Basic Security, Step 0
For some reason (🤔), a large portion of my friends are suddenly interested in basic security, such as encryption. This has forced me to reevaluate my own web security hygiene, because I love teaching and want to give my friends the best possible advice.
I will be the first to admit, the sum total of what I know is not even step 1, hence the title. However, I don’t know anyone who isn’t a sysadmin who even follows these basic tips and principles, so here they are. I hope you find them useful.
You want to make it harder for someone (referred to as an “attacker”) to monitor your conversations online. I avoid the word “prevent” intentionally: a sufficiently sophisticated attacker can gain access to your system, period. All you can do is make it difficult.
If you don’t want people to know something, don’t post it on social media. Goes without saying, right? Just in case, though… Just because you “have to have Facebook for work” doesn’t mean you need to share anything that would flag you to an attacker.
The Easy Ones
- Use WhatsApp for messaging. I mean, use whatever messaging app you want, but if it isn’t using the Signal protocol, assume an attacker can read it. There is a reason WhatsApp is blocked by the most authoritarian regimes: no one knows what you’re saying but you and the recipient of your messages. The guy who wrote it is a legend made real.
- Change your default search engine to DuckDuckGo. We all know Google tracks you. If your attacker can compel Google to share data, then you want to limit what Google knows about you.
- Stop using Facebook.
- Use HTTPS Everywhere. Add it to Opera, or to Firefox if you bought access to a VPN. You are using a VPN, right?
- Don’t use Windows. Just don’t.
- Encrypt your hard drives. It’s easy on almost every device, but especially Apple products (the iPhone is encrypted by default, I don’t even know if you can turn it off). If you have a Mac, encrypting your hard drive is easy. It is not too hard on some versions of Linux, which sadly you are using if you are serious about this shit.
- Don’t use your thumbprint to unlock your iPhone. For weird constitutional reasons, the state can compel you to put your thumb on your phone, but not to give up the password. Also turn on the feature where your hard drive gets erased after >10 bad password attempts. This only works on iPhone models 5S or greater.
A Bit More Work
Computers don’t speak English, and they don’t know what www.medium.com means.
They have to ask another computer to translate that “domain name” into something more computer-y for them (an IP address, such as 18.104.22.168, which is one of Medium’s IP addresses). The computers that translate domain names into IP addresses are called “Domain Name Servers” or DNS.
Currently, the company that provides you internet (your “Internet Service Provider”, ISP) also provides your DNS. That company is probably Charter or Time Warner. Do you trust them if an attacker demands their records? (Hint: don’t trust them to do anything other than fuck you). That’s right. Every domain you’ve ever typed into a bar, they know about. So…
- Change your DNS. You can pick other computers to be your DNS. Computers owned by less-sketchy people. The two options I know off-hand are OpenDNS and Google’s DNS. Instructions in links.
- Find out if you really changed your DNS. Check https://www.dnsleaktest.com/ . Some ISPs intercept requests to other DNSs and reroute them, basically thwarting this. So far, Charter is not doing that, but it is worth finding out if yours is. Instructions on how to get around this.
- Use a better VPN. If you aren’t into the whole “the Chinese company that owns Opera can still track you” thing, then suck it up, bite the bullet (point) and get NordVPN or PrivateTunnel. It costs money. It delivers value in exchange for that money. I know that concept is foreign to some of us, but if you are suddenly aware of security, you might want to contemplate the saying “If you aren’t paying, you’re the product.”
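For the “Change your DNS” and “Find out if you really changed your DNS” steps above, here is an added example (not part of the original post) that reads a Unix-style `/etc/resolv.conf` and says who each configured resolver belongs to. The sample file contents are constructed, the function names are made up for this sketch, and the known-resolver list holds the published addresses of Google Public DNS and OpenDNS.

```python
import ipaddress

# Public resolver addresses of the two providers the post names.
KNOWN_RESOLVERS = {
    "8.8.8.8": "Google Public DNS", "8.8.4.4": "Google Public DNS",
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
}

# Constructed sample in /etc/resolv.conf format (not from a real machine).
SAMPLE_RESOLV_CONF = """\
# written by the network manager
nameserver 192.168.1.1
nameserver 8.8.8.8
search home.lan
"""

def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify(address):
    """Say who a configured resolver address most likely belongs to."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable"
    if str(ip) in KNOWN_RESOLVERS:
        return KNOWN_RESOLVERS[str(ip)]
    if ip.is_loopback:
        return "local stub (real upstream is configured elsewhere)"
    if ip.is_private or ip.is_link_local:
        return "router or LAN resolver (usually hands queries to the ISP)"
    return "other public resolver (possibly the ISP)"

def dns_really_changed(text):
    """True only if every configured resolver is one of the known providers."""
    servers = parse_nameservers(text)
    return bool(servers) and all(s in KNOWN_RESOLVERS for s in servers)

if __name__ == "__main__":
    for server in parse_nameservers(SAMPLE_RESOLV_CONF):
        print(f"{server:16} {classify(server)}")
    print("changed:", dns_really_changed(SAMPLE_RESOLV_CONF))
```

On the sample, the first resolver is still the home router, so the check reports the change as incomplete. This only inspects local configuration; whether the ISP reroutes the queries in transit is what the leak test is for.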
The Deep End
Here’s the thing… there’s no end to this. If you want to take this further, here are some ideas.
- Get a burner phone. Depending on where you live, it is hopefully still legal for you to buy a SIM card from someone, put it in a phone, and top that off with some pre-paid credits. Tada! A phone that no one knows you have. Don’t do something stupid like turn it on (or use it) where you live. (Side note: the app called Burner works if you want to hide your number from someone, like a stranger at the bar, but it doesn’t provide any protection against a sophisticated attacker).
- Use TOR. TOR stands for The Onion Router. The way it works is very clever, and it involves peeling back layers: hence the name. However, TOR has been around long enough that it is now monitored by attackers at the state level. So you have to be incredibly careful if you want to get the benefits of TOR. To continue the onion analogy, sophisticated attackers monitor computers known to be the last layer of the onion, so if you do something stupid like log in to a service, you blew it. They monitor when people enter the onion as well (this analogy is falling apart), so to get the full benefits, you have to use public wifi, and only use access points once. Hope you live in a big, dense city!
- Hide from facial recognition software. Get a creepy mask of someone else’s face for $300! If that’s too crazy, how ‘bout $30 for a paper version?
- Use Tails or a similar OS. Tails is an operating system that can be booted from a USB drive, and forces all internet traffic through TOR. This is Bourne Identity shit.
- Move to an island. Because fuck it.