not an expert
100% security is not possible
- these methods are like "locks on the door", designed to deter 99% of the population
- if someone really wants to break into your house, a lock won't stop them
- but you can make it really hard and not worth their while
- and it increases the per-capita cost of mass surveillance
(multiple paths and increasing cost diagram)
if you have a serious need for cryptography (i.e. activist/journalist), talk to orgs like EFF, Tactical Tech, AccessNow
- security is a process
- not something you install
- it's something you do
tangent: zero-days
crypto is inconvenient. why?
one scenario:
- you have a message than you want your friend to receive
- an attacker is trying to intercept your message
- how do you get your friend the message without the attacker seeing it?
- you and your friend each have a lock and a key for that lock
- you put your message in the box, lock it, and send it to your friend
- your friend puts their lock on and sends it back (so it's double-locked)
- you unlock your lock and send the box back
- your friend unlocks their lock and sees the message
threat modeling
who are you defending yourself against?
e.g. a hacker in a cafe is very different than the NSA
some real-world scenarios
- public wifi (man-in-the-middle attacks)
- stingrays
in the case of public wi-fi, encryption helps.
it helps in the stingray case but police can still collect metadata about your phone, identifying you at the protest. in some countries that's enough to get you in trouble.
in that case, leave your phone at home, or get a burner.
security is not just about computers
there are other ways of getting sensitive information
- legal ways: e.g. national security letters
- you need keys for encryption. if facebook has those keys, the gov't can send a NSL and get those keys and your crypto doesn't matter
- social engineering:
- "the easiest way to get info is to ask"
- "walk fast and carry a clipboard and you can get in anywhere"
- example: @deray twitter hack
- carelessness: e.g. going to the bathroom and leaving your computer unlocked in a public place
- trust:
- you can't cover all your bases
- you're not in control of every service you use
- "do I trust X?"
- but sometimes this isn't enough. maybe you trust apple's icloud but that got hacked anyways
HTTPS/SSL
protects against:
- attacks on open/shared wifi
what to do:
- install HTTPS Everywhere (Chrome & Firefox)
VPN
protects against:
- attacks on open/shared wifi when HTTPS is not available
- can provide browsing anonymity (depends on who the VPN provider is)
what to do:
- install a VPN like TunnelBear (free) or AirVPN (recommended, what I use)
Password managers
protects against:
- creating weak passwords
- forgetting passwords
- drastically decreases the attack surface
what to do:
- use a password manager (e.g. 1password, keepass)
- don't repeat passwords
- avoid common patterns
- generate complex passwords with a password manager
- if you hear about a breach on a site you use
- change your password for that site
- change passwords on other sites that use the same password
tangent: password hacking
2-factor authentication
protects against:
- if your password gets stolen, it's not enough for the attacker to get in
what to do:
- set it up on any site you use that has it available (esp. gmail, twitter, etc. check https://twofactorauth.org)
- use Authy instead of SMS 2FA so that you don't need a phone signal to login
Signal
protects against:
- SMS messages from being intercepted
what to do:
- install Signal on your phone
other topics we probably won't have time for
- email encryption with PGP
- (I haven't found an easy way to do this unfortunately)
- keeping track of PGP keys and verifying identities with keybase.io
- Tor
- hard-drive encryption with LUKS (linux) or FileVault 2 (OSX)
- phone encryption (built-in to Android, though you may need to turn it on, on by default in iPhones)
- ad-blocking (install uBlock Origin)
- drive encryption with VeraCrypt (tangent: TrueCrypt)
some other great resources:
- A DIY Guide to Feminist Cybersecurity
- Surveillance Self-Defense (EFF)