Often, you may be stuck with your particular ISP, and with one or more ip's uniquely tied to you, your identity, and your address.
A VPN can at least mitigate that, and you can swap them at will, nothing to do with your current residence.
We don't necessarily trust our VPN provider[s] more than we do our ISP.
This. I fail to see how an issue, which is essentially about trust, can be solved by trusting someone else. If you don't trust your ISP you should switch. If you don't trust your ISP and can't switch then you should be using VPN or TOR.
ISP's can do awful things to traffic. I'm not sure why you should trust your ISP and if anything trusting makes you blinkered to some of their practices.
For me the point is: why would you trust a VPN provider any more than you trust an ISP? There might be specific reasons for specific providers, but in general you're putting the same amount of trust in either way.
Some VPN providers have paid for external audits to verify their processes; they can also exist in countries with more favorable privacy laws. ISPs of course are local to you and your jurisdiction.
Maybe you are not in the United States, but for those that are, the answer is pretty simple.
It is reasonable to trust a VPN provider more than an ISP because you have a choice of VPN provider, you can vet them and choose the one that you feel provides the best safeguards to your privacy and security. Most Americans have between zero and one choices for high speed internet. Even in major metropolitan areas it is common to live in a cable monopoly, with a phone company providing sub-par "competition". You cannot vet your choice and choose the one that provides the best experience because you have no options. Even those that do have a choice may still connect to coffee shop or hotel WiFi on occasion, losing choice again.
In short, VPN providers are a) competitive and b) portable.
You're not wrong that you're putting the same amount of trust in them, but these properties mean you would not be wrong to do so.
And that is a fair point. I don't see why you would simply use an alternative DNS resolver in that case and not get a VPN or an SSH tunnel or something?
As for the DNS resolver it may be the case if you have an ISP that sends you to pages full of ads if it can't resolve a name or is slower than your local ISP. There's a good tool to test it and compare the various providers from your location: https://code.google.com/archive/p/namebench/
Because ISPs are desperately trying to be more than just "dumb pipes" that carry our traffic. To expand their revenue many of them track DNS and domains visited to sell ad data to other companies.
If your ISP is also a media conglomerate, you may have a problem. Fortunately, that's not always the case. My ISP is just an ISP. Their growth is in providing more and better internet services to more high-value clients.
I trust them a lot more than I trust some VPN provider.
And that's how 2FA is supposed to be, if you put eggs into boxes and those boxes into one basket you still technically have all your eggs in one basket, which was what 2FA tries/d to fix.
I’ve always thought that if someone gained the ability to surreptitiously capture my devices’ camera feed, I have bigger problems than just my image getting leaked or used as blackmail (because that would necessitate something blackmail-worthy). Also, they’ll get some pretty boring pictures. What else should I consider here?
I came here to write that exact comment. If I don't trust my computer to not be infected, I should not use it at all. Having someone watch me picking my nose is far less privacy-invading than someone accessing my photo library for example.
It's hard to know what kind of information could leak in advance. It gives the attacker more information on your surrounding. They could take mug shots to craft a fake profile. Or maybe see a credit card flashing by... it doesn't have to be blackmail-worthy material necessarily.
Granted, if the attacker can access the webcam then most likely your system is compromised, 1password is compromised (including the 2nd factor as advertised on the site), so you might have bigger problems already. It all depends on the intent of the attacker.
For developers looking for application security information, I can't recommend PentesterLab[1] strongly enough. It has changed how we approach security education internally and has made going through security code reviews and penetration testing audits much less stressful.
Nice list and well designed, too. I dislike the "sign up and get 3 months free" ad for 1Password. I like 1Password and I am using it myself. However, to me, this gives off a wrong vibe on a security focused website.
One thing I read somewhere and previously never thought about: if you are _really_ about security, you should use a password manager and should enable 2FA.
But: you should not use one program for both (1Password offers this), because you are creating a single point of failure.
Negotiating / psychology 101: give a reason, any reason, for why you need something done. Feel free to add a comment to the issue request about why Linux is important to you personally.
Except I didn't do anything like that. Show me where I claimed to give an exhaustive list of what motivates people to use Linux. I gave one reason why some people use Linux. That I thought might motivate the author of the project. Besides that, it's a friggin issue on github, not an essay on why people use Linux. Get over yourself.
I've paid to have CentOS installed over the "free" (included) Windows OS on business machines.
Dell also sells Ubuntu desktops and laptops that cost more than their Windows equivalents. The cost difference is presumably because the Ubuntu machines do not include the crapware bloat that comes with Windows, such as antivirus trial subscriptions.
And already on the live site. Impressive. I've already changed a few things on my Ubuntu laptop thanks to your checklist. I'm going to pass this around to friends and family.
What I like about this list, is that it's opinionated and thus terse.
Take note that some of these tips are either not considered good practice or even harmful depending on your locale.
E.g., the data protection standards in the EU are so high, that there's no need to worry about DNS or ISP snooping for advertisements/tracking. This makes using a VPN or using a different DNS less useful. I might even go so far and call it harmful, because you're introducing a party that you don't have such a strong contract with.
I think the point is more about if you're on uncontrolled wifi (i.e. internet cafes) access points or other nefarious things like mobile providers that rewrite CSP policy (vodafone.pt). These things happen and some safety via a VPN may help.
That is if every company that is in the chain follows those strict data protection laws.
It wouldn't be the first time that bad actors exploited legally protected browsing.
VPN's need to be resolved regarding the following points:
1) Currently, only financially gifted people can even afford to consider privacy at this level.
2) Is complete, non-logged privacy even a desirable outcome?
3) Who should be able to request or correlate log data (governments, the company employees)?
In its current incarnation, VPNs and security in general only changes who can be easily targeted or prosecuted, much in the same way that residents of poor neighborhoods are routinely arrested/searched for drug use where a rich person just doesn't have to worry about getting caught for the same actions. So paid VPNs contribute to an 'internet ghetto', or more accurately: disproportionate enforcement.
It's quite funny to see a security checklist "designed to improve your online privacy and security", which has on top of the page a "Share on facebook" button.
Furthermore I find it contradictory that the site uses Google Analytics while encouraging the use of DuckDuckGo.
Do we not want more people to be privacy conscious? Does every facebook user already know all this information? Did Jesus tell his disciples to recede into a private community of solitude and never interact with the unwashed masses of sinners and keep the good news to themselves?
My scepticism isn't against the act of sharing this information. The "share on facebook" button just reminds me of the actual facebook button, which, as included inside the source code, makes facebook collecting data. This is against the idea of "improved privacy" of the checklist.
Yeah, there is no "real" facebook button. Nevertheless one can find a Google Analytics Script inside the source code. IMO this is really sarcastic.
Where does disabling javascript fit into this picture? I was interested to notice that I had to create an exception for this site to enable 1st party javascript in order to be able to read their security suggestions.
Am I making my own life harder than it needs to be by having a default setting to block all javascript? I use uMatrix to quickly enable javascript for each site that requires it.
No. 3 months ago I started using NoScript and my life has gotten so much easier on the internet. I hate it less now. Usually you can get away without Javascript, and if not, it only takes a second or two to fix. The biggest risk is Javascript. You are literally blindly executing code somebody else wrote on your compute for a website you may or may not trust.
One thing I would like to figure out is how can I 'trust' JS for google on google maps (required to work), but4 not anywhere else? It seems like Noscript is per domain but not based on what page you are on.
The problem with stuff like uMatrix (not specifically, but in general) when compared to Google services is that large, bureaucratic services have oversight where more than one person is responsible. Small services based on 'trust' rather systematic checks and balances (maybe rotating staff, management oversight) get compromised when guy's (sole dev) buddy asks for 'a favor'. You have these niche, word-of-mouth trust system that are anything but trustworthy when there is really nothing to stop a small group of devs doing 'favors' for each other because their morality is more based on personal philosophy and personal networks than anything objective. This used to be known as corruption, but I think that term has lost all meaning.
>>The biggest risk is Javascript. You are literally blindly executing code somebody else wrote on your compute for a website you may or may not trust.
I understand why you used this language, but I think it's worth noting that, unlike blindly executing a program on the operating system itself (such as by running an .exe file you receive via email, torrent, download, etc.), you are executing a script inside a program that is, or should be, sandboxed. So, even though something can still go wrong, the potential impact is a lot smaller.
This is about risk assessment. Most vulnerabilities in browsers are either in JS or in media support. Pure-HTML+CSS exploits are rather rare these days. Therefore, disabling or limiting JS and media reduces risk drastically.
We are not disagreeing? What I'm saying is that not all "blind code executions" are the same. The distinction between running an exe file on the OS and running a script inside a browser does matter, for risk assessment.
I'm disagreeing on "the potential impact is a lot smaller", because we have seen time and time again that executing a script in a sandboxed environment can quickly turn into running machine code with the user's privileges instead.
Yes, that is true in a certain sense, but for example, a lot of fingerprinting can happen with information gleaned via javascript. Granted, having javascript turned off is also a way to finger print poeple.
Frankly, most web pages should not be interactive in any way. There is very little gained by using javascript on pages you aren't interacting with, and a whole lot to lose.
I compromise often with NoScript, but it changes the way you think about running code on your computer. Block first, and adjust later is a good approach for me, especially because I only visit a few of the same sites regularly. On new sites, I definitely do not want any type of javascript being run.
If someone hacks your webcam, they probably installed a keylogger as well and helped themselves to whatever files you have, etc. In other words, if that happens, you have a bigger problem.
You should of course not be using a compromised laptop. Covering the light that goes on when they activate the camera would be one of the few signals that something like that is up; that is of course assuming they did not manage to disable that.
Otherwise solid list.
I'd add a few items:
Plan for the worst and have a contingency plan for breaches. E.g. have a list of phonenumbers handy that you can call to get cards blocked, critical accounts that you need to verify the integrity off, secure backups of essential documents, etc. Also consider what can happen to you when you travel. Phones, laptops, etc. get stolen all the time. Hardware tokens are easy to lose. Bags get stolen, etc.
Keep your 2fa recovery codes in a sane place where you can access them but no-one else can. An encrypted file on a drop box folder with a sufficiently strong key might do the trick.
Be careful with paper copies of anything. Burglaries do happen and in case you are targeted, this may be the most valuable thing to steal in your building.
Require passwords to be entered whenever you access your password manager or 2fa app (e.g. authy). It only takes a few seconds to access your password manager if somebody gets their hands on your unlocked device while you visit the restroom or grab a coffee.
Have an aggressive screen lock policy (it should be locked whenever you are separated from your laptop/phone). Many devices have all sorts of convenient features that boil down to them being unlocked when they shouldn't.
I used to think this way. Its not an accurate assessment of the situation. Its not about code execution on the OS leaking access to the camera, its that Spyware browser you use grabbing the camera via its js APIs. Malversting; Video Conf Apps; Browser Bugs. Don't take a nihilistic view on the Camera cover. Its saved folks from embarrassment many times.
Total side note and blatant plug but if people are interested in open source checklists and lessons on digital and physical security (from how to send a secure email to how to detect physical surveillance) checkout Umbrella Security, a free open source app we built. It’s on Google Play and you can find out a bit more at https://www.secfirst.org. iOS and totally new version due out in Feb!
I cover my webcam because a lot of conference software starts it up by default and I'd rather know that it's black even if the camera is on. Not really "my computer is hacked" kind of threat but more casual privacy for a real and repeated scenario.
I have a question and maybe someone here can answer me.
For the "Use a privacy-first email provider".
I currently use G Suite for business emails within my personal business.
Are there any alternatives that offers something similar to G Suite but with the expected privacy of the listed provider.
I'm aware that I won't be able to get all the features of G Suite, but I primarily only use the email part (Of course with multiple users so it has to have support for that.)
I think the main question is what kind of alternatives are you looking for. Calendar service is provided by most of these companies already. Anyway I'm not sure who qualifies as privacy-first provider. E.g. Zoho has a quite good privacy policy at first glance: https://www.zoho.com/privacy.html
Is there even a difference between main Google PP and G-Suite PP? Is Office365 PP privacy first?
I like both FastMail and Protonmail. Take note of where the infrastructure is hosted for both however, if your privacy concern is one of nation-state actors.
I don't get it. The word "whitelist" doesn't appear anywhere on the page, for me. Has the content changed? Or are you sincerely suggesting that nobody should ever load a webpage from a non-trusted domain?
BItwarden does offer the ability to use on-premise hosting [1] rather than using their infrastructure to store/sync your data. Admittedly, I personally use their infrastructure so I can’t speak to the experience (config/maintenance/etc.) of their self-hosted offering.
There is an iOS app available for password store. I’ve been using [1] which has sufficed for my needs. Set up password protected PGP and RSA keys and it hasn’t had an issue yet.
2FA in 1Password is premised on (1) 1Password use (with 2FA) being more secure in general than using 2FA and not a password manager, and (2) your 2FA key is more secure within the 1Password vault than it would be in Google Authenticator or similar. I think these premises are mostly correct, especially because 1Password enables use of practically uncrackable unique passwords for each service, and because getting into the vault requires 2 auth factors.
If there's any risk of an attacker breaching your 1Password vault, I don't know if it's even worth talking about whether you have 2FA enabled for accounts -- at that point it's very likely they also have access to whatever you'd have used for 2FA also.
(One exception might be if a AgileBits insider were to install malicious code into the 1Password client. In that case, those who use 2FA outside 1Password would be significantly less vulnerable.)
Create a new login entry, then create a new field under the Section header. By default, it's a text field, but you can change it to a 2FA code. Then it will prompt you to scan a QR code.
Creator here - thanks for bringing this up. I was concerned about the message here as well. I'm not getting paid for that ad. I had a couple companies offer sponsorship of this list, but I decided to not pursue. In the end, 1Password simply offered this discount to visitors. For me this felt like the best thing I could do from a user experience point of view (switching to a password manager is hard for most people, and giving the extra nudge to do something really important for their online security might just do the trick) and from an ethical point of view (I'm not getting paid, and will continue adding competing password managers to the list).
I’ve been working on something similar[0] aimed at your average technology user. To that aim, it’s very opinionated, which I also like about this list.
I thought about buying privacycheckli.st at the same time and pointing it here, but ended up deciding that "security" feels like a broader umbrella and might reasonable capture privacy concerns of an average person.
People always go on about covering up your camera, but what should I do about my hardwired microphone? I'm vastly more likely to say sensitive data out loud than I am to mime it out or write it down and hold it up on a sign.
But the point of the “cover up your camera” intervention is that it’s “out of band” from your system software. Even if there’s a root/administrator-level compromise, light just won’t get past the piece of paper/cardboard onto the sensor. I don’t believe there’s an analagous intervention for the microphone.
Since I realized that I never actually use my laptop's built-in camera or microphone, I disabled them both at a bios level and made sure that the necessary drivers are not installed. If I need to get on a video or voice call with my laptop (once in a blue moon), I have a USB webcam and microphone that work just fine.
Recently I was sent a blackmail email that contained a password that I used to use in the past and the sender was claiming that they had also gained to my laptop's camera and had recordings of me watching porn or other "embarrassing" stuff. They threatened to send these recordings to my contacts on email and/or facebook etc, unless I paid them $1082 in bitcoins (apparently they read that if you ask for a non-round number you have more chances of getting it :P).
Covering your camera is supposed to protect you from this kind of things, especially for younger ages or for people less technologically inclined.
I knew all of that too, but it didn't prevent a very unpleasant visceral response in the pit of my stomach when I saw that email come in with the old compromised password on the subject line. The content of the email made me laugh, though.
151 comments
[ 3.7 ms ] story [ 237 ms ] threadIt is reasonable to trust a VPN provider more than an ISP because you have a choice of VPN provider, you can vet them and choose the one that you feel provides the best safeguards to your privacy and security. Most Americans have between zero and one choices for high speed internet. Even in major metropolitan areas it is common to live in a cable monopoly, with a phone company providing sub-par "competition". You cannot vet your choice and choose the one that provides the best experience because you have no options. Even those that do have a choice may still connect to coffee shop or hotel WiFi on occasion, losing choice again.
In short, VPN providers are a) competitive and b) portable.
You're not wrong that you're putting the same amount of trust in them, but these properties mean you would not be wrong to do so.
I trust them a lot more than I trust some VPN provider.
Bitwarden or KeePass for password management
FreeOTP for 2FA
cut off headphone jack plugged in in your laptops mic port complementary to the webcam covering
Granted, if the attacker can access the webcam then most likely your system is compromised, 1password is compromised (including the 2nd factor as advertised on the site), so you might have bigger problems already. It all depends on the intent of the attacker.
[1] https://www.pentesterlab.com/
I work in embedded systems, mostly C code, and I find this area is often missing from general "security guidelines" type of resources.
One thing I read somewhere and previously never thought about: if you are _really_ about security, you should use a password manager and should enable 2FA.
But: you should not use one program for both (1Password offers this), because you are creating a single point of failure.
https://github.com/brianlovin/security-checklist/issues/40
often used by people in preference to other operating systems due to a variety of reasons
Linux being available free of cost is certainly one of the least relevant features for me.
Dell also sells Ubuntu desktops and laptops that cost more than their Windows equivalents. The cost difference is presumably because the Ubuntu machines do not include the crapware bloat that comes with Windows, such as antivirus trial subscriptions.
Edit: https://github.com/brianlovin/security-checklist/pull/46
Take note that some of these tips are either not considered good practice or even harmful depending on your locale.
E.g., the data protection standards in the EU are so high, that there's no need to worry about DNS or ISP snooping for advertisements/tracking. This makes using a VPN or using a different DNS less useful. I might even go so far and call it harmful, because you're introducing a party that you don't have such a strong contract with.
...or even impossible in some cases.
* 1.1.1.1 is blocked in Turkey.
* Most VPN providers are blocked in Turkey.
My personal opinions:
* I don't like the promotion of Brave over Firefox. Change my mind if you can.
* Stressing the importance of HTTPS (extensions like HTTPS Everywhere) should really be included in this list.
Furthermore I find it contradictory that the site uses Google Analytics while encouraging the use of DuckDuckGo.
Yeah, there is no "real" facebook button. Nevertheless one can find a Google Analytics Script inside the source code. IMO this is really sarcastic.
Am I making my own life harder than it needs to be by having a default setting to block all javascript? I use uMatrix to quickly enable javascript for each site that requires it.
One thing I would like to figure out is how can I 'trust' JS for google on google maps (required to work), but4 not anywhere else? It seems like Noscript is per domain but not based on what page you are on.
I understand why you used this language, but I think it's worth noting that, unlike blindly executing a program on the operating system itself (such as by running an .exe file you receive via email, torrent, download, etc.), you are executing a script inside a program that is, or should be, sandboxed. So, even though something can still go wrong, the potential impact is a lot smaller.
Frankly, most web pages should not be interactive in any way. There is very little gained by using javascript on pages you aren't interacting with, and a whole lot to lose.
I compromise often with NoScript, but it changes the way you think about running code on your computer. Block first, and adjust later is a good approach for me, especially because I only visit a few of the same sites regularly. On new sites, I definitely do not want any type of javascript being run.
You should of course not be using a compromised laptop. Covering the light that goes on when they activate the camera would be one of the few signals that something like that is up; that is of course assuming they did not manage to disable that.
Otherwise solid list.
I'd add a few items:
Plan for the worst and have a contingency plan for breaches. E.g. have a list of phonenumbers handy that you can call to get cards blocked, critical accounts that you need to verify the integrity off, secure backups of essential documents, etc. Also consider what can happen to you when you travel. Phones, laptops, etc. get stolen all the time. Hardware tokens are easy to lose. Bags get stolen, etc.
Keep your 2fa recovery codes in a sane place where you can access them but no-one else can. An encrypted file on a drop box folder with a sufficiently strong key might do the trick.
Be careful with paper copies of anything. Burglaries do happen and in case you are targeted, this may be the most valuable thing to steal in your building.
Require passwords to be entered whenever you access your password manager or 2fa app (e.g. authy). It only takes a few seconds to access your password manager if somebody gets their hands on your unlocked device while you visit the restroom or grab a coffee.
Have an aggressive screen lock policy (it should be locked whenever you are separated from your laptop/phone). Many devices have all sorts of convenient features that boil down to them being unlocked when they shouldn't.
Total side note and blatant plug but if people are interested in open source checklists and lessons on digital and physical security (from how to send a secure email to how to detect physical surveillance) checkout Umbrella Security, a free open source app we built. It’s on Google Play and you can find out a bit more at https://www.secfirst.org. iOS and totally new version due out in Feb!
not to mention they're probably recording everything you say, which is probably more valuable than pictures of your face.
For the "Use a privacy-first email provider".
I currently use G Suite for business emails within my personal business.
Are there any alternatives that offers something similar to G Suite but with the expected privacy of the listed provider.
I'm aware that I won't be able to get all the features of G Suite, but I primarily only use the email part (Of course with multiple users so it has to have support for that.)
* Signal >> Blog >> Setback in the outback || https://signal.org/blog/setback-in-the-outback/
* Advocating for privacy in Australia || https://fastmail.blog/2018/12/21/advocating-for-privacy-aabi...
* Honest Government Ad | Ass Access (anti-encryption law) | The Juice Media || https://thejuicemedia.com/honest-government-ad-ass-access-an...
Is there even a difference between main Google PP and G-Suite PP? Is Office365 PP privacy first?
iCloud email.
https://softwareengineering.stackexchange.com/q/46716
https://martinfowler.com/articles/web-security-basics.html
Sorry, securitycheckli.st I can't see your content because you fail this basic test.
I think they're suggesting we should default to no JS anywhere by default, other than sites one whitelists JS usage on.
IOW what NoScript (and maybe uMatrix?) does.
Perhaps the authors felt, storing passwords in their own infrastructure is beyond many users (or) unavailability of iOS app is a downer.
[1]: https://play.google.com/store/apps/details?id=com.zeapo.pwds...
1: https://help.bitwarden.com/article/install-on-premise/
1: Pass - Password Store by Mingshen Sun https://itunes.apple.com/us/app/pass-password-store/id120582...
Also the answer to your question is the first result when googling "1password 2fa".
If there's any risk of an attacker breaching your 1Password vault, I don't know if it's even worth talking about whether you have 2FA enabled for accounts -- at that point it's very likely they also have access to whatever you'd have used for 2FA also.
(One exception might be if a AgileBits insider were to install malicious code into the 1Password client. In that case, those who use 2FA outside 1Password would be significantly less vulnerable.)
Create a new login entry, then create a new field under the Section header. By default, it's a text field, but you can change it to a 2FA code. Then it will prompt you to scan a QR code.
I'm not affiliated - not even using their product.
[0] http://www.pepperparadox.com/privacyguide/privacyguide.html
Covering your camera is supposed to protect you from this kind of things, especially for younger ages or for people less technologically inclined.
Note that they may have gotten the password from a hacked website--not from your webcam/microphone.
Check out https://haveibeenpwned.com/
[0]https://www.obdev.at/products/microsnitch/index.html