I'm just informed enough about IT security to know that I really know very very little about it. That said, I probably know ten times as much as do 99% of people. I'm an expert in my field, and while I've been a jack of all trades on many fronts, today's threats to privacy and IT security require expert knowledge to combat.
I do not have time.
The long winded point I have is that it is now just too damn much work to do it all right. I'm tired after a 10 hour workday. I've obviously taken more steps than most, but it is still leaky as hell...
I need a company/organization that I can reasonably trust to manage my information security/property, to manage my computers, manage my vpns, e.g., to isolate my web browser windows over multiple vpns, ... all of it, and it can't be GOOGLE. My data is my property, as long as I can hold it, so it needs to be a company/organization that built in privacy obligations (like lawyers and doctors supposedly do).
-Signed: A Frustrated Tired Old Nerd (with children)
[Ed's Comment: Does such a company exist? Is it even possible to provide such a service? Or have we just identified a niche in the market for some enterprising person to fill?]
(Score: 3, Informative) by Anonymous Coward on Monday October 05 2015, @12:26PM
... because it's allowed by law. However, law forces any data management company to work against you. The only way might be if you trust your data to an IT company of lawyers, maybe?
(Score: 3, Interesting) by Beryllium Sphere (r) on Monday October 05 2015, @06:06PM
There are limits to attorney-client privilege that you have to study before relying on it. For one thing, you'd better be communicating about seeking legal advice in order to claim it.
(Score: 2) by bob_super on Tuesday October 06 2015, @03:11PM
I'm going to start a legal company which will review your code for the legal aspects of its compliance to DO-xxx.
Because of too much demand, we don't have time to review, so we'll just store for you. But it's still attorney-client, right?
(Score: 0) by Anonymous Coward on Monday October 05 2015, @12:34PM
While I cannot help you with the general question, this shouldn't be an issue. Personally I use Firefox with Noscript etc. for normal browsing and Chromium "private browsing" windows for my Javascript / youtube etc. needs, maybe something like that would work for you.
(Score: 4, Informative) by AndyTheAbsurd on Monday October 05 2015, @12:55PM
Just as an FYI: You can create multiple profiles under Firefox, then start Firefox with "firefox -new-instance -p ProfileName" (replacing ProfileName with the name of the profile you want to start) and have a not-running-NoScript Firefox process running alongside your do-everything-else-while-running-NoScript normal Firefox.
Also, there's a Firefox extension called Request Policy that gives you the ability to say "scripts from source A are allowed to run on webpages hosted on site B", which is much better than NoScript's "I trust scripts from source A and will allow them to run on every website" model, which really obviates the need for multiple Firefox processes, because now you know that the scripts aren't running on other webpages from other sites than the ones you've specifically allowed.
Please note my username before responding. You may have been trolled.
(Score: 1) by CaTfiSh on Tuesday October 06 2015, @07:54PM
Rather than getting bogged down with multiple extensions, drop NoScript in favor of uMatrix and you'll have far more control of individual site permissions.
(Score: 2) by AndyTheAbsurd on Tuesday October 06 2015, @09:28PM
uMatrix literally presented no UI on my system, making it entirely unusable. Probably something that I fucked up, but I'm happy with Request Policy (and NoScript has been removed).
Please note my username before responding. You may have been trolled.
(Score: 1) by CaTfiSh on Tuesday October 06 2015, @09:48PM
Sorry to hear that. Possibly a problem with your profile? Do place it on the backburner and if you ever find yourself with a fresh install, take a look at it again. The documentation available is adequate and if one bothers to read and learn how to use it properly, it can be configured fairly rapidly and effectively.
(Score: 2, Insightful) by Anonymous Coward on Monday October 05 2015, @12:39PM
there is no such thing as 'good security', only improving security in a constantly evolving threat landscape
if you think your security is good, you have already failed
(Score: 3, Funny) by Anonymous Coward on Monday October 05 2015, @05:14PM
The three golden rules to ensure computer security are:
do not own a computer
do not power it on
and do not use it
(Score: 2) by Beryllium Sphere (r) on Monday October 05 2015, @05:17PM
The message is the same, though. The highest payoff for time and money invested is to minimize the damage that comes from a security breach. I do, obviously, explain to them how to reduce their chances of getting the next Zeus-like malware from the next Flash vulnerability. The advice that helps them more is when I recommend doing online banking from a separate, locked down machine that's not visiting sites full of free Flash games at lunchtime.
(Score: 5, Insightful) by Runaway1956 on Monday October 05 2015, @12:55PM
Security is not a product, it is a process. A frame of mind. The price of freedom is eternal vigilance. "Freedom" is synonymous with "security". The moment you stop actively countering exploits, you've lost the game. Read the slashplaces. Read the "hacker" sites. Read the "security" sites. Read, read, read - and be prepared to take countermeasures. The Vandals, the Mongols, and the Huns are all at the gates, waiting for you to let your guard down. And, don't forget the Brits . . .
And, you can just forget about hiring a company or organization to do it for you. If such a thing existed, none of us could probably distinguish it from any of the scams out there. Might as well rely on McAfee as any other company, and we all know how well that goes.
Is that hard core enough for you? Well - maybe you'll listen to the Masters of Security - https://www.youtube.com/watch?v=Sam4lq2WHos [youtube.com]
Abortion is the number one killed of children in the United States.
(Score: 2) by Hyperturtle on Monday October 05 2015, @02:23PM
Yes -- if you believe buying a firewall makes you secure, then by all means, buy one.
How much money do you think it costs to be secure? $50? $500? $50,000? There are firewalls cheaper and more expensive than that!
Education is priceless. With that, you can probably get that $50 device to perform more like the $500 just by knowing what to enable and disable -- or to know to install some alternate OS on it.
Or perhaps use old hardware to act as firewall that does something you understand.
Outsourcing is not a solution to security, unless you trust the mercenaries to keep you safe even when you are not the highest bidder.
(Score: 2) by Runaway1956 on Monday October 05 2015, @03:30PM
A good router costs between $100 and $200, from the distributor. As you suggest, installing a proper OS, and making that OS perform as you want, is priceless.
http://wiki.openwrt.org/toh/start [openwrt.org]
http://www.netgear.com/home/products/networking/wifi-routers/WNDR4500.aspx [netgear.com]
http://tomatousb.org/ [tomatousb.org]
https://downloads.openwrt.org/ [openwrt.org]
Hardware and software are subject to individual preference, of course.
Abortion is the number one killed of children in the United States.
(Score: 2) by VLM on Monday October 05 2015, @03:43PM
I've noticed an interesting growth over time in router costs. Back when it looked like routers were eternally going to drop to $25 I wondered how Soekris etc could stay in business, but now that you're looking at $125+ including sales tax and shipping, it's not too out of line.
(Score: 5, Insightful) by krait6 on Monday October 05 2015, @12:55PM
It sounds like you're suffering from some burnout. I've had this happen to me too.
I looked at the list of platforms you mentioned -- Windows 7 + 8, Ubuntu GNU/Linux, Mac OS X, iPad, iPhone, Android. I'm quite sure I'd feel burnout too if I was trying to secure all of those platforms -- it's just too much work.
Recognizing this what I did a while ago was standardize on a "Stable"/LTS GNU/Linux platform for computers I support for family members so that I generally only need to do periodic security updates on those systems and help them with the inevitable bugs and/or confusion of how to accomplish certain tasks. Those "support calls" have thankfully become pretty rare compared to what I was dealing with when the platform list was bigger.
Another part of our family runs Mac OS X, but since I (intentionally) don't run it I couldn't help there -- eventually another family member took that role along with supporting any Apple devices. In the short-term this sucked a bit because there was a period where user needs went unhandled, but was best for the long-term because it spread the workload.
I would never recommend outsourcing all of your security concerns to an outside party; partly because I don't think that way, but partly because it hands someone the keys to your digital privacy. Paid on-site service from a local consultant you build a relationship with might be possible, especially if it's a family member -- I've seen that work.
A family meeting about the computer support workload issue could be a good thing too; other family members may be able to come up with further ideas that could be useful (even if not chosen).
(Score: 4, Interesting) by Runaway1956 on Monday October 05 2015, @01:06PM
*nix based - the only way to go. If the *nixes are compromised, then we're all screwed, but I don't see that happening. Apple may not be the best *nix, but it's orders of magnitude better than Windows. Standardizing the family on one distro is probably wise. We see corporations doing that same thing. It's near impossible to support a dozen different distros, even if you're a lot smarter than I am.
Abortion is the number one killed of children in the United States.
(Score: 1) by Francis on Tuesday October 06 2015, @02:09AM
Indeed, all 5 of us using FreeBSD on our desktops are pretty low on the list of targets.
That being said, it's probably not a bad idea to do things like banking in a VM with an immutable disk. Still not hacker proof, but unless you've got millions in the bank, nobody is likely to put in the effort to break that. Security is all about layers.
(Score: 1) by cpghost on Tuesday October 06 2015, @12:57PM
I'm not sure that standardizing on one Unix distro would be such a good idea. Diversity can also be a way to increase security too. Just think of the Heartbleed vulnerability. If we had linked against multiple (API-)compatible Openssl library implementations, this particular vulnerability wouldn't have had this big impact in the field. Some distros would have been affected, others wouldn't have been, depending on their set up.
Or think of a similar kind of vulnerability: a security bug in glibc would affect all Linux distros (except for those using tiny C libs in embedded settings), but would spare the BSDs who use their own libc, and vice versa. Thus, once again, there's a use in diversity here again.
Cordula's Web. http://www.cordula.ws/
(Score: 2) by Runaway1956 on Tuesday October 06 2015, @02:20PM
Perhaps I phrased it wrong - one person doing IT for himself and his family can easily justify standardizing those installations which he administers. For all of us, no, standardization is the wrong thing to do. Any monoculture invites exploitation. That is what is so wrong with Windows, aside from my personal opinions about Microsoft.
If tonight, all the various distros were to be combined into one "Master Distro", with all installations using the same patches, the same kernels, everything the same, we would be compromised in short order.
Security by obscurity has been badmouthed plenty, in various places, but if obscurity is what it takes, I'll go with it.
Abortion is the number one killed of children in the United States.
(Score: 4, Interesting) by Anonymous Coward on Monday October 05 2015, @12:56PM
The best set of tweaks I've seen is here - https://github.com/WindowsLies/BlockWindows [github.com]
I did have to comment some lines out in the hosts list as it's very... Comprehensive.
(Score: 2, Informative) by Anonymous Coward on Monday October 05 2015, @02:58PM
On that note. Set up a firewall for your network. I use ipcop. Since it will also offer dhcp services and DNS. You add a 2nd 3rd 4th... Host files to protect whole network. So kids machines or wife's will be protected without a lot of worry. Yes, it is better to not load ms spyware, but they will find another vector so patching the firewall is faster.
For me I have 17000 block ad and tracking sites. In one extra host file. The was ms sites to block since my wife and daughter both use win10. Mainly school issues.
The other nice thing I also point my DNS feed on red (Internet) interface manually to a root server since my ISP runs "helpful" DNS override. DNS entry not found... Send you to their search and sales engine.
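An added example (not part of the comment above, and not ipcop's own code): one way to merge several hosts-format blocklists into the single extra hosts file described there. It keeps only plain block entries, rejects lines that would redirect a name to a real address, and honours an allowlist for names the household still needs. The list contents, domain names and function names are constructed for illustration.

```python
import ipaddress
import re

# Names every hosts file carries for the local machine; never treat as blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
LABEL = re.compile(r"^[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?$")


def valid_hostname(name):
    """True for a syntactically plausible multi-label DNS name."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def parse_blocklist(text):
    """Return (blocked_names, rejected) for one hosts-format list.

    rejected is a list of (line_number, reason). A line whose address is
    not a sink (0.0.0.0, 127.0.0.1, ::, ::1) is rejected outright: in a
    third-party list such a line redirects traffic instead of blocking it.
    """
    blocked, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            rejected.append((lineno, "no address field"))
            continue
        if not (addr.is_unspecified or addr.is_loopback):
            rejected.append((lineno, "maps name to non-sink address"))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue
            if valid_hostname(name):
                blocked.add(name)
            else:
                rejected.append((lineno, "invalid hostname"))
    return blocked, rejected


def is_allowed(name, allowlist):
    """An allowlisted domain also covers all of its subdomains."""
    return any(name == a or name.endswith("." + a) for a in allowlist)


def merge_blocklists(sources, allowlist):
    """Merge {source_name: text}; return (sorted names, rejected lines)."""
    merged, rejected = set(), []
    for source, text in sources.items():
        names, bad = parse_blocklist(text)
        merged |= names
        rejected += [(source, lineno, reason) for lineno, reason in bad]
    kept = sorted(n for n in merged if not is_allowed(n, allowlist))
    return kept, rejected


def render_hosts(names):
    """Emit the merged list with one sink address, one name per line."""
    return "".join(f"0.0.0.0 {name}\n" for name in names)


# Constructed sample lists (reserved example domains, not real blocklists).
LIST_A = """\
# constructed sample list A
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net   # mixed case
0.0.0.0 portal.school.example.org
"""
LIST_B = """\
# constructed sample list B
127.0.0.1 ads.example.com tracker.example.net
0.0.0.0 telemetry.example.org.
203.0.113.7 bank.example.com
0.0.0.0 bad_host!.example.com
not-an-entry
"""
ALLOWLIST = {"school.example.org"}  # hypothetical: a site the kids need

if __name__ == "__main__":
    blocked, rejected = merge_blocklists(
        {"list-a": LIST_A, "list-b": LIST_B}, ALLOWLIST)
    print(render_hosts(blocked), end="")
    for source, lineno, reason in rejected:
        print(f"# skipped {source}:{lineno}: {reason}")
```

Reviewing the skipped lines before loading the result matters most for lists pulled from third parties, since a hosts entry with a routable address overrides DNS for that name on every machine behind the firewall.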
(Score: 3, Insightful) by VLM on Monday October 05 2015, @01:13PM
just too damn much work to do it all right
Consider defense in depth. I could do an almost infinitely better job securing my car, but I don't leave it on the street in the hood with the windows rolled down and the keys in the ignition.
Another parable is two guys see a hungry bear so one guy puts on his running shoes "Why bother you can't outrun a bear" "All I need to do is outrun you..."
(Score: 5, Funny) by WillR on Monday October 05 2015, @04:23PM
(Score: 2) by VLM on Monday October 05 2015, @05:05PM
Forest fire is probably a good analogy. You're probably not going to get stuck in one, but if you are, at least you'll have an interesting story to tell, assuming you survive.
(Score: 2) by Beryllium Sphere (r) on Monday October 05 2015, @05:20PM
That analogy only applies to manually-operated attacks.
(Score: 0) by Anonymous Coward on Monday October 05 2015, @01:17PM
Create an account at https://www.opendns.com/ [opendns.com]
Go to your router and change the default DNS nameservers to OpenDNS nameservers (208.67.222.222 and 208.67.220.220)
This way at least you have a frontline of protection for everything that connects to your home network. Although I don't know if I like what might happen now that Cisco acquired it.
(Score: 3, Touché) by kadal on Monday October 05 2015, @02:06PM
How does this help
(Score: 1, Offtopic) by mtrycz on Monday October 05 2015, @02:32PM
The most basic of your internet services, the domain name service, is the single point on internet that knows most about you. There's no cleaning cookies, privacy mode, or disabling javascript, all that you request on the internet goes through a DNS first.
People run DNS not because of philanthropy, but because it makes them money. A single ("anonymized") profile can go 0.04 to 0.50 a month.
Some DNS services state that they dedicate themselves to respecting your privacy, BUT I'm not informed on the one GP recommended.
In capitalist America, ads view YOU!
(Score: 0) by Anonymous Coward on Tuesday October 06 2015, @03:09AM
The most basic of your internet services, the domain name service, is the single point on internet that knows most about you. There's no cleaning cookies, privacy mode, or disabling javascript, all that you request on the internet goes through a DNS first.
And how does _creating_an _account_ on OpenDNS help?
Please try to keep up with the conversation OK? Don't just spit out text just because some patterns match like a stupid AI.
(Score: 3, Insightful) by bradley13 on Monday October 05 2015, @01:19PM
The author has done a lot - he does more than I do in some regards (and I am pretty paranoid). We can hope that our data is reasonably safe.
What leads to despair is the general direction that security seems to be taking...
- You try to protect your identity, then organizations like OPM are hacked, revealing incredibly detailed personal information on millions.
- You try to protect your passwords, then security professionals (example: what happened at Ashley-Madison) turn out to have made stupid security mistakes that compromise those passwords.
- You try to protect your data with tools like TrueCrypt; the makers of those tools (presumably) get hounded out of existence by a government that doesn't want people to have tools like that.
- You try to protect your servers and infrastructure, then we annually have bugs like Heartbleed that publish your security keys to the world.
For the past few years, I've had the feeling that we are collectively taking 1 step forward, and then sliding 2 steps back. It's just bloody frustrating.
Everyone is somebody else's weirdo.
(Score: 1, Informative) by Anonymous Coward on Monday October 05 2015, @03:29PM
Original poster here.
Yes it is burnout...but more...Some suggest that it is laziness, or a misguided notion that complete security is attainable...but it is more an acknowledgement of the immensity of the attack surface today.
While most answers on this post focus on security, I am generally more concerned with privacy from corporate big data. A lot of money goes into stripping that data from you..to classify you, peg you, to quantify you. That kind of threat requires more than amateur endeavor of me following up on things I hear about from SoylentNews and others. It requires tools or services to manage our data assets that maintain our privacy...
(Score: 2) by Common Joe on Monday October 05 2015, @07:30PM
I think there is definite merit to these statements. 25 years ago, we dealt with viruses and the occasional trojan. F-Prot or an fdisk and everything was taken care of. Today, the vectors are tremendously more varied.
Hmmm... yes, quite a different animal. Minimize the areas of yourself that can be attacked is about the only thing you can, but just know that one day, everything you write has the potential to be public in some way. The good news is that everyone will be in the same boat. In 20 years, it will be a completely different landscape because the public is just now waking up to these kinds of threats. It will take time for the landscape to mature. Until then, just hang on because the ride will be bumpy for everyone. Minimizing your profile is the best defense, but it makes other things harder. You have to find the right balance for you.
(Score: 5, Insightful) by VortexCortex on Monday October 05 2015, @01:21PM
First off: You're deluding yourself if you think today's consumer cell phones can be secure. For instance, on Android there is a secondary tiny OS that operates the cellular radio. The large OS with user interface and USB, Bluetooth, display, touch input, keyboard (if present), etc. is updated, and you can replace it via firmware update, but you can't get into the other OS. Exploits delivered via cellular radio in that smaller OS can read / write your entire phone memory and exfiltrate all of your data. I know of several such exploits for the majority of popular models. Firmware updates alone will not grant security from a hacker who uses exploits that work against the baseband radio OS. If they've got a Software Defined Radio and a laptop, you're 9001% PWNed whether your userland firmware has zero vulnerabilities or not.
Treat your cell phone as if it were a pay phone at a bar. Everyone can overhear the wireless data you shout (e.g. GSM encryption is horribly broken), and all your bases are belong to the phone provider. Don't use them for banking and don't say or do anything on a cell phone you wouldn't want the world to know about. For years many carriers have recorded every touch swipe and program execution and phone this data home to "improve your experience". The new privacy invasive MS Windows is just embracing and extending this to the desktop [which shall be extinguished soon?].
Secondly: Use a Virtual Machine. Many (most) chipsets nowadays support virtualization in hardware so you don't take a performance hit for having a hypervisory VM. Letting MS Windows run on bare metal? Not even once.
Third: Get or build a security gateway to filter your Internet traffic and provide intrusion detection capabilities. Some companies, like Astaro, offer a free software gateway with free updates for home users (and charge you for business use or more features). Some of these security appliances double as VPNs. Any old geek should have a few old PCs; Slap 2 NICs into one and there's your network security appliance. I'm not sure if there are any security gateway providers that block the intrusive MS Windows updates, but if you're just now worried about them rather than the whole OS then you're ignorant:
MS has root and they've been spying on you for years (one example: sending a list of all installed programs to windows update servers whether MS can update them or not). MS is just being more open about it and collecting a bit more data than they used to. If you're worried about the new privacy invasions, get off of MS Windows. As for your children: Buy them systems without an MS OS pre-installed. Hell, they're kids. Burn them a LiveCD and tell them to install it. They'll likely succeed if they're 10+ years old. Expose them to maintenance now, or you'll be doing it until the day they have no more security.
Lastly, but not finally: Install custom firmware on your routers and keep the firmware up to date (or just build a badass BSD or GNU/Linux router out of another old PC and a few more NICs and enable automatic updates). Do these things and you'll be fairly secure. When it comes to security there is always room for improvement. Absolute security doesn't exist in the consumer world. People have been unwilling to pay the price of security for so long that it has gone extinct commercially, out competed by products offering new and shiny features (read: untested and insecure software).
There is an initial time investment to set up a more secure system. You, like most people, have been unwilling to pay the price of security for a long time (and this will likely be the case for the foreseeable future). Maintenance is the cost of using today's technology responsibly. I used to do Computer Security Consulting, and when I was younger I even made house calls. Paying a security nerd to maintain your crap once a month might be what you need to do (finding a trustworthy and knowledgeable hacker is a different story; If they don't mention things in this post, they're probably not competent at security). If you want security you will have to demand it from the market before the supply can be created. Today's markets have failed to demand security, and you have gotten what you paid for.
There is a silver lining: As long as everything remains so damned insecure, the Geek shall inherit the Earth.
(Score: 2, Informative) by Anonymous Coward on Monday October 05 2015, @01:43PM
There's a tiny/secondary OS on everything. It's called the Bios. Even that can be hacked and you'd never know.
(Score: 0) by Anonymous Coward on Monday October 05 2015, @11:48PM
Secondly: Use a Virtual Machine. Many (most) chipsets nowadays support virtualization in hardware so you don't take a performance hit for having a hypervisory VM. Letting MS Windows run on bare metal? Not even once.
Not this again. How does virtualization make Windows more secure, exactly? Please be specific.
(Score: 2, Informative) by cpghost on Tuesday October 06 2015, @12:49PM
With a VM, you can, for instance, disable some peripherals, like, say, mic and camera..., and much more than that. You get the idea.
Cordula's Web. http://www.cordula.ws/
(Score: 3, Informative) by WillR on Tuesday October 06 2015, @05:27PM
(Score: 3, Troll) by NullPtr on Monday October 05 2015, @01:21PM
Emulate what happens on this site: when the user logs in correctly, keep displaying the "enter username and password" boxes. Yes, it looks amateurish but an attacker won't know whether he's logged in or not. Not will the user. But that's s small price to pay.
(Score: 0) by Anonymous Coward on Monday October 05 2015, @01:37PM
I guess you just caused a Null Pointer Exception.
(Score: 1, Troll) by NullPtr on Tuesday October 06 2015, @11:02AM
I just noticed a couple of typos. That's because when I entered the text I was using my phone and this site has no mobile interface; it looks dreadful. And the size is like point 1 size so I have to keep zooming in every few words to see what I'm typing; it zooms out by itself. I didn't realize rendering static pages of text and allow users to type short textual comments was still an unsolved-problem in 2015 but apparently I was wrong. Back to reading the headlines via RSS, I guess.
(Score: 2) by Hyperturtle on Monday October 05 2015, @01:22PM
You first have to care.
Knowing that there are issues but that you will "get to it eventually"...
Your priorities appear to be on self-indulgent desires, or maybe it's Monday and my mental filters are not in place and I am being rude. You moved yourself to Ubuntu, and I suspect that is because you personally wanted to do that and maybe learn something new that is useful, aside from the irritation of how to have less convenience by needing to learn something new that impacts others you know and love. Why did you not move everyone to Ubuntu?
It takes only a few minutes to remove the offending updates. This is presuming you know what ones to remove.
Perhaps your first step is to disable auto-updates; set it to notify you.
Then, when your PC (oh the one with linux won't work that way anymore, so you will now need to make an additional effort with a PC you regularly use to see this on) gets notified, make a list of the updates and look up EACH AND EVERY KB article. You can take MS at its word (this optional yet very important update resolves issues in Windows; never mind the fact it is optional and part of Windows *update*). Or you can search around the internet.
Make a list and save it to something like a network share, a usb stick, a piece of paper, or if you are clouded, send it to somewhere else on the internet far away so you can then access a second PC in your home and access that same place far away to read the text file. Maybe you can email the list to yourself. Doesn't matter--make or obtain a list of the updates you do not want.
Then uninstall or refuse to install the same items on all of the machines in your home that you want to not have those updates on.
I am tired after a long work day too; and often feel like Indiana Jones in the Raiders of the Lost Ark, when he finishes beating up a bunch of Nazis inside of a camp where there is a bomber being worked on by mechanics, and just as he starts to rest, a big muscle bound guy walks out and bellows his challenge, and Indy has this look on his face like "oh man I just... ok... give me a second to catch my breath", all in gestures and facial expressions, since they speak different languages.
Then they do battle!
You can't use your own laziness as an excuse, because that is exactly why you are in the situation you are now. The only difference is that you aren't entirely oblivious.
Eventually you will get used to doing this, just like anyone that got used to using noscript and permitting things and seeing how things work, and being frustrated by the constant changes to the internet that breaks what you got used to. And, did you know you can simply permit/white list websites you want to permit? Why are you removing all security for everything? That is almost never required if you trust where you are going! If it's that much of a problem, do it the way I sometimes still do -- write a check. It takes discipline to beat back the convenience -- this whole personal/sharing economy is built upon the convenience to make it so easy to not be proactive that it is now standard to require people to opt out, rather than opt in! And in some places, opting out isn't even an option. How is that for convenience?
I have been in the industry for a long time. With every convenience, some sort of other favorable item has been taken away. Like my free time when cell phones became ubiquitous, or quiet time at home when remote connectivity became fast enough to work away from work.
The fight for security will NEVER end; they will ALWAYS try to sell something to you, they will ALWAYS try to get a foot in the door to see what you want and NEVER leave you alone -- even if one does, the others are not required to do so. Never expect them to give up because you are tired.
The hydra of what we call the internet today, the many headed beast of distraction, convenience, and the enabler of compulsive behavior... will never be killed, no matter how many heads you cut off. Your best bet is to shield yourself and reduce the impact of the biting--but if you don't learn how to act defensively, then you'll get your ass handed to you by the big guy that walks out just as you thought you offensively took care of other problems at work.
I feel for you and the fact you are married and have kids, but I think that this just makes you more responsible to do the right thing than claim that because of them you are tired.
(Score: 2, Touché) by Anonymous Coward on Monday October 05 2015, @03:38PM
Do you have kids? If you do, do you spend time with them? It is not laziness. I work from morning until 7:30/at night 6 days a week. Sorry kids, I know daddy works a lot but now he needs to take your iPhone games away and patch my external firewall, inspect the new packets z software are sending to FU.com. wanna help?
Your arrogance is aggravating.
(Score: 3, Insightful) by Hyperturtle on Monday October 05 2015, @04:03PM
I work in security as my job; out of interest.
I outsource stuff -- I don't have time to fix plumbing or mow the lawn even. Or fix the hole in the roof the squirrels chewed their way in through (or created).
But I measure what's valuable to me... I'm just a jerk sometimes about what I take to be a priority.
I understand if you do not feel the same way, and that's fine. My issue is that I have been paid in the past to provide advice that various executives ignore as being too costly, or they hire an intern/nephew to reboot PCs after installing a free virus scanner, and call that the solution. Sometimes problems result.
I've been hired to be the scapegoat for problems, and so I have learned to be... quite defensive, and suspicious.
I tried to end that rant with humor, being out standing in my field with a tin foil hat, but I suppose it did not pave over the bumps I had in the road put down.
I'm sorry to have offended you; I still think that having a concern for security is great to start, but it needs to be encouraged -- either via my way, which you don't like or don't like my presentation of, or another way that works for you. Please don't rely on hardware, because that is not the way... a false sense of security. Maybe that's what a lot of people want, and maybe it is arrogant of me to yank that rug out from under some people... but education is key.
Teach your wife, teach your kids, teach the dangers of what conveniences coast in that trade for security and privacy, and use the same products and techniques you expect them to use, or they might not stick with it.
(Score: 2) by isostatic on Monday October 05 2015, @01:25PM
Very few people care, and those that do aren't going to trust a random company
(Score: 1, Insightful) by Anonymous Coward on Monday October 05 2015, @01:25PM
You are looking at security the wrong way.
*all* security can be broken. Well not quite true but pretty much (one time pads). All the remaining security is a matter of time and energy. Take for example the lock on your house. You can put in 15 deadbolts armor up the windows. Yet with all of those measures it is just a matter of time and energy to get into your house.
If you are worried about win7/10 just find one of the many scripts out there that turn the sendhome junk (automate the problem it that is what computers do). Get a router that blackholes the ip/name. Or use something like linux. But even then companies like canonical/ubuntu are starting to do the same thing. You are also going to have devices where you do not control the stack at all (like your TV).
If you want to keep the info in your house the best 'bang' for your buck is a router where you can control the ip/dns stack. If you are really paranoid you can goto whitelists.
Trust no one. There is no company that will do what you want.
Also keep in mind much of the info you are protecting is already in the wild, through use of those applications, your ISP, your local town hall, your old phone book, your neighbors, your friends. A trip to your local town hall will yield just as much info. Sure it may be a pain but there is pretty much 0 security on it.
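One way to build the name blackhole and the whitelist described in the comment above, as an added example that is not part of the original post. It assumes the router's resolver is dnsmasq; the function names are made up and 192.0.2.53 is a documentation address standing in for a real upstream resolver.

```shell
#!/bin/sh
# Added example (not from the thread): turn a domain list into dnsmasq rules.
# Assumes the router's resolver is dnsmasq; function names are hypothetical.

# clean_domains
# Read a list on stdin (plain names or hosts-file lines like "0.0.0.0 name")
# and print each valid DNS name once, lower-cased. IP addresses, single-label
# names and anything with other characters are dropped, so a hostile or
# corrupted list cannot inject extra directives into the generated config.
clean_domains() {
    awk '
        { sub(/#.*/, ""); sub(/\r$/, "") }
        {
            for (i = 1; i <= NF; i++) {
                name = tolower($i)
                if (length(name) > 253) continue
                if (name !~ /^([a-z0-9_]([a-z0-9_-]*[a-z0-9_])?\.)+[a-z][a-z0-9-]*[a-z0-9]$/) continue
                if (!(name in seen)) { seen[name] = 1; print name }
            }
        }
    '
}

# blackhole_rules
# Names on stdin get a null answer (0.0.0.0 and ::), subdomains included.
blackhole_rules() {
    clean_domains |
        awk '{ printf "address=/%s/0.0.0.0\naddress=/%s/::\n", $1, $1 }'
}

# whitelist_rules UPSTREAM_IP
# Names on stdin are forwarded to UPSTREAM_IP; every other name gets a null
# answer ("#" is the dnsmasq wildcard for any domain).
whitelist_rules() {
    case ${1:-} in
        ''|*[!0-9A-Fa-f.:]*) echo "whitelist_rules: bad upstream address" >&2
                             return 2 ;;
    esac
    clean_domains | awk -v up="$1" '{ printf "server=/%s/%s\n", $1, up }'
    printf 'address=/#/0.0.0.0\naddress=/#/::\n'
}

# Stand-alone use:
#   sh dnsrules.sh blackhole_rules < blocklist.txt > /etc/dnsmasq.d/block.conf
#   sh dnsrules.sh whitelist_rules 192.0.2.53 < allowed.txt
# (192.0.2.53 is a documentation address standing in for your upstream.)
case ${1:-} in
    blackhole_rules|whitelist_rules) "$@" ;;
esac
```

Devices that use a hard-coded resolver or raw IP addresses bypass DNS rules, so this complements the router's IP-level blocking rather than replacing it.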
(Score: 4, Insightful) by Thexalon on Monday October 05 2015, @01:54PM
The concept is "Total Cost of Pwnership": How much effort does it take to compromise your system? If the TCP is far higher than the perceived value of the information stored on the device, then most attackers will simply move on to a softer target. After all, why spend valuable time trying to bust into somebody's FreeBSD system when you can just move on to your neighbors' unpatched Windows box?
If you think you're going to get perfect security, I'll let you know right now - you won't. Nobody has it, not even the military or the NSA. The best you could manage: Anything you really need to secure would be stored on a machine with no networking capabilities whatsoever, where you never transferred data to nor from another machine, kept everything encrypted, and put in a bank deposit box when you aren't working on it. Which somebody could still get to, if they barged into the bank with a warrant or a weapon and forced the bank staff to open it, but probably won't because of the TCP problem.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Insightful) by nitehawk214 on Monday October 05 2015, @03:27PM
This is the best post here, which bridges the gap between, "there is no security, don't bother" and "don't use any electronic devices."
Find the thing you have that is the least secure. (probably a mobile device, since those tend to grow legs and walk away) Deal with any security problems there.
Think about the location and number of users and foot traffic. (My work computer has hundreds of people that can walk up to it, where there are only a few people in the world with keys to my house.) Think about the ramifications of the security being breached. (Breaking into my Steam account would be annoying but easily correctable. Breaking into my bank account would leave me broke for the time it takes the bank to fix it. A hackable wifi thermostat could burn my house down.)
Also look at non-electronic security. I no longer write paper checks out of my primary bank account. Simply knowing a person's bank account number allows you to completely drain it of funds. Just look up the routing number for the bank, and you can print off checks. The name on the check does not have to match the name on the account. The check infrastructure doesn't have the ability to verify if a check is valid. Stores never call the bank to see if it is real.
How are the locks on your house? How easy is it to break in? How many people have keys? Do you live in a secure neighborhood or at least trust your neighbors?
How secure is your vehicle? If you park on the street, consider a dash-cam that has a motion sensor.
Repeat this process until you feel that the thing is secure enough. The difficult part is determining the security level of a device.
Remember that "good security" does not exist, only "good enough security".
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 2) by Fnord666 on Monday October 05 2015, @04:20PM
The concept is "Total Cost of Pwnership": How much effort does it take to compromise your system? If the TCP is far higher than the perceived value of the information stored on the device, then most attackers will simply move on to a softer target. After all, why spend valuable time trying to bust into somebody's FreeBSD system when you can just move on to your neighbors' unpatched Windows box?
Unfortunately this presumes that it is an either/or situation, which it's not. With automation, scripting and botnets, attackers can try to get into both of your computers at the same time. It doesn't require their undivided attention.
(Score: 2) by Thexalon on Monday October 05 2015, @04:39PM
I absolutely agree that they can do multiple things at the same time, but the automated scripts and such are likely to target easily-compromised machines with a large install base too. Why bother writing an automated tool that targets a relatively rare OS when you have so many really easy targets available?
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2, Insightful) by https on Monday October 05 2015, @05:35PM
Because they are using other people's resources to run the attacks. They do not have to manage them efficiently or rationally, and an exploit is an exploit is an exploit is an owned machine, unless you don't actually implement the exploit.
Offended and laughing about it.
(Score: 4, Insightful) by Anonymous Coward on Monday October 05 2015, @02:34PM
First, accept that all your boxes and all your networks are already compromised by someone. Whoever scares you most. Russian mafia, NSA, whoever.
Why assume that? Because they could be, at any time, and frankly you'd be none the wiser. The real professionals will always get in where they want to - you can at best hope to keep out idiotic scriptkiddies.
Next, don't assume that you can secure anybody's machine unless they will obey your every order, and you can confirm that they actually did so. Even the military follow this up with checks, people looking over other people's shoulders, and so on. So basically, all your kids' and wife's machines are constantly being recracked because of things they do regardless of your efforts.
Corollary: the best you can do, aside from standard procedures like patches and configurations, is to keep important data off the electronics. If it ain't there, it ain't cracked. (This goes along with cutting microphone wires, putting tape over camera lenses and so on.)
Ultimately you can try to educate your family, but the fact is, like every user group, they don't get it, won't get it, and don't want to get it more than they want to see that cute cat video. So all you can do is protect yourself.
And if you want a way to do things with just a tad more security and flexibility, keep some read-only bootable media around for when you have a suspected crack, or when you want to do something with less recorded backtrace of cookies, use virtual machines which you can drop and recreate at a moment's notice for fresh instances...
... and back things up to help defend against encryption-style blackmail.
(Score: 3, Insightful) by Nerdfest on Monday October 05 2015, @05:48PM
Look at Snowden and the NSA if you want to see how hard security is. These people are supposed to be the experts and a contractor walked out with a treasure trove of information.
(Score: 1, Interesting) by Anonymous Coward on Monday October 05 2015, @05:58PM
There are many armchair experts at everything™ here on soylent, but I have an ever growing laundry list of credentials. Threats are getting too dynamic and too numerous for a non-specialist to even conceive of.
Don't trust the "usual names" here on soylent. None of them have any more knowledge on security than an average CS or admin does. Think about how many times you have had to patch something; every time that happens, a team of architects, designers, developers, QA, and admins failed simultaneously at keeping your assets secure. Think of them as medical assistants and IA specialists as doctors. They have some knowledge but it is more likely to be wrong via incompleteness than it is to be right.
However, the post I am responding to handles the general philosophy of what you ought to do in a manner which makes me feel it unnecessary to add to. Out of nearly fifty posts, that humble currently +1 insightful AC is the one you should be listening to.
If you want more technical, specific advice, you are going to tell me what the deliverables are; i.e. what your risk tolerance is in technical terms, what your assets are, categorize them, give me information on importance weighting, and what the constraints are; critical use assets, budget in dollars and initial time investment along with an ongoing maintenance budget. That is step zero. A risk assessment that includes use-case analysis, impact analysis, and budgeting. Then we can start working on a development plan. A plan to fail is a failure to plan. Yeah it's hard and takes more effort than anyone is comfortable with. That is why nobody gets it right.
(Score: 1, Insightful) by Anonymous Coward on Tuesday October 06 2015, @01:34AM
Thank you very much.
I'm actually not an amateur. I spent ($years) in infosec until I figured out that it's a codeword for scapegoat, then I moved on.
I also figured out that bosses don't care about security, they care about not being sued - which is a kind of security itself. But that meant that all my employers were always primed for catastrophe.
The rest of my advice simply follows directly from that.
It's really all about reducing exposure in the teeth of cruel reality, and being prepared for when it all goes bad.
(Score: 0) by Anonymous Coward on Monday October 05 2015, @02:38PM
Security is process. It takes practice to get right because a lot of it is developing good habits. It depends on layers to slow an attacker long enough to be seen and have their access severed. It all starts with taking control of your devices.
So for a start, adopt a platform that gives you the most control, Linux. Do this everywhere, but at least initially on the edges of the network like routers, security checkpoints, so to speak, etc. Then one piece at a time learn how firewalls, dansguardian+clamav+squid, full disk encryption, host-based and network-based IDS/IPS work [tripwire/rkhunter/snort]. Then use these tools.
Security, just like everything else worth it, is hard in the beginning but gets easier once you've done it for a while.
(Score: 2) by MichaelDavidCrawford on Monday October 05 2015, @02:41PM
Renumber all the system calls. That is, suppose read() were system call number 1 and write() were system call number 2. Switch them both in the C standard library and in the kernel exception dispatch table.
Rename /bin/bash to /bin/ls and vice-versa.
I thought of writing a tool to do this in an automated way and so that everyone could scramble them differently but I just don't have the headspace for it now.
Also remove from your servers any software that the servers don't really need - especially the compilers. Don't just stop the daemons you don't use, remove their binaries, X11 programs and libraries and the like.
Put your daemons in separate chroots. It's a PITA to set the first one up but once you see how it's done setting up the second is straightforward. While it is possible to bust out of a chroot - I don't know how but understand that's the case - all but the most determined attackers, automated attacks in particular, won't know what to do.
Enable ssh public key authentication then disable password authentication.
Run ssh on a nonstandard port.
Add an extra round or two to your AES key schedule. Throw away the source code.
Set up "port knocking", that is, ssh won't listen for incoming connections unless you ping your server a certain way.
Yes I Have No Bananas. [gofundme.com]
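A check for the SSH items in the list above (public key authentication on, password authentication off, nonstandard port), as an added example that is not part of the original post. It assumes OpenSSH semantics where the first occurrence of a keyword wins, does not follow Include files or evaluate Match blocks, and uses made-up function names and a constructed sample config.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config for the
# "public keys only" setup. Function names are hypothetical.

# sshd_effective FILE 'keyword|alias' DEFAULT
# Print the value of a global setting: the first occurrence wins, keywords are
# case-insensitive, and parsing stops at the first Match block.
# Simplification: Include files are not followed.
sshd_effective() {
    awk -v keys="$2" -v def="$3" '
        /^[ \t]*#/ { next }                    # comment line
        { sub(/=/, " "); gsub(/"/, "") }      # accept Keyword=value and quotes
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" keys ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# sshd_ports FILE
# Print every global Port value (sshd listens on all of them), default 22.
sshd_ports() {
    awk '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { printf "%s%s", sep, $2; sep = " "; n++ }
        END { if (n) print ""; else print 22 }
    ' "$1"
}

# sshd_audit FILE
# Print one line per finding. Exit status 1 if a password-style login is still
# possible or key login is off, 0 otherwise. Runs in a subshell (note the
# parentheses), so its variables and exit do not affect the caller.
sshd_audit() (
    bad=0
    if [ "$(sshd_effective "$1" passwordauthentication yes)" != no ]; then
        echo "FAIL PasswordAuthentication is not 'no'"
        bad=1
    fi
    # With PAM, keyboard-interactive can still ask for the account password.
    kbd='kbdinteractiveauthentication|challengeresponseauthentication'
    if [ "$(sshd_effective "$1" "$kbd" yes)" != no ]; then
        echo "FAIL keyboard-interactive authentication is not 'no'"
        bad=1
    fi
    if [ "$(sshd_effective "$1" pubkeyauthentication yes)" != yes ]; then
        echo "FAIL PubkeyAuthentication is not 'yes'"
        bad=1
    fi
    case " $(sshd_ports "$1") " in
        *" 22 "*) echo "NOTE still listening on the default port 22" ;;
    esac
    if grep -qiE '^[[:space:]]*match[[:space:]]' "$1"; then
        echo "NOTE Match blocks can override the above; review them by hand"
    fi
    exit "$bad"
)

# Constructed sample: password logins look disabled, but keyboard-interactive
# is left at its default and a Match block turns passwords back on.
sample_sshd_config() {
    cat <<'EOF'
Port 2222
PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
}

# Stand-alone use: sh sshd-audit.sh /etc/ssh/sshd_config
# Without an argument the constructed sample is audited instead.
if [ "$#" -gt 0 ]; then
    sshd_audit "$1"
else
    tmp=$(mktemp) && sample_sshd_config > "$tmp" && { sshd_audit "$tmp" || true; }
    rm -f "$tmp"
fi
```

On a live host, `sshd -T` run as root prints the configuration the daemon actually resolves, including Include files, and is the authoritative check.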
(Score: 4, Insightful) by Dunbal on Monday October 05 2015, @02:42PM
A chain is only as strong as its weakest link. It doesn't matter how "strong" you make your end, your data security is forced to rely on third parties - your ISP, your router manufacturer, your OS and its creator(s), your hardware manufacturer, your "cloud" provider. All it takes is ONE of these to be compromised and you can be as secure as you want, but anyone interested will be able to penetrate your defenses to some extent. If you REALLY want security, don't digitize it/don't put it on a computer. Pen, paper, safe/strongbox/lock and key. And even then you can be subject to disaster, subpoena or espionage. Life is temporary. How much of it do you want to spend worrying about security? Especially when the likely breach will be out of your hands anyway.
(Score: 3, Insightful) by mtrycz on Monday October 05 2015, @02:48PM
I find it strange that the savvy populace of SN hasn't pointed it out first. I'll try to be concise and straight to the point.
There is no such thing as "Good Security". There is "good enough security" for a set of requirements or constraints. You can't have a "measure" of security without stating what the requirements are.
There is always a tradeoff between convenience and security. Examples: most precise search engines, social networks make it easier to stay in touch and share, payment platforms are hella convenient, etc. (I'm going through a "private person" concerns here). (THIS is where the border between "security" and "privacy" blurs in our common language. If you just don't want your machines owned by viri, then you're good with Win10 and an antivirus. If you're concerned with your privacy, then you should just go off the net.)
You have to sit down and state your requirements and the level of convenience you wish to sacrifice. I've read good insights about this from both Krebs and Schneier (the biggest security publicists), even tho I can't find a good, comprehensive guide right now. But do check their sites, and subscribe to their newsletters. Schneier uses Windows (for convenience) but he'd advise for a FOSS OS. Krebs recently wrote on his blog that, if you're American, your personal data have already been leaked to some extent in the bazillion leaks that happen daily.
The sad truth in 2015 is that the balance between convenience and security is soooo skewed that a single person, even an informed professional, will have a hard (I argue: impossible) time to secure his machines and his private life. You HAVE to settle for (some level of) "good enough" if you want to stay on the net.
In capitalist America, ads view YOU!
(Score: 2) by Beryllium Sphere (r) on Monday October 05 2015, @05:37PM
Think carefully, not just about how "secure" you want to be, but about what you need to protect.
Your online banking password? Critical if your bank doesn't offer 2-factor authentication. Your credit card number? Much less so, actually. When it gets compromised, a matter NOT under your control, the cost is minor inconvenience as you get the first trivial fraudulent test charge reversed and update all your $#@! recurring payments.
(Of course never use your debit card online unless it's tied to a separate small account not at your usual bank).
Do you need to protect your location information? Even if you live a vanilla life, there are states and towns where it really matters where you are on Sunday morning. Being in the wrong church could cost you a job, and if it's no church at all... If nobody cares and you're not visiting crime scenes, the priority goes way down.
(Score: 5, Insightful) by Yog-Yogguth on Monday October 05 2015, @03:11PM
(By the time I'm done writing this it's most likely redundant many times over, sorry about that).
What can I actually say except that I share almost but not all the same problems and I'm also a frustrated and very tired old nerd. You have my total sympathy and empathy.
So this is all probably shit advice :D
Sacrilegious as it may be you probably need to try less hard and narrow your focus. This is mightily difficult in my opinion. I find I need more “downtime” than ever for my brain, it needs time to churn, more time than I'll ever have. Don't exhaust yourself (I did), don't burn out (I did), don't blame yourself (…). Don't cry: laugh if you have to and it's okay to go a little bit insane as long as you realize you have. Don't destroy who you are to yourself.
Now more than ever before it's important to force yourself to take one step back on a regular basis. Let yourself catch up to where you/we are.
Get out and off the screen more if you can. Learn fishing or archery or gardening or knitting (or weaving, did you know it was originally exclusively a male job?) or whatever you fancy. If you can't get out much or at all then find perhaps a nice “serious” YouTube (or similar) channel (I like guns so there's plenty for me, I recommend the Hickok45 channel [youtube.com] (not everything goes on the front page so I link directly to the video list), there's also some great archery channels and this one [youtube.com] might be a good starting point (I like the guy and his cheap self-made bows, seems he's doing knives too now)) or tidbits of distractions like futilitycloset.org [futilitycloset.com] or games or crazy/alien Japanese anime or anything you fancy that manages to let you disconnect and unwind.
Or maybe a good book will do it, maybe something soppy, maybe something hard. There are some interesting free books out there like Street-Fighting Mathematics [mit.edu] and (same author) The Art of Insight [mit.edu], I haven't read through them yet but they seem promising.
Let the systems that are beyond hopeless burn if they have to: don't waste your time beyond what you already have solutions to as far as they are concerned. The environment is evolving and evolution is nasty business.
No one is likely to actually be anything close to secure. With the systems that exist (a 100 billion —billion with a b— records daily by the end of this year in/through KARMA POLICE and BLACK HOLE —and these aren't even massively funded US programs but British!— is apparently too large a number to truly fit into our brains) any specific machine does not have to be compromised to compromise the individuals (everyone) they belong to.
Can you save the Tyrannosaurus Rex (or any cuddlier choice) from extinction? Of course not, it's long gone, so leave stuff like that to any would-be genius/mad scientist or imaginary future time-travellers.
I don't want this or the following to be interpreted as not doing whatever each on his or her own feel is reasonable, or like giving up (because you're not, you're just in the process of adjusting to a sustainable level which might be a lot lower), or not learning anything new ever again, or not doing anything any more.
But by now a lot depends on luck anyway.
At the turn of the century I still used Windows both at work and at home (I really liked nt4.0 and then w2k and also Cisco), not long after I felt the same way as now: overwhelmed and realizing I had no chance of any confidence in the Windows systems. So I switched to Linux and also looked a bit at BSDs back then. Maybe in the not so distant future it will become an option to switch to less complex systems, maybe it will become possible to switch to systems based on open hardware (neither will be enough but it should be better).
There are too many threats and most or nearly all of those who were supposed to help secure systems are breaking them. This is what it looks like when all trust is gone.
One can only get so much (or little) done. There's far too much for any individual or small group of individuals to handle, so much so that one only has to laugh. Available information on its own far surpasses my capability and it would make no discernible difference if I spent every second on it (which I of course like anybody else can not and will not do).
Just don't stop because you accept reality.
The silver lining is that one is aware that one's own (and all) systems are insecure. Not because one doesn't continue to try to the extent one can handle but because that extent is rapidly vanishing into what seems like insignificance compared to the capabilities, people, organizations, knowledge, funds, and experience stacked against everyone.
I try to avoid the worst. I don't own a smartphone. I don't use un-free systems.
I speak freely, it's not going to help not to, but I try (increasingly harder) not to tilt completely if I'm trying to explain it all from my point of view.
I'd like to get around to using Firejail [wordpress.com] but haven't so far despite the excellent documentation. I second guess myself far too much and too easily end up going in loops instead of just getting stuff done, I'm also way too easily distracted. The browser is the largest attack vector for most (including me) and for some uses I would like to have multiple versions locked down according to different rules, something which Firejail should manage to do quite well. Maybe even run Firejail in a Docker container (I'd like to try) and also figure out some way that I could allow different instances to save specific data in limited ways, but I haven't learnt/done it yet and to be honest a lot of the time my mind feels like mush (and I don't want to do anything too important when I'm like that) :3
(I will share my experiences once/if I get around to it).
And no: there is no such company or organization as you wish for and I strongly doubt there ever will be because anything such is by definition insecure since it centralizes your/our weakness. Everybody is just as human as you are. Not redcode.is [codered.is] (involving Bruce Schneier who despite being who he is is just as fallible as you and me and likely wrong about quite a few things), not snowdentreaty.org [snowdentreaty.org] (I haven't even allowed that site in my browser, who thought/why did they think it was a good idea to base it on fifteen or whatever sources of scripts, it's a potential injection nightmare, not https either as far as I know, maybe I've got the wrong link?), not anything. They might turn out to be interesting places though. However in the very big picture I think SpoylentNews is much more interesting both specifically as one is in an environment where many share the outlook/situation and all but also generally in deeper ways of free discussion and debate.
Let the future prove me wrong one way or the other :)
P.S. I have considered ditching the internet and maybe also computers but the truth is it wouldn't actually make any difference except for the worse unless and only perhaps if one goes fully native in some secluded wilderness (and even then Amazon tribes that have had no contact with the outside world end up in videos on the internet).
(Score: 0) by Anonymous Coward on Monday October 05 2015, @03:51PM
You are one cool cat Yog-Yogguth, and we appear to think along very similar lines...thanks for the insights.
(Score: 2) by Yog-Yogguth on Monday October 05 2015, @05:26PM
Thanks :)
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 2) by janrinok on Monday October 05 2015, @05:49PM
(Score: 3, Interesting) by Gaaark on Tuesday October 06 2015, @01:02AM
I just installed firejail (on arch/antergos linux using yaourt).
Can any experts here tell me how to use an alias/or whatever, to make all programs I want (from the command line) use firejail:
as in typing 'firefox' will automatically enact "firejail firefox"?
Thanks for any help.
Install was easy: the hard part was figuring the command to use on arch/aur package, lol.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Informative) by linuxunlimited on Tuesday October 06 2015, @12:27PM
I've been using it for some time. The easiest way is to create a bash script with the same name as the executable and put the script in the path before the real executable. For firefox I have the script as /usr/local/bin/firefox:
$ cat /usr/local/bin/firefox
#!/bin/bash
# Run the real Firefox inside firejail, passing along any arguments (URLs, flags).
exec firejail /usr/bin/firefox "$@"
Every time you call firefox, the script will run and it will redirect you to the real firefox.
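The same wrapper approach extended to several programs at once, as an added example that is not part of the original post. It assumes firejail is on PATH and that the wrapper directory comes before the real binaries in PATH; the function names and the marker line are made up.

```shell
#!/bin/sh
# Added example (not from the thread): write firejail wrappers for several
# programs at once. Function names and the marker line are hypothetical.

MARKER='# firejail-wrapper (generated)'

# find_real_binary NAME SKIP_DIR
# Print the first executable NAME on PATH, ignoring SKIP_DIR so that a wrapper
# is never mistaken for the real program. The body runs in a subshell, so the
# IFS and noglob changes (and the exit calls) stay inside the function.
find_real_binary() (
    skip=${2%/}
    set -f
    IFS=:
    for dir in $PATH; do
        dir=${dir%/}
        [ -n "$dir" ] || continue
        [ "$dir" != "$skip" ] || continue
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# make_firejail_wrappers WRAPPER_DIR PROGRAM...
# Exit status 0 if every wrapper was written, 1 if any program was skipped.
make_firejail_wrappers() (
    wrapper_dir=${1%/}
    shift
    status=0
    for prog in "$@"; do
        target=$wrapper_dir/$prog
        if ! real=$(find_real_binary "$prog" "$wrapper_dir"); then
            echo "skip $prog: no real binary found on PATH" >&2
            status=1
            continue
        fi
        # Never overwrite a file that this script did not generate.
        if [ -e "$target" ] && ! grep -qxF -e "$MARKER" "$target"; then
            echo "skip $prog: $target exists and is not a generated wrapper" >&2
            status=1
            continue
        fi
        # The path is embedded in single quotes, so refuse one containing a quote.
        case $real in
            *\'*) echo "skip $prog: unsupported path $real" >&2
                  status=1
                  continue ;;
        esac
        {
            printf '%s\n' '#!/bin/sh' "$MARKER"
            # Absolute path: the wrapper cannot call itself. "$@": URLs and
            # flags given to the wrapper reach the sandboxed program.
            printf "exec firejail '%s' \"\$@\"\n" "$real"
        } > "$target" || { status=1; continue; }
        chmod 755 "$target"
    done
    exit "$status"
)

# Stand-alone use (as root): sh make-wrappers.sh /usr/local/bin firefox vlc
if [ "$#" -ge 2 ]; then
    make_firejail_wrappers "$@"
fi
```

Desktop launchers that name the binary by absolute path bypass wrappers found through PATH, so check how each program is actually started.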
(Score: 2) by Gaaark on Tuesday October 06 2015, @03:06PM
Thanks, linuxunlimited. Works like a charm... now I just have to set it up for other things! :)
Wow... just wanted to hit CTRL+o to save this, lol.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 1) by Illop on Monday October 05 2015, @03:13PM
Computer uses you... That is why we move to typewriter.
(Score: 2) by Beryllium Sphere (r) on Monday October 05 2015, @05:40PM
Turn on a microphone in a nearby computer, cell phone, or even landline phone and record the keystrokes. The keys don't all strike with the same force, and there will be characteristic timing delays. Not to mention fishing used ribbons out of the trash.
(Score: 2) by mendax on Tuesday October 06 2015, @05:47AM
Which is exactly what foreign intelligence agencies and industrial spies did. This would only work with single-use electric typewriter ribbons. It wouldn't work with my old manual typewriter in the garage. (Yes, it still works; yes, I still know how to use it; yes, I am a fast typist on it; no, I don't jam the keys.)
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 3, Insightful) by PizzaRollPlinkett on Monday October 05 2015, @03:58PM
Even if you had "a company/organization that I can reasonably trust" right now, what happens to that trust when they go kaput or get bought out?
(E-mail me if you want a pizza roll!)
(Score: 0) by Anonymous Coward on Monday October 05 2015, @04:07PM
What happens to a law firm? They can't just start selling records upon bankruptcy or whatever. No reason that that level of obligation cannot enter into an agreement to protect my digital assets.
(Score: 3, Insightful) by RamiK on Monday October 05 2015, @04:11PM
The Internet isn't secure. It can't be made secure since it's designed around trusting people you never met and aren't in business with.
How do I know these third parties and man-in-the-middle (like your ISP) aren't trustworthy? Because governments and corporations don't use them. They all sign their own certificates and dispense tickets to nodes using Kerberos on an air-gapped internal network.
compiling...
(Score: 2) by Beryllium Sphere (r) on Monday October 05 2015, @06:09PM
Remember Stuxnet.
(Score: 2) by toygeek on Monday October 05 2015, @04:26PM
I think some other commenters have touched on this, but really it is true. Yes, you can look at the Linux source code and audit it. But are you really going to? No. A bunch of people saying an OS is secure does not make it so. Who can forget the issues with OpenSSL and the like? Anything with a processor is either hackable or backdoored, or both. Your antivirus does a MITM attack so it can scan your SSL traffic. Do you trust your AV vendor?
It's much simpler to simply accept that being online with a computer is a known risk. Protect yourself at a deeper level if possible. Don't get all tin foil hat about it, but be smart about what you do and where. Don't want anyone knowing you browse 4chan looking for a particular fetish pr0n? Then don't. Simple as that. Don't want advertisers knowing everything about you? Don't shop online. Don't want $scaryentity reading your email? Good luck with that.
You don't get into your car and fret about getting into a wreck on your way to work (usually) but it could happen. A fender bender at least, or instant death at worst. It's a calculated risk you take every day. Calculate the same risk and either live with it or stop using it.
There is no Sig. Okay, maybe a short one. http://miscdotgeek.com
(Score: 2, Informative) by Anonymous Coward on Monday October 05 2015, @06:53PM
Sucks, doesn't it?
Why people don't refuse the business model, I can't really figure it out. You don't have to be a luddite that uses pen and paper, you simply have to reject the newest OSes of the past several years. There are plenty that are perfectly functional.
All of this came about due to pressing next to continue--with the upgrade to windows 10, with the upgrade to google whateverletter, what have you. I don't know what apple does but it seems everyone has their adherents who do not see the problems.
None of the privacy concerns will go away if we use the same behaviors we used to get into this mess. And thought the ask tool bar was bad -- entire OSes are out to get you now, and they come recommended by the experts.
(Score: 4, Informative) by q.kontinuum on Monday October 05 2015, @10:37PM
Against a targeted attack by one of the three-letter-agencies a private person is probably entirely helpless. A targeted attack by an ambitious hacker might be possible to withstand. But for Joe Average I think the grand fishing expeditions are the most realistic threat, and against those there are some helpful protections available, I guess.
General
* Use different services for different sources (maybe DNS not from your internet-provider, maybe get a list of servers and shuffle once in a while).
* Encrypt your home- and var-folder. Leave the system-partition, it usually doesn't contain anything sensitive.
* There are filter lists available to filter dangerous domains, can be used with squid
* Consider using virtual machines for different purposes
Mail
* Don't send everything (anything) via Facebook/Whatsapp/Gmail, especially if you can afford to have your own mail-server instead
* Use different mail addresses for different purposes
* If possible, use encryption
Browser
* Use browser private window, separate session for online banking; maybe even different user-accounts on your computer
* delete the ~/.macromedia folder frequently (that is, if you still want to use flash)
* Use NoScript, AdBlock, BetterPrivacy, Ghostery and Self-Destruct-Cookies
* Virus scanner: If you need one, you are doing something wrong already [xkcd.com]
* Use different search machines, preferably those who at least claim not to profile you (e.g. duckduckgo.com)
* Use Tor for sensitive topics (Not criminal, those you shouldn't do at all)
These are some ways to escape the casual fishing expedition, and maybe even some routine data-gathering by government agencies. It doesn't stand much of a chance against a targeted attack though.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 2) by darkfeline on Tuesday October 06 2015, @12:38AM
I think that for most people, simply adopting a few security habits reduces their practical vulnerability to almost zero.
Using strong passwords, using different passwords for each site (!!!), using a password manager.
Recognizing phishing emails, switching to *nix and/or signed software. Perhaps a dose of common sense for recognizing possible scams.
Join the SDF Public Access UNIX System today!
(Score: 2) by Appalbarry on Tuesday October 06 2015, @01:51AM
I know where you're coming from AFTN (wc), and suspect that you didn't really need people to tell you things that you probably learned a decade ago. I see little above that was likely to be news to you.
Thinking about it today, I can count three computers (two Windows, one Linux), two smart phones (Android and Blackberry), one "Smart" TV, and two printers in just our home. Plus a wireless router.
Each of these is a vector for problems. Half of them are unlikely to get timely updates for security problems, and some of them will never see a fix.
(Aside: In practice I assume that My Linux box is secure (for some definitions of secure), but honestly I don't know. I assume that most of the kernel, networking, and browser stuff is well examined and safe, but I have no idea about the other hundreds of bits of software, or the much used but lesser known applications that I've added - the ones that are "maintained" by one or two people, or in some cases just abandoned. Am I about to audit my source code? Hell no - I'd have no idea where to start. Can I safely assume that the people who do audit my source code are qualified to properly catch every problem? Hell no! I have no idea who they are.)
Even assuming that all of the hardware, firmware, and software is up to date, there are still lots of ways to get in trouble, not the least of which are the dozens of sometimes very legitimate looking phishing and browser hijack emails that show up every day; the accidents that can happen if you mistype a URL, and the phone calls from "Microsoft" warning that your computer is infected.
We can all sit here feeling smug and superior, but the hard reality is that most of the planet's computer users don't have this knowledge, and all of our technology isn't protecting them. In fact, some of it does the opposite.
I suspect that AFTN (wc) does just about what I do - try to make sure that critical updates happen, at least on the Windows boxes, crosses his fingers and assumes (hopes?) that his Linux boxes and other connected devices are secure; crosses his toes and hopes that neither his printer nor his TV will somehow prove to be the back door through which the bad guys will break in.
And just ignores the smartphones as a lost cause in terms of security.
He probably also has accepted that regardless of all of this, there's a pretty big likelihood that one or all of his ISP, his government spy agency, other countries' spy agencies, organized crime, eastern European gangsters, the Chinese, and random teenagers will manage to skim and read what he does; archive it all for further analysis; or break into either his local computers, or one of the hundreds of other computers that have some or all of the information about him.
And that's not considering all of the Apples and Googles and Yahoos and Ashley Madisons that are collecting data and metadata with (some form of) permission.
I expect that AFTN (wc) will agree with me that the truth of the matter is this: Anyone who thinks that they can stay ahead of the security threats that exist today is badly mistaken. There are just too many players, and too many holes, to ever shut down every threat.
Like AFTN (wc) I just can't commit the time needed to do even a quarter of the stuff recommended here. Or even an eighth. And I'm someone, like AFTN (wc), who actually cares and is somewhat knowledgeable about the topic.
I don't know the answer, but I'll hazard a guess that if we ("we" meaning people who build and design the software that we all rely on) don't figure out some kind of real and widely practical solution, the governments will step in for us and come down with something seriously draconian.