Security

Security is a broad term covering everything from stopping your girlfriend from finding your porn folder to stopping the NSA from breaking into your nuclear power plant.

In our post-Snowden world, it is easy to fall into security nihilism (i.e. "'they' know everything so why bother?") or to think you have nothing to hide.

The worst thing you can have is a false sense of security.

This page cannot possibly define every attack and mitigation strategy available. Instead it aims to provide a decent overview of basic security principles and techniques.

Define your adversary

Who/What do you want to have security from? Who/What is a threat to you? Who/What do you want to keep things private from?

or perhaps you wish to:

or are you under attack from:

or maybe you just want to:

Knowing your "enemy" is important. Thinking in terms of NSA technology is depressing, but narrowing your threat down to advertising trackers makes the battle seem much more practical and winnable.

Threat analysis

For any adversary, there are a few key factors you must consider if you want to create an effective defense.

Typically, the most dangerous hackers have high competence but no physical access. The ones that have physical access are rarely competent. The ones that have both resources and competence have better things to do than hack you. At most you will be hit by their automated software, which looks for common, typical weaknesses (really bad passwords like "qwerty" or "rosebud", or vulnerable software that is years behind on security updates) across millions of machines. This is why security through obscurity will work on them: they can easily defeat your system, but it's not worth it for them, since there aren't enough people like you out there to justify the effort of writing a hack.

So, at both ends of the spectrum you have a balance: each class of adversary always has one or more severe disadvantages. You can exploit this to create a strong defense. The one exception is government intelligence agencies like the NSA. These have physical access, are highly competent, and have immense resources. The only thing standing between you and them is motivation. In other words, the moment the NSA has a reason to suspect you, you're done. The best you can do is not do things they don't like.

Practices by kind of adversary

Against your mother

Your mother can:

These can have serious security implications; however, your mother is unlikely to either:

Her motivation:

In response, you can:

Against thieves

Thieves can:

Their motivation:

They are interested in:

In response you can:

Against hackers, viruses, malware and phishing

Assuming hackers here are your run of the mill script kiddies and not nation states, hackers can:

While hackers will always know about security problems before everyone else, they are less likely to use their brand new exploits against random people. High value targets, whether financial (PayPal?), political (FBI website?) or lulzy (the fappening), are much more likely to be their focus. Unknown exploits are valuable: they are obtained by hard work or by paying for them on the black market. But the moment you use them, everyone will find out and patch the hole. So the hacker wants to make it count; he doesn't want to blow his one shot on something worthless.

Day to day attacks will come from relatively unskilled hackers (script kiddies) and be deployed against IP addresses on the internet.

Occasionally a large internet service will lose its password database to hackers, e.g. twitch.tv. Sooner or later one of these headline hacks will affect you.

In response you can:

Against a jealous girlfriend

Let's suppose that through sheer dumb luck, you managed to get a girlfriend. Unfortunately, she was a jealous bitch from the beginning, but due to >tfwnogf you ended up accepting her anyway. Now you're stuck with a girl who wants to control your entire life. What do you do?

Your girlfriend can:

Her motivation:

She is interested in:

In response, you can:

Advertisers/Marketing companies

Advertisers can:

Some of the security (or privacy) threats with advertisers are opt-in (i.e. you accepted it) and generally advertiser tracking isn't going to mess up your day. Problems arise when advertisers sell your information on to third parties (who in turn sell it to other third parties), go broke and auction off your data, get hacked or are victims of mass surveillance.

It's worth noting that their revenue models would be colossally damaged if everyone ran adblocking software.

In response you can:

But I've already given them everything!

So you've already given Facebook your phone number and address and date of birth? They already know your schools and job and hobbies? Why close the gate when the horse has bolted?

Sure, the data they have today will still be valid in a week. But in six months? A year? Five years? The sooner you cut off advertisers from up to date information, the sooner it'll be out of date. Their databases will say you still like Linkin Park and Jackass unless you tell them otherwise. They'll also miss out on your patterns over time, not knowing the path of your history and making their future predictions inaccurate.

Cellphone service providers

Your cell phone service provider can:

Cell phones are a big problem when trying to avoid location tracking. Without the cell tower your phone is only a phone when you have WiFi access, or not at all.

In response you can:

Internet service providers

While your ISP is able to collect your metadata and block access to websites, this is generally because of government policy. Some ISPs will offer a "family friendly" site blocking option which you can turn off. Remember that while ISPs can most certainly be nefarious, it's usually the laws compelling them to give up your data to security agencies that can do you in, as the ISPs really can't do anything about it but comply.

Your home or business ISP can:

In response you can:

Government policies you can legally avoid

Government policies may enable:

In response you can (if legal):

See Surveillance Self Defense and Anonymising Yourself for more.

Foreign government policies

Avoiding government surveillance/hacking from countries you're not legally bound to is essentially the same as avoiding your own government's policies (above) without the requirement to follow their laws.

Copyright trolls

Copyright trolls are companies which exist purely to litigate against perceived copyright infringements, often using loopholes in copyright law and borderline standover/intimidation tactics to force their target into taking a plea deal.

They have different tactics for organisations than they do for individuals. For individuals they can:

Everything they access is publicly available. They have no more power than you do to monitor the internet. Some sites like http://mypiracy.net/ will show you what information you expose. If you don't see anything, it doesn't mean the trolls won't, but if you do, they can definitely see you.

In response you can:

Local Law Enforcement Agencies (LEA)

We're not talking about breaking the law here. If you want to be a criminal, you can fuck off.

We're talking about attending a protest or running a Tor Exit Node or participating in any other legal activity (or even being targeted by mistake) where your equipment may be monitored or seized.

Obviously laws are different in different countries and within different parts of the same country, but often local LEA can:

In response you can:

National Law Enforcement Agencies

Passive surveillance

Passive surveillance, or dragnet surveillance, is where all internet data is scooped up without a particular target in mind. The NSA tapping into undersea cables and spying on Google's data center links are some examples of this.

In response you can:

Targeted attacks

Hopefully you're never targeted/attacked by this level of LEA/Intelligence agency, but depending on your country, they may be able to:

And in extreme cases/countries:

In response you can:

Practices by tool

The first thing to look for in any security tool is, what is the password/data recovery method? If you lose your password, what are the ways in which it can be recovered?

A real security tool will clearly say: If you lose your password, the data is gone and there is no way to get it back. If you can "recover the password", a hacker can too. More importantly, if they can restore your access, that means they are able to give themselves access, which means all their employees, any government person who asks, and any criminal that infiltrates them (by social engineering or hacking) can now also get access to your account/data without even needing to get past the password!

Beware especially systems that:

Password manager

Don't use a cloud service. Even if encrypted, the database will be shuffled back and forth all over the internet constantly, and every time it's moving around, someone is saving a copy for later. If one day a vulnerability is discovered in encryption, what then?

Enable both password and key file. With only a password, cracking it is too easy (unless you use a diceware passphrase of 6 or more words). With only a key file and no password, gaining access is as easy as stealing your key.
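
Why both factors matter, as an added example (not code from this page or from any particular password manager): the database key below is derived from the password and the key file together, so a stolen key file still leaves the passphrase to be guessed, and a known passphrase is useless without the file. The derivation scheme, function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

DICEWARE_LIST_SIZE = 7776  # 6**5: one word per five dice rolls

def diceware_entropy_bits(words: int) -> float:
    """Bits of entropy in a passphrase of `words` uniformly random words."""
    return words * math.log2(DICEWARE_LIST_SIZE)

def composite_key(password: str, keyfile: bytes, salt: bytes,
                  iterations: int = 600_000) -> bytes:
    """Derive a 32-byte database key that depends on BOTH factors.

    Illustrative scheme (an assumption, not any product's file format):
    hash each factor, concatenate, then stretch with PBKDF2 so that every
    password guess costs `iterations` HMAC rounds.
    """
    material = (hashlib.sha256(password.encode("utf-8")).digest()
                + hashlib.sha256(keyfile).digest())
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)

def try_unlock(password: str, keyfile: bytes, salt: bytes, real_key: bytes) -> bool:
    """Constant-time check of a candidate factor pair against the real key."""
    return hmac.compare_digest(composite_key(password, keyfile, salt), real_key)

def demo() -> dict:
    # Constructed sample values, generated or made up for this example.
    salt = secrets.token_bytes(16)
    keyfile = secrets.token_bytes(32)            # 256 random bits on disk
    password = "cleft cam synod lacy yr wok"     # constructed 6-word passphrase
    real_key = composite_key(password, keyfile, salt)
    return {
        "password_and_keyfile": try_unlock(password, keyfile, salt, real_key),
        # Thief copied the key file but still has to guess the passphrase.
        "keyfile_only": try_unlock("", keyfile, salt, real_key),
        # Shoulder-surfer saw the passphrase but has no key file.
        "password_only": try_unlock(password, b"", salt, real_key),
    }

if __name__ == "__main__":
    for n in (4, 6, 8):
        print(f"{n}-word diceware passphrase: {diceware_entropy_bits(n):.1f} bits")
    print(demo())
```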

Practices by domain

Phone

Phones are very insecure. Your phone is on you 24/7, and it is constantly being tracked by your cell provider because they always know which tower it's connected to. Your only options are:

There is no real way to defeat cell tracking.

Android

Tip: The newer the phone model, the newer the Linux kernel that comes with it, and thus (potentially) the fewer security exploits.

Laptop

Light, portable, easy to recognize, good resale value - laptops are very high on a thief's list. That and the fact that you carry it everywhere means there's a high risk it will get stolen.

Most of the software-related practices are recommended for desktops too.

Desktop

Since it is usually easy to open a desktop and fuck with its hardware, the cheapest way to keep one safe is to thoroughly lock your door, use encryption and set a BIOS password, hoping that the burglar doesn't know shit about computers or simply isn't interested at all in the contents of your PC.

If you're willing to spend money you can also:

Server

Having your own server secured in a data centre can be useful, but authorities can then raid the data centre and seize it, or bug it, or passively collect data through the data centre without you knowing.

CryptoLockers

CryptoLockers are a reasonably new type of malware which encrypts files on your computer and demands a ransom (often in bitcoin) to decrypt them. The ransom is usually fairly "reasonable" (sub $100) and a timer to destruction is included.

To render cryptolockers useless, see Backups.

Social Media/Web of communication

Keeping away from unwanted connections on social media is basically impossible. Changing your name or profile picture and/or changing accounts doesn't work because you will end up connecting to the same friends and familiarity with your new identity.

The block button is your best friend. Failing that, give up on social media. You won't convince all your friends to lock down their accounts so that you can't be found.

If you can't give up social media so easily, because, like most of us, you're addicted, then you can at least take steps to mitigate your addiction and reduce your social media usage.

General resources:

Cool "shit":

See also

This article is issued from Installgentoo. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.