Understanding Threats and Digital Privacy

David H. Clements
14 min read · Nov 11, 2016


One of the things that is often absent in conversations about digital privacy is the concept of a threat model. There’s a lot of talk that goes “here’s how you secure your system” but it doesn’t go into tradeoffs or the question of who you are securing your online presence from.

This is a guide to basics of digital security and privacy, where I’ll attempt to address some of the questions of the who and the why as well as the what.

I will not be coy here. I am writing this directly in response to the presidential election, because I am deeply concerned—about the administration itself and in the near term more so about its adherents and advocates—and taking steps to be prepared seems like a very sensible thing to be doing right now.

Personal Threat Model

One of the things that concerns me as we move forward is not the President-elect per se—he’s fairly incompetent himself and the government usually has better things to do with its time in general, though he’s sufficiently vengeful that I’d be foolish to completely discount it—but rather something akin to this ordering:

  • Supporters. Both domestic and foreign.
  • Appointees.
  • Congressional and Executive policies and the policies of the aforementioned appointees. Including management of organizations such as the NSA and FBI.
  • Passed laws.
  • SCOTUS decisions supporting those laws.

The ones higher on the list are the more imminent threats; the ones later on the list are the more destructive ones, should they start to occur.

This informs how to weight them: the further down that list, the more devastating the threat, but also the longer it will take to arrive and the less likely it is to affect you personally. As a general matter we aren’t looking at a state actor at that level taking a personal interest; we are talking about broader actors.

Things like, say, a House Un-American Activities Committee start to form a significantly more personal connection, but they take longer to implement and their activities are more arbitrary and random.

What this means: I do not think that you need to obsess about the NSA sitting outside of your door. At least not yet. Meanwhile, some random Trump supporter sitting in a coffee shop is a significantly greater personal risk for the foreseeable future, especially as reports of hate attacks tick up and after the various lessons of GamerGate.

I’m going to be focusing here on low-hanging fruit, because this is a game of tradeoffs rather than absolutes. The only secure system is one you’ve erased, melted with thermite, covered with cement, and dropped into the Challenger Deep.

The only thing that I’ve ever wanted for Christmas is an automated way to generate strong yet memorable passwords. Unfortunately, large swaths of the security community are fixated on avant garde horrors such as the fact that, during solar eclipses, pacemakers can be remotely controlled with a garage door opener and a Pringles can. (This World of Ours)

These are also meant to be the sorts of things that your average user can perform, rather than the eight levels of indirection some geeks I know employ. The reason for this is simple: It’s very easy to get caught up in the details, but if your concern is a bad actor at a state level coming for you personally, then:

  1. They are not going to be impressed that you purchased your private VPN with cash.
  2. It’s easy to miss simple, practical things you can do.
  3. A lot of things that are seemingly good ideas to enhance security in one area can make you weaker in others.
  4. It can substantially complicate your life in ways you don’t expect or make it very tempting to circumvent your own protections, rendering them useless.

I also won’t be going into the various levels of operational and information security: this is about some basic steps you can take to secure yourself.

Remember this:

Security is about tradeoffs rather than about absolutes, so the goal is to maximize the amount of security you get against threats, based on the actual level of risk that the threat poses.

Just Do It

There are some things that, independent of your threat model, you should make sure you are doing. These are simple, easy, and just involve a bit of due diligence, with very, very few downsides relative to their complexity.

These aren’t foolproof by any stretch, but they provide a “basic level of protection.”

  • Keep your software up to date. This especially goes for your operating system and your web browsers.
  • Be careful about home devices on the internet.
  • Use a virus scanner. Avast and ClamAV are both free or inexpensive.
  • Enable whole disk encryption (Windows, Mac, Android, iOS should have it by default).
  • Make sure you use at least a 6 digit PIN for your phone.
  • If you are using iOS go under Settings -> Privacy and make sure that Passcodes are enabled and that Erase Data (after 10 failed passcode attempts) is enabled.
  • Don’t share passwords or accounts with people.
  • Secure your personal wifi with WPA2 if at all possible (don’t leave it open, don’t use WEP, and do use a secure passphrase).
  • Make sure your computer locks when you start up and whenever the screen saver is engaged. Set up aggressive screen saver preferences.

The decision to use a fingerprint scanner is a personal preference. There are security risks, but there are also security risks to unlocking your phone at all in a public place—especially where there are cameras. So I prefer to use it, and rely on the fact that after a certain number of failed attempts, or on shutdown, it will require the passcode anyway.

If you use OS X you might consider some of the tools at Objective-See as well.

Protecting Against Accident

One of the things we have seen a lot of in recent years is that a site gets compromised and, even though it resets its passwords, the leaked password list is cracked, and because users reuse the same password across multiple sites, those other sites are compromised too. When the LinkedIn attack happened I had a password shared with Facebook, and so my Facebook account ended up attacked using that password.

In these cases what we are protecting against is the accident and the coincidental. A dedicated attacker who has compromised your cell phone provider and is specifically after you is not what you are defending against, it is the person in the coffee shop, or the one who gets your information from breaking into some other service that you also happen to be using.

On the other hand, a lot of things where you are trying to protect against someone who happens to be looking for whatever shows up on a public wifi system will also help protect against that same more targeted attacker, making this sort of security an excellent place to start, regardless of your full concerns.

Multi-Factor Authentication

What saved me in that case from having my Facebook account compromised was that Facebook checked with me, directly, about the login. In order to log in, it required that a token it sent to my phone be provided, and while the attacker had my password, they didn’t have the token.

This is called “multi-factor” (MFA) or “two-factor” authentication (TFA/2FA). Using this, a time-based token is either generated or sent to some other piece of hardware—usually your phone, for convenience—and you input that when you log in.

This means that even if an attacker has your password, they can’t log into your account without the token.

A lot of sites support various forms of MFA, and you can search to see if your sites are included. I generally recommend enabling MFA everywhere it is available, but especially important are:

  • Email accounts, such as gmail. Most especially if these accounts are authorized to reset your passwords elsewhere.
  • Your online banking or other financial accounts, such as Vanguard.
  • Your social media accounts, such as Facebook and Twitter.
  • Any online storage systems, especially ones where you sync your password managers, such as Dropbox.

Now, if you are having codes sent to your phone, and your phone is compromised then the MFA will not save you (for that you need a hardware token or better yet a security key), but these are not about a dedicated attacker who has your phone or who has compromised your cell service provider, these are about incidental or coincidental attacks. This is a tradeoff, but I don’t like carrying 500 hardware tokens and nation-states very rarely target you directly (they can, but it is rare) while these sorts of attacks are everywhere.

If you are concerned about government based attackers who are looking specifically at you, then you might not trust SMS backup. In which case a security key is definitely the way to go, especially for your more sensitive accounts.

Have you been pwned?

Another step to check to see if your accounts have been compromised is to register with haveibeenpwned.com. This will let you know when services are compromised, even when the company drags its feet about changing passwords, and if you do have a shared password (more on that in a minute) you will know to change it.
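A related check, added here as my own example and not something from the original post: the same site’s Pwned Passwords service lets you find out whether a specific password has appeared in a known breach without sending the password itself, using a k-anonymity range query (you send only the first five hex characters of its SHA-1 hash and match the rest locally). The code below implements the client side of that scheme against a constructed response body so it runs offline; the SHA-1 suffix for the string “password” is real, the other suffixes and all the counts are made up.

```python
import hashlib

# Constructed stand-in for the body a Pwned Passwords range query returns
# (the real endpoint is api.pwnedpasswords.com/range/<first 5 hex of SHA-1>).
# Each line is "<remaining 35 hex chars>:<times seen>". Only the first suffix
# is genuine (SHA-1 of "password"); the rest and every count are invented.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_body(suffix: str, body: str) -> int:
    """Scan a range response for our suffix; 0 means not seen in any breach."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, responses=CONSTRUCTED_RANGE_RESPONSES) -> int:
    """k-anonymity check against a table of range responses. Here the table is
    constructed data; a live client would fetch responses[prefix] over HTTPS."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_body(suffix, responses.get(prefix, ""))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw)
        verdict = f"seen {n} times in breaches, change it" if n else "not in the sample data"
        print(f"{pw!r}: {verdict}")
```

Note what the service learns: a five-character prefix shared by hundreds of hashes, never the password or its full hash, which is why this kind of check is safe to build into a password manager or a sign-up form.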

The Problem of Passwords

A lot of the old advice on passwords is not only wrong, but it is contradictory and impossible to implement. If we listen to the old advice your passwords are supposed to be:

Meanwhile, a lot of implementations limit length to 8–16 characters and/or don’t allow certain special characters (such as spaces).

I don’t know about you, but for me asking me to memorize an entirely different variation of “]A2>8D3rxD+3*hbg” for every single website I visit and to change it every 30 days is not just an exercise in futility and frustration, but it means that I’m pretty much guaranteed after inserting my password three or four times to have to reset it anyways because I can’t remember it.

So instead, I recommend two strategies.

The first is to use a password manager. No, seriously, just use one. The good ones will let you generate a different password for each site, let you customize it to the various bizarre and not-clearly-documented rules that different sites have, and will alert you when those passwords are compromised or the same. Some options:

There are others, but these provide an array of options depending on how much you want to pay and what feature set you want.

The second strategy—and the one I recommend for securing your password manager—is Diceware. Used properly, Diceware will generate strong passphrases that work with all of the major password managers and for your high-security things like ssh keys. The fact that they use dictionary words is irrelevant: each word contributes a known amount of entropy, and the result is a phrase that you can more easily memorize. I recommend using the “third roll” under the “Optional stuff you don’t really need to know,” but this depends on your memory and risk tolerance.

What you choose in here is dependent on your risk tolerance, but it is worth remembering here that while we are still discussing accidental compromises good password management will also effectively prevent increasingly targeted attackers.
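To show why the dictionary words don’t matter, here is an added example (mine, not from the original post or from the Diceware project) that implements the five-dice indexing a Diceware passphrase uses, generates a per-site password of the kind a password manager produces, and puts numbers on both with the standard entropy formula length × log2(alphabet size). The 7776-entry word list is a constructed stand-in of placeholder tokens; drop in the real list in roll order to get real phrases.

```python
import math
import secrets
import string

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per five-die roll

# Constructed stand-in for a real Diceware list: placeholder tokens in roll
# order (11111 -> w00000 ... 66666 -> w07775). Replace with the real words.
STAND_IN_WORDLIST = [f"w{i:05d}" for i in range(DICEWARE_LIST_SIZE)]

# Printable ASCII minus space: the usual alphabet for generated site passwords.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def dice_to_index(rolls) -> int:
    """Read a five-die roll such as (3, 1, 6, 2, 4) as a base-6 number with
    digits 1..6 and return the 0-based position in the word list."""
    rolls = tuple(rolls)
    if len(rolls) != 5 or any(r not in (1, 2, 3, 4, 5, 6) for r in rolls):
        raise ValueError("need exactly five dice, each showing 1-6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_five() -> tuple:
    """Simulate five fair dice with the OS CSPRNG (never random.random)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(5))


def diceware_passphrase(wordlist, n_words: int = 6) -> str:
    """n_words independent rolls, each picking one of 7776 words."""
    if len(wordlist) != DICEWARE_LIST_SIZE:
        raise ValueError("a Diceware list has exactly 7776 entries")
    return " ".join(wordlist[dice_to_index(roll_five())] for _ in range(n_words))


def site_password(length: int = 16, alphabet: str = SYMBOLS) -> str:
    """Per-site random password of the kind a password manager generates;
    trim `alphabet` to satisfy a site's odd character rules."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from
    `alphabet_size` options: length * log2(alphabet_size). This holds whether
    the attacker knows the word list or not; guessing work is 2**bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("6 Diceware words :", round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits")
    print("8 Diceware words :", round(entropy_bits(DICEWARE_LIST_SIZE, 8), 1), "bits")
    print("16 random symbols:", round(entropy_bits(len(SYMBOLS), 16), 1), "bits")
    print("8 random symbols :", round(entropy_bits(len(SYMBOLS), 8), 1), "bits")
    print("passphrase   :", diceware_passphrase(STAND_IN_WORDLIST))
    print("site password:", site_password(16))
```

Each Diceware word is worth about 12.9 bits, so six words land near 77 bits and eight near 103, comparable to the 16-character line-noise password from above (about 105 bits) and far beyond an 8-character one (about 52 bits); the difference is that you can actually remember the words.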

HTTPS, DNS, and VPN

When you are sitting there on an unsecured wireless network (such as the one I am typing this from) or you are dealing with a service provider you don’t trust, there are a variety of tools to keep your communication at least somewhat more secure.

They aren’t foolproof and there are still levels of trust, but they will help significantly against a wide spectrum of attacker types who are coincidentally on your network or who are phishing to see what they can get.

The first is HTTPS. If the website you are visiting isn’t using https, then anyone sitting on the network with the right tools (or on any of the servers between you and the target website) can intercept the traffic, read it, and even change it.

This includes passwords.

Thanks to tools such as letsencrypt the use of https is becoming easier and more widespread, so make sure that where it is available you are taking advantage of it, and be very careful what you say or do on websites without https.

One tool you can install in your browser for this purpose is HTTPS Everywhere, which ensures that where https is available you use it.

The second thing you can do is set yourself up with a trusted DNS server such as Google Public DNS or OpenDNS. When you go to a website such as “google.com,” one of the first things your browser does is ask a DNS server where “google.com” is. This server is set automatically for you unless you configure it, and a variety of attacks against your system are possible through it.

This helps protect against an attacker who just happens to be listening upstream from your computer, as well as against your internet service provider hijacking your connection, which might be useful if you for some reason have cause not to trust your ISP.

The third thing you can do is to start using a VPN. VPNs—or virtual private networks—will secure even your otherwise unsecured traffic from local sniffers and threats (n.b. not from the VPN itself). You can go to a lot of trouble getting your own VPN set up or you can pay someone else for it. The Mary Sue has a list of them, and I’ve had good luck with Avast SecureLine, which strikes a nice balance between usability and cost at the expense of some configuration or “power user” options.

Email Encryption

Here I’m not talking about using PGP or some other tool that requires everyone to be on the same platform, but just make sure that your connection to your email provider is going through a secure connection.

The goal here is to limit the number of exposure points. Email has a lot of ways that it can be compromised and it isn’t always clear once an email is sent if the various copies of it will ever be fully deleted, and so every little bit helps.

Protecting Against Casually Directed Threats

Suppose you talk a lot through Facebook Messenger and an entity gains access to those logs. Now what?

Now we have moved out of the realm of the incidental attacker and are looking at a bad actor who may have significantly higher access and who is specifically looking at you. Someone who works for Facebook or Google, for example, who has access (and may very well be accessing that data against the company’s own policies).

This isn’t meant to protect you against a nation state with your name, but it won’t hurt.

These are by their very nature more abstract than the above, because we are dealing with a more abstract form of attack and there are significant tradeoffs.

Secure Messaging/Phone/Video

Depending on your risk tolerance here, it might be worthwhile to employ an app for communication that uses secure, end-to-end encryption. Apple’s Messages, WhatsApp, Google’s Allo, and Facebook (among others) all include various forms of end-to-end encryption (with pluses and minuses), but one of the biggest and most respected players here is Open Whisper Systems’s Signal.

Signal is convenient in part because it only requires a phone number—it doesn’t have an account setup with a separate password—and it is both free and open source.

Consider Usernames/Pseudonymity

Use different usernames on different services, unless you don’t care about a bad actor tracking you between them based on your username. Sometimes this matters more than others, but basically: if you are trying to keep your real identity separate from a username, make sure that the username never gets associated with your real name.

This is far from foolproof, but provides a bit of resistance against a targeted attack.

Be careful also about information here that is a matter of public record (e.g., house purchases, marriages, etc) and understand that an attacker is very likely to be able to jump between these resources quickly and without much effort.

Also here be careful about your photos. If you have a public photo in more than one place, it can be used to link accounts.

Evaluate your Privacy Preferences

On facebook, google, etc there are a variety of privacy settings you should take a good close look at on a regular basis. These are things like “who can see my friends list” and “can people see when I am online.”

There are no single right answers here, as everything is a matter of tradeoffs, but it is worth your while to look at this periodically and make sure that it is set where you are comfortable.

Consider Blocking

There are a variety of tools to help you manage your social presence, and these can and should be used aggressively. Use block, use mute, disconnect, do whatever it is you need to do to feel safe. The GGAutoBlocker on Twitter is one of the better known blocklists out there for that service, but most services have some sort of block functionality.

It isn’t enough, it isn’t sufficient, but it can help alleviate the pressure.

Use a Remote Backup

If push comes to shove, you’ll want the ability to restore your system from a secure, remote backup. This can help especially if your computer gets compromised for any reason—for example, if it is stolen or if your phone is confiscated. I use Backblaze for this task on my computer, which also allows me to set a key for encrypting the data.

Identity Theft

In all of this, one thing to be very aware of is identity theft, i.e., someone taking your information and using it to present themselves as you. To this end:

  1. Shred your sensitive documents (while keeping important documents).
  2. Consider identity theft insurance.
  3. Consider getting a safe.

A Note On Tor

Widely suggested in this domain is Tor, a tool for ensuring online anonymity against bad actors at the level of nation states, but Tor is not without its problems. It is also widely blocked and often slow, making a lot of the internet much more difficult if not impossible to reach. So until and unless those problems are addressed or you know for absolute certain what you are doing and that it is necessary (which it sometimes is), I usually don’t recommend it.

This isn’t even getting into the weaknesses of Tor.

There are some other systems in development that address some of these problems, such as Riffle, but be careful what roads you tread down here, since it may attract more trouble than it solves.

These are advanced tools for advanced purposes, not something to use lightly or that will help if you don’t know what you are doing or why you are using it.

Systemic Threats

Now that we’ve talked about specific threats and generalized threats, the time has come to address the systemic threats which are in many cases much broader and farther reaching. These are things like laws that are passed and SCOTUS appointments.

They basically have the ability to undermine your ability to do a lot of the above, beyond even their more direct ramifications.

I have more to say on this topic for a later date, but this is the area where it requires more advocacy and high level approaches, as opposed to things-you-can-do-on-your-own-system.

In many cases here if you can’t donate there are other things you can do: speak out for them, make sure they are known about and supported, or volunteer time.

Support Organizations Who Are Fighting

There are a variety of organizations out there that are helping to provide protection and fight on these fronts. A handful of the major ones are:

These are organizations that will work on a high level in the courts to make sure that our rights are preserved and supported.

Support Organizations Who Are Supporting The Disadvantaged

A lot of people, especially disadvantaged people, are going to suffer under Trump’s policies. These organizations are going to need a lot of help in the coming years (there are many others, this is just a few):

There’s much much more to talk about under this heading, but it can wait for later.

Get Involved

Don’t get complacent. We need to work toward getting ready for 2018 and 2020. Donate what you can or just survive if that’s all you can do so that come 2018 and 2020 we are ready.

Further Reading

David H. Clements

Distributed systems and data-focused software engineer at Google, Colorado School of Mines alumnus, statistics geek. Opinions my own ⚧ http://my.pronoun.is/they