Updated 2Mar2020 - Just me ranting.

The Things I Actually Do

When I was in high school I read The Hidden Pursuaders by Vance Packard. I developed a deep distrust of advertisers and all I've learned through my many years of dealing with Television, and telecom carriers, and working on computers and networks has only deepened it. These industries are populated with some truely vile people and "trust but verify" does not go nearly far enough - they simply cannot be trusted and often they control the tools you'd need to verify. They need to be constantly monitored, heavily regulated (hell, they probably own most congress critters), and actively avoided whenever and wherever possible. The proper phrase is "Assume the worst". This is what I actually do to try to achieve some level of privacy and security (and we really need to have some way to measure thosee things). I'm not always sure it's best practice and I document it to give myself incentive to be consistent with it. This is my personal security handbook and covers:

Always pay attention, think critically, be skeptical, and assume the worst.

Passwords and Car Keys

The thing triggering my distrust of much security advice is self inflicted lockouts. Complex passwors: finger breakers that are hard to remember, difficult to type correctly, and quickly locks the user out. I don't have a solution, just some work arounds and generalities: I use farily long passwords and never reuse them. I just converted to a password manager (Passwordsafe) where I keep login procedures, account names, passwords, and answers to security questions (don't ever use publicly available information). My normal backup procedures capture this, but I also keep a recent copy on a thumb drive which I keep with my towel

My Phone

It's primarily a phone and not a toy. I minimize the applications and try to keep as much turned off as I can. If I had a case that would act as a Faraday cage, I'd use it (I'm not big about incoming calls). I got a nice calculator for it and one game (from ASA). Generally, if I need to use the Internet, I write it down and wait until I can get to my computer. I answer NO calls from numbers that are not in my address book. Same with text messages. Every picture I take from my phone I assume is visible to Verizon, Samsung, and Google (because it's android) and I don't have much trust for any of them. I assume something like superfish operates at a deep level on my phone. I assume this because I can't think of a way to test that it's not. I'll have a lot more to say about this attack later.

Trusting the Carriers

Well, I just don't, nobody should, but your have to do business with them. The the game is fixed so they all have their little monopolies (I thnk it was Bush era rules that let the carrier bar competition in areas they own). I assume everything from my phone is tracked by at least Samsung, Verizon, and Google. I assume everything that can be tracked when I'm connected to the Internet is tracked by everyone who has access to the network traffic (mostly the ISP and the Carrier). My long personal experience and professional career have taught me that this is a most customer indifferent industry and they care nothing at all if they're widely considered scum.

Social Media

I have email, I have a web site where I post pictures (currently not password protected), I have a phone. There is no other social media that I need (frankly no one else needs anything more than that anyway - once you're past that it becomes entertainment and I'd rather get entertainment from a book.

Social Engineering

Tricking the victim into doing somethng they shouldn't do (which is, I think, the foundation of advertising). The signs are: 1. the scammer tries to create a sense of urgency - like an offer that expires soon. 2. they make the product or service sound too good to be true or pass up. 3. the scammer may try to create or imply an existing relationship with the victim in order to develop that sense of trust. I fully understand that I'm gullable and can fall for these schemes and that my best defense is to avoid exposure to them.

Advertising is Social Engineering

Advertising is generally a special (legal) form of social engineering. Much of it is designed to trick you into buying something you don't need or to buy something before you fully thing it through (because once you've parted with your money, you're screwed. It's persistent (like and APT attack you hear about in the news) and sometimes quite subtle though it doesn't really need to be. I'm as suseptible to it as anyone and my mitigation is to avoid as much of it as possible and I try to shop only off a list and avoid impulse buying (not very successfully either).

Think about how you go about to buy something. Say I need service on my car and I'm new in an area. The first thing I'm going to do is ask around. I start with my colleagues who I have most respect for and maybe family and friends (unless someone is a known car freak). I'm especially looking for shops to avoid and then those with consistent, ringing endorsements. I'll even get the phone number that way. If my search comes back empty, I'll probably go to duck duck go and look for local garages and see if there is anything in the reputation stuff like Yelp. After that I might to to the yellow pages, call and ask questions (I once ran into a service department who argued with me about the fuel filters on my truck). Advertising tries to short circuit all that and plant ideas in your head that the advertisers shop is the place to take your car.

I find myself responding to advertising by wanting to own stuff I have no need for. I'm something of a tool freak and I'm intrigued with how tools work and how they can be used. For some reason I want to buy tools that I'll never use. I have to keep myself in check and really pay attention in hardware stores. I try to discipline myself to make a list before I go out to get something so I don't buy anything else.

Web Browsing

I do a lot of web browsing - there's a lot there and I'm optomistic enough to feel I can access it safely (another of those hard to define terms). I use Firefox now because I'm most familiar with it's configuration and there are many add ons available that I approve of.

No Script

You have to understand something about how the WWW works. Scripts are necessary but not always. If you just want to display a page and read some text orlook at pictures (90% of what you actually need from the web), You don't need a script. I use the browser add on No Script to block scripts and then I selectively let them run (or more often decide I don't need to use that web page). Please, use No Script and send them some money every once in a while, this is good stuff.

I want to make a little fuss here. I've used wireshark to look at all the traffic generated be a web request. It's boggling. A simple click on a web address can cause traffic to 30 different Internet Addresses and generate 10MB of network traffic. Sometimes all I want to do is read a couple of KB of text (like a news article) and what comes down is simply amazing.

HTTP vs HTTPS

HTTPS is becoming more prevalent and for good reason, but it does not mean that a web site is safe because it uses the protocol. I want to document what it prevents: 1. Observing the data passing between the local browser and the web server. 2. manipulation of the web pages you download by parties in between you and the web server. 3. Prevention of spoofing (so you havew more confidence that you're really interacting with the web server you intend. And I want to document what it doesn't prevent:

Cookies

Operating Systems and Patches

I think that for most people chosing and OS is a non decision. If they get a laptop or phone or a tablet it's whether or not you love or hate Apple (there are nuances, but when I talk to people about it, that's the divide). Apple lovers get what they get and can't verify or alter anything onces the choice is made. For a phone mostly your alternative is Android, and who wants to trust Google. Nokia used to be an option, but now it's part of Microsoft and you should tread skeptically.

DNS

The design of DNS has some problems in the modern environment. I bugger my hosts table using MVPS hosts. This is not for everyone, but it makes me feel better.

The Backup Religion

I have 2 linux laptops that I keep in sync with each other using something called Unison. Generally I keep my newest one at home, and take my older one with me on the road. I keep a disk drive with me and backup frequently using a script.

Making backups is easy, verifying that they work they way you expect them to is actually quite difficult and requires constant attention.

We get a lot of it wrong

False Positives Can Destroy Security

A false positive happens when some security feature or system causes a delay or access failure. Like mistyping a password. Or a mandatory password change resulting in a lockout. These (cumulatively) will thwart security efforts. For example, I don't access any financial institutions using my phone, no medical, I don't buy anything. This causes delays and is frustrating for me, but I think it's insecure to do such important stuff using a device that's so vulnerable to loss, theft, or compromise and I can't really manage it. A trade off I'm willing to make because I'm completely in tune with my security goals.

But when I worked in a corporation I watched this fail every day. Password complexity rules caused resentment. People could not remember their passwords and had to write them down. They constantly typed them in wrong and we had to have an automated password reset system. They constantly locked them out of their accounts throwing them into the password reset system or generating help desk calls. This all wasted time and really drove respect for corporate IT into the ground (where frankly, it belonged). I'm not advocating insecure passwords, what I do advocate is that a wide variety of the people who will be affected by the rules need to be involved in determining what they are and promoting them so they don't really need to be enforced, but enthusiastically followed.

Don't Use VPN

VPN isn't a threat, but the confidence it might inspire is. Unless you have some compelling reason: If you're a journalist, work for a company with competent IT, or have some compelling use case, it's just a waste of time. I'm going to explain how VPN work in a corporate setting, what that may mean in a private setting, and why private VPN companies may be a bad bet.

More To Read and References

No web page is complete without a list of sources and items for additional reading on the subject. Naturally I don't necessarily agree with all of them, but there are things in them worth thinking about. I'm actuall putting this one here to have an additional heading 1 item. I'm playing with java script here and my long standing refusal to allow scripting is out the window - I'll write a note about why scripting is evil and should not be allowed before long.