verified account. You don’t necessarily have to be a celebrity to be targeted by an attacker (I certainly don’t think of myself as one)—you just need to have some information leaked that makes you a tempting target.
For example, earlier I mentioned that 2FA based on text messages is easier to bypass than app-based 2FA. One targeted scam we see frequently in the security world is SIM cloning—where an attacker convinces a mobile provider to send a new SIM card for an existing phone number and uses the new SIM to hijack the number. If you’re using SMS-based 2FA, a quick clone of your mobile number means that an attacker now receives all your two-factor codes.
Additionally, weaknesses in the way SMS messages are routed have been used in the past to send them to places they shouldn’t go. Until earlier this year, some services could hijack text messages, and all that was required was the destination phone number and $16. And there are still flaws in Signaling System 7 (SS7), a key telephone network protocol, that can result in text message rerouting if abused.
I spend most of my time these days investigating the uglier side of digital life—examining the techniques, tools, and practices of cyber criminals to help people better defend against them. It’s not entirely different from my days at Ars Technica, but it has given me a greater appreciation for just how hard it is for normal folks to stay “safe” digitally.
Even those who consider themselves well educated about cyber crime and security threats—and who do everything they’ve been taught to do—can (and do!) still end up as victims. The truth is that, with enough time, resources, and skill, everything can be hacked.
The key to protecting your digital life is to make it as expensive and impractical as possible for someone bent on mischief to steal the things most important to your safety, financial security, and privacy. If attackers find it too difficult or expensive to get your stuff, there’s a good chance they’ll simply move on to an easier target. For that reason, it’s important to assess the ways that vital information can be stolen or leaked—and understand the limits to protecting that information.
In part one of our guide to securing your digital life, we’ll talk briefly about that process and about basic measures anyone can take to reduce risks to their devices. In part two, coming in a few days, we’ll address wider digital identity protection measures, along with some special measures for people who may face elevated risks. But if you’re looking for tips about peanut butter sandwich dead drops to anonymously transfer data cards in exchange for cryptocurrency payments… we can’t help you, sorry.
You are not Batman
A while back, we covered threat modeling—a practice that encompasses some of what is described above. One of the most important aspects of threat modeling is defining your acceptable level of risk.
We make risk-level assessments all the time, perhaps unconsciously—like judging whether it’s safe to cross the street. To totally remove the threat of being hit by a car, you’d either have to build a tunnel under or a bridge over the street, or you could completely ban cars. Such measures are overkill for a single person crossing the street when traffic is light, but they might be an appropriate risk mitigation when lots of people need to cross a street—or if the street is essentially a pedestrian mall.
The same goes for modeling the threats in your digital life. Unless you are Batman—with vast reserves of resources, a secret identity to protect from criminals and all but a select few members of law enforcement, and life-or-death consequences if your information gets exposed—you do not need Batman-esque security measures. (There are certainly times when you need additional security even if you’re not Batman, however; we’ll go into those special circumstances in the second half of this guide.)
For those who want to lock things down without going offline and moving to a bunker in New Zealand, the first step is to assess the following things:
What in my digital life can give away critical information tied to my finances, privacy, and safety?
What can I do to minimize those risks?
How much risk reduction effort is proportional to the risks I face?
How much effort can I actually afford?
Reducing your personal attack surface
The first question above is all about taking inventory of the bits of your digital life that could be exploited by a criminal (or an unscrupulous company, employer, or the like) for profit at your expense or could put you in a vulnerable position. A sample list might include your phone and other mobile devices, personal computer, home network, social media accounts, online banking and financial accounts, and your physical identification and credit cards. We’re going to cover the first few here; more will be covered in part two.
Each of these items offers an “attack surface”—an opportunity for someone to exploit that component to get to your personal data. Just how much of an attack surface you present depends on many factors, but you can significantly reduce opportunities for malicious exploitation of these things with some basic countermeasures.
Physical mobile threats
Smart phones and tablets carry a significant portion of our digital identities. They also have a habit of falling out of our direct physical control by being lost, stolen, or idly picked up by others while we’re not attending to them.
Defending against casual attempts to get at personal data on a smart phone (as opposed to attempts by law enforcement, sophisticated criminals, or state actors) is fairly straightforward.
First, if you’re not at home, you should always lock your device before you put it down, no exceptions. Your phone should be locked with the most secure method you’re comfortable with—as long as it’s not a 4-digit PIN, which isn’t exactly useless but is definitely adjacent to uselessness. For better security, use a password or a passcode that’s at least six characters long—and preferably longer. If you’re using facial recognition or a fingerprint unlock on your phone, this shouldn’t be too inconvenient.
Second, set your device to require a password immediately after it’s been locked. Delays mean someone who snatches your phone can get to your data if they bring up the screen in time. Additionally, make sure your device is set to erase its contents after no more than 10 bad password attempts. This is especially important if you haven’t set a longer passcode.
Also, regularly back up your phone. The safest way to back up data if you’re concerned about privacy is an encrypted backup to your personal computer; however, most iOS device owners can back up their data to iCloud with confidence that it is end-to-end encrypted (as long as they have iOS 13 or later). Your mileage will vary with different Android implementations and backup apps.
Along the same lines, make sure you have installed the most recent version of the phone OS available to prevent someone from taking advantage of known security bypasses. For iOS, this is generally simple—when your device prompts you to upgrade, do it. The upgrade situation on Android is somewhat more complicated, but the same general advice holds true: upgrade ASAP, every time. (There is a school of thought that says you should hold off on the latest upgrades in order for bugs to be worked out, but adhering to that advice will put you in a position where your device might have exploitable vulnerabilities. You can mitigate those vulnerabilities by upgrading.)