Security: Difference between revisions
>Echelon1 |
Revision as of 16:28, 9 April 2015
Security is a broad term covering everything from stopping your mother from finding your porn folder to stopping the NSA from breaking into your nuclear power plant.
In our post-Snowden world it's easy to fall into security nihilism (i.e. "'they' know everything so why bother?") or to think you have nothing to hide.
The worst thing you can have is a false sense of security.
This page cannot possibly define every attack and mitigation strategy available. Instead it aims to provide a decent overview of basic security principles and techniques.
Define Your Adversary
Who/What do you want to have security from? Who/What is a threat to you? Who/What do you want to keep things private from?
- Your mother?
- Thieves?
- Hackers, Viruses, Malware and Phishing?
- Advertisers/Marketing companies who build profiles on you to sell you garbage?
- Rivals and rival businesses?
- Government policies you don't agree with and wish to legally avoid?
- Foreign government policies you don't agree with?
- Copyright trolls?
- Local Law Enforcement Agencies (LEA)?
- National Law Enforcement Agencies?
or perhaps you wish to:
- Publish anonymously?
- Keep journalistic sources safe?
- Participate in whistleblowing?
or are you under attack from:
- Psycho ex-partners/family members?
- Internet trolls/doxxers?
or maybe you just want to:
- Be as secure as possible as a fun experiment?
Knowing your "enemy" is important. Thinking in terms of NSA technology is depressing, but narrowing your threat down to advertising trackers makes the battle seem much more practical and winnable.
Security Tools and Practices
Against Your Mother
Your mother can:
- Physically access your computer.
- Physically access your computer when you're not there.
- Spy over your shoulder.
These can have serious security implications; however, your mother is unlikely to either:
- Have the technical knowledge to perform an attack.
- Have the motivation to perform an attack.
All your mother is likely to do is walk past when you're masturbating, or perform a Windows Search for her cat photos and accidentally turn up your hentai.
In response, you can:
- Lock the door to your basement.
- Zip/rar/7z your porn with a password.
- Encrypt your home directory.
- Put a password on your BIOS and deny her booting your computer.
Against Thieves
Thieves can:
- Physically steal your computer and deny you access to your data.
- Remove the storage drive from your computer and recover data.
While common burglars are unlikely to have the technical knowledge to remove your storage devices and run tools against them, they are likely to give your hardware to their "nerd" friend, or ebay/pawn your hardware off. Where it ends up from there is anyone's guess and whatever nudes you've taken will likely end up on a chan.
In response you can:
- Encrypt your home directory.
- Use Full Disk Encryption.
- Back up your data and physically hide it.
Against Hackers, Viruses, Malware and Phishing
Assuming hackers here are your run of the mill script kiddies and not nation states, hackers can:
- Use Remote Exploits to access your computer (hacking your computer).
- Trick you into running exploits on your computer (viruses, malware).
- Trick you into disclosing the credentials to your computer or web services (phishing).
- Guess the credentials to your computer or web services (cracking).
- Break into web services and determine your credentials (hacking web services).
While hackers will always know about security problems before everyone else, they are less likely to use their brand new exploits against random people. High value targets, whether financial (PayPal?), political (FBI website?) or lulzy (the fappening), are much more likely to be their focus.
Day to day attacks will be from relatively unskilled hackers (script kiddies) and deployed against IP addresses on the internet.
Occasionally a large internet service will lose its password database to hackers, e.g. twitch.tv. Sooner or later one of these headline hacks will affect you.
In response you can:
- Keep your operating system and software up to date to cut down on remote exploits.
- Use anti-virus and anti-malware scanning software.
- Be wary about running unknown software or logging into untrusted sites (common sense 2015).
- Run a restrictive firewall to allow only certain applications access to the network.
- Use a password manager to generate random, secure passwords for your local computer accounts and web services.
- Use a password manager to have different passwords on every web service you use.
- Only use trusted web services, and give them as little sensitive data as possible.
- Use Two Factor Authentication (2FA) for higher value web services (banking, email).
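Why the "different passwords on every web service" advice matters once a service loses its password database, as an added example that is not part of the original page. The CSV layout, the `.example` service names and every password below are constructed for illustration; real password managers export in their own formats.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample of a password-manager CSV export (no real credentials).
SAMPLE_EXPORT = """service,username,password
twitch.tv,anon,hunter2hunter2
email.example,anon@email.example,hunter2hunter2
bank.example,anon,Tr0ub4dor&3
forum.example,anon,hunter2hunter2
vpn.example,anon,q7#Lw9!zKd2@pXv5RmT8
"""


def load_vault(text):
    """Parse the export into a list of {service, username, password} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reuse_groups(rows):
    """Lists of services that share one password (service names only, no secrets)."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["password"]].append(row["service"])
    return sorted(sorted(s) for s in groups.values() if len(s) > 1)


def blast_radius(rows, breached):
    """Other services whose password is exposed if `breached` leaks its database."""
    leaked = {r["password"] for r in rows if r["service"] == breached}
    return sorted(r["service"] for r in rows
                  if r["password"] in leaked and r["service"] != breached)


def generate_password(length=20):
    """Random password drawn from the OS CSPRNG, as a password manager would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(rows, services):
    """Copy of the vault with a fresh, unique password for each named service."""
    return [dict(r, password=generate_password()) if r["service"] in services else r
            for r in rows]


if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    exposed = blast_radius(vault, "twitch.tv")
    print("also exposed by a twitch.tv breach:", exposed)
    fixed = rotate(vault, set(exposed) | {"twitch.tv"})
    print("reuse left after rotation:", reuse_groups(fixed))
```

With unique passwords everywhere, `blast_radius` comes back empty for every service, which is the whole point of the two password manager items above.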
Against a Jealous Girlfriend
Let's suppose that through sheer dumb luck, you managed to get a girlfriend. Unfortunately, she was a jealous bitch from the beginning, but due to >tfwnogf you ended up accepting her anyway. Now you're stuck with a girl who wants to control your entire life. What do you do?
Your girlfriend can:
- Physically access your computer and phone.
- Spy over your shoulder.
- Possibly physically access your computer when you're not there.
- Recruit nerd friends, i.e. hackers, viruses, malware and phishing, to help her break into your devices if you put up any resistance.
Her motivation:
- Get any shred of positive evidence that you're cucking her. For security purposes, assume that a jealous girlfriend is emotionally attached to the idea that you're going to cuck her. No amount of evidence against will ever convince her of the opposite, and a single, dubious figment of evidence in favor will confirm her suspicions. Her determination will be extreme: they say hell hath no fury but that of a woman scorned, so be prepared for a fight that at best will only end when either side decides to break up, at worst with injury or material damage for either side, or if you live in an SJW place, with a false rape accusation.
She is interested in:
- Your location ("why were you on this part of town where this bitch lives?").
- Your communication metadata ("who is that skank you talk to all the time?").
- Your personal media ("who is this bitch in the picture?").
- Your login credentials (there is no better place to find all that than your social media accounts).
In response, you can:
- Do everything you would do against your mom, against thieves and against viruses, hackers and malware.
- Never share your passwords. This is going to be the hardest one. Women are natural savants when it comes to emotions and know every single emotional manipulation trick under the sun, and a jealous girlfriend will have no qualms about abusing them if that's what it takes to make you cough up your password. Do not fall for any blackmail, badmouthing, refusal of sexual consent, melodrama, fake tears or blaming. Password sharing is not a proof of love or a ritual of intimacy, it is a dangerous practice that negates every single countermeasure you take against information breaches.
- Keep your phone with you at all times, with a password lock, encrypted and with instant screen lock. Consider enabling the fingerprint reader if securing your phone outweighs giving the botnet your fingerprint.
- Enable two-factor authentication as a safeguard against a disclosed password. This way, even if you share your password, she will require the login code that has been sent to your sealed, locked, encrypted phone that can only be unlocked with your own finger.
- Be especially wary of spear phishing. Do not click on any weird link sent by your closest friends, or if you feel compelled to do so, open it from a tightly secured operating system where you have never logged in to your social networks.
- Keep your GPS off at all times, or use a custom ROM that restricts apps' access to your location.
- Keep your lawyer on standby and call them the very moment she brings law enforcement into the mix (e.g. threatening you with a rape accusation).
Advertisers/Marketing Companies
Advertisers can:
- Collect information when you login to them.
- Track you across different websites you visit without logging into them.
- Track you via GPS on your phone.
- Track you online via WiFi on your phone.
- Track you offline via WiFi on your phone.
- Track you offline via credit/debit cards.
- Track you offline via reward/membership cards.
Some of the security (or privacy) threats with advertisers are opt-in (i.e. you accepted it) and generally advertiser tracking isn't going to mess up your day. Problems arise when advertisers sell your information on to third parties (who in turn sell it to other third parties), go broke and auction off your data, get hacked or are victims of mass surveillance.
It's worth noting that their revenue models would be colossally damaged if everyone ran adblocking software.
In response you can:
- Not create social media accounts, or create accounts with false information (although you'll still have the same friends, so are still opting in big time).
- Disable third party cookies in your browsers.
- Turn off GPS on your phone, or use a custom ROM to limit which apps have access to your GPS.
- Turn off WiFi on your phone, or use a custom ROM to limit which apps have access to WiFi.
- Turn off WiFi when you're out and about, especially in malls/shopping centres.
- Use cash.
- Don't use reward cards. Most people never use the "rewards" and your privacy is worth more.
But I've Already Given Them Everything!
So you've already given Facebook your phone number and address and date of birth? They already know your schools and job and hobbies? Why close the gate when the horse has bolted?
- You'll change jobs.
- You'll move house.
- Your interests will change.
- Your friends will change.
- You'll get married/divorced/have children.
- You could even change your name or get married and change your surname.
Sure, the data they have today will still be valid in a week. But in six months? A year? Five years? The sooner you cut off advertisers from up to date information, the sooner it'll be out of date. Their databases will say you still like Linkin Park and Jackass unless you tell them otherwise. They'll also miss out on your patterns over time, not knowing the path of your history and making their future predictions inaccurate.
Cell Phone Service Providers
Your cell phone service provider can:
- See what cell tower you are connected to whenever your phone is on.
- See when your phone is switched off.
- See who you call and text, when and where, and for how long.
- See who calls and texts you, when, where you are, and for how long.
- See your data usage metadata and perhaps "full take" data.
- Sell you a phone preloaded with their applications, which have all kinds of permissions granted.
Cell phones are a big problem when trying to avoid location tracking. Without the cell tower your phone is only a phone when you have WiFi access, or not at all.
In response you can:
- Use VoIP and data messaging instead of traditional calls and texts. Encrypted VoIP and messaging exists.
- Convince your contacts to use VoIP and data messaging.
- Install a firewall to restrict which apps have access to the data connection, or turn your data connection off completely.
- Uninstall preloaded apps, flash a custom ROM or buy a standalone phone unlocked from any provider.
- Leave your phone at home when you're going out.
Internet Service Providers
While your ISP is able to collect your metadata and block access to websites, these are generally because of Government Policy. Some ISPs will offer a "family friendly" site blocking option which you can turn off.
Your home or business ISP can:
- Provide you with an email service which they control (e.g. you@yourISP.com).
- Force you to use a modem which they retain root access to, which may also contain serious bugs.
In response you can:
- Use an alternative email service and/or use PGP.
- Bridge your ISP modem to a router which you control. $50 will buy you an OpenWRT compatible router.
Government Policies You Can Legally Avoid
Government policies may enable:
- Collection of metadata or "full take" internet data.
- Forcing ISPs to block websites or internet services.
In response you can (if legal):
- Use HTTPS versions of websites wherever possible. There is a browser plugin for this.
- Use a Virtual Private Network (VPN)
- These can be paid or free services. Don't trust free services for anything other than light trolling.
- These can be based in a variety of countries and be bound by that country's laws, even though they have exits in multiple countries.
- Some take your privacy more seriously than others. Ultimately it's down to you trusting their word, but do your homework and make an informed choice.
- Use an anonymity network such as Tor (free, trustable).
- Use a proxy for web browsing (free, perhaps trustable, perhaps not).
- Use encrypted messaging when communicating with others.
See Surveillance Self Defense and Anonymising Yourself for more.
Foreign Government Policies
Avoiding government surveillance/hacking from countries you're not legally bound to is essentially the same as avoiding your own government's policies (above) without the requirement to follow their laws.
Copyright Trolls
Copyright Trolls are companies which exist purely to litigate against perceived copyright infringements, often using loopholes in copyright law and borderline standover/intimidation tactics to force their target into taking a plea deal.
They have different tactics for organisations than they do for individuals. For individuals they can:
- Monitor/scrape torrent tracker information.
- Monitor usenet posts.
- Monitor IRC chat and honeypot DCC.
Everything they access is publicly available. They have no more power than you do to monitor the internet.
In response you can:
- Use a VPN.
- Use Tor.
Local Law Enforcement Agencies (LEA)
We're not talking about breaking the law here. If you want to be a criminal, you can fuck off.
We're talking about attending a protest or running a Tor Exit Node or participating in any other legal activity where your equipment may be monitored or seized.
Obviously laws are different in different countries and within different parts of the same country, but often local LEA can:
- Seize your devices and keep them for extended periods.
- Request or demand your passwords.
- Detain you.
- Request your metadata or "full take" data from your internet and cell phone service providers.
- Request your metadata or "full take" data from higher law enforcement.
- Question your friends/family/roommates/landlord/whoever.
In response you can:
- Be polite.
- Speak to a lawyer for advice.
- Know your rights.
- Prepare yourself for attending a protest in the US or elsewhere.
National Law Enforcement Agencies
Passive Surveillance
Passive surveillance, or dragnet surveillance, is where all internet data is scooped up without a particular target in mind. The NSA tapping into undersea cables and spying on Google's data center links are some examples of this.
In response you can:
- Use end to end encryption wherever possible (e.g. email, web browsing, file transfer).
- Use an anonymizing network such as Tor.
Targeted Attacks
Hopefully you're never targeted/attacked by this level of LEA/Intelligence agency, but depending on your country, they may be able to:
- Do everything local LEA can do.
- Sniff your network traffic, be it home WiFi or cell network.
- Attack your systems, perhaps with 0days (publicly unknown and unpatched vulnerabilities).
- Intercept your online tech purchases and bug them.
- Attack the systems of people you trust.
- Pay off people you trust.
- Detain you when entering/leaving their country.
- Threaten you with lengthy prison sentences.
- Stop you from revealing the attacks and stop others revealing to you that you're under attack.
And in extreme cases/countries:
- Do whatever they want to you.
In response you can:
- Kid yourself.
- Use all of the above tactics combined.
- Buy your tech equipment anonymously in a bricks-and-mortar store using cash.
- Stay off the radar in the first place.
CryptoLockers
CryptoLockers are a reasonably new type of malware which encrypts files on your computer and demands a ransom (often bitcoin) to decrypt them. The ransom is usually fairly "reasonable" (sub $100) and a timer to destruction is included.
To render cryptolockers useless, see Backups.
Social Media/Web of Communication
Keeping away from unwanted connections on social media is basically impossible. Changing your name or profile picture and/or changing accounts doesn't work because you will end up connecting to the same friends and family with your new identity.
The block button is your best friend. Failing that, give up on social media. You won't convince all your friends to lock down their accounts so that you can't be found.