SoylentNews is people
SoylentNews
I'm just informed enough about IT security to know that I really know very very little about it. That said, I probably know ten times as much as do 99% of people. I'm an expert in my field, and while I've been a jack of all trades on many fronts, today's threats to privacy and IT security require expert knowledge to combat.
I do not have time.
- For example, I hear that Microsoft added updates to Win7/8 that threaten my family's privacy...yet I have not yet gone and removed the offending updates. I moved myself to Ubuntu/xfce, but my son is still using Win8. I'll get to it eventually.
- For example, java script is a security risk, and I have No-Script, turn off 3rd party cookies, etc, but invariably I have to turn it off for some website (i.e. to pay my bill), and eventually, I stop turning it back to full security.
- I installed Cyanogenmod and Fdroid on my phone. And for the most part its great..and I have very few apps with permissive permissions settings....but my wife is still using an iphone and ipad, with all sorts of apps...with ridiculous permission leaks..and that is a struggle.
The long winded point I have is that it is now just too damn much work to do it all right. I'm tired after a 10 hour workday. I've obviously taken more steps than most, but it is still leaky as hell...
I need a company/organization that I can reasonably trust to manage my information security/property, to manage my computers, manage my vpns, e.g., to isolate my web browser windows over multiple vpns, ... all of it, and it can't be GOOGLE. My data is my property, as long as I can hold it, so it needs to be a company/organization that built in privacy obligations (like lawyers and doctors supposedly do).
-Signed: A Frustrated Tired Old Nerd (with children)
[Ed's Comment: Does such a company exist? Is it even possible to provide such a service? Or have we just identified a niche in the market for some enterprising person to fill?]
(Score: 5, Insightful) by VortexCortex on Monday October 05 2015, @01:21PM
First off: You're deluding yourself if you think today's consumer cell phones can be secure. For instance, on Android there is a secondary tiny OS that operates the cellular radio. The large OS with user interface and USB, Bluetooth, display, touch input, keyboard (if present), etc. is updated, and you can replace it via firmware update, but you can't get into the other OS. Exploits delivered via cellular radio in that smaller OS can read / write your entire phone memory and exfiltrate all of your data. I know of several such exploits for the majority of popular models. Firmware updates alone will not grant security from a hacker who uses exploits that work against the baseband radio OS. If they've got a Software Defined Radio and a laptop, you're 9001% PWNed whether your userland firmware has zero vulnerabilities or not.
Treat your cell phone as if it were a pay phone at a bar. Everyone can overhear the wireless data you shout (e.g. GSM encryption is horribly broken), and all your bases are belong to the phone provider. Don't use them for banking and don't say or do anything on a cell phone you wouldn't want the world to know about. For years many carriers have recorded every touch swipe and program execution and phone this data home to "improve your experience". The new privacy invasive MS Windows is just embracing and extending this to the desktop [which shall be extinguished soon?].
Secondly: Use a Virtual Machine. Many (most) chipsets nowadays support virtualization in hardware so you don't take a performance hit for having a hypervisory VM. Letting MS Windows run on bare metal? Not even once.
Third: Get or build a security gateway to filter your Internet traffic and provide intrusion detection capabilities. Some companies, like Astaro, offer a free software gateway with free updates for home users (and charge you for business use or more features). Some of these security appliances double as VPNs. Any old geek should have a few old PCs; Slap 2 NICs into one and there's your network security appliance. I'm not sure if there are any security gateway providers that block the intrusive MS Windows updates, but if you're just now worried about them rather than the whole OS then you're ignorant:
MS has root and they've been spying on you for years (one example: sending a list of all installed programs to windows update servers whether MS can update them or not). MS is just being more open about it and collecting a bit more data than they used to. If you're worried about the new privacy invasions, get off of MS Windows. As for your children: Buy them systems without an MS OS pre-installed. Hell, they're kids. Burn them a LiveCD and tell them to install it. They'll likely succeed if they're 10+ years old. Expose them to maintenance now, or you'll be doing it until the day they have no more security.
Lastly, but not finally: Install custom firmware on your routers and keep the firmware up to date (or just build a badass BSD or GNU/Linux router out of another old PC and a few more NICs and enable automatic updates). Do these things and you'll be fairly secure. When it comes to security there is always room for improvement. Absolute security doesn't exist in the consumer world. People have been unwilling to pay the price of security for so long that it has gone extinct commercially, out competed by products offering new and shiny features (read: untested and insecure software).
There is initial time investment time to set up a more secure system. You, like most people, have been unwilling to pay the price of security for a long time (and this will likely be the case for the foreseeable future). Maintenance is the cost of using today's technology responsibly. I used to do Computer Security Consulting, and when I was younger I even made house calls. Paying a security nerd to maintain your crap once a month might be what you need to do (finding a trustworthy and knowledgeable hacker is a different story; If they don't mention things in this post, they're probably not competent at security). If you want security you will have to demand it from the market before the supply can be created. Today's markets have failed to demand security, and you have gotten what you paid for.
There is a silver lining: As long as everything remains so damned insecure, the Geek shall inherit the Earth.
(Score: 2, Informative) by Anonymous Coward on Monday October 05 2015, @01:43PM
There's a tiny/secondary OS on everything. It's called the Bios. Even that can be hacked and you'd never know.
(Score: 0) by Anonymous Coward on Monday October 05 2015, @11:48PM
Secondly: Use a Virtual Machine. Many (most) chipsets nowadays support virtualization in hardware so you don't take a performance hit for having a hypervisory VM. Letting MS Windows run on bare metal? Not even once.
Not this again. How does virtualization make Windows more secure, exactly? Please be specific.
(Score: 2, Informative) by cpghost on Tuesday October 06 2015, @12:49PM
With a VM, you can, for instance, disable some peripherals, like, say, mic and camera..., and much more than that. You get the idea.
Cordula's Web. http://www.cordula.ws/
(Score: 3, Informative) by WillR on Tuesday October 06 2015, @05:27PM