This page attempts to serve as a portal for Computer Security concerns, principles, pragmatic approaches, and dogmatic rants. Disclaimer: the bad guys are pretty clever. Even the best countermeasures ONLY buy you time.
Pragmatic Approaches to Computer Security
Evil people and organizations have the Means, Opportunity, and Motive to intercept your data and use it to further their agenda or to harm you. The Pragmatic Approaches segment focuses on practical solutions to deprive them of the Opportunity.
If you don't follow these rules then you might as well not even bother.
- Do NOT use the same passwords for critical accounts. We all trust Jack, but his web infrastructure stores the password in plain text, so if he wants to, he knows the password you're using for his site. If you're using the same login for your online banking etc, you're going to have a PROBLEM if the NSA or a hacker takes over Jack's site regardless of what else you do.
- Use a system to create and remember passwords.
- PAY ATTENTION to security errors, DON'T just click through them, and STOP if there is an error with a certificate or something like "your browser must be updated."
- For banking, credit cards, and utility payments, ALWAYS review your statements at least weekly.
Tips that require additional discipline
Since one of the basic rules is that you MUST review your statements frequently, make it easy on yourself:
- Pay cash whenever possible, period.
- Keep plenty of cash on-hand. Many gov't entities have the ability to seize/garnish accounts "legally", and many hackers have the ability to withdraw funds under certain circumstances. Keep a lot of cash locked up on-hand to buy yourself time if bad things happen.
- For credit cards, consider having 1 that is only for online, 1 that's only for restaurants, and 1 for everything else.
- For credit cards, consider strategies to make "your" payments consistent. For example, when I use my credit card at a restaurant, the check plus tip always adds up to $xx.51. If I see a charge from a restaurant that's $20.00, I KNOW it wasn't me. If I see a charge for $20.51, chances are pretty good that it was me. I do the same thing for anyplace I'm tipping - haircuts, etc.
Mega-paranoid and anal-retentive approach
This approach ONLY works if you use it EVERY time you need to access sensitive data AND follow all the common best practices.
- ONLY (ONLY, ONLY, ONLY) ever access super-sensitive stuff using a bootable CD.
- ONLY use ONE site per reboot (don't access your email, then your bank - access your email, reboot, access your bank)
You've got 3 problems: creating good passwords, remembering good passwords, and remembering which password is used for which site/resource.
Password Creation Tips
The most common recommendation is to create a passphrase and use the first letters of each word to create a password. Something like "My name is Billybob and I got my first jeep in 1960!" can be: MniBaIgmfji1960! That's already 16 characters of gobbledy-gook, but since you've got to have a unique password for each site/resource, you probably also want to think about rules to make them different. Prefixing, appending, or interspersing the resource name can help with that. For example, if tspwiki.com is the resource: TSPW.comMniBaIgmfji1960! MniBaIgmfji1960!TSPW.com and MTnSiPBWa...Icomgmfji1960! are all memorable. They CAN be considered somewhat predictable, so you may want to use prefixes/suffixes for "normal" stuff and interspersion for crazy-important stuff. Don't forget that since MOST banks do an email reset, any time a bad guy cracks your email password they can automatically get into your bank just by searching your inbox for bank stuff and then doing the "forgot password" routine.
Password Resets Involving Answering Questions
Many banks etc will only do a password reset if you reply to the email they send AND if you answer the "magic question" correctly. Unfortunately, many of the answers to "magic questions" are predictable and/or widely available via Social Media. Really, how many answers do you suppose there are to "what's your favorite color?" and how easy is it for someone to find out "what was your high school mascot?" One way to overcome this is to substitute random nonsense for answers. For example, if the question requests a noun (what's your high school mascot), use a verb associated with one of your HS activities (if you were a lineman, the answer to "what's your highschool mascot" is "blocking", if you were captain of the debate team the answer is "debating"). OBVIOUSLY you'll need to do this consistently unless you've got a brilliant memory.
Recommended Videos Explaining Key Exchange Without Math
Here are 2 excellent YouTube explanations omitting math that explain technologies fundamental to nearly all ecommerce transactions:
Using Linux Might be Better
"02/27/14 Computer Privacy/Security & open-source
Linux was regarded as the most secure alternative until several years-old security flaws were discovered, including HeartBleed (which made communications to any Linux or Mac system completely untrustworthy) and ShellShock, which made it trivial for bad guys to compromise Linux, Mac, and other Unix-based systems. Both the NSA and Chinese are suspected of having access to 'nix systems for many years via these exploits (need references). Claims are often made that Linux is "invincible", however as late as 2015 linux systems were being compromised, so it's pretty clear that although Linux currently has a better track record, it's not a silver bullet.
Passionate, dogmatic Rant About how Linux IS Better
Note from []: this section has been retained for historical context even though some of the points and recommendations are now obsolete. "Linux is the only secure solution" is a mantra that has been frequently chanted with the passion that many people reserve for their favorite sports teams. This section has been retained to provide the reader with some sense of the Dogma so that if he or she is discussing Computer Security with an "expert", they have a chance of distinguishing the RATIONAL assessment from the IRRATIONAL dogma.
Take a look at this blog posting from computer security expert Bruce Schneier: https://www.schneier.com/blog/archives/2014/02/was_the_ios_ssl.html
The Snowden documents revealed that the NSA and GCHQ actively work to create backdoors in software. Linus Torvalds (Linux kernel maintainer) refused the NSAs requests for wbackdoors. And Linux source-code is open-source. It can be checked and audited by anyone. Unfortunately, Linus Torvalds has also declined to announce any security vulnerabilities in the Linux Kernel, so Linux can be regarded as less secure and less transparent that MicroSoft or Apple. In other words, whereas MS & Apple announce (in general terms) what is vulnerable, the Linux kernel team has been known to quietly attempt fixes without any indication that a critical security vulnerability exists in underlying code.
You have only one choice if you want any hope of Internet privacy/computer security in your electronics: open-source. Your only other choice if you want privacy/security is to go without electronics usage. Windows, Mac, iPhone are all closed-source. Android has elements of open-source but has many privacy-invasive elements controlled by Google.
I used to use Windows. But as a long-time reader and follower of JJLuna, I actively switched to open-source last year to improve my privacy footprint. It's been a much better experience for me and I share this with others in case you choose to follow in my footprints.
If you want privacy on phone, tablet look at [[wp>CyanogenMod]] or possibly the upcoming [[google>Blackphone]]. For computers you want to look at Linux and/or other distros approved of by privacy stalwart Richard Stallman."