How to protect yourself online, no matter your security needs

Almost every week, it seems that there is some kind of major security breach. Whether it is celebrity nudes, the Social Security numbers of the majority of Americans, or a Bitcoin heist, it seems that our private data is under constant attack.

The Internet and your co-workers are full of advice: put a sticker over your webcam, disable Flash/Java in your browser, encrypt your drives, delete your Facebook account, cover your hand while using the ATM, get a burner phone, pay for everything with cash, start wearing a tinfoil hat to protect against the NSA’s spy rays, etc.

The reality is that as more and more of our lives become digital, information security becomes increasingly important. Many bad things can happen when your privacy is breached: from finding out that you have a boat loan that you didn’t know about, to having your naked photos all over the web, to being thrown in jail because the government doesn’t approve of what you have to say. It’s important to take appropriate measures to protect yourself, but what is appropriate for you really depends on the kind of secrets you have to keep and the kinds of threats you need to protect against.

Let’s consider three people who care about their privacy, and steps they should take to keep their stuff private:

Lisa Monroe

Lisa Monroe lives in Madison, Wisconsin. She is a college student with a part-time job. She just got her first credit card, and just started going steady with a boyfriend.

Lisa doesn’t have many secrets to keep, but she is worried about fraud to her credit and debit cards and the naughty pics she trades with her boyfriend Brad.

To keep her finances secure, Lisa signed up with the free app WalletHub to keep track of her credit score and uses Clarity Money to monitor her spending and make sure there are no unauthorized charges.

To keep her private photos private, Lisa only sends them using Snapchat, which prevents photos from being saved and notifies her if someone takes a screenshot. She also has enabled a passcode on her iPhone, which she knows is automatically encrypted, so that thieves can’t access her information if it’s lost.

Lisa also uses a password manager, LastPass, which generates a random, unique password for every account she keeps, so that when the buggy website her college uses is hacked, the stolen passwords can’t be used to log in to her bank account.

Andrew Stephens

Andrew Stephens lives in a penthouse facing Central Park in a Manhattan high rise. Andrew was a construction worker when he purchased 1,000 Bitcoins on a whim in 2012. They are now worth $7.2 million, allowing Andrew to massively upgrade his lifestyle. Andrew is obviously worried about the security of his Bitcoin stash, but he’s also concerned about unauthorized transactions on his American Express Platinum card from that club where he gets bottle service. He likes to go diving in Cabo San Lucas and doesn’t want his wealth to leak out, lest he be held for ransom.

Like Lisa, Andrew uses WalletHub, LastPass, and has a security code on his iPhone.

To keep his Bitcoin stash secure, Andrew stashes it on a Trezor. He encrypts all MacBook and Time Machine files using FileVault. He uses multi-factor authentication with LastPass Authenticator to sign in to his email and bank accounts. To monitor his financial status, he uses Personal Capital, where he tracks spending on all his accounts. He uses a YubiKey physical security token to log into his MacBook and lock it when he steps away, so that criminals cannot install a keylogger on it when he leaves it at home or in a hotel room.

Andrew is investing in a Hong Kong startup making an ASIC cryptocurrency miner. When he goes to China, he uses a phone and a cheap laptop that he keeps just for travel, to protect against both Chinese industrial espionage and the TSA. He wipes the phone and laptop clean just before boarding his flight back to the USA.

Andrew’s home is protected by a home security system with remote cameras he can access anytime.

Zhao Gong

Zhao Gong Li lives in Beijing, China. She works as a lawyer who represents people defending themselves against government-backed property development companies that try to take their family plots without proper compensation. She is worried about the local police ransacking her home to find or plant incriminating evidence, as well as spying on her Internet activity to monitor her communications with her clients. Zhao is helping a European NGO produce a documentary about illegal land seizures in China and does not want the government to find out about her involvement. She also needs to access the Internet outside China’s firewall for her research.

Zhao’s router is an RT-AC86U running the Asuswrt-Merlin custom firmware. Whenever she wants to go online, she first connects her router to a private VPN service that she pays for with Bitcoin. Zhao keeps all her data on an external hard drive that she encrypts with VeraCrypt. Once a month she makes a copy of the drive at her friend’s apartment in case the original is confiscated, and she keeps the original in her purse at all times. Zhao has a Windows laptop, but the operating system on it is just a decoy used for personal entertainment. She has a tiny encrypted Ubuntu Linux USB flash drive in her makeup case that is her work operating system.

Zhao’s web browser has the extensions HTTPS Everywhere, AdBlock, and ScriptSafe to protect against malicious websites hijacking her computer. She covers up her webcam and the microphone port on her computer. When she visits her clients, she turns off her smartphone and uses a burner phone with an anonymous SIM card that she replaces monthly from a street vendor. Like Andrew and Edward Snowden, Zhao uses Signal for messaging.

As you can see, your security needs depend on the threats you need to protect against. Find a balance between security and convenience that is appropriate for your life. Trying to implement too many security measures will create a lot of extra work and frustration and tempt you (or your kids or employees) to bypass the protections entirely. Nevertheless, there are some common steps that apply to everyone. Use a device that is encrypted by default (such as the iPhone) with a long passcode. Use a password manager to avoid reusing passwords. Don’t share confidential information (or photos) with people you don’t trust. Monitor your financial status. A few simple steps will protect you from becoming yet another victim of the most common online security threats.

Originally published on FEE.org

Three lies the government is telling us about why it wants to backdoor our security

First, the US government works against the security of businesses. Just this week, I had to tell Apple that my iPhone app did not have certain kinds of encryption that the U.S. government has export controls on. Encryption export controls cripple the security and innovation of software products made by American businesses.

Furthermore, the U.S. government hoards software exploits so it can hack into your computer, rather than publishing them so that companies can patch their products. The NSA intentionally sneaks weaknesses into protocols and bribes businesses to add holes to security products so it can steal the data of their customers.

When businesses want to improve the security of their products, they offer rewards for exploits – Microsoft pays up to $250,000 per exploit, Facebook has paid $40,000, and so on. The NSA purchases millions of dollars of exploits from hackers and uses them to spy on the entire world, including U.S. citizens. Unfortunately, the NSA is incompetent at keeping secrets, so it lost its exploit database and caused millions of computers to be infected and hijacked with the exploits it hoarded.

The hardware and software pieces of both the Internet and individual users’ computers are made by private companies. There is nothing the U.S. government can do to improve “cybersecurity” other than prosecuting criminal behavior. However, the U.S. government prosecutes a minuscule proportion of cybercrime. Whether it is unable or unwilling to punish criminals, the reality is that the only “cybersecurity” the government cares about is its ability to conduct surveillance and attacks on foreign and domestic political targets.

Second, the idea that “strong security” is compatible with a government backdoor is a lie. Any security expert can tell you that a backdoor leaves your product vulnerable, even if you trust the government agency with the key. Previous backdoors advocated by the US government have been blown wide open by security experts. There is near-universal agreement among security experts that government backdoors and security are not compatible – a reality that the DOJ continues to ignore.

Third, it is not true that the government wants to weaken Americans’ security to protect against crime or terrorism. Its real motivation has always been power and money: it wants to monitor the flow of information in order to prevent people from hiding their wealth, and to use its secret keys and vulnerability stash to intimidate and blackmail other countries into compliance with U.S. policies. This is why the U.S. intelligence budget of over $75 billion did not prevent most Americans’ personal details from being leaked, while U.S. citizens who do not report foreign bank accounts (under FATCA) can be fined $250,000 or jailed for 5 years even if they have never set foot in the USA.