- How we could do it better now
- General safety
- Search engines
- Defeating browser trackers
- Minimising tracking of your purchases
- Social networks
- VPNs and encrypted networks
- A separate browser for every privacy suck
- Doing various other things with a modicum of discretion
- Other confidentiality-violating things
- Going deeper.
- Infosec for normal people
- Getting old school
- Academic stuff to read to stay paranoid
- Politics of privacy
TODO: Revise this for Australia. where it is illegal for companies to sell encryption without spyware, and where it is illegal to confess to the spyware. Information in Australia is accessed freely by an unaccountable surveillance apparatus. No worries, mate.
How to maintain confidentiality; the twin to politics of confidentiality. Also known as privacy, if you are thinking about your on data, but that’s a little selfish now. Every time you reveal a secret about yourself, you are also revealing a secret about whomever else is involved, which is a bigger thing.
This is about keeping your exposure to legal surveillance minimal. illegal sureillance is a separate thing.
If you want to know about my unsavoury habits you can just ask me personally; I live in a somewhat-liberal sorta democracy so it’s no biggie if I get up to things that are OK in Australia even if they aren’t elsewhere.
However, if people tell me their secrets that is a different matter. I don’t want my confidantes’s sexuality, personal tragedies or commercial secrets blurted all over the internet. Maintaining the confidences people have placed in me is a serious business.
So, how not to be a shit confidentiality friend: tl;dr Security Planner will walk you through this. Or if you want to feel fancier, Andryou’s beginner-friendly tools or Quincy Larson, How to encrypt your entire life in less than an hour.
Technoconfidentiality is difficult and tedious for our monkey minds to get a handle on. However, it’s not too hard. The trick is, don’t get hung up on thinking you are some kind of secret agent who needs to hide from the NSA. If the NSA cares about you, you are not my target audience; I’m sure someone else in your concrete bunker is way more expert than me anyway. I am sure the NSA are a bunch of shits, but they probably aren’t going to harass you personally unless you are in a very unfortunate geopolitical situation. If you live in a repressive state, I wish you all the best, but don’t expect to get actionable advice from an article I maintain to persuade my mum to protect herself from identity thieves and my friends to stop giving free information to Facebook.
Instead, for us normal people, the rule should be: Start by not giving your information away for free to everyone. And don’t simply surrender because it’s too hard: That’s just doing what big business wants you to do..
And don’t give up because you have ‘nothing to hide’; I can’t be arsed making this argument; many others have. Short version: Even if you personally had nothing to hide, and if you were so committed to leading such a facile insipid life that nothing you have ever done will ever offend anyone with power over you then you still don’t have the right to make that call for your loved ones. Your friends and family don’t deserve to have you spraying their personal histories over the internet for them.
That said, just because I’m talking about what our attitude should be as informed consumers of the addictive drug of single-serve online socialising, doesn’t mean I’m blaming Jane/Joe Public for not getting it right. As long as corporate social networks are permitted to harness their heady blend of plausibly-deniable social engineering on the vulnerable, we are all put at greater risk.
Case in point: A friend of mine just showed me his facebook profile public link before friending me; on open, public display to anyone who googled him, were pictures of his children, his home, his friends, a dying relative in hospital with confidential medical information and records in the background; With his well-intentioned, sociable handphone wielding he has voluntarily compromised the privacy, and credit-worthiness of his cancer-afflicted aunt.
This kind of thing is tricky. How do you stop friends with crappy privacy hygiene? Privacy is a weakest-link kind of concept, and as long as Facebook can rely on a reasonable fraction of the population voluntarily and unconsciously selling the rest out, we are all compromised. I know that everything I do in front of my aforementioned friend will be obediently tagged and put on public display for the use of not only facebook but any passing mobster, data miner or insurance company. The thing is, it is not sufficient if privacy-violating companies are able to get away with it if in principle experts could avoid some of the pitfalls; Social media is a habit-forming drug that potentially transmits ailments such as credit-score-risk, misinformation and confidential data breaches.
Is it consistence particularly consistence stance to regulate, say, alcohol tobacco and gambling but not social media usage?
This is leaving aside the question of companies who sell your information no matter what you do) or government-business alliances that accidentally leak your information.
Anyway, with blame for the abuse appropriately apportioned to the predators, let’s get back to what we, the victims, can do by taking what responsibility is available to us to take, for all that it should not be required of us.
Right now, if you are a typical internet user, you are walking around with no pants on online. Everyone can see your junk. You don’t need to wear a tinfoil hat to hide your junk, not if your anatomy is anything typical; you just need to put some pants on.
This enpantsing will be more tedious than we’d like, because the world is badly designed, but let’s start with what’s achievable, and work towards making it easier next time, eh?
How we could do it better now
So, some baby steps towards a healthier privacy regime. I am going to list some techniques that have aroused my attention. Later I will triage them according to how urgent is the priority of the privacy leak they plug and how onerous to handle; e.g. something like:
first keep my credit card details out of the hands of the mafia, then
keep gratuitous personal data out of the hands of unscrupulous corporations, next
keep nude selfies and pony tail pics out of the hands of potential employers
keep personal data out of the hands of prying foreign security agencies
keep personal data out of the hands of prying local security agencies
These reflect my personal needs; if you are actually a person of specific interest to state security agencies, or a mafia credit card thief, you will probably have different ones.
Of course, these do have relations to one another. How can you keep your data secret if a state actor is compromising the very hardware of the servers that store your information, or just network security in general is shit because of terribly and ubiquitous decision.
Practically, first step, I would like to minimise the amount of information complete strangers get about me for free. For example, I would prefer the mafia not to be able to buy stuff with my credit cards, I’d prefer my personal relationships are not used sell crap to me, I’d prefer not to release those awkward photos from when I had a pony tail.
Broadly, some stuff I’d like to keep private, some stuff I’d like to share, and some stuff, I’m happy to share for the right price to vetted buyers; I want to assign my personal information to the correct publicness categories, and at a better price point. And by “better”, I mean, “not selling off the foundations of functional democracy for all future times to unaccountable interests for a few dollars a year,” which seems steep for kitten pictures.
Don’t leave your computer unattended, because things like PoisonTap mean that anyone who can get to your USB port can log on to your websites.
Prism break is a chaotic list of solutions. Excellent reference, although it really needs to incorporate some idea of how popular their suggested solutions are; after all, most of these things are only of any damn use if your friends also use ‘em.
Currently leaking info. See DNS servers.
You don’t want large search businesses to know what you are searching for?
search engines in general
disconnect anonymises other search engines from their servers
Advanced: run your own search anonymiser:
trackmenot is an interesting solution - it generates random bullshit search queries on your search engines to muddy your user profiling, much like noiszy, mentioned below, does for your news consumption.
Defeating browser trackers
You don’t feel like doing free market research for large multinationals, spilling your friends’ secrets, or facilitating Cambridge Analytica voter manipulation? Good-o, reducing that somewhat is easy.
I really need to tidy the info about these up a bit and explain, because they are so simple and so useful.
Firefox, Multi user container makes separate mini-browsers for each social app so they each live in their own solipsist universe.
Privacy badger is an open source non-profit low-configuration blocker of tracking advertisers
Ghostery disables most of the social media spyware, although its a little opaque.
ublock origin offers fancy script blocking for the obsessive compulsive.
scriptsafe offers aggressive no frills script blocking.
Fuzzify automates and monitors clicking on the “delete my ad data” button in facebook.
HTTPS everywhere is vexing. Every browser should implement this functionality, of being secure by default instead of writing your passwords on the lawn in big letters anytime someone asks. That’s why it’s annoying that you have to install a plugin to make it work. And, worse, a horribly memory-hungry plugin.
torbrowser bundles all the ad-blocking conceivable, although it also makes browsing unpleasant and slow. There is some kind of lesson there, idk.
Left-field solution idea, make your browser do random stuff to hide what you are doing deliberately. Random noise generators attempts to make your browsing data useless to trackers, by making your browser visit lots of nonsense sites, confusing the paper trail.
Minimising tracking of your purchases
Whole other complicated story, TBD.
Se Social media if you must.
VPNs and encrypted networks
See VPNs etc.
A separate browser for every privacy suck
I use a Single-site browser to access Facebook because
Otherwise Facebook would know even more about me than they do
Facebook is a blackhole of timewaste that I don’t want to browse to by accident, so I should make it slightly more difficult for myself.
You can do this too, for social media, or for whatever other website you wish to.
The Browser UI is very minimal, just a toolbar (with site tabs) that disappears in Full-Screen mode.
MacPin apps are shown in OSX’s Dock, App Switcher, and Launchpad.
Custom URL schemes can also be registered to launch a MacPin App from any other app on your Mac.
So, minimal browserlets.
Fluid.app (OSX). No longer recommended because it’s unmaintained and obsolescent. The free version doesn’t isolate your workspace. I reckon the fee for the paid version (USD5) would be well worth it if it were maintained.
Doing various other things with a modicum of discretion
You need one. See passwords.
See transferring money.
See Synchronising files.
Other confidentiality-violating things
Which android phones do not leave gaping unpatched security holes?. tl;dr - Google, LG, then everyone else.
Running your own server? See secure web servers.
Use a paranoid, very secure OS such as Qubes, which can even weather certain BadUSB attacks.
You should be approximately aware of the nasty things that people can and will do to your computer. Don’t do them yourself.
Cracking 1024 bit DH keys
sigh. NSA is reading your comms with keys shorter than 2048 bits.
researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. […] In this post, we present some practical tips to protect yourself from the surveillance machine, whether you’re using a web browser, an SSH client, or VPN software.
You also need to secure ssh.
Blackhat USB port business to be aware of
Malware: Poisontap, lanturtle usbarmory…
countering it? USG.
Infosec for normal people
Infosec is hard for the same reason as ethical consumption is hard: other people bear the costs of peoples’ bad behaviour. Leavin ghtat aside, what can we do?
- Projects like keybase attempt to do it better, identifying people with their social media handles and leting those neworks do the grunt work. See how to encrypt things.
- Keybase also offers host proof git.
Getting old school
Academic stuff to read to stay paranoid
- Genkin, D., Shamir, A., & Tromer, E. (2013). RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Cryptology ePrint Archive, Report 2013/857, 2013. http://eprint.iacr.org. Online.
Yes, that’s right, deducing your password by listening to your computer. But it gets worse:
Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.
Maybe don’t read this if you are working on reducing your background paranoia.
- Roth, A. (2014). The Algorithmic Foundations of Differential Privacy. Now Publishers. Online.
The mathematical foundations of doing stuff privately. I hope someone else is reading this so that I don’t have to.
- Sarigol, E., Garcia, D., & Schweitzer, F. (2014). Online Privacy as a Collective Phenomenon. arXiv:1409.6197 [cs]. Online.
Your friends have already disclosed secrets about you by disclosing they know you on social media, secrets that will be further disseminated by random grad students in Switzerland when the social media company you entrusted with this information goes bust.
Politics of privacy
See the quantified other.
I2P seems to be hot right now
freenet is somewhat hot