I do not think signing up for a commercial VPN service is a good plan for improving your security or privacy, nor do I think using Tor Browser is particularly smart. This seems like a security checklist compiled by someone who has read a lot of popular writing about security, but hasn't consulted very much with security people.
By comparison, the Tech Solidarity checklist is the result of a survey of a bunch of different security people and is both generally more sophisticated and sound than this checklist and also manages to be a little shorter (in word count):
I feel like this has some conflicting advice. Use Gmail but don't put sensitive information on Google Drive, but do use Chrome?
> Do as much of your work as possible on an iPhone or iPad rather than on a laptop. Use a bluetooth keyboard for easier typing.
Is that serious? I mean sure, iPhones and iPads are generally less prone to viruses and such, but I feel like it is generally safe to use computers, and if you do other things on this list you won't end up with an infected computer. In addition, if you are doing most your work on these, it is almost guaranteed that all the information is going to be sent to iCloud / another apps 'cloud'.
* Google Mail is, for most people, the safest email service, with the most mature and comprehensive 2FA, direct connectivity to GDocs to make viewing attachments safer, and a gigantic security team. Note too: this guide also suggests avoiding email as much as possible.
* If you work with sensitive documents (this checklist was originally devised for journalists and the airport lawyers), all the cloud drive services (not just Google Drive) are a bad idea.
* Chrome is the safest browser with the most mature and reliable anti-exploitation hardening and the most responsive security team.
* iOS devices are, for most people, far more secure than computers, which aren't locked down at all and for which any kind of local code execution is almost invariably game-over all the way through the kernel, and at least game over for all of the user's data. Most computer users are never more than an errant couple of clicks away from losing their whole machine to an attacker, which is not the case for someone reading their mail on an iPad.
I feel like there is conflicting information still.
> Google Mail is, for most people, the safest email service, with the most mature and comprehensive 2FA, direct connectivity to GDocs to make viewing attachments safer
> If you work with sensitive documents (this checklist was originally devised for journalists and the airport lawyers), all the cloud drive services (not just Google Drive) are a bad idea.
So is Google Drive a good idea or a bad idea? Maybe for normal people Gmail is good, but in the next point you say this list is for journalists and airport lawyers, wouldn't you advice them to use something more secure like fastmail/proton mail, or if you are serious, your own mail server or something? Why does this list not talk about TOR / PGP, the most fundamental tools for security for journalists?
> Chrome is the safest browser with the most mature and reliable anti-exploitation hardening and the most responsive security team.
I don't think this is true at all. What is wrong with Chromium or Firefox open source alternatives? Why doesn't it mention things like no-script and ublock origin?
> iOS devices are, for most people, far more secure than computers, which aren't locked down at all and for which any kind of local code execution is almost invariably game-over all the way through the kernel, and at least game over for all of the user's data. Most computer users are never more than an errant couple of clicks away from losing their whole machine to an attacker, which is not the case for someone reading their mail on an iPad.
My fundamental problem with this is that if you are going to be doing things on an iPad you are almost certainly going to be using cloud services. Weather it is Google Docs or Pages or Word or anything, it is very difficult to keep things 'local' to your hard drive on a iPad, where on a computer with dropbox it is much more clear that files in there are going to leave your computer.
First, no, I would never advise that anyone use ProtonMail, and if your primary objective is to gain security, I wouldn't recommend FastMail. The comment you're replying to provides the reasoning for that.
For most people, including technically inclined people, running your own mail server will almost certainly lose you significant amounts of security.
If you deal with sensitive documents like legal artifacts in immigration cases, you want to have control over which of your documents wind up in the cloud and which you retain custody over. So while viewing attachments in the cloud is very good practice (viewing them locally is a good way to get owned), running a service that generally slurps your local drive (or big chunks of it) into the cloud is not a good idea.
If you want to run a Chromium build rather than Chrome, that's fine.
I provided the reasoning for preferring iOS devices to general purpose computers already. The additional concern you just added doesn't come close to offsetting.
I'll add, though this isn't in the Tech Solidarity checklist, that if the goal is commercially reasonable security and not security in the public interest, Chromebooks are another good option for end-user computing.
So if I follow all this advice, how am I supposed to receive or send sensitive documents?
> If you deal with sensitive documents like legal artifacts in immigration cases, you want to have control over which of your documents wind up in the cloud and which you retain custody over.
This is incredibly easy with Dropbox or Google Drive. Everyone I know who uses these services has an intuitive knowledge for 'stuff in this folder goes in the cloud', and if they wanted to keep sensitive data off it they would know exactly how.
I am on an iPad, so no mature options for encrypting it myself with pgp or something really exist. I shouldn't upload it to a cloud service (although chances are that it already is, because pretty much every iOS app uses a cloud of some sort). I shouldn't email it. I can't plug in a physical usb device because iOS doesn't have File reading access to. I guess I convince everyone to use Signal? That is pretty impractical for 'normal' people to convert everyone over to their own messaging app.
Also, on your phone, what browser do you use? Chrome? Well, not really because it is all webkit under the hood, so you are going to be using Safari no matter what.
That's correct, we're not suggesting people use Chrome on their iOS device (but is a good question and a super common bit of feedback we got doing training for this stuff with end-users, who assumed that's what we meant). The subtext for the Chrome recommendation is "that's the browser you use on your general-purpose computer". WebKit on iOS benefits (imperfectly, but vs. a general-purpose machine it's probably a wash) from iOS's built-in application sandboxing and security controls.
Regarding sharing of sensitive documents: if you have to do it over the Internet, use a secure messenger to do it. Email attachments are probably the second most dangerous attack vector facing end-users (after phishing). That's why we tell people to use Google Mail; attachments open in their browser viewer and are rendered Google-serverside.
You don't need to convince everyone to use Signal; it's adequate to use WhatsApp, which, again, is already one of the most popular messaging applications in the world (this is one of the reasons getting Signal Protocol baked into WhatsApp was such a monumental achievement).
The "conflicting" advice is to be expected. I can easily imagine someone putting Sony headphones on a "good options" list but the same person saying under no circumstances buy a Sony CD player. Brands are not a monolith.
In the particular case you mentioned they aren't picking on Drive, they're saying that if there are copies of your messages that's less secure in the sense that now somebody could get those copies, not the originals you have. Doesn't matter how, write an NSL, break into a server, trick a customer services agent - the problem is you allowed copies to exist, so it's not that Drive is specifically bad but that you shouldn't use anything at all.
For the iOS reliance, I personally wouldn't do this but I can see the sense of the advice. Full blown personal computers are not easy to secure against unsolicited garbage, why take the risk?
This is much more geared towards privacy then security. From a security standpoint there is nothing wrong with using google search or email, but it is obviously not very private. I suppose it also depends some on your threat level. For someone committing crimes, is much more worried about law enforcement, tor or similar is a good idea. For someone trying to avoid hackers it doesn't get you very far.
Mmm. Maybe it's off their mission, but the first thing I expect somebody serious about security to think about is the question: What exactly are we trying to achieve here?
That Tech Solidarity checklist does say who it's for, which is a start, but it doesn't tell them what it's aiming to achieve for them if they follow the advice.
For example, maybe WhatsApp makes the list because it uses the Signal protocol design and they assessed that this was especially resistant to attacks on the confidentiality of individual messages. Or, perhaps they felt WhatsApp would protect a journalist's sources especially well due to the large volume of other WhatsApp users acting as cover for any analysis. Maybe they felt the method users follow to confirm that there's no MITM was better (easier to use, better documented) in WhatsApp than competitors, or maybe they felt its owners were more likely to tell the FBI to fuck off if they turn up with a warrant.
I don't think I understand any of this comment. WhatsApp is on that list because it's one of the most popular messaging services in the world, lots of people already use it, and it uses Signal Protocol. (I was "in the room" while this was being drafted).
To the extent that's true, his argument is with the author of the article we're commenting on, not the Tech Solidarity list, which is actually much clearer about its threat model.
I don't love that recommendation, but would have a hard time arguing that bluetooth keyboards with iPads are less secure than any desktop OS with a wired-in keyboard.
Creator here - thanks for bringing this up. I was concerned about the message here as well. I'm not getting paid for that ad. I had a couple companies offer sponsorship of this list, but I decided to not pursue. In the end, 1Password simply offered this discount to visitors. For me this felt like the best thing I could do from a user experience point of view (switching to a password manager is hard for most people, and giving the extra nudge to do something really important for their online security might just do the trick) and from an ethical point of view (I'm not getting paid, and will continue adding competing password managers to the list).
How do lesser known all-in-one password managers like BitWarden compare to the more mainstream options? I specifically picked them when migrating from KeePass because I liked that they were open source and that I could create my server instance if I wanted.
If someone hacks your webcam, they probably installed a keylogger as well and helped themselves to whatever files you have, etc. In other words, if that happens, you have a bigger problem.
You should of course not be using a compromised laptop. Covering the light that goes on when they activate the camera would be one of the few signals that something like that is up; that is of course assuming they did not manage to disable that.
Otherwise solid list.
I'd add a few items:
Plan for the worst and have a contingency plan for breaches. E.g. have a list of phonenumbers handy that you can call to get cards blocked, critical accounts that you need to verify the integrity off, secure backups of essential documents, etc. Also consider what can happen to you when you travel. Phones, laptops, etc. get stolen all the time. Hardware tokens are easy to lose. Bags get stolen, etc.
Keep your 2fa recovery codes in a sane place where you can access them but no-one else can. An encrypted file on a drop box folder with a sufficiently strong key might do the trick.
Be careful with paper copies of anything. Burglaries do happen and in case you are targeted, this may be the most valuable thing to steal in your building.
Require passwords to be entered whenever you access your password manager or 2fa app (e.g. authy). It only takes a few seconds to access your password manager if somebody gets their hands on your unlocked device while you visit the restroom or grab a coffee.
Have an aggressive screen lock policy (it should be locked whenever you are separated from your laptop/phone). Many devices have all sorts of convenient features that boil down to them being unlocked when they shouldn't.
I used to think this way. Its not an accurate assessment of the situation. Its not about code execution on the OS leaking access to the camera, its that Spyware browser you use grabbing the camera via its js APIs. Malversting; Video Conf Apps; Browser Bugs. Don't take a nihilistic view on the Camera cover. Its saved folks from embarrassment many times.
I cover my webcam because a lot of conference software starts it up by default and I'd rather know that it's black even if the camera is on. Not really "my computer is hacked" kind of threat but more casual privacy for a real and repeated scenario.
Total side note and blatant plug but if people are interested in open source checklists and lessons on digital and physical security (from how to send a secure email to how to detect physical surveillance) checkout Umbrella Security, a free open source app we built. It’s on Google Play and you can find out a bit more at https://www.secfirst.org. iOS and totally new version due out in Feb!
I’ve always thought that if someone gained the ability to surreptitiously capture my devices’ camera feed, I have bigger problems than just my image getting leaked or used as blackmail (because that would necessitate something blackmail-worthy). Also, they’ll get some pretty boring pictures. What else should I consider here?
It's hard to know what kind of information could leak in advance. It gives the attacker more information on your surrounding. They could take mug shots to craft a fake profile. Or maybe see a credit card flashing by... it doesn't have to be blackmail-worthy material necessarily.
Granted, if the attacker can access the webcam then most likely your system is compromised, 1password is compromised (including the 2nd factor as advertised on the site), so you might have bigger problems already. It all depends on the intent of the attacker.
I came here to write that exact comment. If I don't trust my computer to not be infected, I should not use it at all. Having someone watch me picking my nose is far less privacy-invading than someone accessing my photo library for example.
Where does disabling javascript fit into this picture? I was interested to notice that I had to create an exception for this site to enable 1st party javascript in order to be able to read their security suggestions.
Am I making my own life harder than it needs to be by having a default setting to block all javascript? I use uMatrix to quickly enable javascript for each site that requires it.
No. 3 months ago I started using NoScript and my life has gotten so much easier on the internet. I hate it less now. Usually you can get away without Javascript, and if not, it only takes a second or two to fix. The biggest risk is Javascript. You are literally blindly executing code somebody else wrote on your compute for a website you may or may not trust.
One thing I would like to figure out is how can I 'trust' JS for google on google maps (required to work), but4 not anywhere else? It seems like Noscript is per domain but not based on what page you are on.
>>The biggest risk is Javascript. You are literally blindly executing code somebody else wrote on your compute for a website you may or may not trust.
I understand why you used this language, but I think it's worth noting that, unlike blindly executing a program on the operating system itself (such as by running an .exe file you receive via email, torrent, download, etc.), you are executing a script inside a program that is, or should be, sandboxed. So, even though something can still go wrong, the potential impact is a lot smaller.
Yes, that is true in a certain sense, but for example, a lot of fingerprinting can happen with information gleaned via javascript. Granted, having javascript turned off is also a way to finger print poeple.
Frankly, most web pages should not be interactive in any way. There is very little gained by using javascript on pages you aren't interacting with, and a whole lot to lose.
I compromise often with NoScript, but it changes the way you think about running code on your computer. Block first, and adjust later is a good approach for me, especially because I only visit a few of the same sites regularly. On new sites, I definitely do not want any type of javascript being run.
This is about risk assessment. Most vulnerabilities in browsers are either in JS or in media support. Pure-HTML+CSS exploits are rather rare these days. Therefore, disabling or limiting JS and media reduces risk drastically.
We are not disagreeing? What I'm saying is that not all "blind code executions" are the same. The distinction between running an exe file on the OS and running a script inside a browser does matter, for risk assessment.
I'm disagreeing on "the potential impact is a lot smaller", because we have seen time and time again that executing a script in a sandboxed environment can quickly turn into running machine code with the user's privileges instead.
The problem with stuff like uMatrix (not specifically, but in general) when compared to Google services is that large, bureaucratic services have oversight where more than one person is responsible. Small services based on 'trust' rather systematic checks and balances (maybe rotating staff, management oversight) get compromised when guy's (sole dev) buddy asks for 'a favor'. You have these niche, word-of-mouth trust system that are anything but trustworthy when there is really nothing to stop a small group of devs doing 'favors' for each other because their morality is more based on personal philosophy and personal networks than anything objective. This used to be known as corruption, but I think that term has lost all meaning.
People always go on about covering up your camera, but what should I do about my hardwired microphone? I'm vastly more likely to say sensitive data out loud than I am to mime it out or write it down and hold it up on a sign.
Since I realized that I never actually use my laptop's built-in camera or microphone, I disabled them both at a bios level and made sure that the necessary drivers are not installed. If I need to get on a video or voice call with my laptop (once in a blue moon), I have a USB webcam and microphone that work just fine.
Recently I was sent a blackmail email that contained a password that I used to use in the past and the sender was claiming that they had also gained to my laptop's camera and had recordings of me watching porn or other "embarrassing" stuff. They threatened to send these recordings to my contacts on email and/or facebook etc, unless I paid them $1082 in bitcoins (apparently they read that if you ask for a non-round number you have more chances of getting it :P).
Covering your camera is supposed to protect you from this kind of things, especially for younger ages or for people less technologically inclined.
I knew all of that too, but it didn't prevent a very unpleasant visceral response in the pit of my stomach when I saw that email come in with the old compromised password on the subject line. The content of the email made me laugh, though.
But the point of the “cover up your camera” intervention is that it’s “out of band” from your system software. Even if there’s a root/administrator-level compromise, light just won’t get past the piece of paper/cardboard onto the sensor. I don’t believe there’s an analagous intervention for the microphone.
What I like about this list, is that it's opinionated and thus terse.
Take note that some of these tips are either not considered good practice or even harmful depending on your locale.
E.g., the data protection standards in the EU are so high, that there's no need to worry about DNS or ISP snooping for advertisements/tracking. This makes using a VPN or using a different DNS less useful. I might even go so far and call it harmful, because you're introducing a party that you don't have such a strong contract with.
That is if every company that is in the chain follows those strict data protection laws.
It wouldn't be the first time that bad actors exploited legally protected browsing.
VPN's need to be resolved regarding the following points:
1) Currently, only financially gifted people can even afford to consider privacy at this level.
2) Is complete, non-logged privacy even a desirable outcome?
3) Who should be able to request or correlate log data (governments, the company employees)?
In its current incarnation, VPNs and security in general only changes who can be easily targeted or prosecuted, much in the same way that residents of poor neighborhoods are routinely arrested/searched for drug use where a rich person just doesn't have to worry about getting caught for the same actions. So paid VPNs contribute to an 'internet ghetto', or more accurately: disproportionate enforcement.
I think the point is more about if you're on uncontrolled wifi (i.e. internet cafes) access points or other nefarious things like mobile providers that rewrite CSP policy (vodafone.pt). These things happen and some safety via a VPN may help.
It's quite funny to see a security checklist "designed to improve your online privacy and security", which has on top of the page a "Share on facebook" button.
Furthermore I find it contradictory that the site uses Google Analytics while encouraging the use of DuckDuckGo.
Do we not want more people to be privacy conscious? Does every facebook user already know all this information? Did Jesus tell his disciples to recede into a private community of solitude and never interact with the unwashed masses of sinners and keep the good news to themselves?
My scepticism isn't against the act of sharing this information. The "share on facebook" button just reminds me of the actual facebook button, which, as included inside the source code, makes facebook collecting data. This is against the idea of "improved privacy" of the checklist.
Yeah, there is no "real" facebook button. Nevertheless one can find a Google Analytics Script inside the source code. IMO this is really sarcastic.
And that's how 2FA is supposed to be, if you put eggs into boxes and those boxes into one basket you still technically have all your eggs in one basket, which was what 2FA tries/d to fix.
Often, you may be stuck with your particular ISP, and with one or more ip's uniquely tied to you, your identity, and your address.
A VPN can at least mitigate that, and you can swap them at will, nothing to do with your current residence.
We don't necessarily trust our VPN provider[s] more than we do our ISP.
This. I fail to see how an issue, which is essentially about trust, can be solved by trusting someone else. If you don't trust your ISP you should switch. If you don't trust your ISP and can't switch then you should be using VPN or TOR.
ISP's can do awful things to traffic. I'm not sure why you should trust your ISP and if anything trusting makes you blinkered to some of their practices.
For me the point is: why would you trust a VPN provider any more than you trust an ISP? There might be specific reasons for specific providers, but in general you're putting the same amount of trust in either way.
Maybe you are not in the United States, but for those that are, the answer is pretty simple.
It is reasonable to trust a VPN provider more than an ISP because you have a choice of VPN provider, you can vet them and choose the one that you feel provides the best safeguards to your privacy and security. Most Americans have between zero and one choices for high speed internet. Even in major metropolitan areas it is common to live in a cable monopoly, with a phone company providing sub-par "competition". You cannot vet your choice and choose the one that provides the best experience because you have no options. Even those that do have a choice may still connect to coffee shop or hotel WiFi on occasion, losing choice again.
In short, VPN providers are a) competitive and b) portable.
You're not wrong that you're putting the same amount of trust in them, but these properties mean you would not be wrong to do so.
Some VPN providers have paid for external audits to verify their processes; they can also exist in countries with more favorable privacy laws. ISPs of course are local to you and your jurisdiction.
And that is a fair point. I don't see why you would simply use an alternative DNS resolver in that case and not get a VPN or an SSH tunnel or something?
As for the DNS resolver it may be the case if you have an ISP that sends you to pages full of ads if it can't resolve a name or is slower than your local ISP. There's a good tool to test it and compare the various providers from your location: https://code.google.com/archive/p/namebench/
Because ISPs are desperately trying to be more than just "dumb pipes" that carry our traffic. To expand their revenue many of them track DNS and domains visited to sell ad data to other companies.
If your ISP is also a media conglomerate, you may have a problem. Fortunately, that's not always the case. My ISP is just an ISP. Their growth is in providing more and better internet services to more high-value clients.
I trust them a lot more than I trust some VPN provider.
I've paid to have CentOS installed over the "free" (included) Windows OS on business machines.
Dell also sells Ubuntu desktops and laptops that cost more than their Windows equivalents. The cost difference is presumably because the Ubuntu machines do not include the crapware bloat that comes with Windows, such as antivirus trial subscriptions.
Negotiating / psychology 101: give a reason, any reason, for why you need something done. Feel free to add a comment to the issue request about why Linux is important to you personally.
Except I didn't do anything like that. Show me where I claimed to give an exhaustive list of what motivates people to use Linux. I gave one reason why some people use Linux. That I thought might motivate the author of the project. Besides that, it's a friggin issue on github, not an essay on why people use Linux. Get over yourself.
And already on the live site. Impressive. I've already changed a few things on my Ubuntu laptop thanks to your checklist. I'm going to pass this around to friends and family.
Cloudflare DNS as an action item here is bizarre. Why would sending all of my DNS queries to a black box service be any more secure because it’s now Cloudflare and not Comcast or Google?
>Who knows what dns provider is being sent from DHCP.
What's the concern here? That it's set to some DNS provider that does evil things? If they intercept DNS requests (not unusual as even my home router can do that), this migitation is useless and you're sending your DNS requests to a third party.
For developers looking for application security information, I can't recommend PentesterLab[1] strongly enough. It has changed how we approach security education internally and has made going through security code reviews and penetration testing audits much less stressful.
I don't get it. The word "whitelist" doesn't appear anywhere on the page, for me. Has the content changed? Or are you sincerely suggesting that nobody should ever load a webpage from a non-trusted domain?
BItwarden does offer the ability to use on-premise hosting [1] rather than using their infrastructure to store/sync your data. Admittedly, I personally use their infrastructure so I can’t speak to the experience (config/maintenance/etc.) of their self-hosted offering.
There is an iOS app available for password store. I’ve been using [1] which has sufficed for my needs. Set up password protected PGP and RSA keys and it hasn’t had an issue yet.
I have a question about using 1.1.1.1 for DNS. The claim is that this stops my local ISP knowing which websites I am visiting. However, my connection by definition goes through my ISPs equipment. Can't they log my DNS queries even if the DNS server is not theirs?
And why should I trust CF any more than I trust my ISP? The latter is a European company which is bound by all kinds of privacy protection laws, and which I have to trust to at least some degree because I pay them. The former is an entity which is largely unknown to anyone who isn't tech savvy.
Oh in Western Europe you'll be mostly fine.
But I can tell you I noticed the change when I moved to the US. I had no mean to change my ISP-provided router DNS settings, and I couldn't access certain sites, while other would land me on pages filled with ads.
Even in Western Europe, the list of stuff being meddled with isn't empty, it's not large but it does exist. And presumably everything is recorded to be used against you later.
All "normal" UK ISPs (I use a tiny boutique one that doesn't do this but anything advertising on TV is big enough to have agreed to participate) voluntarily filter DNS. Right now in theory they just try to filter out child pornography, "extreme" pornography, and whatever Hollywood told them was a copyright violation. In 2019, in the event they find time to do something other than bickering about their ludicrous "Brexit" the British government wants to upgrade this to let them filter out anything they want.
Their 2018 white paper about this supposes that DNS blocking will be effective against ordinary users, though it notes if you have Tor you aren't blocked. Coincidentally at the same time they were publishing that paper, there was an IETF in London discussing DPRIV which is a set of protocols like DNS over HTTPS designed to er... make such filtering impossible.
> Using an all-in-one solution like 1Password for both password management and 2FA creates a single point of failure. Take this into account when picking your 2FA client.
I strongly disagree with that statement, though I don't necessarily advocate use of a password manager for 2FA. When 2FA is in use, you have 2 points of failure, since the failure of either will lock you out of your account. Reducing that to 1 point of failure actually increases your overall resilience.
It's like a car: reducing the number of necessary parts decreases your car's overall likelihood of breaking down.
Not really. Having your password manager store both the tokens and the password increases the odds of all your logins being compromised in one swoop. Separate them out and you’ll at least be able to hedge against some account compromises given that your 2FA solution doesn’t fall apart.
For the user it doesn’t really change much. Loss of password manager or 2FA client will lock them out of their account. This is easily hedged against because a lot of providers provide easy access to reset a password and provide backup 2FA tokens or fall over to SMS/Email tokens.
> increases the odds of all your logins being compromised in one swoop
Yes... but if someone has access to your 1Password account, they most likely gained physical access to or otherwise pwned your computer. Sure, it's slightly easier for an attacker to do that than to get 2FA tokens off your phone, if that's where you keep them.
So the increased risk of using 1Password for 2FA (given you're already using 1Password for passwords) would be roughly quantified by taking the risk of computer pwnage and subtracting the risk of phone pwnage given they already pwned your computer -- not much in my opinion, if you're reasonably security-conscious on your computer. Note that I'm ignoring the risk of 1Password's encryption being broken or insider threat at AgileBits, which in my opinion is vanishingly small at present.
Nice list and well designed, too. I dislike the "sign up and get 3 months free" ad for 1Password. I like 1Password and I am using it myself. However, to me, this gives off a wrong vibe on a security focused website.
One thing I read somewhere and previously never thought about: if you are _really_ about security, you should use a password manager and should enable 2FA.
But: you should not use one program for both (1Password offers this), because you are creating a single point of failure.
Creator here - thanks for bringing this up. I was concerned about the message here as well. I'm not getting paid for that ad. I had a couple companies offer sponsorship of this list, but I decided to not pursue. In the end, 1Password simply offered this discount to visitors. For me this felt like the best thing I could do from a user experience point of view (switching to a password manager is hard for most people, and giving the extra nudge to do something really important for their online security might just do the trick) and from an ethical point of view (I'm not getting paid, and will continue adding competing password managers to the list).
I thought about buying privacycheckli.st at the same time and pointing it here, but ended up deciding that "security" feels like a broader umbrella and might reasonable capture privacy concerns of an average person.
> Not sure we can safely promote Australian-based Fastmail thanks to their backwards new laws.
Disclaimer: not an Australian citizen, not a lawyer, etc.
All the coverage I've heard about this law has focused on the idea that companies and service providers are expected to "assist" with government access to encrypted communication. In that context, I'm not sure how this particular law really impacts Fastmail. For the basic use case, their service is built in a such a way that it already has access to all your unencrypted data. So the Australian government didn't need this law specifically to get at your data, they just needed to issue a lawful order. If you're taking the additional steps encrypt your data before it reaches their service (e.g. using a third-party email client with PGP), then there's not really anything Fastmail is going to be able to "assist" with beyond providing access to the data you've encrypted.
I have a question and maybe someone here can answer me.
For the "Use a privacy-first email provider".
I currently use G Suite for business emails within my personal business.
Are there any alternatives that offers something similar to G Suite but with the expected privacy of the listed provider.
I'm aware that I won't be able to get all the features of G Suite, but I primarily only use the email part (Of course with multiple users so it has to have support for that.)
I think the main question is what kind of alternatives are you looking for. Calendar service is provided by most of these companies already. Anyway I'm not sure who qualifies as privacy-first provider. E.g. Zoho has a quite good privacy policy at first glance: https://www.zoho.com/privacy.html
Is there even a difference between main Google PP and G-Suite PP? Is Office365 PP privacy first?
I like both FastMail and Protonmail. Take note of where the infrastructure is hosted for both however, if your privacy concern is one of nation-state actors.
I’ve been working on something similar[0] aimed at your average technology user. To that aim, it’s very opinionated, which I also like about this list.
The mobile carrier PIN is the big downfall here, most ISP's don't have this type of option. Some might claim they do but don't have a formalised process to maintain it. Whereby a comment is simply placed on your account on the Goodwill the next consultant will enforce it.
*Having worked for a large telecommunications provider
Create a new login entry, then create a new field under the Section header. By default, it's a text field, but you can change it to a 2FA code. Then it will prompt you to scan a QR code.
2FA in 1Password is premised on (1) 1Password use (with 2FA) being more secure in general than using 2FA and not a password manager, and (2) your 2FA key is more secure within the 1Password vault than it would be in Google Authenticator or similar. I think these premises are mostly correct, especially because 1Password enables use of practically uncrackable unique passwords for each service, and because getting into the vault requires 2 auth factors.
If there's any risk of an attacker breaching your 1Password vault, I don't know if it's even worth talking about whether you have 2FA enabled for accounts -- at that point it's very likely they also have access to whatever you'd have used for 2FA also.
(One exception might be if a AgileBits insider were to install malicious code into the 1Password client. In that case, those who use 2FA outside 1Password would be significantly less vulnerable.)
By comparison, the Tech Solidarity checklist is the result of a survey of a bunch of different security people and is both generally more sophisticated and sound than this checklist and also manages to be a little shorter (in word count):
https://techsolidarity.org/resources/basic_security.htm
> Do as much of your work as possible on an iPhone or iPad rather than on a laptop. Use a bluetooth keyboard for easier typing.
Is that serious? I mean sure, iPhones and iPads are generally less prone to viruses and such, but I feel like it is generally safe to use computers, and if you do other things on this list you won't end up with an infected computer. In addition, if you are doing most your work on these, it is almost guaranteed that all the information is going to be sent to iCloud / another apps 'cloud'.
* Google Mail is, for most people, the safest email service, with the most mature and comprehensive 2FA, direct connectivity to GDocs to make viewing attachments safer, and a gigantic security team. Note too: this guide also suggests avoiding email as much as possible.
* If you work with sensitive documents (this checklist was originally devised for journalists and the airport lawyers), all the cloud drive services (not just Google Drive) are a bad idea.
* Chrome is the safest browser with the most mature and reliable anti-exploitation hardening and the most responsive security team.
* iOS devices are, for most people, far more secure than computers, which aren't locked down at all and for which any kind of local code execution is almost invariably game-over all the way through the kernel, and at least game over for all of the user's data. Most computer users are never more than an errant couple of clicks away from losing their whole machine to an attacker, which is not the case for someone reading their mail on an iPad.
> Google Mail is, for most people, the safest email service, with the most mature and comprehensive 2FA, direct connectivity to GDocs to make viewing attachments safer
> If you work with sensitive documents (this checklist was originally devised for journalists and the airport lawyers), all the cloud drive services (not just Google Drive) are a bad idea.
So is Google Drive a good idea or a bad idea? Maybe for normal people Gmail is good, but in the next point you say this list is for journalists and airport lawyers, wouldn't you advice them to use something more secure like fastmail/proton mail, or if you are serious, your own mail server or something? Why does this list not talk about TOR / PGP, the most fundamental tools for security for journalists?
> Chrome is the safest browser with the most mature and reliable anti-exploitation hardening and the most responsive security team.
I don't think this is true at all. What is wrong with Chromium or Firefox open source alternatives? Why doesn't it mention things like no-script and ublock origin?
> iOS devices are, for most people, far more secure than computers, which aren't locked down at all and for which any kind of local code execution is almost invariably game-over all the way through the kernel, and at least game over for all of the user's data. Most computer users are never more than an errant couple of clicks away from losing their whole machine to an attacker, which is not the case for someone reading their mail on an iPad.
My fundamental problem with this is that if you are going to be doing things on an iPad you are almost certainly going to be using cloud services. Weather it is Google Docs or Pages or Word or anything, it is very difficult to keep things 'local' to your hard drive on a iPad, where on a computer with dropbox it is much more clear that files in there are going to leave your computer.
For most people, including technically inclined people, running your own mail server will almost certainly lose you significant amounts of security.
If you deal with sensitive documents like legal artifacts in immigration cases, you want to have control over which of your documents wind up in the cloud and which you retain custody over. So while viewing attachments in the cloud is very good practice (viewing them locally is a good way to get owned), running a service that generally slurps your local drive (or big chunks of it) into the cloud is not a good idea.
If you want to run a Chromium build rather than Chrome, that's fine.
I provided the reasoning for preferring iOS devices to general purpose computers already. The additional concern you just added doesn't come close to offsetting.
I'll add, though this isn't in the Tech Solidarity checklist, that if the goal is commercially reasonable security and not security in the public interest, Chromebooks are another good option for end-user computing.
> If you deal with sensitive documents like legal artifacts in immigration cases, you want to have control over which of your documents wind up in the cloud and which you retain custody over.
This is incredibly easy with Dropbox or Google Drive. Everyone I know who uses these services has an intuitive knowledge for 'stuff in this folder goes in the cloud', and if they wanted to keep sensitive data off it they would know exactly how.
I am on an iPad, so no mature options for encrypting it myself with pgp or something really exist. I shouldn't upload it to a cloud service (although chances are that it already is, because pretty much every iOS app uses a cloud of some sort). I shouldn't email it. I can't plug in a physical usb device because iOS doesn't have File reading access to. I guess I convince everyone to use Signal? That is pretty impractical for 'normal' people to convert everyone over to their own messaging app.
Also, on your phone, what browser do you use? Chrome? Well, not really because it is all webkit under the hood, so you are going to be using Safari no matter what.
Regarding sharing of sensitive documents: if you have to do it over the Internet, use a secure messenger to do it. Email attachments are probably the second most dangerous attack vector facing end-users (after phishing). That's why we tell people to use Google Mail; attachments open in their browser viewer and are rendered Google-serverside.
You don't need to convince everyone to use Signal; it's adequate to use WhatsApp, which, again, is already one of the most popular messaging applications in the world (this is one of the reasons getting Signal Protocol baked into WhatsApp was such a monumental achievement).
In the particular case you mentioned they aren't picking on Drive, they're saying that if there are copies of your messages that's less secure in the sense that now somebody could get those copies, not the originals you have. Doesn't matter how, write an NSL, break into a server, trick a customer services agent - the problem is you allowed copies to exist, so it's not that Drive is specifically bad but that you shouldn't use anything at all.
For the iOS reliance, I personally wouldn't do this but I can see the sense of the advice. Full blown personal computers are not easy to secure against unsolicited garbage, why take the risk?
That Tech Solidarity checklist does say who it's for, which is a start, but it doesn't tell them what it's aiming to achieve for them if they follow the advice.
For example, maybe WhatsApp makes the list because it uses the Signal protocol design and they assessed that this was especially resistant to attacks on the confidentiality of individual messages. Or, perhaps they felt WhatsApp would protect a journalist's sources especially well due to the large volume of other WhatsApp users acting as cover for any analysis. Maybe they felt the method users follow to confirm that there's no MITM was better (easier to use, better documented) in WhatsApp than competitors, or maybe they felt its owners were more likely to tell the FBI to fuck off if they turn up with a warrant.
> Use a bluetooth keyboard for easier typing.
Creator here - thanks for bringing this up. I was concerned about the message here as well. I'm not getting paid for that ad. I had a couple companies offer sponsorship of this list, but I decided to not pursue. In the end, 1Password simply offered this discount to visitors. For me this felt like the best thing I could do from a user experience point of view (switching to a password manager is hard for most people, and giving the extra nudge to do something really important for their online security might just do the trick) and from an ethical point of view (I'm not getting paid, and will continue adding competing password managers to the list).
You should of course not be using a compromised laptop. Covering the light that goes on when they activate the camera would be one of the few signals that something like that is up; that is of course assuming they did not manage to disable that.
Otherwise solid list.
I'd add a few items:
Plan for the worst and have a contingency plan for breaches. E.g. have a list of phonenumbers handy that you can call to get cards blocked, critical accounts that you need to verify the integrity off, secure backups of essential documents, etc. Also consider what can happen to you when you travel. Phones, laptops, etc. get stolen all the time. Hardware tokens are easy to lose. Bags get stolen, etc.
Keep your 2fa recovery codes in a sane place where you can access them but no-one else can. An encrypted file on a drop box folder with a sufficiently strong key might do the trick.
Be careful with paper copies of anything. Burglaries do happen and in case you are targeted, this may be the most valuable thing to steal in your building.
Require passwords to be entered whenever you access your password manager or 2fa app (e.g. authy). It only takes a few seconds to access your password manager if somebody gets their hands on your unlocked device while you visit the restroom or grab a coffee.
Have an aggressive screen lock policy (it should be locked whenever you are separated from your laptop/phone). Many devices have all sorts of convenient features that boil down to them being unlocked when they shouldn't.
not to mention they're probably recording everything you say, which is probably more valuable than pictures of your face.
Total side note and blatant plug but if people are interested in open source checklists and lessons on digital and physical security (from how to send a secure email to how to detect physical surveillance) checkout Umbrella Security, a free open source app we built. It’s on Google Play and you can find out a bit more at https://www.secfirst.org. iOS and totally new version due out in Feb!
Granted, if the attacker can access the webcam then most likely your system is compromised, 1password is compromised (including the 2nd factor as advertised on the site), so you might have bigger problems already. It all depends on the intent of the attacker.
Am I making my own life harder than it needs to be by having a default setting to block all javascript? I use uMatrix to quickly enable javascript for each site that requires it.
One thing I would like to figure out is how can I 'trust' JS for google on google maps (required to work), but4 not anywhere else? It seems like Noscript is per domain but not based on what page you are on.
I understand why you used this language, but I think it's worth noting that, unlike blindly executing a program on the operating system itself (such as by running an .exe file you receive via email, torrent, download, etc.), you are executing a script inside a program that is, or should be, sandboxed. So, even though something can still go wrong, the potential impact is a lot smaller.
Frankly, most web pages should not be interactive in any way. There is very little gained by using javascript on pages you aren't interacting with, and a whole lot to lose.
I compromise often with NoScript, but it changes the way you think about running code on your computer. Block first, and adjust later is a good approach for me, especially because I only visit a few of the same sites regularly. On new sites, I definitely do not want any type of javascript being run.
Covering your camera is supposed to protect you from this kind of things, especially for younger ages or for people less technologically inclined.
Note that they may have gotten the password from a hacked website--not from your webcam/microphone.
Check out https://haveibeenpwned.com/
[0]https://www.obdev.at/products/microsnitch/index.html
Take note that some of these tips are either not considered good practice or even harmful depending on your locale.
E.g., the data protection standards in the EU are so high, that there's no need to worry about DNS or ISP snooping for advertisements/tracking. This makes using a VPN or using a different DNS less useful. I might even go so far and call it harmful, because you're introducing a party that you don't have such a strong contract with.
...or even impossible in some cases.
* 1.1.1.1 is blocked in Turkey.
* Most VPN providers are blocked in Turkey.
My personal opinions:
* I don't like the promotion of Brave over Firefox. Change my mind if you can.
* Stressing the importance of HTTPS (extensions like HTTPS Everywhere) should really be included in this list.
Furthermore I find it contradictory that the site uses Google Analytics while encouraging the use of DuckDuckGo.
Yeah, there is no "real" facebook button. Nevertheless one can find a Google Analytics Script inside the source code. IMO this is really sarcastic.
Bitwarden or KeePass for password management
FreeOTP for 2FA
cut off headphone jack plugged in in your laptops mic port complementary to the webcam covering
It is reasonable to trust a VPN provider more than an ISP because you have a choice of VPN provider, you can vet them and choose the one that you feel provides the best safeguards to your privacy and security. Most Americans have between zero and one choices for high speed internet. Even in major metropolitan areas it is common to live in a cable monopoly, with a phone company providing sub-par "competition". You cannot vet your choice and choose the one that provides the best experience because you have no options. Even those that do have a choice may still connect to coffee shop or hotel WiFi on occasion, losing choice again.
In short, VPN providers are a) competitive and b) portable.
You're not wrong that you're putting the same amount of trust in them, but these properties mean you would not be wrong to do so.
I trust them a lot more than I trust some VPN provider.
https://github.com/brianlovin/security-checklist/issues/40
often used by people in preference to other operating systems due to a variety of reasons
Linux being available free of cost is certainly one of the least relevant features for me.
Dell also sells Ubuntu desktops and laptops that cost more than their Windows equivalents. The cost difference is presumably because the Ubuntu machines do not include the crapware bloat that comes with Windows, such as antivirus trial subscriptions.
Edit: https://github.com/brianlovin/security-checklist/pull/46
What's the concern here? That it's set to some DNS provider that does evil things? If they intercept DNS requests (not unusual as even my home router can do that), this migitation is useless and you're sending your DNS requests to a third party.
[1] https://www.pentesterlab.com/
I work in embedded systems, mostly C code, and I find this area is often missing from general "security guidelines" type of resources.
Sorry, securitycheckli.st I can't see your content because you fail this basic test.
I think they're suggesting we should default to no JS anywhere by default, other than sites one whitelists JS usage on.
IOW what NoScript (and maybe uMatrix?) does.
Perhaps the authors felt, storing passwords in their own infrastructure is beyond many users (or) unavailability of iOS app is a downer.
[1]: https://play.google.com/store/apps/details?id=com.zeapo.pwds...
1: https://help.bitwarden.com/article/install-on-premise/
1: Pass - Password Store by Mingshen Sun https://itunes.apple.com/us/app/pass-password-store/id120582...
You can read more about it here: https://developers.cloudflare.com/1.1.1.1/dns-over-https/
All "normal" UK ISPs (I use a tiny boutique one that doesn't do this but anything advertising on TV is big enough to have agreed to participate) voluntarily filter DNS. Right now in theory they just try to filter out child pornography, "extreme" pornography, and whatever Hollywood told them was a copyright violation. In 2019, in the event they find time to do something other than bickering about their ludicrous "Brexit" the British government wants to upgrade this to let them filter out anything they want.
Their 2018 white paper about this supposes that DNS blocking will be effective against ordinary users, though it notes if you have Tor you aren't blocked. Coincidentally at the same time they were publishing that paper, there was an IETF in London discussing DPRIV which is a set of protocols like DNS over HTTPS designed to er... make such filtering impossible.
I strongly disagree with that statement, though I don't necessarily advocate use of a password manager for 2FA. When 2FA is in use, you have 2 points of failure, since the failure of either will lock you out of your account. Reducing that to 1 point of failure actually increases your overall resilience.
It's like a car: reducing the number of necessary parts decreases your car's overall likelihood of breaking down.
For the user it doesn’t really change much. Loss of password manager or 2FA client will lock them out of their account. This is easily hedged against because a lot of providers provide easy access to reset a password and provide backup 2FA tokens or fall over to SMS/Email tokens.
Yes... but if someone has access to your 1Password account, they most likely gained physical access to or otherwise pwned your computer. Sure, it's slightly easier for an attacker to do that than to get 2FA tokens off your phone, if that's where you keep them.
So the increased risk of using 1Password for 2FA (given you're already using 1Password for passwords) would be roughly quantified by taking the risk of computer pwnage and subtracting the risk of phone pwnage given they already pwned your computer -- not much in my opinion, if you're reasonably security-conscious on your computer. Note that I'm ignoring the risk of 1Password's encryption being broken or insider threat at AgileBits, which in my opinion is vanishingly small at present.
One thing I read somewhere and previously never thought about: if you are _really_ about security, you should use a password manager and should enable 2FA.
But: you should not use one program for both (1Password offers this), because you are creating a single point of failure.
* Keep your software updated.
* Restrict & remove online access as needed. After the 2nd time she gave out her password, Granny's web banking was turned off.
* Lock users down to just the access they need; if managing devices for kids or the elderly or less technically savvy, consider removing admin access.
* When using any tool, get the paid version. Free means your privacy is what it cost.
* Keep backups, and know how to restore in case you are compromised.
* Set up access alerts going to a separate email account for as many of your accounts and services as possible.
Things to question:
* Not sure we can safely promote Australian-based Fastmail thanks to their backwards new laws.
* Mobile browsers, like Firefox Focus, are great - not sure that I'd put Brave ahead of Firefox.
* Not sure VPNs are really all that helpful, feels more like a personal preference vs. a real security measure.
Disclaimer: not an Australian citizen, not a lawyer, etc.
All the coverage I've heard about this law has focused on the idea that companies and service providers are expected to "assist" with government access to encrypted communication. In that context, I'm not sure how this particular law really impacts Fastmail. For the basic use case, their service is built in a such a way that it already has access to all your unencrypted data. So the Australian government didn't need this law specifically to get at your data, they just needed to issue a lawful order. If you're taking the additional steps encrypt your data before it reaches their service (e.g. using a third-party email client with PGP), then there's not really anything Fastmail is going to be able to "assist" with beyond providing access to the data you've encrypted.
I'm not affiliated - not even using their product.
For the "Use a privacy-first email provider".
I currently use G Suite for business emails within my personal business.
Are there any alternatives that offers something similar to G Suite but with the expected privacy of the listed provider.
I'm aware that I won't be able to get all the features of G Suite, but I primarily only use the email part (Of course with multiple users so it has to have support for that.)
Is there even a difference between main Google PP and G-Suite PP? Is Office365 PP privacy first?
* Signal >> Blog >> Setback in the outback || https://signal.org/blog/setback-in-the-outback/
* Advocating for privacy in Australia || https://fastmail.blog/2018/12/21/advocating-for-privacy-aabi...
* Honest Government Ad | Ass Access (anti-encryption law) | The Juice Media || https://thejuicemedia.com/honest-government-ad-ass-access-an...
iCloud email.
[0] http://www.pepperparadox.com/privacyguide/privacyguide.html
*Having worked for a large telecommunications provider
https://martinfowler.com/articles/web-security-basics.html
https://softwareengineering.stackexchange.com/q/46716
Cloudflare is suddenly better than Google? Not a fan of either company but I suppose it's possibly the best public dns provider.
Create a new login entry, then create a new field under the Section header. By default, it's a text field, but you can change it to a 2FA code. Then it will prompt you to scan a QR code.
Also the answer to your question is the first result when googling "1password 2fa".
If there's any risk of an attacker breaching your 1Password vault, I don't know if it's even worth talking about whether you have 2FA enabled for accounts -- at that point it's very likely they also have access to whatever you'd have used for 2FA also.
(One exception might be if a AgileBits insider were to install malicious code into the 1Password client. In that case, those who use 2FA outside 1Password would be significantly less vulnerable.)
cool... sounds great
Maybe just have people set up Google advanced security with a yubikey and call it a day.