(Are you sitting comfortably? Because you will need to be...)
The Online Safety Act got me thinking about VPNs and other gadgets, that got me thinking about online security, which pointed me to the ideas of OPSEC, and that changed my thinking on some of these matters.
Online security is about reducing the chances of financial and reputational loss by identity theft, unauthorised third-party use of your accounts and other means, that is brought about by using the Internet. Privacy is a by-product of doing OPSEC well. This approach leads to some interesting conclusions, for instance...
Adult sites carry a reputational risk (with almost everyone in your domestic and professional life). It hits when people who want to pick a fight with you, find out you visit adult sites. They find out because they catch you in the act, or because you leave traces. Those risks will not be reduced one jot by using a 15-character randomly-generated password stored in an encrypted vault. That password protects literally nothing, since the site advertises its content. The reputational risk will be defrayed by you leaving no trace of visiting the site or being a member, which is a whole bunch of measures discussed later. The password is the least of your concerns.
Let's talk about passwords.
Device, e-mail and Cloud storage passwords must never be stored on-line. In your memory, or on paper hidden in (your choice of unlikely place here).
First, financial / identity risk. Official document numbers - National Insurance number, NHS number, passport number, driving license number - as well as bank account details, credit card numbers and the like, must never be stored in password managers or anywhere else online. Where are you going to store them? Well, gee, how about on the document or card itself? Which you keep somewhere as safe as it needs to be (the room safe in a hotel, for instance). Only take such cards and documents as you really need when you leave the house / hotel room.
Passwords and challenge responses for banking sites, payment processors (e.g. PayPal), and retail sites where you store payment details (Amazon, for most of us), must never be stored in password managers or anywhere else online.
Do not store your credit card or other payment details on any retail website. (Okay, maybe Amazon and PayPal.) A commercial / charity / academic site gets your name, address and e-mail, and maybe some relevant preferences. (When they send the first marketing e-mail, click the "unsubscribe" link to keep down the spam.)
If you have anything valuable - don't post a photograph of it, or post about it.
Second, reputational risk. If someone gets your social media password, they can post scurrilous content that will land you in jail (these days in the UK, that's a low bar). With that in mind, you may not want to put those passwords in a password manager or similar. This is the first of the convenience trade-offs, and it's your decision. The same applies to passwords for your favourite online forum.
While it's nice to flex about your fabulous life, every week there's a story about someone being caught out by Welfare or HR or divorce lawyers, because of a social media post. The more reputation-sensitive the industry you work in (financial services and the Arts especially) the more your social media content becomes a performative PR exercise. This is a whole other can of worms.
Third, work-in-progress. Documents, photos, files, projects, recordings and any other of your work-in-progress, finished product and records, should be in Cloud storage (Instagram and the like also counts) - that way, you can recover from the loss of your devices. By all means keep local drive copies and take external drive backups as well, if you like, but anyone who takes the computers will take the external drives as well. Choosing suitable Cloud storage is a separate subject.
Next some good news.
The hardware and software industry knows you are not going to use the Internet if you think everything you do can be seen by anyone who can download the right program. So they work hard at providing encryption and security. They are actually so good at it, Governments keep asking them to provide "back doors", which the industry actively resists.
Wi-fi these days comes with WPA2 encryption by default, but if you have older equipment, you should check.
Your computer and phone (these days) have built-in firewalls, virus-checkers, and other such. These are good enough that you never see security hype about having anti-virus programs anymore.
HTTPS is the dominant standard for Internet transmission. Your internet traffic is encrypted from your device to the final destination server, and cannot be snooped by anyone in the middle. Your ISP can see the main page address, but nothing more.
So let's get to the counter-measures. As far as possible, these are setup-and-forget. The best security measures are affordable, invisible, do not require constant maintenance, and discourage all but the best of the pros and the worst of the crazy amateurs. "Eternal vigilance" is not a technique. These counter-measures are for you - how much you trust your partner and children to be sensible and respect everyone's privacy and security is up to you.
Your devices must have a password and / or fingerprint or facial recognition. While it may be possible to do without a password on an account, the OS may prevent other security-dependent features from working with that account.
Your Web Browser should have something along the lines of "Block trackers and third-party cookies" in its Settings menu. For Safari, it's Preferences -> Privacy -> Prevent cross-site tracking. Turn that on if it isn't already. You may need to ask Google for help finding it. If you can't find such a setting, look for an Extension that does the same and install that. This will take care of a lot of the "they are selling your data" issues. (Warning, Google disable your ability to upload images into Blogger if you disable this. Tut tut guys.)
Only visit sites that are HTTPS (or "secure"). (This is almost all of them now.) Your browser should have a setting like "warn when visiting insecure sites" or "force HTTPS" or something similar. Use that.
Use your 5G service rather than coffee-shop / airport / wherever wi-fi's. 4G and earlier are less secure, but better than a spoof wi-fi provider.
Use phone apps in preference to websites wherever possible. Aside from anything else, the app is often easier to use than the website.
Taking your work computer or phone home is a convenience / risk trade-off. Let your employer decide. Anyone who takes your personal devices from home will take the work devices as well. If you must take work devices home, go straight home. Having your laptop stolen in the pub is not a good look.
Open Banking is a convenience vs risk decision. Once someone gets one account, they get as many as you have linked.
Password managers are not a security tool, but a convenient way to log on to low-risk sites that require passwords (typically anywhere that doesn't have payment or official document numbers stored, nor is reputation-threatening: retailers, charities, museums, music streamers, online newspapers, and the like). Especially if you are logging in and out of even a handful of sites every day. Choosing and managing one is a separate subject.
VPNs are a tool to bypass geo-restrictions rather than a security solution. Don't use free ones - since how else are they making money except by selling traffic data? VPNs hide the ultimate destination from your ISP, but the VPN still knows it. Who do you trust more? Choosing one is a separate subject.
Apple's OS X and iOS are terrific operating systems. NEVER use either to do anything remotely shady, because you will never be able to remove all the traces. OS X and iOS are not designed to allow that level of access.
Windows is designed to allow that level of access. Even if you are an Apple fanboy, use a cheap Windows machine for... errr... private purposes, get a decent File Shredder / Disk Wiper, set up a routine to cleanse all the temporary files that get generated by web browsing, and run it every time you finish a session. You may need help with that - this is where you find out who you trust.
What about the (digital) stash? (if you don't know, I'm not telling you) There are online storage services providing end-to-end encryption, a solution that fits well with the rest of the advice here.
If you want some security theatre over-kill, try this guy...
If you like some of his hacks - use 'em.
We end with the harsh truth. A father's biggest OPSEC problem is not that he isn't using a VPN. It's allowing his son access to money so that the boy can lose nearly $6,000 in an online game. A husband's biggest OPSEC problem is not the length of his logon password, but the deteriorating relationship with his wife that leads her to snoop on his computer and phone looking for divorce-fuel.
Most people wind up in trouble over something digital because someone snitches on them. Someone at work reports something to HR; one of your kids says something that a teacher over-hears and reports; a "good person" whose precious Liberal conscience won't let them not report it; management looking to stitch someone up. ISPs run scans on un-encrypted data to compare file signatures, and report matches. Teachers, therapists, social workers and other functionaries have been turned into informants. And never forget that un-answerable question "Darling, why do you use Private Browsing?" Wives and children are entitled to privacy from you - just ask them - but you are expected to let them see everything you do.
Hackers and "government surveillance" are "stranger danger". Hackers are after entire databases, crypto-currency, and corporates, not random individuals. The security services can barely keep track of the Bad Guys they know about, and don't need to add to the list with mass surveillance - and they have said so. The people who will spend time going after you are people who know you and want bad things to happen to you. We do not want to know that about the people we deal with every day, and so the industry pushes "stranger danger".
A few days after I finished and polished these thoughts, The Algorithm threw this up for me, and his views are very close to mine.
No comments:
Post a Comment