S07E04 - Practical mobile security

This week the team consider security:

  • how to secure your devices;

  • keeping your data safe; and

  • how to achieve the right balance of security and convenience.


Ben: Hello and welcome to the 361 Degrees Podcast, Season 7, Episode 4. My name is Ben Smith from Wireless Worker.

Ewan: I'm Ewan from Mobile Industry Review.

Rafe: I'm Rafe Blandford from the "All About" sites.

Ben: Hello, gents. Good to have you back again this week. You're very excited this week, Mr. MacLeod.

Ewan: Yeah. Bring it on. I've been having lots of Irn-Bru.

Ben: Irn-Bru?

Ewan: Yeah.

Ben: Any news with you?

Ewan: No, still looking around to supplement my Ocado habit.

Ben: There we go.

Ewan: Yep.

Ben: Again, if you could send a pound for Ewan MacLeod that would be lovely. Thank you very much.

Ewan: That's right. We've got to keep my wife in curtains.

Ben: Mr. Blandford?

Rafe: The only news from me, I've been playing around with a Lumia 630, new low-end Windows Phone device, kind of the equivalent to the Motorola E device on Android. I always think those devices are the most interesting because they're the ones that more people use than all the high-end stuff.

Ben: How much is it?

Rafe: It's 100 pounds.

Ben: Okay, all right, but the E is cheaper, right?

Rafe: It's about the same price. It depends how you look at it. What's interesting to me about it is it's actually got a motion chip in it for using it as an accelerometer all the time, so you can do that kind of more fitness tracking thing. It's also got mirroring built in, so if you've got the right TV you can duplicate it with the screen of your smart phone on the TV.

Ben: Nice.

Rafe: And typically that's stuff you've been used to having in 500 pound handsets and now, as always is the case with smart phones, you can also get it in the cheap budget handsets.

Ben: What color is it?

Rafe: It's green.

Ben: You're liking it?

Rafe: Yeah, I'm enjoying using it. It's an interesting device.

Ben: By the way, what's your primary handset at the moment?

Rafe: I actually have three devices that I'm using.

Ben: What's your primary handset?

Rafe: It's the Lumia Icon.

Ewan: The American one?

Rafe: Yeah.

Ben: I have been using motion tracking for a different purpose. There's a vehicle insurance company in the UK called Admiral. They're part of a big brand. They have a bunch of names. But they've released an app called ‘Appy Driver’, which I don't approve of, but that's just a gag. You sort of hit start, you hit start when you start to drive, and it tracks the way you drive, and it will then generate you a discount code. If you're a safe driver, over I think 250 miles you have to do.

Ewan: Right.

Ben: It will generate you a discount code to give you a cheaper car insurance.

Ewan: I can just give it to my grandmother and say, "Drive around this?"

Ben: Well, the cynic in me says that if I'm a careless driver, which I'm not, but that my insurance might go up, but it's fascinating. I think there's some investigation to see that.

Ewan: Yeah. It might be the idea of it, yeah.

Ben: It's interesting to see motion tracking being used for something more exciting than fitness apps, which I've become a bit bored of now.

Ewan: Yes.

Ben: Gentlemen, anyway, enough chat. This week what are we going to talk about Mr. Blandford?

Rafe: We're going to talk about security for real people. This is a big topic, security and privacy in general, but I think a lot of the time there's some rational, common sense steps that you can take. We'll talk through some of the kind of background stuff, in other words provide better practice guidance, is the way to phrase it.

Ben: Yes. Absolutely. I feel like a proper radio presenter. Live last week, I met up with security expert, Terence Eden, who is a friend of the show, but also incredibly knowledgeable about all things security, and asked him to talk tips for securing your mobile phone. These are things that you can practically do, which is, I think, great advice to have any time, so.

Terence: I'm a mobile consultant. I talk to businesses big and small about what they're doing on mobile. Most recently, though, I've been involved in hacking the government, in quite a positive way. I've been pointing out a number of security flaws across dot gov.uk and dot nhs.uk, and I'm very pleased to say that the government has responded superbly and is actually fixing some of these flaws in our nation's infrastructure.

I've got a sort of top five tips that I'd like to share. In at number five is just stay skeptical. Quite often, lots of mobile viruses and mobile scams spread by text message, by e-mail, by Twitter, and these are things that we get on our phone, but for some reason because they seem to come from people we trust, all of our savvy just goes out the window. You may very well have received a Twitter message from someone which says, "Oh my God, people are saying mean things about you on the Internet. Click here to find out." Or you receive a text or an e-mail which says, "Help, my credit card has been lost. Please can you send me some money somehow." I think people quite often just let common sense go out the window.

When you see a message from someone which purports to be from your friend, just think, does this sound like them? Is what they're asking me to do a rational thing to do? When you go and click a link that someone has sent you, check to see if it's actually taking you to where you expect to go.

The big thing that we see at the moment, especially on sites like Twitter and Facebook, which are mobile first destinations, is someone sends you a link saying, "You've got to check this out on Facebook." You click on it, it looks like Facebook, you type in your username and password, and just as you hit enter you realize actually you've gone to Facebook.dodgeysite.com rather than the actual Facebook you're expecting. So, just take a look, take a second, before you actually click on something and submit passwords, and just stay a little, stay a little skeptical of what you see and hear.

Ben: What can I do if I have ended up putting my password into a fake site?

Terence: The most important thing you have to do is, if it's something like Twitter, go to settings, and you will see all the applications that have authenticated against it. You'll see your Tweetbot, or whatever Twitter app that you use. You just need to go and delete all of those and then change your password. It's a bit of a pain because you'll need, let's say you've set your smart TV to Tweet what you're watching, or get your Tweets while you're watching Eastenders, you'll need to re-authenticate that against.

The same goes for Facebook. You'll just need to go in, change your password, and look through the list of everything that's connected to your account, and if you don't recognize anything, delete it. To be on the safe side, delete all those connections to your account, because you don't know which ones have been compromised.

If you want to be really security conscious, you can turn on something called two-factor authentication. This means you give your mobile number to the social network. When you try to log in, what will happen is you type in your user name and password, and then Twitter will send you a text message, and it says your one-time password is 12345. You type that code in and you're logged in. That way, if someone does manage to get your username and password, it doesn't matter, because they don't have your phone as well. If they do have your phone as well, then you're a bit out of luck there.

Tip number four is don't download apps outside of the official App Store. Now, the app stores aren't perfect. You can get dodgy apps in there, but there is some safety in numbers. If you see an app that's been downloaded 100,000 times and Google or Apple haven't deleted it, there's a good chance that it's probably safe. You will find, as you browse around the web, websites will try to push their apps onto you and automatically download it onto your phone, especially if you're on Android. Never ever click on those links because, yeah, never ever click on those apps because you don't know, they've gone through no quality control whatsoever. Which kind of leads on to tip number three, which is when you install an app, look at the permissions.

Let's say you've got, you want an app which will add great filters to the photos that you're taking, and when you install it a popup comes on that says, "This app wants permission to send text messages, dial phone numbers, and read your contacts." And you think, well, is that right? Does an app which, all it should be doing is looking at my photos, may be sending them to the Internet, why does it need to place phone calls or send text messages? If you're not sure that an app genuinely needs those permissions, just don't install it. I mean, you know that when all your friends say, "Oh, you've got to download this app, it's the best." Well, just because an app says, "I really want access to your phone book, but I promise I won't do anything bad with it," doesn't mean you can trust it.

Again, don't download apps outside of official channels, and even if you do, take a look at the permissions that they're asking for, because chances are that's a brilliant way to catch stuff which wants to, wants to scam you.

Ben: Why would I be worried about an app that wants to send text messages or make calls?

Terence: If you have an app which can make phone calls by itself, there's nothing to stop it ringing premium rate numbers, or sending text messages to those premium rate scams that may, basically, every time you send a text it charges your phone bill two pound 50, and of course you don't know about it until your monthly bill arrives and all of a sudden you see that you've spent 500 pounds calling the Cayman Isles and sending texts to dodgy services.

Ben: I know you're an Android user, but objectively iOS is a better platform because of the checks Apple do on apps, isn't it?

Terence: Yes. There are more rigorous checks on the iPhones, on the iTunes stores, but that doesn't stop dodgy apps from coming through. Of course, because iOS is so popular, it becomes a very popular target for scammers as well, so it's slightly swings and roundabouts. You're unlikely to get a completely virus ridden app, but at the same time you're definitely a higher profile target, because so many people have iPhones and iPads.

Ben: What should I do if I live in a country where Apple or Google's app stores aren't available, or perhaps I don't want to use them for some reason?

Terence: If you can't get onto a secure app store, like the Amazon app store or Google Play, you can download apps which are virus checkers of a sort. I'm quite keen on Lookout, which is a great Android app. Whenever you install something, it will check it and it will look through the list of permissions, alert you, but it will also look through the app and see whether it's been reported that it's a scam or a virus. I have installed an app before from some dodgy website, and Lookout has popped up and said, "You know what, we've seen that this app will send lots and lots of text messages to premium rate numbers. Do not install it. If you're absolutely sure that you want to install it, click here." But it at least gives you that option.

Tip number two. Ben, what's the password for your Twitter account?

Ben: Well, actually, Terence, it's “password123”.

Terence: That's the kind of password an idiot would have on his luggage. That's a terrible joke. You can cut that out. Lots of people use really short passwords. Why? Because they're easy to remember and they want to be able to type them into their mobile phone, and this means that people quite often have the same password for Twitter as they've got for Facebook as they've got for e-mail as they've got for everything else. This is a real security disaster, because it means that if your Twitter password gets hacked, those hackers have access to everything, all your accounts. So, my top tip is use a password manager.

I'm very fond of LastPass, but there's also 1Password, as well. You'll find a whole bunch of them on your app store. What that allows you to do is generate really long random passwords of uppercase, lowercase, numbers, special characters, and then really easily copy and paste them into the apps and into websites you use. Rather than just remembering that your password is password123 you can have a nice long unintelligible password. You don't have to remember it. You don't have to write it on a bit of paper and then tap it into your phone with your thumbs. You can just copy and paste it in. I find tools like LastPass and 1Password absolutely invaluable. They will keep you safe, far more than anything else available, I think.

Ben: Aren't I putting all my eggs in one basket by using one app and one password to secure?

Terence: That is definitely a risk. And you want to choose that one master password to be something strong, something long, something only you know, but it's a trade-off. I would much rather have one strong password protecting all of my other strong passwords, than use the same password over and over again, or use lots of very easy to crack passwords. It's a security trade-off and that's what we have to do when we're looking at security, is say, well, this isn't perfect but it's a hell of a lot better than just using Password1 as my password everywhere.

Tip number one. I'm hoping that in post-production you'll edit in a great big fanfare here. This is my number one tip for mobile security. Buy a wrist strap.

Ben: A wrist strap?

Terence: A wrist strap. On your phone you probably have a case. It's got a little hole, and you can buy a lanyard, a bit of string or a bit of leather, that you click on to your phone and you wrap around your wrist while you're using it. A recent report said 10,000 phones are stolen in London every month, 120,000 a year. That's just in London. Across the UK it's hundreds of thousands. It's a staggering amount. I've seen videos of people. Their phone is out, they're looking at Google Maps, and some little tyke cycles past them, nabs the phone out of their hand, and just carries up on the High Street. You've got no chance of catching them. If you're wearing a wrist strap, it is much more unlikely that someone will be able to yank the phone away from you. Because if they do yank the phone away from you, chances are it's unlocked because you were making a call, you're looking at Google Maps, and presto they've got access to all of your e-mail, all of your documents. They can start making premium rate phone calls straight away.

In all seriousness, all my phones have a fairly sturdy wrist strap. When I'm out and about on the mean streets of Oxford, I have that wrapped tightly around my hand so that people can't steal it from me.

Now, there are things you can do that will make life easier for you if your phone does get stolen. The first is to make sure you've got a copy of your IMEI. That's your phone's serial number. You'll find that on your phone's box, or you can dial star hash 06 hash on your phone dialer. It will give you the IMEI. If your phone does get stolen, you can give the IMEI to the police or to your mobile network provider, and they will block the phone from being able to be used. That is, they'll stop it from being able to make phone calls.

The other thing that you need to do is set a PIN or a password on your phone. You can use facial recognition, or the iPhone's thumbprint scanner. I think the Galaxy S5 has a thumbprint scanner as well. Anything to stop a casual thief from being able to get into your phone is of paramount importance.

If you're on Apple, set up "Find My Phone." If you're on Android, "Android Device Manager." This means that if your phone is stolen, you can find out where it is, but much more importantly you can click a button and have your phone be completely wiped, which means that anyone who has it doesn't have access to all of your sensitive information.

That's it. That's my top tip. Try not to get your phone stolen. Which is, I mean, when we look at the number of viruses and dodgy sites and things is a real problem, but of a far greater and more likely threat is your phone being nicked when you take it out in the pub, when you're wandering down the street looking at directions.

Ben: Right, gents, so what do we think? First of all, big thanks to Terence for his expertise, because he properly knows his stuff, but let me kick it off. One of the things I was surprised about, and actually felt stupid on reflecting afterwards, was that I thought he was going to say, "Secure this. Use that setting. Blah, blah, blah." And give us some techniques and things. But actually, tip number one, don't get your phone stolen. I mean, it seems, it seems really simple, but actually, if the bad guys don't have your phone, then it's going to make them a great deal, make it a great deal more difficult to get data from you, and obviously phones cost money as well.

Ewan: The practical reality is just don't lose your phone.

Rafe: The point he made about it being more common is a good one. I don't think I've ever had a dodgy app or followed a dodgy link on my phone, but I have had a phone stolen from me. I'm wondering, Ewan, have you had a phone stolen?

Ewan: I was phone jacked. You can Google phone jacked in London Times. You'll see I had a horrifying experience.

Ben: So, what happened?

Ewan: Well, a guy. I was talking on my phone. It was a Nokia N95 8GB, I think it was. It was a little while ago. I was walking along the street, and I just had it, I had it loosely in my hand, to my ear, and a guy just from behind me just ripped it out, ripped it out. I was so surprised. He just took the phone from me and ran away.

Rafe: How about you, Ben? Have you had any bad experiences?

Ben: I was just trying to think. I don't, I don’t think I've ever had dodgy apps, but I, having said that now, thinking back to earlier Android days, and even back to the days when I used to have Symbian phones, I'm not sure that I can say that I hadn't, because I wasn't very discriminating in terms of where I got apps from. Back in the days when you used to install them direct from websites, I'm thinking one actually didn't know, and if someone steals your user name or password or details, and, you know, do you necessarily know? I'm not sure.

But actually, what I have done, also, is I've lost and had pickpocketed more than my fair share of iPhones and things as well. Actually, recently, I was posting some devices around, fortunately I had the foresight to wipe them, but I was sending some devices to someone, and they went missing in the post.

Ewan: Oh, dear.

Ben: Well, again, it's not, it may not have been a crime. It may have just been that the package got broken or it went missing, but those devices, in that case were belonged, could have company data on them, sending them from one employee to another.

Rafe: It makes the point quite nicely that we've got 100 percent hit rate in our experience of having had a phone stolen from us, and in terms of serious annoyance, I can't think of any sort of malware or bad stuff that's happened on the phone, like you with the early days of Android, there were some apps that probably drained the battery or did something that it weren't quite supposed to. But in terms of passwords, I've been fortunate in that I've never fallen for one of the phishing schemes or some of the social engineering. You can quite easily understand how it happens. I don't know whether we're typical of the population or our listenership, but I think that's why Terence had that as number one.

Ben: Well, and this isn't mobile specific, is it, Rafe, but lots of retailers have had data stolen, so some of those measures around being cautious about being addressed by name or kind of appearing to have some information about you, it could actually be that this is a follow-up attack, that they have got some information from another source.

Rafe: Absolutely. That kind of thing, I think, on mobile, is perhaps you feel more comfortable because it's your personal device, and also, often, when you're in the browser on a mobile device, we're starting to see the pattern, now, where the URL is becoming less important, or indeed it's hidden. We're seeing updates to iOS where you're just seeing the domain, not necessarily the full URL. And I fully expect in the future that kind of, the idea of displaying a full URL maybe go away altogether, and so there is this need of having a bit of awareness around that, and to think about it. I don't think anyone should ever be ashamed if they fall for something like that, because the whole point is they can be very convincing, and there is the whole aspect of the social engineering to them.

Ben: It's, I have to say, and I'm not trying to make a technology or a point here, but it worries me about Android, particularly, because I'm aware that the Android apps aren't checked at all, really, in any meaningful way before they go in the store, and I've received an app recommendation and searched for apps, and seen multiple apps with the same name or with an, and it could just be people ripping them off in an attempt to profit by selling their app over the popular one, but actually these could just as likely be the malicious apps.

I have to say I have now, I have now stopped recommending, going back to our episode a long time ago, Ewan, about tablets.

Ewan: Yes.

Ben: Things like that. I was saying, "Well, go and buy a cheap Android tablet." Now it's putting me off recommending that cheap Android tablet, because typically I was recommending those to people who were not wanting to make a big investment because they didn't want to spend a lot of money, but it also means that they're not particularly mobile savvy, they maybe don't have lots of devices, and it just, the risk is beginning to worry me because, you know, it's a relatively insecure app store.

Ewan: Yes.

Ben: It's a relatively open ecosystem where you can do a great deal more. It's a platform where, when you get asked a security question about permissions, as Terence was saying, sometimes those questions are impenetrably, you know, if you're not a techie, even I don't understand what half of them mean, and I work in the industry.

Ewan: You're the one who's going to get the phone calls from relatives going, "I think we just lost £50,000... I think, from the tablet that you recommended."

Ben: I'm not sure any of my relatives would be worth that much!

Ewan: "And by the way, that guy Ewan on that podcast, he was right." Is that what you're saying? Just to be clear.

Ben: Possibly.

Ewan: I'll take that.

Ben: What things are we personally doing to secure our mobile usage and why? Go on, Ewan.

Ewan: There's two things I do. One, I use a thing called Cloak.

Ben: Yes.

Ewan: Have you come across this?

Ben: I love it. I've got it on my, it's running on my iPhone right now.

Ewan: Right. Likewise. Why don't you explain it?

Ben: Well, so, Cloak is a VPN, and for, if you're not familiar.

Ewan: WTF.

Ben: A VPN is when you make a secured connection back to a server, and all the data through that pipe is encrypted. Normally you use it because you've got a company laptop or something like that, and you connect back to the company network and need to create that secure channel. My phone, I have a company network, but it's my personal phone, so in this case what you do is it creates that secured network back to Cloak's servers, and the reason for doing that is that when I'm in a coffee shop or I'm on a public Wi-Fi network or something like that, it keeps my data secure, because it doesn't matter whether the app does a good job of securing it or not, it gets it all encrypted as it goes.

Rafe: I looked at a couple of the different password technologies and I have used them in the past, and actually in the end, and I probably shouldn't be admitting to this on a public podcast, I decided to have a couple of throw away passwords that I used for regular stuff, and it was things that I really didn't care about in terms of the security, because it was just a signup for a newsletter or something like that. Then I have about 10 passwords, which is about what I could remember, for different services, and it's Amazon and the social ones.

I'm not using a full password manager at the moment, but there's been so much in the news recently that it's making me think twice about it. But what I have done is on all the really critical ones, where it's available, I am using two factor authentication, and the sort of rise of OAuth has also helped a lot with that kind of thing, where you can use some kind of token by doing this password program. I actively look for services that do that kind of thing because they give you more control.

Part of the reason for me for this is I'm using so many different devices, and do switch on a fairly frequent basis. It's become a bit of a pain to have to worry about the password management and doing all the installation of that. But I'm quite conscious, I've made a decision to perhaps not be as secure as if I have long passwords everywhere. But on the really critical ones, which are kind of your own e-mail, I am using a unique password, one that is quite complex.

Ben: There is a really good point in there that security people often pick up on. It's about convenience versus security, which is if you put in place a process that is such a pain in the back side to use that you then don't bother using it, or work around it, you've made things worse, so you have to make a judgment about the mix of convenience versus security, and that's also why it's a really good idea to have lots of layers of security, so that if one of those is compromised or is broken, then.

Ewan: Well, let me ask you, then, this one. I've now got it that if you give me a new Android phone, I echo, I know just what you mean, when someone gives you, I mean, I'm testing all these devices all the time. I now need to sit down and type in a 20-odd digit password. It's a laborious arse, right. Previously it wasn't. It was my standard password with a different capital letter, because I was that silly. To my knowledge it's been perfectly fine, but yeah, I thought it's time to not do that. The eBay thing got me really concerned.

Rafe: Yeah.

Ben: I think what was really interesting was I think it was 2013 some time, and there was a guy from, there was a guy from Wired, who wrote a post or an article about it, but he challenged some hackers to target him specifically, and they did, and basically they, they compromised security both on his mobile devices and on the Internet, and on web services, generally. But when they hacked into his e-mail, when they got into his e-mail.

Ewan: That was it, right.

Ben: That was the call, because everything else kind of sent the password resets and reminders, and that was the key, and I think, well, actually, that's the first thing I put on any device, you know.

Ewan: Yeah. Set up the e-mail.

Ben: You always set up your e-mail. It's absolutely essential. It made me think about understanding risk because people are notoriously bad at understanding.

Ewan: Yeah.

Rafe: The point this does also make is a lot of these elements are interconnected, and that actually adds an element of fragility, and so by having everything pass through your e-mail, and it could also be your phone number, and actually your device is kind of an example of that, it's a nexus of where everything comes into it. I haven't done anything particularly to tie my phone to me. Again, carrying multiple devices just wouldn't be convenient. But what I have done is made sure that all of those devices I can remote lock and then track if I want to.

Now, I have had a phone that I dropped, and it wasn't stolen. That actually happened at Mobile World Congress, which is kind of a bit notorious for having phones stolen, but actually this was entirely my own fault. I went looking for the phone, but at the same time I'd actually logged on to the website and had locked the phone straight away, and then I actually used the "Find My Phone" feature on windowsphone.com and was able to track down the phone pretty much instantly.

I think that's the kind of security measure that might be a bit more practical for some people. There are plenty of stories of people getting their phones back, because losing them by misplacing them is something that is quite common. There is a bit of technology that I'm quite looking forward to coming in, and it's based on Bluetooth LE and proximity, and the idea that you can put something on your key ring or even around your wrist potentially, that when you're separated from your phone, you'll be alerted to it. Obviously if it's being stolen, you're being phone jacked, that's probably not going to help. I mean, you kind of, hopefully you're aware that that's happening. But it does help that I've left my phone on the desk and walk away, or you're in a café and you kind of walk away. It feels like there's plenty of room still for both hardware and software innovation to make the stuff easier.

I don't want to get too much into the future stuff, but some kind of Dan Laden style embedded chip within you is going to be a lot more difficult to break as a bit of security or identification, unless they start cutting off your arm or something.

Ben: Or just the little thumb thing on the iPhone.

Rafe: Yeah. And there are issues around biometrics. But that kind of Touch ID on the iPhone has become incredibly popular because it is simpler than entering your PIN number that you have to remember, obviously. I think there's still a lot of that hasn't, it's an area that's ripe for disruption.

Ben: Certainly, when I started to think about this episode, I went in and turned "Find My Phone" on, on all my devices.

Ewan: Can you believe you didn't have it on?

Ben: I just hadn't thought about it. It ships with it off, and, unless you go and turn it on, it doesn't work.

Ewan: It's the first thing I do with everything.

Rafe: But what frightens me about this is this is a group of people who are really savvy about this kind of thing who think about it. The vast majority of people don't. It's an education issue more than anything else. I've done the same thing for my family, turning it all on. But I'm sure that they still get into bad habits and, because I myself do it and Ben is doing the same thing. I want more attention to be paid for this by the operating of the handset manufacturers, in the default settings, have this stuff on. It's not kind of rocket science.

Ben: If you're listening to this and you haven't got it turned on, Android, iPhone, Blackberry, Windows Phone, all have "Find My Phone" type features. Go and stick it on, turn it on, because actually the ludicrous thing is not only had I not turned it on my current set of iOS devices, I had used it to find an Android device a few years previously when I lost it. So, I've even.

So, we should wrap this up, but resolutions, actions, as a result of today, or a bit of advice?

Ewan: I'm sorry to say I've actually been sitting here writing, making notes of all the stuff I'm going to have to go and do, because this is, it is concerning, and this stuff is actually rather important.

Ben: After the Heartbleed bug.

Ewan: Yes.

Ben: I went and got a password manager, and sorted my passwords.

Ewan: You went for 1Password?

Ben: I used 1Password, but then I thought, well, actually, now I'm going to have to put my 1Password file somewhere, and that made me think where am I going to store it to keep it secure, and then I thought, well, I had best encrypt my computer because I carry my laptop around and if I lose it all that data is available there to be stolen. And then, so it took a bit of investment of time, but the nice thing about having thought it through is now I'm not sure that I'm 100 percent safe, but actually I know what I've done.

Ewan: You've taken some steps.

Ben: I've taken some steps. I know what I've done, and I've thought it through, why. I haven't just picked some backup product and sent my data there. I've thought, well, actually, I'm going to pick that one because that's the firm that explains to me how they do their encryption, they do their security, and I trust them because I've done some reading up on them, but also crucially I need one in the cloud because all my other data is at home and if my house burns down I'll lose those valuable pictures or something like that. It's not nice to think about, but I'd like to be able to walk out the door and-

Rafe: I think my resolution will be to look at a password manager again, because I made that last set of decisions I made a while back, and there has since been some really high profile things. The heartbeat and eBay spring to mind immediately. I wonder if I will ultimately decide that the trade off isn't worth it, but I think probably the resolution will be to sit down, have a chat with family, and say, "You need to think about this as well." I suspect that will result in Rafe getting to do some more family IT support and set a few things up and explain how it all works, and maybe a backup procedure. Because there's so much data now that is considerably valuable, and actually photos more than anything else. It's the things that you don't want to lose. There's a lot of data I wouldn't like to lose, but actually I wouldn't lose that much sleep over.

Ben: And an addendum to that for me. If you decide you want to use security products like Cloak or like an encryption product or a backup product or a "Find My Phone" or a remote wipe service or even physical security by locking the device down or something like that, do some homework and don't just be, as Terence said, be skeptical. Do some homework on how that product works, and has it been independently scrutinized. Because there's a fantastic market in security products for snake oil and fakery and that kind of stuff, and just because it says it backs up securely, or just because it says it does X, Y or Z, doesn't necessarily mean it does it well.

Rafe: If we've learned anything from the kind of recent Edward Snowden, NSA stuff, it's that there's an awful lot going on, and actually they can be quite intelligent about where they break in to the supposedly secure element, and it's sort of tapping your phone wires and data lines and things like that, whereas why Cloak is such a popular idea. But even that, don't assume because you've implemented these security measures you're absolutely secure. There is no such thing as absolute security, and that should factor into your thinking as well.

Equally well, don't be paranoid that everyone is interested in your pictures that are stored on Dropbox. You're far more likely to lose something or lose a bit of data through your own mistake or through your own oversight, as with social engineering and passwords and things like that, actually just human behavior is almost certainly going to be the weakest link in the chain.

Ben: Right, guys. Let's wrap it up there. End of another episode. Thank you very much for that. As ever, we'd be interested to hear your thoughts and experiences.

Ewan: Definitely.

Ben: Through the survey in this week's post, or alternatively just you can give us a broad feedback in the comments. You can Tweet us at @361podcast, or as some people occasionally do, you're also welcome to e-mail us as well, and there's an e-mail contact form on the website that you can use as well, so get over to the 361podcast.com. Thanks so much, guys, we will see you again next week.