2018-08-10 Information Security Practice

Christina asked a question on her blog, Infosec and Data Privacy:

Infosec and Data Privacy

1. On a scale of 1 to 10, where do you rate your personal infosec practices? Name three practices you do to define that level.

2. If you rated yourself above 6, name two practices someone at levels 2 through 5 could do to raise her level.

3. If you rated yourself below 6, name two practices of yours that most people should do but don’t. What would you like to learn.

I guess I rate myself above average, so... 7? I am tragically aware of Illusory superiority. Specially now that I know Christina rated herself a 4. 😢

Illusory superiority

Christina rated herself a 4

Here are three things that I do which most people don’t do:

1. My laptop disk is encrypted. My backup disks are encrypted.

2. I have two sets of backup disks and one set is always at the office.

3. I deleted my Facebook account, got rid of Messenger and I’ve moved nearly all my friends and family away from WhatsApp to either Signal or Threema.

Here are two simple things you can do to raise your security level:

1. Make backups and keep one set of backups outside your home in case of fire, flooding or break in.

2. Use a password manager with a long, unique, randomly generated password for every service you use.

I think it’s important to look at your threat level. What is most likely to cause you harm in the near future? I’ve heard a lot of people complain about lost pictures and documents because they didn’t do backups. That’s why deleting Facebook is not as important as making backups. It’s also why encrypting disks is not as important as making backups in the first place.

Same with your accounts being hacked because you used simple to guess passwords, or hard to guess but popular passwords. Remember that there are enormous lists of passwords out there with all the passwords other people have used: thus crackers start with those passwords because chances are, somebody will have thought of the same password.

​#Security

Comments

(Please contact me if you want to remove your comment.)

⁂

One more - Use 2fa (not SMS based), especially where password restrictions make strong passwords painful...

– Kristopher Browne 2018-08-10 18:48 UTC

---

Yeah, that’s true. I use the Google Authenticator app for a few things but I hardly ever get asked for it so it didn’t seem like a big deal in my life. But yeah:

Authenticator app for the big service providers would be a good idea. Using it for your mail provider is specially important as mail is the universal password reset mechanism these days.

1. Google

2. Amazon

3. Facebook

4. Apple

5. Dropbox

6. Domain Name Registrar

– Alex Schroeder 2018-08-10 18:54 UTC

---

Now that I’ve seen Christina’s list, let me see whether I can find things that are easy to improve upon.

• I update all priority security and technical patches ✔
• I use Linux ✔
• I use KeePass for my passwords ✔ (I use a GPG encoded text file)
• I use EFF dice and handbook for my passphrases **F** (I just mash the keyboard...)
• I use PGP keys and command-line GPG for emails to my penpals **F** (I try to, but not many of the people I write emails to have a public key on a key server; in fact I recently used a public key I found for the former maintainer of a big software project and it turns out he had forgotten his passphrase!)
• I don’t set up Gmail or any email on my phone and I turn it off when I am travelling without a geocache purpose. **F** (I use Gmail via IMAP on the phone; my phone is always on)
• I use Firefox Focus on my phone **F** (I have it installed but anything that needs bookmarks I open in the Firefox app; and any URL I open from other apps get opened in Safari – and I don’t know how to change that)
• I actively opt-out of commercial data sharing when invited ✔
• I geocache, which literally is about sharing my positions through data so I’ll never be above a 6 until I get a refurbished Garmin 162 GPS unit ✔ (I regularly go through all the apps on my phone, limiting permissions where possible and the apps which do get access to location services only get it while I’m using them)
• I encrypt my HD when I take my PC over the border ✔ (I wonder whether that’ll help at the border, though...)
• I use a flip phone with no internet over the border **F** (I use my regular phone and connect to all the free Wi-Fi networks)
• I have a Keybase account **F** (I have one, but I don’t use it)
• I have at least one Tails USB drive **F** (I haven’t even tried it)
• I back up my system at least occasionally ✔
• I use Tor Browser on occasion **F** (I installed it but never used it)
• my GUI mail clients present messages without HTML **F** (I love to use bold and italic)
• my Gmail (18 year old account) is delivered via Thunderbird **F** (I try to use Gmail via Gnus, an email client in Emacs, or the Mail app on my phone, but when checking private mail at work I’ll use the Gmail website)
• I buy my 2600 magazines with cash! **F** (I try to buy as much as possible with cash, but I have never bought a 2600 mag.)
• I have a protonmail account **F** (Just Gmail. In fact, I gave up self-hosting my email.)
• I have five-six active do-not-track and ad-block add-ons on my Firefox browser **F** (I have uBlock Origin, Privacy Badger, HTTPS Everywhere, HTTPS by Default – somehow uMatrix got lost somewhere; I also don’t have a good control over my config settings: sometimes I’ll follow some instructions online but never systematically)
• I empty my caches and destroy the cookies regularly when using other browsers **F** (I should do this more often, definitely!)

Looking at all the points where I failed, which one would be the easiest to fix. I guess getting rid of Gmail and moving to Protonmail? Or a better browser setup, I guess?

– Alex Schroeder 2018-08-10 21:22

---

Great list!

– Ynas Midgard 2018-08-17 13:59 UTC

Ynas Midgard