Ask HN: Do you manage your family's digital safety?
Most of my family members (nuclear and extended) have little interest in spending time to manage their digital selves. Amongst other things making sure they have control of their passwords and accounts in a safe matter.
I've lately decided to set up a 1Password Family Account to help at least my nuclear family into taking net security more serious.
- What steps did you take to make it simple enough for your family to care?
- Did you retain any restorative powers? As in keeping master passwords to certain things and/or emergency accesses like in LastPass?
- Which subjects spurred the most discussions and how did you solve it?
- Which items do you share amongst all family members?
Edit: Formatting
131 comments
[ 2.9 ms ] story [ 179 ms ] threadI did the same thing as in the office - embarrassed or annoyed them (in a small way) by using their lack of security. I changed desktop backgrounds, "stole" £20, sent emails with promises like "I'll wash your car" to people. I'd follow this up with a lecture on "if I can do this, imagine what some dodgy foreign hacker could do".
Constructively, I pay for the whole family's 1Password and Fastmail accounts. I am the admin. I'm patient and understanding when they do something wrong. And I limit the number of people I help to those I can really help.
We have a WhatsApp group where they can ask whether something is dodgy. They don't use it for chitchat, so anything that comes through, I treat urgently.
I really like that idea.
I'm a big believer in Signal (I have a monthly contribution set up) but Whatsapp is far more common for most people to use.
I have convinced my older parents and siblings to all use Signal though, so I consider that a win.
You got bigger problems after Password Managers.
Just polished up the transparent Squid/SquidProxy/custom-ICAP-servers-to-block-DNS-over-HTTPS/Default-Deny-firewall for my home.
It seems to me that we are losing the war on Zero-Trust home-based content filtering (with the onslaught of Webroot port 7777, and DNS-over-HTTPS, and even AVG 443 for DNS.
You all hear me? I am (and probably we are) losing control of the HomeLAN/home-net via the onslaughts via circumventions of Zero Trust Model.
And this new DNS RTYPE SVCB and HTTPS by Akamai CDN, Apple iPhone/iPad, Cloudflare, and BigIP/F5 is making this gateway (and me) losing it all.
https://filters.pluckeye.net
https://adamnet.works
https://docs.diladele.com/tutorials/transparently_filtering_...
https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https...
They get firefox browser with adblocker preinstalled. I manage their important passwords (eg fastmail) and trained them to rely on firefox sync for the recoverable accounts.
I use MeshCentral for remote administration (amt)… its amazing for the price (free).
OPNsense firewall in all the homes. Unknown devices are isolated and egress over wireguard VPN.
It was built by a german chemicals company and the reinforced concrete blocks signals.
When I moved out I told the landlord that he should use it as a selling point, as some people in the area had just tried (and failed) to sue the library for not respecting their wifi allergy.
Only apps that truly need admin rights (that install services, etc.) would be blocked. Everything else is wide open.
The admin rights restriction on app installs was almost just a convention that people followed. Now that the app incentives have changed (malicious apps don’t try to take over the machine anymore, they just try to steal your data), admin rights restrictions are becoming irrelevant.
Persistence is easy enough with startup shortcuts or scheduled tasks in each profile.
Also, I’m not saying these apps have some kind of hidden malware, I’m saying they are operating as designed, and usually offer features in exchange for letting them do things like upload your address book, etc.
I'm asking because I do exactly the same: no admin accounts for my family on their own Windows machine (mother in law and wife etc.).
They're also using only local account. Is Microsoft banning local accounts?
A Microsoft account and an internet connection will be required to use Windows.
Been operational for a few years. Minimal maintenance. Great peace of mind.
My kids get locked down OS's and games, in addition to communications limits and screen time restrictions. But they're elementary age, so this is okay. The rules relax bit by bit as they get older.
For my extended family? Nothin. They're grown ups. I do host the family e-mail domain but there aren't any rules around that (well, they do have to pay for it...). We've had discussions about best practices, but the non-technical folks don't care ("so what if Google tracks me, I don't care") and the other half are technical and more than capable of managing their own digital lives.
I do not go around imposing my beliefs upon them. They have their own problems to be bothered with mine too.
Household shared threat models include:
- they download a trojan, it infects your shared printer, and copies all your documents to the bad guys
- their phone is compromised and its microphone listens to your conversations and keystrokes.
These are attacks against high-value targets. If you're just surfing Reddit, you probably don't care. But if you work for a tech company and have customer data or cloud logins on your machine, you should probably care.
Printer could be an issue, I guess, but most tech jobs don't involve a lot of printing and if they do a USB only printer should be supplied by the company.
Internet safety, DNS security, https://wrdrd.github.io/docs/consulting/kids #internet-safety #family-media-plan #screen-time-guidelines
Rclone supports encryption over top of like every cloud storage provider; and then what js could hit delete and confirm on our cloud storage, resulting in starting over from zero, like preppers, like bushcrafters - with DR bushcraft knives with flints (and hand-crank solar rechargeable FM/WX radio USB powerpacks) - like a low-budget made for TV Swiss Family Robinson: https://wrdrd.github.io/docs/tools#rclone
Ansible-molecule, DevSec baselines; your (1) Raspberry Pi SD card will fail, and probably before a thumbdrive or an SSD.
E2E: Cyph, Keybase has encrypted git repos; GitLab/Gitea does Issues with trackbacks: https://www.cyph.com/blog/cyph-pgp
PWD generates a printable substitution box: https://github.com/westurner/pwd
SGP: SuperGenPass https://github.com/chriszarate/supergenpass
JS implementations of SSS to do better than splitting a string in parts and printing some redundantly: https://github.com/topics/shamir-secret-sharing
"SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes" https://github.com/satoshilabs/slips/blob/master/slip-0039.m... :
> Shamir's secret-sharing provides a better mechanism for backing up secrets by distributing custodianship among a number of trusted parties in a manner that can prevent loss even if one or a few of those parties become compromised.
> However, the lack of SSS standardization to date presents a risk of being unable to perform secret recovery in the future should the tooling change. Therefore, we propose standardizing SSS so that SLIP-0039 compatible implementations will be interoperable.
Email i use on a gsuite legacy domain and have for a very long time. It allows us to move email around if needed. We still have some older gmail accounts as backup, but rarely use them. Ill probably move to something else, Mail in a box on a linode or protonmail. The problem is i havent found a 1:1 feature, between google voice for voicemail and junk phone #, and contact syncing.
On the network i manage that. Use opnsense with unifi for wifi and a few vlans. We dont have cable, so roku's/ROKU tvs get their own DMZ and we have plex and a few streaming services.
I also help manage my parents network. So they have a pfsense appliance (setup and bought well before all the nonsense) and it has a VPN connection to my house, with a similar Unifi wifi network.
All of our stuff is MFA enabled and i just handled the setup on her phone etc, gave and setup yubikeys etc.
Outside of my parents and wife/family, i dont really get involved. I really dont want to. My in-laws I have helped do things for like setup some wifi extenders etc. But their needs are more simple and dont require the complexity my parents do (that WFH and run a business from home with a larger layout.)
Mine was almost 20 years old.
I have already moved to workspace for now. There will be no charges until August or so. And then 50% off through August of 2023. So its....not awesome but gives me breathing room to find an alternative (Or just stay the course).
I will say one gotcha that got me...The dont allow Google Voice for workspace. If youhave a legacy account, even on the gsuite it should be fine, but you cant setup new service. And if you mark the payment account as "individual" you have NO options. If you set it as a business you could get google voice as a paid service.
Payment accounts cant be changed once setup. Which is crazy.
I will say one gotcha that got me...The dont allow Google Voice for workspace. If youhave a legacy account, even on the gsuite it should be fine, but you cant setup new service. And if you mark the payment account as "individual" you have NO options. If you set it as a business you could get google voice as a paid service.
Payment accounts cant be changed once setup. Which is crazy.
Everyone else: not my circus, not my monkey.
I have done zero or little past basic configuration and have had no issues or surprises.
There seems like a good OSS project - a bit of WMI a bit of bash - so I am interested if anyone has a idea.
All secure tasks like handling of IDs, banking, trading, etc. must be done through managed Linux workstations (Landscape with master image), or managed VDI. Keepass is used to store credentials. There is a network storage accessible only to those workstations containing important documents. A second storage area is avaliable for unmanaged and Windows devices.
Windows devices have Group Policy set for update settings, but generally users can do whatever they like. Mobile devices are expected to be patched but they have free reign. Haven't found a good management solution for Windows and mobile yet.
Wifi uses EAP-TLS, no exceptions and no guest devices permitted. As a result IOT and smart home devices are not allowed on the network since they don't support EAP-TLS. Certificates are issued per device and allow access to different services like VPN etc.
I currently don't have managed switches so mobile devices and personal workstations do share the same network as my servers and such, but all local services like network storage are encrypted and require authentication. Ideally I'd have VLAN segregation, but this will have to wait for the next network upgrade.
+ Network is covered by pihole (and in exchange, plex/jellyfin/etc access works nicely)
+ Smart home stuff is managed by me. Everyone has admin rights but shared terminals (eg kitchen panel) are unpriviledged users.
+ Everyone has a home directory on the homelab they can back up to with as much space as they want (4tb+). I help them set it up if they ask.
+ Haven't done this yet but would like some kind of network level monitoring for threats (viruses, cryptominers, etc)
Things intentionally not done:
+ I don't install anything on folks devices.. at all, but never without their consent and without them having an off switch.
+ We have cams but everyone can turn them off and view recordings. Recordings are kept only for a short timeframe. Cams are all visible/known.
+ I intentionally collect no logs of dns or other stuff. When I do occasionally need to debug an issue, I let everyone know I am flipping on logs for a few minutes.
Empower users, don't control them.
I install whatever I can to control/centralize the devices of my wife and parents. The less they know the better. Because your know, I am the 24/7/365 all-knowing support.
I do not do this with my teen kids. They can manage their stupid themselves. Until recently I had them tracked in Google maps but not anymore. They do see me though.
I have found the opposite to be true. If I push them to invest and understand, they are more likely to fix their own problems. I play tech support very infrequently and usually it's just initial onboarding - "Hey, how do I watch movies?"
My users can reset their own passwords, reboot devices, and some of them can even restart stuff on the server.
There's a dashboard with all of our links, so I don't get the "What's the url for..." stuff.
I keep quick docs in the family notes.
Usually my only problem makers are game servers since those are always a bit less than stable once loaded up with mods.
If you always do everything for them, tell them it's complicated or easy to mess up.. well then yeah, they aren't going to learn.
Tech knowledge is not special compared to any other kind of knowledge. You don't have to be "tech savvy" to be a self sufficient user.
Some people feel thr same with computrts.
And I do not argue with my parents or wife, weak as I am, just fix the stuff and hope for the best :)
Jokes aside,
> making sure they have control of their passwords and accounts in a safe matter.
This looks like two requirements. Control your passwords and accounts and safeguard them. Because saving via Chrome, though unpopular, is quite safe but you give up control.
I've found this to be useful lately as I go through and take control of my login credentials:
https://mullvad.net/en/blog/2021/11/15/forget-your-passwords...
opening a malicious pdf on their main machine or a malicious website
the one time all their sensitive info compromises their main gmail/apple account
How is it even possible to help our extremely vulnerable elderly parents and then our very young family members, nephews, nieces
We've probably all been pwned at least once, and we're the more cautious/aware of the population, how do the helpless even fare? Besides locking them down in the apple eco and idk vetting every file/website they use?
If it's not a government agency, it doesn't get any real info.
So, for instance, Amazon has a made-up name and our PO BOX and our "junk" number from Twilio.
As I have mentioned here many, many times:
This is possible because VISA/MC do not verify cardholder name. They make it seem like they do and merchants think that they do ... but they do not. You can just enter "Mickey Mouse" and it will work just fine.[1][2]
Lyft, opentable, Toasttab, Apple ... none of them have ever seen our real names or addresses.
[1] This is not true of AMEX - they do verify cardholder name the way people think they do.
[2] There is a very rare, seldom used "verified by visa" step that some online merchants used to use (mostly in Europe) that did verify cardholder name ... but I have not seen it in years ...
You can call it paranoia. I'd call it a healthy value of privacy.
Nothing stops a company from taking your name from your credit card and using it to build/sell shadow profiles except their word. Companies' words aren't worth shit.
If we assume this information persists forever - and we might as well - it represents infinite liability and risk whereas the mitigations I have proposed cost almost nothing.
Or, to put it another way, it's very cheap insurance.
I like this a lot more than the De Beers campaign popularized in the late 1940s[0]!
[0]: https://www.theatlantic.com/magazine/archive/1982/02/have-yo...
See chaos theory's infinitely long line in a finite-sized circle
If it is truly unpredictable, then you may be diminishing something which may actually be beneficial and necessary in the future.
This obfuscated data which may or may not be linked to you (or the lack of data entirely, a void which certainly is linked to you) is itself forever persistent and represents its own infinite liability.
Not to say that you're wrong or right, just pointing out that your claim of somehow rising above this system is bogus. No matter what we do, our mark (be it a shadow profile or a void) is left, and perceptions will form around it that cannot be predicted.
The data is there, silently, stored for a future use which may come at an unpredictable time.
We live on a ranch at the end of a 2 mile private road.
Lyft is something we use in the city or while traveling.
However, I do understand the spirit of your question and I don't have formal practices for these kind of things.
Like a sibling comment said, life is short ...
Sad.
Beyond that, for the type of tracking and fingerprinting done today, how relevant is your name actually?
Doesn't even have to be that big of a policy change; if Facebook gets suspicious about you using a fake name or various other scenarios, they'll lock your account until you provide a scan of a passport or state ID.
Amazon account gets blocked? He gets a new one. If they block him because they check the PO box against blocked accounts, he gets a new PO box too. Sure it's a hassle because he probably uses it for other stuff too. But nothing really preventing him from doing the fake name+PO box thing for a small likelihood of this ever happening and he'd probably gladly just get a new on if it ever did and there was no other way to convince them.
Same with Apple. Apple id gets blocked? Get a new one. I somehow doubt he's bought (err, sorry, rented) thousands of dollars worth of digital content on either platform that would discourage this. Streaming is fine as you can stream the same stuff again on the new account.
If you're worried about the government prying, using a fake name on a PO box is a great way to rouse suspicion and investigations into whether or not you're doing something nefarious with the post.
I don't think rsync is worried about government prying.
The post office (quasi-government agency) knows who we are.
The only really private way to use these services would be using something like burnermail.io and crypto.
For most things though I dont mind too much about things that are already public anyhow. Like name, address etc.
That said for services that extend beyond that, If i feel the need to go that far i just dont participate. Like facebook for example.
I do carry a google voice number. That is the only thing a company, service or basically anything that gets typed into a computer gets. It has signifigantly cut down on spam calls to my actual cell phone, which friends and family do have.
I also put a basic 2-bay Synology NAS in the basement, and everyone's laptops are set to back up via Time Machine automatically.
Also, got some yubi-keys which I use for aws and gmail. Still have a raincheck for my wife to try those.
Yes, I told her it's not hard to get started, she could do it herself if she wanted to, but she wants to discuss it at length and spend time on it (I agree with that, but geez, it's hard to do stuff like this). Taxes are a nightmare enough for us.
I knew when I saw the title here that there would be multiple stories of folks who have gone ABOVE AND BEYOND AND THEN SOME, HN-style. Ain't going to happen in my house.