Ask HN: How do you trust that your personal machine is not compromised?

541 points by coderatlarge ↗ HN
"Compromised" meaning that malware hasn't been installed or that it's not being accessed by malicious third parties. This could be at the BIOS, firmware, OS, app or any other other level.

468 comments

[ 4.9 ms ] story [ 329 ms ] thread
You should assume all devices are compromised
Not helpful
Why not? It still possible to communicate securely using compromised devices and networks.
Could you expand on this? How would I securely communicate from a device that, say, has a kernel level implant? This is one of those cases where SGX/TrustZone would be immensely helpful but nobody has built a messenger that actually somehow fully lives in an enclave.

If you assume every device you use is compromised, how can you possibly use any encryption?

Truths has to be helpful.
*compromisable
I don't think so. While I am not sure about what "devices" means it's common practice for example to assume your root password is always compromised. The consequence here is that you don't allow remote, password-authenticated root.

On a similar note services and networks should be treated as compromised as well, meaning you must use encryption, authentication and in general make sure to limit attack surface.

And all of that boils down that you should make sure you should not rely on services, users, etc. don't for example access personal information they are not supposed to access.

After all the problem with things like Ransomware is exactly that this isn't assumed.

You really can't, anymore. You can watch traffic and hope that anything nasty isn't communicating with the outside world, but then there's all sorts of side channels that you may not know to watch.

At some point you just have to admit there's limits to privacy and work with them. You paper journal could be stolen and read / rewritten too, yaknow? It's not a new problem, its just in a new context.

Noone has drained my crypto from my wallets yet.

So either my personal machine is not compromised, or they think the amount of crypto in the wallets is too low.

Jokes on them though, cause I am moving my crypto to a hardware wallet eventually

Quite an interesting honeypot really.
Joke's on you, you just told them they should hurry up before you do ;)
Of course, a nation state is unlikely to 'tip their hand' so to speak.

If the U.S. has backdoors on every PC, they're not going to bother draining the wallets of "small fish"; they need to keep these things secret so they can go after terrorists

I'm reasonably sure that my personal machine is less compromised than the average, but I can't and will never be able to ensure that it is not compromised because I have no way to know everything the machine trying to do. This remains true even when you have an entirely free and directly inspectable hardware; you simply have no knowledge and time to verify everything. Just keep a reasonable amount of precaution and skepticism.
Reminds me of the time I was watching a creepypasta horror movie about some guy who gets strange phone calls and my phone rang.

I think this guy had gotten my phone number from my HN profile and he thought I might be able to help him. He thought his android phone was infected by malware and he knew who did it. I told him the people who repair cell phones at the mall could do a system reset on his phone…. Unless he was dealing with state-level actors in which case it might be an advanced persistent threat and it might be permanent.

Here's a short, fairly practical guide that you might find helpful: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-.... It is aimed mostly at small businesses, but I find a lot of the guidance to be pretty relevant to my personal IT.

My even shorter (and incomplete) summary of the document would be: configure your router and firewall; remove default passwords and crapware from your devices; use a lock screen; don't run as root; use a password manager and decent passwords; enable 2FA everywhere you can; enable anti-malware if your OS has it built it; don't run software from untrusted sources; patch regularly.

There are also other controls that you can choose to impose on yourself. For example, I require full-disk encryption, and I will only use mobile devices which get regular updates. Would be interested in hearing other things that HN'ers do to limit risk.

Do you lock your computer every time you leave your desk?

And do you always check for keylogger thumbdrives and such?

Yes. Why wouldn't you?
Because you assess the risk as being low and don’t care that much about low risk things.
Sure, but it is also a very low effort thing with little friction involved.
I have to physically go under my desk to see if my computer has been tampered with.
For me: No, and no. But as that would require someone breaking into my apartment, I don’t worry too much.
I work from home and still lock my screen because I have cats that will walk on my desk if I'm not looking. 4 paws and an open vim or slack window are a dangerous combination!
Yes (I don't bother when I'm working from home)

I haven't used a use usb stick in +10 years.

When I worked at an office, I used to, with a quick: CMD+CTRL+Q
> Do you lock your computer every time you leave your desk?

This was a corporate requirement where I used to work, unofficially reinforced by the local jokers who would rotate the screen and / or send prank messages if you didn't.

When I was an intern at a company, I forgot to lock my screen once when I went to the toilet

My colleagues edited my .bashrc to echo "lock your screen next time"

I like to alias emacs to vim or rm, depending on how charitable I'm feeling.

(Kidding obviously, at least for the latter).

I would alias both vim and emacs to cat

I think at first the colleague might assume it's a bug in the terminal not someone had replaced the command with an alias

or just alias them to echo, so that it prints out the file name, not even the file content

> unofficially reinforced by the local jokers who would rotate the screen and / or send prank messages if you didn't.

Same here. The all time favorite is sending a resignation notice to the person's manager (the manager usually gets a fair warning first and plays along with it).

Yep. I've sent a party mail and free lunch or snacks sponsor to the team. Have got them a couple of times as well. A lesson well learned...
> is sending a resignation notice to the person's manager

Or a message that says "I love you very much"

I was a big proponent of hasselhoffing unlocked computers (set up a wallpaper of David hasselhoff in his Bay watch days sprawling over desktop :)
I heard this was big at Rackspace.
Lock my computer: Always[1][2].

Check for keylogger thumbdrives: I use a laptop so it would be immediately obvious. But now that you say it I haven't checked the charger USB-outlet on the back of my cabled keyboard.

[1]: it has happened I have failed. Once a year or something.

[2]: I sometimes try to allow myself to go downstairs in my own house to fetch a cup coffe without locking when I am alone, but I find it so stressful in practice I always lock it. I don't need to know but it is a good habit. I'm otherwise normal :-)

I've worked in places where that once a year slip-up would mean you sent an email offering to buy lunch for the team or get your background changed to a David Hasselhoff pinup picture from the 80's. I do feel weird locking my computer when I'm alone though.
One place I worked, it was common practice to email something semi embarrassing into a public slack channel from the unlocked pc.
Screenshot of the desktop, rotate that 180 degrees and set as background. Hide all icons and the taskbar, then rotate the whole screen 180 degrees. Maybe a bit of tape underneath the optical mouse.
What bugs me is when this is applied to remote workers in a way that seems optimized for in-office environments.

For example IT enforces that your screen becomes locked after 15 minutes of inactivity and also ties in your local computer 's user login password to your SSO login to access everything. It's a contradiction around password best practices. If you force people to input their password multiple times a day then naturally people will gravitate towards easier to type passwords.

If the idea is "but what if you go AFK in a public place and forget to lock your screen?!?", that's not a valid reason. If you were working in a coffee shop and went to use the restroom for 4 minutes or turned your back for 2 minutes then your machine could be compromised (or even worse stolen). It's extremely reckless to leave your gear unattended in a public place.

It can really break morale to input your password and MFA half a dozen times a day, especially when you're alone in a locked apartment where the laptop hasn't left that location in a year.

TouchID or windows machines with Windows Hello touch solves morale issue.

Then they don't type most of the time and the length of 'memorable passwords' (like correct-horse4BATTERY!staple) isn't a problem.

I suppose you could complement that with a camera + AI that recognizes when you leave your computer.
My Windows Surface unlocks with their depth-camera. I don't know if big corporations allow this sort of thing on their laptops, but it's very handy for us in our small consulting business.
Yea, my work uses touchid for day to day logins and it works really well
Oh yes. Having my machine lock very fast when I wfh is really annoying. Past that, with so many systems to log into, I sometimes feel like all I do is authenticate and authenticate all day long. SSO is probably saving a lot of this, but at my megacorp it still sucks.
> What bugs me is when this is applied to remote workers in a way that seems optimized for in-office environments.

> For example IT enforces that your screen becomes locked after 15 minutes of inactivity

If your OS is MS-Win, try playing an audio file when you don't want the auto-lock to go off. Provided IT's "checkbox security" parameters [1] did not include turning this off, MS-Win does not timeout lock the system if an audio file is playing, which makes playback of an audio file a way to prevent the timeout auto-lock from happening. Note that this won't help with any 'presence' indicators that go "idle" or "away" with no activity for some time.

If this works, then you can create an audio file of 'silence' with sox to use to play back when you don't want the auto-lock to trigger:

   sox -n silence.wav trim 0 10:0.0
Creates a ten minute long wav of 'silence'. If you want it smaller, compress the wav with lame into an mp3 or fdkaac into an aac file. Then launch playback of the silence file, and set windows media player to "loop" when it reaches the end of the file.

[1] Much corporate/govt. IT "security" is "checkbox security". It is the equivalent of IT having a "compliance form" with a long list of "configured settings" with check-boxes next to each, and so long as they can go down the form and "check all the boxes" they deem their setup "secure". Whether it is actually secure is not important, just that it "checks all the boxes" on the "compliance form".

That's really clever. This is a company issued Macbook (macOS is a requirement not a choice btw) but I'm guessing there will be something similar that you could do.

This puts you into a grey area though no? You could make a case this is willingly trying to circumvent security protocols which could be grounds for being fired.

The issue is more other members of your household. Your roommate, kids, spouse, etc. Policy and regulatory requirements don’t allow incidental disclosure to people like that, and the company has no relationship with them.

I dealt with this as a policy issue recently. Controls like aggressive screen lockouts are one of the few options available to allow some categories of workers to work outside of a company controlled premises.

The argument that you live alone etc is irrelevant as I have no idea (and don’t want to know) whether that’s true. I can tell you that people have done shockingly dumb things with remote work and the company has to try to control risk as best it can.

> Controls like aggressive screen lockouts are one of the few options available to allow some categories of workers to work outside of a company controlled premises.

What does the policy really protect against?

If it's being locked out after 15 minutes of inactivity because of roommates or kids it doesn't protect you against anything in the grand scheme of things. For example if I leave my office for lunch and you step in 10 minutes later then you have a solid 40-50 minutes to do whatever damage you plan to do while I'm gone.

The only time it makes a difference is if it locks really fast, such as 30 seconds but then using the computer naturally would be ridiculous because you couldn't stop touching the keyboard or mouse without being locked out.

Also, what if your room mate planted cameras in your office that let them see exactly what keys you're pressing on what screens without ever compromising the machine itself? Now everything is compromised and they have full reign to do whatever they intend to do.

> The argument that you live alone etc is irrelevant as I have no idea (and don’t want to know) whether that’s true

This is the real problem. Everyone gets treated like an equal criminal when in reality none of the measures taken really do anything to provide the security they were designed to do. It reminds me a lot of "for the children" but applied to corporations for "compliance reasons".

I'd be more ok with the precautions if they worked.

It reduces risk by minimizing disruption if you’re following other work rules. If we locked it in 30s, people wouldn’t be able to work.

Re: the “treat people like a criminal” take. A common approach organizations are taking is employee surveillance. I don’t want to know that your girlfriend has a conviction or that your kid sits next to you with sensitive data in your screen, etc. And I don’t want to force you into an office.

There’s a difference between “security” and risk management. If the discussion was pure security with low/no risk tolerance, you’d be working on a locked down terminal server in an office.

> For example IT enforces that your screen becomes locked after 15 minutes of inactivity

If you're on windows, there's a powertoy[1] called "Awake" that can keep your screen on indefinitely despite IT rules. I liberally use this on machines I'm remotely connected to because there's 0 reason why a remote session should lock if I'm active on the computer looking at a different window.

[1] https://learn.microsoft.com/en-us/windows/powertoys/

> [2]: .....

Ah, no mention of water proofing computer to protect against robotic dog innocently spilling moring coffee/tea on computer.

On MacOS, poke the TouchID key to Lock Screen. When back, poke it again to unlock. Make this rote.

On Windows, Win-L to lock.

Yeah, colleagues have happened once, then never again. I use a Laptop with a Dockingstation for work and take the Laptop home with me every time I leave so I would have noticed if this would have happened.

When home, I always have to lock or my cat would typeeeeeeeeawww

Would be interested in hearing other things that HN'ers do to limit risk.

Mostly the same basics as you. The document you linked is a good starting point.

I'd add extensive use of virtualisation and sandboxing. I run less and less software as native, installed applications on any device I use personally or professionally. Instead it tends to run inside things like VMs or Docker containers or cloud-hosted platforms now.

My basic policy is to try and make every device and installed application expendable/replaceable in case anything breaks or gets compromised and then focus on the data. I apply the principle of least privilege for access to any sensitive data, try to keep all important data in standardised formats and avoid lock-in effects as much as reasonably possible, and keep good back-ups under my own control with the ability to redeploy/restore anything quickly and as automatically as possible.

100% with you on the entirety of your last paragraph.

I generally use a device as an access mechanism; a configured window into the data. This configuration is the only thing lost when a device is lost. No data, no function, no service. Configure the replacement device and continue as you were.

Virtualisation and Docker-isation makes backups and restores almost enjoyable.

How do you deal with leaking of data?
Not sure I fully understand the context of the question, but for a device to gain access it needs to be allowed into the local network by being in wifi range or authorised on the VPN, plus have username/password access to the service/data.

If, however, there's a backdoor I don't know about, then I'm pwned.

> enable anti-malware if your OS has it . . . Would be interested in hearing other things

Given the most common network activity is web browsing, it seems like enabling protections in the browser is becoming mandatory for the security-conscious.

For me this amounts to enabling NoScript and uBlock[edit: [0]] plugins in Firefox, desktop and mobile versions, and disabling or locking down various "features".

An additional step I take is to use several browser profiles for different purposes (mail, banking, shopping, default, to name four) so that Firefox always asks me to pick a profile on startup. As well as reducing the possibility of XSS, this lets me relax the settings for some profiles where I restrict myself to a small number of trusted sites. (This may well be overkill!)

0: uBlock Origin, that is, as per instructive commment below[1]

1: https://news.ycombinator.com/item?id=34389942

Firefox multi-account containers can be a more convenient way to isolate things, especially now that the container can be limited to only the allowed sites.

I also made an app and extensions to help me use multiple browsers, one per site. (Browsr Router)

Regards the containers, I started my profile compartmentalization practice before they arrived, so I never explored them. But I'm curious as to whether each container comes with a complete set of browser permissions, like profiles do, which would enable you (for example) to have a location-enabled container specifically for google maps (in reference to[0]) while disabling it on the container used for search, as you could quite easily do with profile compartmentalization? (Which, tbf, is a privacy rather than a security concern.)

0: https://www.simpleanalytics.com/en/blog/google-changed-googl...

Add-ons cross over container boundaries, so I suspect other browser permissions do too.

You're solution is more bullet proof. For similar reasons I am hoping to add better profile support to Browser Routr.

I’ve no doubt you are referring to uBlock Origin but it’s real important to label it as such so the unaware don’t install uBlock.
>> enabling protections in the browser is becoming mandatory

> or me this amounts to enabling NoScript and uBlock

Hard to see how installing third-party extensions that can view and change data for every site makes the browser more protected.

Just little a third party security guard can't make a building more secure. /s

It's about who/what you trust.

>Given the most common network activity is web browsing, it seems like enabling protections in the browser is becoming mandatory for the security-conscious.

What I am looking for is an easy way to run something like a LiveCD OS in a VM for browsing. The problem is that I have never found a decent LiveCD that has Firefox with all of the mandatory extensions (uBlock Origin, etc...). I guess I could customize my own LiveCD, but last I looked into it, doing so seemed complex and too time consuming to figure out.

Posting this in the hopes of being steered towards a simple solution or to inspire someone to create one.

Windows AppGuard is close to this, although it’s a hyper-v silo not a full VM. Edge can open links in AppGuard (which is what this technology is called) right from the context menu, super convenient.

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-...

That sounds interesting and I like that Edge is one of the few browsers that has vertical tabs built in. The thing is that I don't trust MS and assume that they are thieving my data in any way they can...
MS AppGuard is a clone of Bromium, now branded as "SureClick" for Chromium and bundled with HP business laptops/PCs, with a security co-processor ("SureStart") monitoring firmware integrity.
> I guess I could customize my own LiveCD, but last I looked into it, doing so seemed complex and too time consuming to figure out.

Here's a 5m solution whose starting point might be acceptable:

- install Nix

- Follow first two steps at https://nixos.wiki/wiki/Creating_a_NixOS_live_CD to generate iso

That does look simple! Are the steps:

1. Install Nix in a VM or on a clean HD

2. Customize Firefox to my liking

3. follow the two steps you highlight

4. Load my created iso in a VM

Right?

> Install Nix in a VM or on a clean HD

You should be safe to avoid this unless your threat model includes a trusting trust type exploit on Nix generating the ISO.

Also, just realized it'll be a little more complex because you'll want to use home-manager to install Firefox plugins and do about:config configuration.

Here are some examples of that in various contexts:

https://github.com/search?q=language%3Anix+programs.firefox+...

With respect the question is about the machine being compromised, I'm not sure how XSS, phishing, etc. attacks are relevant.
Since you mention routers, I’m curious what brand you use.

Since Ubiquity started fown the cloud-first path I’ve switched to Mikrotik. While they do seem to have regular CVEs (which is good, I think?), they also don’t seem to have a public bug bounty program.

> Since Ubiquity started fown the cloud-first path I’ve switched to Mikrotik

I was thinking about getting a Ubiquity router because it has good support for setting up wired VLANs without needing to go down the path of finding a solid OpenWrt router.

Is it really true that you can't access the router's dashboard and configure things without associating an online account to your router?

That’s not true. You need to use the gui though. I think some folks preferred the cli in the past.
My UDM and UDR aren’t connected to UI’s cloud services, so it’s not really cloud first.
It's definitely still possible to use without cloud now, what I meant by "started down the path" is that it seems like the direction of the company is not aligned with what I want.

I was in the market for more hardware and I had to decide whether to increase my investment in Ubiquity or make a change, and I chose the latter.

They did add back non-cloud support a while ago after the cloud forcing didn't go over well, but it is a second-class experience.

The day after I set my UDM Pro up as non-cloud, it corrupted the login somehow and I had to factory reset it and redo all settings (as it hadn't been running long enough to run any automatic backups first). I capitulated and just set it up again as a cloud login to avoid having the same fiasco at some random point in the future again.

I immediately regretted going with the UDM to save (quite) a few bucks over a OPNsense/pfSense appliance to fit my requirement of handling a full 10G of WAN.

I will admit having the app to monitor usage remotely is a somewhat neat trick. I find the firewall configuration in GUI obtuse enough to be next to unusable.

> I immediately regretted going with the UDM to save (quite) a few bucks over a OPNsense/pfSense appliance to fit my requirement of handling a full 10G of WAN.

As someone who bit the bullet and sold all their UniFi gear on eBay and switched to OPNsense and Ruckus, I'll tell you that it's been absolutely worth it.

> Is it really true that you can't access the router's dashboard and configure things without associating an online account to your router?

That might be true for their UniFi line, but EdgeMAX devices work fine without an online account. EdgeRouters run a fork of Vyatta, with configuration files and command line operations that are fairly easy to work with. They also have a web UI for common configurations, though I have little experience with it.

A bit of warning: EdgeMAX support has been declining in recent years. Security updates are still published, but bugs don't seem to be addressed as quickly or consistently as they were in the past, and some forum users have expressed doubts about what kind of support will exist in the future. That said, my equipment is still doing fine.

I think OpenWRT has been ported to at least one Ubiquiti router, so that might be a good fallback if EdgeOS support ever ends. I wonder if anyone here has tried it.

I bought a Turris Omnia used on ebay for about a hundred bucks. Very powerful, open source hardware & software, good community, adblock server built in if you're too lazy to set up a pihole, enough compute power to host lots of neat services on it.
(comment deleted)
I like your shorter list - but I'd suggest concerned people also avoid the obvious attack surfaces:

* Windows

* storing data on other people's computers (cloud apps)

(Yes, they're all safe under the right circumstances. But the right circumstances are far from universal.)

And loosing access to important stuff can be worse than other people seeing the stuff - anything behind a google (etc) account can be lost in a moment, due their mechanised decision making and inability to meaningfully contact humans.

If you can't always easily contact a helpful and authorised human, the continuing existence of your stuff is a gamble. And no, setting off a twitter storm and hoping that the company will be embarrassed into restoring your data is not a suitable contact method!

> Would be interested in hearing other things that HN'ers do to limit risk.

We have a pretty standard setup at work: screen times out after 15 minutes, and co-workers teach you pretty fast to lock your machine.

At home, where I use a MacBook Air, I work in a physically unstable situation...in a rocking chair, on my lap. Whenever I stand up, I close the machine, which locks it immediately. If not, I risk the machine sliding to the floor.

I don’t have ultimate trust in any software or hardware, but I get to “good enough” by deciding which providers I trust:

* Software: Canonical, Google, Microsoft, Valve, Oracle, Dropbox. I install software from their official repos and keep it up to date. Anything 3rd-party/unofficial/experimental/GitHub goes in a VM.

* Hardware: I built my main PC from mainstream commodity components. I have no way of knowing if there are secret backdoors but I consider it unlikely.

I use a password manager, I enable 2FA, I turn off things I don't use, and generally have a low-risk hygienic approach to computing.

I’m also privileged enough to not be a “person of interest” so don’t feel the need to take any extraordinary precautions.

Yes, I’m aware of VM escapes. Yes, I’ve read Reflections on Trusting Trust. I choose to trust regardless because life’s too short for paranoia. As Frank Drebin said:

“You take a chance getting up in the morning, crossing the street, or sticking your face in a fan.”

What about publicly known backdoors in your hardware?

https://www.techrepublic.com/article/is-the-intel-management...

There is hardware that doesn't contain those at least, but it doesn't break power records.

I don't consider it practical to take any countermeasures to the possibility of this threat. I think there's a ~10% chance it's a backdoor, and if it is, there's a 98% chance it would be at the behest of a branch of the US government, and I'm not currently an adversary of theirs.

(This is not an argument for mass surveillance, it's just a practical assessment of the risk).

Just to be clear, the question of whether it's a backdoor or not doesn't matter for whether bad actors use it. The capabilities are rather well known. Its vulnerabilities aren't, but vulnrabilities do not a backdoor make.
"which providers I trust:

* Software: Google, Microsoft"

I trust that Google and Microsoft won't hack into my bank account and steal money, even though they could, but otherwise I assume they collect anything they want and can.

I assume they profile me, but I don't assume they steal my files.
They (hopefully) won't steal your ip or personal pictures, but there is so much telemetry and other phoning home going on, and without transparency or the option to really turn it off.
Security and privacy are two separate things and not always aligned.
I caught Windows Defender "automatic sample submission" silently uploading places.sqlite out of my Firefox directory despite the assurance in the control panel that "We'll prompt you if the file we need is likely to contain personal information".

So now I disable automatic sample submission via group policy but Microsoft definitely can and will access files that they really have no business accessing.

Yes, but the topic is security, not privacy.
The reality is that you cannot trust that your machines are not compromised.

The only option we are left with is to operate under the assumption that, indeed, our machines are permanently compromised.

Just some generic things that should help avoid or clean up after a compromise.

- clean reinstall every month, just pick a new flavor of Linux to try out. (also helps ensure I have proper backups and scripts for setting up environment)

- Dev work I usually do in docker containers, easy to set up/nuke environments.

- Open source router with open source bios (apu2), firewall on it, usually reinstall once in a while.

- Spin up VMs via scripts for anything else. (games - windows VM with passthrough GPU for example)

- automatic updates everywhere.

>Spin up VMs via scripts for .. games

this is not sustainable. you do this once and then pray nothing breaks!

I just have a clone of a clean windows VM.

If something breaks or I get bored, nuke the active one and start clone, update it and make another backup, then reinstall games again.

On the other hand, gpu pass-through breaks once in a while and is annoying to fix.

so more like an OOBE snapshot?

would be annoying to initiate and wait for all the windows updates, drivers and game installations every time

also runs the risk of reusing the hwid (which e.g. Epic and Ubisoft are cottoning on to and permabanning)

gpu passthrough is a menstrual headache hence the set, forget, pray attitude

Keep it air gapped, only way to be sure!

Only half kidding, unfortunately.

You can get data out of an air gapped machine several published ways (ultrasound, hard drive light, monitor flicker, emf, etc)
Requires proximity and someone very determined though...
Great question. I don't anymore. Decades ago when I had a 286 and knew what each file did and what all the software was, and threats were limited and crude, I had good confidence of controlling my machine. Today, when my laptop has millions of files and each website - even hacker news - could inject something malicious and my surface is so broad (browsers applications extensions libraries everything) and virtually anything I do involves network connections... I just don't have the confidence.

FWIW, I try to segregate my machines for different categories of behaviour - this laptop is for work, this one is for photos and personal documents, this one is for porn, this one is if I want to try something. But even still my trust in e. G. software vlan on my router and access controls on my NAS etc are limited in this day and age.

I feel today it's not about striving for zero risk (for 99.99 of people) , but picking the ratio of overhead and risk you're ok with. And backups. (bonus question - how to make backups safe in age of encrypting ransom ware).

On the backup question, this is one reason why I have a set of backups that are physically disconnected and not automated.
I have a backup NAS that's normally powered off, but it's scheduled to turn on, perform backup, shut down.

It doesn't wake on LAN and there should be no way of knowing it exists outside of checking DHCP static addresses reservations - and now that I mention it, maybe I should remove it from there too.

This minimises the size of the window, and network-snoopable information, required to compromise this set of backups.

If your main computer has had all its files encrypted by ransomware, will the backup NAS know not to replace the good backup with a bad one? i.e. hopefully it's not doing something like `rsync --delete`.
Not the GP but I use ZFS snapshots for such things. Should the files be overwritten or deleted I can always fetch an older copy from snapshots.

The trick is to make sure nothing has access to the backup storage, which is obviously easier said than done.

That's not hard. On my backup server, I have an account with a restricted shell that my backed-up machine has an ssh key for. That restricted shell is simply the following script:

  #!/bin/bash
  cd ~/backups
  tar --restrict --keep-old-files -x
So the only thing that the backed-up machine (or an attacker) can do with the ssh key is push new files onto the backup server as a tar stream - it can't overwrite any files, and it can't put any files anywhere except the correct directory.
For my server I went one step further and set it up so that the server being backed up has no access to the backup system at all and insteady only prepares encrypted (differential) tar archives that the backup system then grabs.
Restic is my current backup solution of choice and that takes snapshots by default. If you took a backup on Monday, ransomwared on Tuesday, your backup volume would double in size (file de-duplication is going to fail spectacularly), but the Monday backup will be unimpacted until a prune operation is run. Suggested prune workflow is to maintain fairly staggered snapshots eg: 1x six-months ago, 1x three-months ago, 3x from last month, whatever makes you comfortable. Which should give a pretty comfortable margin on retaining your files.
I think, perhaps ignorantly, That may prevent some human being or intelligent agent specifically targeting your nas.

I don't think it would help against situations where your primary system is being encrypted for a while, and thus your backups eventually get overwritten with bad stuff.

Replication isn’t backup though?
I would agree, but I feel the GP specifically talked about "Backup NAS", which is where my question pertains.

I do have a set of hard drives I exchange with my friend as "off site" backup. Neither my cloud service nor NAS keep copies/snapshots of previous versions of files; and I have too much stuff to create BlueRay let alone DVD one-off backups :0/

Hopefully they’re taking snapshots!
> and thus your backups eventually get overwritten with bad stuff.

I use rsync's --link-dest to get Time Machine-like backups so they can't be overwritten through the backup system itself. I don't take the "shut it down" precautions with this system the other person does, though I do have a separate in-place one that's strictly manual (as in I have to physically plug it in to update).

The data being backed up is in tiers of importance or 'frequency of change', and based on this the backups are staggered, some daily, some weekly.

I wouldn't often go a full week without checking some file or other, so I think I'd know pretty swiftly if I got infected with an encrypting ransomware virus - hopefully quickly enough to minimise damage.

I also do off-site backups on occasion, so I could roll back to the last full set of off-site backups - so long as I remember where/when the most recent one is.

My main adversary I'm protecting against is hardware failure, however. I think I run a pretty tight ship in restricting access to data that I'd rather not lose.

Maybe some hubris payback will come visit one day though...

Would you mind sharing abit more about your setup? I would want to set it up like this as well.
It's a bit complex and almost always in the midst of a structural change due to new learnings[0][1][2], so describing it in text will be a bit difficult both to read and write. I am planning to do a nice write-up with diagrams once I get myself a proper platform to broadcast myself (which it's taken me ten years to continue to fail to do, so don't hold your breath).

Firstly, as fbdab103 said:

This right here is the key to backups: triage your data to understand what is truly important.

Know your data, know how often it changes, know its level of importance to you, know what duration of loss you're willing to incur (or are likely to incur based on hardware cost limitations).

Hardware:

  - Primary NAS with large internal storage and matched external USB storage
  - Secondary NAS with same storage size as Primary NAS
  - 2x Servers running Proxmox, each with internal storage enough for their VMs data
  - Spare older hardware from past upgrades (not live, but as redundancy in case of disaster)
Software:

  - Proxmox
  - Syncthing
  - rsync
  - NAS software (QNAP, Synology, TrueNAS, or whatever else)
Configuration:

I have a central store of documents on the Primary NAS, protected by username / password access. Each family member has their own directory.

Mobiles backup photos and videos to a temporary / throw away location on the Primary NAS via a Syncthing docker instance hosted on one of the VMs. This destination is then backed up (twice?) daily using a couple of rsync scripts to separate photos and videos into a permanent location on the Primary NAS.

The secondary NAS has a daily wake up and backup of these 'home directories', photos and videos to both its internal and external storage.

Each VM is hosted on the Proxmox server's internal storage (I used to have all the VM disks hosted on the NAS and connected to Proxmox via ISCSI, but the centralisation to the NAS became an issue when the NAS was lost - see New Learnings 1[0]).

Each Proxmox Server has a weekly scheduled backup of all the VMs to both the Primary and Secondary NAS's, and at least 4 historic backups, in addition to the current, are kept, which Proxmox is configured to manage.

(This is actually against what I said earlier about the Secondary NAS only 'fetching' backups - that's how it used to do it, but this went against the 'purity' of having a direct backup raher than a copy of a backup, which is its own interesting topic: a direct backup is more trustworthy than a copy of a backup because there's less opportunity for data corruption, so the theory goes).

The primary NAS has a weekly backup of these VM backups from its internal storage to external storage.

The secondary NAS has a weekly wake up and backup of these VM backups from its internal storage to external storage.

The secondary NAS also has a weekly wake up and backup of other media stored on the primary NAS, which gets copied to both internal and external storage.

The external storage of either or both of the NAS's can be disconnected and stored elsewhere if I go on holiday, then retrieved and reconnected upon return.

In addition, I do ad-hoc backups to older HDDs and SSDs of different tiers of data, where Family Photos and Videos are probably the most import sentimentally, and financial / household-management documents are the most important practically. These get spread amongst friends and family and are poorly documented (which I need to improve, lest they find said 'spare' hard drive or USB and decide to use it for something far less important).

(I have also recently setup backups for docker instance configuration data, but they're a bit redundant given that these are encapsulated by the VM backups, but it helps me sleep easier to have them backed up separately - these are a weekly script, similarly copied weekly from Primary to Secondary NAS internal and external storage)

[0]: New learnings 1: In mi...

>The data being backed up is in tiers of importance or 'frequency of change', and based on this the backups are staggered, some daily, some weekly.

This right here is the key to backups: triage your data to understand what is truly important. I roughly put things into three buckets

- Priority 1 - potentially disastrous if lost. Financials, taxes, legal documents, and password vaults. The nice thing about most of these documents is that they are immutable and likely append-only (eg you only have one set of 2020 taxes). For most people, this amount of data should be well under 1GB and require only sporadic backups. Which means you can purchase a bolus of $10 thumb drives, encrypt the collection, and leave them everywhere. Mail an annual copy to mom, leave one in your bag, at the office -wherever.

- Priority 2 - anything you created which does not fall into Priority 1. Home pictures, videos, your 1000 half-baked programming projects, etc. Potentially a much larger collection for which a real backup system becomes necessary.

- Priority 3 - everything else which is theoretically replaceable. The archive of music you "acquired", backups of youtube videos, personally ripped DVD collection, etc

(comment deleted)
(comment deleted)
> (bonus question - how to make backups safe in age of encrypting ransom ware).

This is actually a solved problem, with many solutions. In a nutshell, you need a system that has enough space to make many enough copies without overwriting the ones that are too fresh. It also must not be controllable by the host that you backup but this is kind of obvious.

> how to make backups safe in age of encrypting ransom ware.

Versioned, offsite backups. For instance, if you have a database in an AWS account:

* Give the backup process write only (I.e. no delete permissions) to a GCP account.

* Create the backup in AWS and timestamp it

* Copy the backup to GCP using the above permissions.

* If you want to be more secure, copy the backup to a USBHDD (daily/weekly) and unplug it.

> Give the backup process write only (I.e. no delete permissions) to a GCP account.

I've looked into this before, and it is just not that easy. "Write" is delete, for most cloud storage systems, for the practical purposes of trying to keep a backup safe. (I.e., you might not be able to delete a blob in some bucket, but if you can write to it, you can just overwrite it with 0s.)

"WORM" (write-once read-many) tends to be the term to search / gets the right documentation from most providers. In GCP's case, it appears to be "set up a retention policy", and that's similar to my experience with other providers. These bring their own set of problems.

That said, encrypting ransomware isn't going to magically determine where your backups are, and for most orgs, having the backup at all (and having it tested) is the priority, not the whole WORM thing.

(Orgs, IMO, also tend to get really uppity about having "database" backups, where "database" == {MySQL, Postgres, etc.}. But then there will be an S3 bucket that also has a bunch of data in it, and that never gets backed up, and nobody even questions that. And half the time it seems impractical to back up, too, due to a mix of cost and S3's design.)

> Today, when my laptop has millions of files and each website - even hacker news - could inject something malicious and my surface is so broad (browsers applications extensions libraries everything) and virtually anything I do involves network connections... I just don't have the confidence.

It doesn't matter how many files your computer has and how many millions of lines of code it runs. There is a concept of Trusted Computing Base (TCB), which is the part of the code that you have to trust.

In Qubes OS it's only about a hundred thousand lines, and doesn't include any browser. The key is security through isolation.

You run your browser and network in virtual machines and assume that they are compromised. You keep your sensitive files in an offline VM.

You mean the case when ransomware encrypts your backups themselves? Normally they skip encryption of executable files, so you can hide backups like that.
I try to follow what others already mentioned, but still, for any personal high-security stuff I use a device whose OS puts strong limits on apps, like an iPad.
The biggest thing is being deliberate about your threat model. Who would want to get onto your systems, and how much do they care about you in particular?

From there, take appropriate actions. For the vast, vast majority of us, that means using good passwords, updating software, and not running weird things from the internet.

If you’re worried about 0 click RCE in Chrome/Windows/iOS, you either should be getting better advice from folks outside of HN, or are being unrealistic about who is coming after you.

You don't. Treat your personal machine(s) as compromised by default and take it from there.
There are two levels here: compromised by some national agency vs. compromised by anyone else.

For the former, I don’t assume anything especially since I’m not an American citizen. I still believe with some certainty that my iPhone is safe from the government but not 100%

I don't. I am real picky with downloading software for my personal machine and I sometimes explore with process explorer and I run sketchy stuff in a sandbox but I don't trust that my personal machine is not compromised.
Bios? I'm not sure I can ever be certain.

For the rest, I run a pretty esoteric setup (compiled-from-source custom configured linux kernel with no binary blobs; all software compiled from source, with no exceptions; aggressive, burdonsome-to-me privilege separation; chroots and VMs for various degrees of potential threat; etc). I have no illusions that it is perfectly safe. What I am comfortable with is that, in order to compromise me, you would have to know a lot about what I run and how I run it. I believe that I would have to be nearly individually targeted to extract any useful data from my machine, and that I am not nearly a valuable enough target for anyone to do so. I think you would have to be a state-level actor or someone with similar capabilities to compromise me, and none of them would care enough.

My security paranoia stems from extremely sensitive work I did as a lawyer long ago, but I am now so used to it that I carry on as a scientist, even though my current work is not nearly so sensitive (if at all). I give up a lot of convenience and some functionality to operate this way, so it is not for everyone. I am not an adversary to anyone, so outside state actors surely don't care about me. And my own government can just get a warrant and knock on my door, so they don't care about me either.

Embedded device firmware besides the bios is probably my main vulnerability, but if you're successfully getting at me through my hard drives or mouse, then I was surely an incidental rather than actual target.

I'm genuinely curious: Do you check/audit the code you compile and run on your machine? Going with the assumption of "no": How is it then different than downloading a prebuilt version from an official source?
It feels like a cargo cult approach to the problem. "I'm safe because I compile from source" is an absurd statement when a million LoC is involved.
The linux kernel is much more than a million LoC. Closer to 30 million.
If anything I think this underscores the parent comment - open source is not inherently more secure than closed, it just adds another potential avenue (source code audit) to ensure security.

If nobody actually audits the source, and the closed-source binary has had other types of testing done on it, it's likely that the closed source binary will be more secure.

Yes, my comment was in support of its parent. If reading a million lines is hard, reading ~30 million is harder.
Much of that is drivers that may be disabled if not needed for current hardware, narrowing the audit scope.
I should say, I will run binaries on VMs and feel very little threat from doing so. The "with no exceptions" referred to the main host OS. I should have been more clear about that.

To answer your questions, oh hell no; definitely I do not audit source code myself. Though I have rarely. I do it this way, and it is different enough for me, because someone could audit the source in theory. If someone did audit and found a security problem, then I could check to see if my source was also compromised. If I install binaries, then I might not ever be able to know if my binary was compromised. Maybe someday if reproducible builds are guaranteed to be bit-perfect, then I would use binaries from reputable sources, but that would only happen in the case where third parties are compiling from source and affirming the reproduction. In that case, why not just compile it myself?

Developers who publish compromised source are going to get burned. Developers who publish compromised binaries are going to say, "omg we must have been compromised by someone else." Obviously it is possible for third-parties to compromise source, but I'll go with what I see as the lesser threat.

If the cost of compiling was high, then that might make a difference. For me, the cost is negligible, which makes it a no-brainer for me.

I think for hardware level code and things link bios the only way is to trust the manufacturer. You could also trust the manufacturer but if they are not large enough to have fully vetted and trusted vendors then you're back to square one. So I think only in this sense it says something about the high degree of security of devices made by Apple.
How does one achieve such security?

Are there guides you found helpful?

QubesOS may be less cumbersome if it works for your use case.
Like others here are saying, you can never be 100% sure. But that doesn’t mean there’s nothing you can do.

If you’re worried about the impact to your broader organization (which is what most of the sophisticated threats tend to target), you should think about risk mitigation through the Swiss Cheese defense model. Each system is inevitably going to have holes, but layering them on top of one another will incrementally improve your coverage.

For instance:

- Your team should be trained about phishing attacks. But inevitably some will get through, so…

- You should implement 2FA in case a password is compromised. But a threat actor may be able to capture a 2FA-passed SSO session token, so…

- Production access should be limited to a small number of individuals. But even they might get compromised, so…

- You should programmatically rotate credentials to make old leaked credentials useless. But a newer one might be captured, so…

- Data should be sufficiently encrypted at rest and in transit, and…

- Your team should have an incident management system and culture in place to quickly respond to customer reported incidents and escalate it to the right level and…

- Audit logs should be tracked to understand the blast radius in case of compromise - and so forth

When you look at incidents like CircleCI and LastPass, a good security organization will understand that there was more than just one point of failure and should talk in detail about how they are shoring up each level.

Exactly this. Security is more about about defense-in-depth, incident response and recovery planning.

Personally, I assume the hardware is already compromised and plan for recovery accordingly, starting with the worse case scenario. Then, I ask myself "If this thing isn't compromised yet, how can I help it stay so?", starting probably with the network access, through firmware, all the way to the browser.

BIOS/Firmware: I just do, if I am compromised then I won't find out anyway.

OS/app level: occasional AV scans, though I don't trust clamav as much as I trust Windows antivirus.

I should really properly set up secure boot on my desktop to make rootkits harder to install, but Linux and secure boot are just too much of a kludge.

Some OS mitigations:

  All: patch, encrypt, backup, track power, isolate workflow by device/VM
  Network: router with OSS firmware, workflow segmentation, reduce wireless
  iOS: (>A12 SoC) Lockdown mode, Brave w/o JS, daily reboot
  iOS: periodic reinstall from DFU mode, Apple Configurator / MDM policy
  macOS: hardening script based on workflow, outbound firewall
  Windows: Secured Core device + SystemGuard + App Guard VM isolation
  Windows: HP device + SureStart (f/w check) + SureClick (browser VMs)
  Linux: vPro device + QubesOS with Anti-Evil-Maid 
  Linux: generic device + non-persistent LiveCD OS image
I always assume my personal machine is compromised.
I run the latest betas of macOS and iOS which means I get exploit breaking changes as soon as possible. I keep all the security mitigations on my mac enabled (SIP, secure boot, etc.) which helps makes a variety of exploit flows and persistent compromise difficult.

But random malicious code in user space? Well, I really just hope for the best :)

Note that betas sometimes fall behind public releases when it comes to security patches.
Ugh, I suppose you're right. They do seem to skip the beta pipeline for ITWs. I wonder if this has changed now that they're leaning on "rapid security response" patches for critical vulnerabilities, which betas do get, and so hopefully there's parity now. I should dig into this, pretty sure there were a few RSRs recently and it'd be neat to verify that a) betas got the same bugs patched and b) the RSR went out to beta and release at the same time.
I don’t. Not sure why I’d do that. I find the risk acceptably low that it is. But more importantly, I don’t have any reason to fear that it is.

So I trust that regular caution and OS security reduces the risk to an acceptable level but mostly I don’t fear anyone reading or destroying my data because I have backups and it’s not sensitive. Sure it would be scary from an integrity perspective, but not in any other sense. Even constant access to my machine and everything I do wouldn’t be a big risk.

So if I’m affected by a ransom Trojan (most likely scenario), I’m happy to just wipe my machine.

I’ve been fairly comfortable since I moved to Mac’s - maybe I shouldn’t be so comfortable but I do mind what I click and open
Hmm, actually, my aging Mac always asks me to install something whenever I connect my newer iPhone - I don’t like that at all, it’s not at all what I’d expect from an apple device, but I always am coming to realise that apple devices really aren’t what they used to be - quite sad