Practical Privacy, Sane Security

Practical Privacy, Sane Security

Blog Categories: 

A friend once told me that if everyone is sending envelopes, then sending a package looks suspicious.  Earlier today, I spoke at the 2017 DaVinci’s Faire & BarCamp with the goal of getting more people sending metaphorical packages since if everyone sent packages, packages would no longer garner suspicion.  Today, it is not completely unheard of for an ISP to send cease and desist notifications to people using TOR--a system that provides privacy and anonymity for online interactions.  And many systems out there, including CloudFlare and Atomic Secured Linux, are now purposefully blocking access to people using it.  While TOR is often used to mask malicious activities online, TOR is also used by universities and laboratories...simply being a private person and wanting to keep one's online activities private SHOULD NOT BE CONSIDERED A SUSPICIOUS ACTIVITY!

If web and internet services have a problem with malicious activities, then they need to improve those systems that detect such activity, rather than assume anyone that wants to have some privacy is a Russian hacker.  ISPs who may chastize you for using TOR have no problem turning around and logging all your browsing behavior and then selling it to advertisers without your express approval on each foray into the internet.  You sign away your rights once and for all when you sign the Terms of Service at the time of install.  You potentially have no privacy from that point forward as there is no mechanism to allow you to approve or disapprove network traffic information collection by your ISP.  These web and internet services need to focus on improving IDS (Intrusion Detection System) software and detection of vulnerability scanners rather than just outright blocking all traffic desiring to be private.  Anonymity is definitely one factor that should be used in determining the intent profile of a user, but it should not be the only one.  Privacy, itself, is not a malicious act.

In an age of NSA metadata collection, identity thieves, and advertiser tracking, people should have a right to a sanctuary from constant surveillance.  However, if you have a cell phone, live in a city, and, in general, are not a hermit, you pretty much have none.  And when you learn that it is theoretically possible for the government to remotely install apps over a cellular connection directly onto your phone's SIM card that run completely separately from your other apps and have no indication they are even running, you can begin to feel pretty helpless in this modern society.

So in this talk, I strove to provide a strategy that one should use to come up with an easy recipe that works for them to provide them with a reasonable sense of security given that complete security is not possible.  In this session, I provide a strategy and suggest specific ingredients.  But it's up to each person to come up with the right combination that works for their needs and addresses their largest security concerns.  I tried to choose software that is available across multiple platforms and situations.  However, I do admit to having a bias towards the systems that I personally use.  If something I've suggested isn't available for your specific platform, I've added a link to "alternativeTo" in the Additional Resources slide for you to see if an alternative piece of software is available for your situation.

I specifically chose ingredients that don't require a master's degree in computer science to implement.  These are things that just about anybody can easily do within only a few minutes.  And I've tried to make sure that they are things that are mostly free since I don't think you should necessarily be having to pay a premium on your privacy when web surfing.

Obviously not all the details from the talk are in these slides, nor was a 30-minute session a sufficient amount of time to address all the caveats and details one would like, but the links to the software found in these slides can definitely help to reduce your exposure to those entities looking to extract data from you without your approval.  It should be possible to implement almost all of the items listed here in about an hour or two.  And it's my hope that everybody takes at least an hour or two out of their lives to significantly improve their privacy and security in this world.  Just because 100% security isn't possible doesn't mean that you have to make it easy for them!  Take back some control over your data and your privacy and start sending some packages today! 

Slides in PDF format (with clickable links to all resources):