A Guide to Not Getting Hacked
motherboard.vice.com
Everything that's in this piece that's true is on the Tech Solidarity guide. What isn't, is false.
https://techsolidarity.org/resources/basic_security.htm
In particular:
* Do NOT install antivirus on your computers. Antivirus software is absurdly dangerous. The closest you'll come to benign AV is Microsoft's, but that's an asymptotic kind of safety.
* Do NOT go out of your way to funnel your traffic through a commercial VPN provider. If you need a VPN for your NGO or journalism outlet, let me or someone else trustworthy know, and we'll set up Algo for you. No commercial VPN provider is safe for at-risk users.
* Do NOT EVER use Tor Browser. It's the least safe browser you can use: a lagged fork of Firefox for which whole classes of security bugs are potentially WONTFIX'd, and also the only browser that goes out of its way to collect high-value targets.
* Do NOT install Adium or Pidgin to speak to people over OTR. It's difficult to find exploitable bugs in libotr, but it is not difficult to find them in libpurple. Use Signal, WhatsApp, or Wire.
* You would have to be out of your fucking mind to install mobile AV.
Recently, on national TV, the Director of Cyber Risk Services from Deloitte Netherlands told people that they shouldn't be using free virus scanners, but that they should invest in their security. I was flabbergasted, because this is a person who is being hired by the government to advise on cyber security matters and is often involved in public discussions.
Do NOT EVER use Tor Browser.
Is that a general recommendation against Tor? Or would you recommend another tool to someone who wants to use Tor? Tails?
One advantage of Tor Browser is the standardization. When using the Tor Browser, you look just like every other user of the Tor Browser.
I don't think Tor is a good idea in general, but my categorical "never" is about the browser bundle.
What's so bad about AV, and what makes Windows Defender an exception?
Windows Defender doesn't need to compete in the AV marketplace as it's bundled with every single copy of Windows, and also its maker is the same one who makes Windows, and therefore it is in MS's interests to make their AV light and unobtrusive (relatively). Other AV vendors compete fiercely with each other and this leads to feature creep and bloat, as well as trying to grab the user's attention to sell their features and upgrades. All this leads to a subjectively poorer experience with non-MS AVs under Windows.
So it's a question of UX, not security?
No, it's a question of security. AVs are huge and therefore significantly increase the attack surface. They also auto-update all the time which means your computer now talks to one more update server that can be compromised.
Windows Defender is relatively small, doesn't really have any features or fancy UI and updates come from the same servers that your OS updates come from (presumably). That's about as close as you can get to not making it worse by installing an AV.
Is tor browser inside whonix good? Would you recommend a different browser inside of whonix instead?
It is explicitly warned against using the Tor Browser under Whonix because the browser starts its own instance of Tor while Whonix already funnels every network request through its gateway Tor, and Tor over Tor is supposedly undefined behaviour. So you have to go the additional step of disabling Tor Browser from starting its bundled Tor...
Or under Whonix just use any normal browser like Firefox.
That's not what I see on https://www.whonix.org/wiki/Tor_Browser
It explicitly says "There is no Tor over Tor scenario in the Whonix environment." when using their modified Tor Browser.
Thanks. I stand corrected. I didn't realise they supplied their own modified Tor Browser...
> any normal browser like Firefox.
This is very bad advice. Do not use Firefox. It is not as secure as Chrome.
If you use your browser for more than one site per execution, having your browser process owned up is devastating. Don't use Tor Browser.
What's the better alternative?
https://medium.com/@thegrugq/tor-and-its-discontents-ef51648...
You really just want to use Chrome/Chromium.
I've lately only been using Linux on my laptop and desktop, but my grandparents recently asked me about advice on a new computer. Is the current best practice to avoid all antivirus software and assume Windows 10 is secure with whatever is built in?
Grandpa thinks Avast makes his computer secure and is using their custom browser for his banking. Is my great distrust in all antivirus systems (as being worse than the viruses they theoretically find) still valid?
I think so. Antivirus systems are a huge attack surface. Maybe have Windows Defender installed; make sure Windows automated patching is on; use the latest version of Chrome or Firefox with an ad blocker installed, and don't give them access to the admin account.
And if you're paranoid like me, get a managed switch and set up Snort to monitor your network. That'll protect you more than an antivirus will.
I'll second the recommendation for Windows Defender, based on how well it blocks the bad stuff. But to be clear, 1) Windows Defender isn't any more secure than other AVs, e.g. [1], and 2) the risk from AVs is negligible and far outweighed by the benefit, for the average user.
1. https://arstechnica.com/information-technology/2017/05/windo...
Windows Defender is at least unobtrusive. Got hit with a cryptolocker last year, and then mandated usage of some garbage WebRoot product that brings a quad-core i7, 32gb RAM and SSD workstation to its knees. Not sure which was worse...
Makes sense. For some adblocking on steroids, put all of this in your hosts file: http://someonewhocares.org/hosts/
12,000 domains of ads and tracking blocked at the OS level!
I've used https://github.com/StevenBlack/hosts for years now, and any close- and extended-family laptop or computer I touch gets it either silently or with some explanation if they ask me what I'm doing. No one has ever complained. My only gripe is that I haven't written a cron-type update script for my extended family members who use Windows.
Which means I only update it for them periodically. It's still better than not doing it.
It aggregates someonewhocares.org and many other sources into a combined hosts file, to the point where it actually slows down DNS lookups noticeably on most computers.
I even use it on my phones, and all other devices where I can access the filesystem.
Almost all devices in the world support a hosts file, because most of the network stacks in use today spring from the same code.
EDIT: It has 40-55 thousand host entries, depending on which version you use. In my scripts I just curl https://raw.githubusercontent.com/StevenBlack/hosts/master/h...
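The posts above describe merging several hosts-file blocklists and pushing the result onto family machines. The script below is an added example, not code from the StevenBlack/hosts project or from anyone in the thread: it parses hosts-file syntax (comments, multiple names per line, inline comments), keeps only names mapped to a sink address so that real mappings such as a LAN printer are not mistaken for blocks, unions several lists without duplicates, and renders the result. The two sample lists are constructed for the demo; a real run would read the downloaded files instead.

```python
"""Merge several hosts-file blocklists into one and query the result.

Added example, not the StevenBlack/hosts project's own code. The two
sample blocklists below are constructed for this demo.
"""

# Addresses that mean "block this name". Real lists use one or the other.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Loopback names every hosts file carries; never treat them as blocks.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0",
}


def parse_hosts(text):
    """Return the set of hostnames that a hosts-file text maps to a sink.

    Drops comments and blank lines, accepts several names per line, and
    ignores inline comments after the names. Names are lower-cased and a
    trailing dot removed so that duplicates across lists collapse.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        if address not in SINK_ADDRESSES:
            continue  # a genuine mapping (e.g. 192.168.1.10 printer), not a block
        for name in names:
            name = name.lower().rstrip(".")
            if name and name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def merge_sources(sources):
    """Union several hosts-file texts into one sorted, deduplicated list."""
    merged = set()
    for text in sources:
        merged |= parse_hosts(text)
    return sorted(merged)


def render_hosts(names, sink="0.0.0.0"):
    """Render names back into hosts-file syntax, one name per line."""
    header = [
        "# merged blocklist, %d entries" % len(names),
        "127.0.0.1 localhost",
        "::1 localhost",
        "",
    ]
    return "\n".join(header + ["%s %s" % (sink, n) for n in names]) + "\n"


def is_blocked(hostname, blocked):
    """Exact, case-insensitive membership test.

    Hosts files have no wildcards: listing 'ads.example.com' does not
    block 'cdn.ads.example.com'. That is one limit of OS-level blocking.
    """
    return hostname.lower().rstrip(".") in blocked


# Constructed sample inputs standing in for two downloaded lists.
SAMPLE_LIST_A = """\
# Sample list A (constructed for this example)
127.0.0.1 localhost
0.0.0.0 ads.example.com   # banner network
0.0.0.0 tracker.example.net pixel.example.net
192.168.1.10 printer.lan
"""

SAMPLE_LIST_B = """\
# Sample list B (constructed for this example)
127.0.0.1 localhost localhost.localdomain
127.0.0.1 ADS.EXAMPLE.COM
127.0.0.1 telemetry.example.org
"""

if __name__ == "__main__":
    names = merge_sources([SAMPLE_LIST_A, SAMPLE_LIST_B])
    print(render_hosts(names), end="")
    print("# cdn.ads.example.com blocked?",
          is_blocked("cdn.ads.example.com", set(names)))
```

The rendered output is what you would write to /etc/hosts on Unix-like systems or C:\Windows\System32\drivers\etc\hosts on Windows (both need administrator rights). Because the match is exact, a subdomain the lists never saw still resolves, so the lists only work as well as their coverage.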
Oi! Thanks for this. I am going to start using it from now on.
Grandpa should probably use a chromebook. It's cheap, it's not as targeted as windows systems, and doesn't need AV. On the downside he'll be locked into the Google ecosystem, but for his needs that might not be so much of a problem.
If it becomes a problem, GalliumOS is actually good enough in most cases to use as a daily driver on a Chromebook.
Grandpa will be better off with an iPad since the iPad has way more apps than a Chromebook and is more intuitive and user friendly than Android or a Chromebook. An iPad can work offline, is more portable and convenient to read (pinch and zoom etc.) and to write, typing with a keyboard that you can connect or touch-typing on screen. Not to mention Apple will protect his privacy more than Google will.
Chromebooks and iPads are both fine. Both are vastly better than general-purpose computers of any kind.
I see where you're coming from and my (then 76 year old) Gran loved using my iPad mini, but she found the screen too small and a full sized iPad too heavy to hold. She did like her iPhone, but would still routinely send random messages to the wrong person.
She would've also found the jump from iOS 10 to iOS 11 confusing, as she did from XP to Windows 8.1.
I'm only posting this because I went down the exact route you mentioned for exactly the same reasons and it backfired spectacularly, and expensively.
I share your intuition. Absent credible evidence to the contrary, I would not use anything on Windows other than the default from Microsoft. On the other hand, I probably wouldn't expend a lot of energy arguing with Grandpa when Grandpa has decided Grandpa knows better.
However, my first level advice would be not to do banking online, but that's another story.
> However, my first level advice would be not to do banking online, but that's another story.
Yeah just don't use one of the greatest conveniences of the Internet — that solves it.
Or, only do banking from a Chromebook which is never used for anything else.
This is a pretty thorough introduction to personal digital security. It starts by emphasizing Threat Modeling, which lay users often forget.
Most of the recommendations are standard (password manager, two factor authentication, basic OPSEC, ad blocking plugins) but it also has a fairly detailed discussion about the TOR browser. The recommendation to use a VPN may be controversial, but it includes a discussion of the relevant threat model, which helps.
> Do use antivirus
I think the standard advice from the security community is to not use any antivirus at all and maybe only Windows Defender if you're on windows.
The advice to use Tor browser is also terrible. The Tor browser is based on an older version of Firefox ( currently version 52 vs 57 for upstream Firefox ) and so might contain known bugs.
On a side note what does the security community think about Qubes OS [0]? The approach of security by isolation is interesting.
Firefox 52 is a special Extended Support Release version and will continue to get security patches.
ESR releases get a subset of security patches. Don't use Tor Browser.
Not true. It’s based on the long-term-support version of firefox, called ESR. The ESR branch typically eschews new features for stability but certainly receives any security bug fixes alongside evergreen firefox.
> The advice to use Tor browser is also terrible.
Mozilla uses tracking scripts in Firefox, which in some versions (such as Firefox Beta, Developer Edition, and Nightly) can not even be disabled (If you go to about:config, you’ll notice that toolkit.telemetry.enabled is "locked:true").
So Mozilla themselves suggests that if you do not trust Google Analytics to hold up their agreements with Mozilla, you should instead use another browser (e.g. Tor Browser).
Isn't it datareporting.healthreport.uploadEnabled (still unlocked and visible in the "options" -> "privacy & security" panel) that controls the upload, and toolkit.telemetry.enabled is only about whether something is collected or not?
Either way, thanks for the pointer. Didn't know that setting was revamped.
> Isn't it datareporting.healthreport.uploadEnabled (still unlocked and visible in the "options" -> "privacy & security" panel) that controls the upload, and toolkit.telemetry.enabled is only about whether something is collected or not?
I’m not actually sure – I’ve heard conflicting reports from Mozilla volunteers and employees in the past, but the general statement is that Beta, Dev, and Nightly contain tracking, and you opt into that when downloading, because the smallprint below the download button tells you that they will track you.
I've experimented with changing `toolkit.telemetry.server` to my own server. Not a single request for the last 18 hours (since I've read your comment and changed the settings)
Using nmap, and not changing the destination server, I've seen numerous outbound requests in a given hour.
Tor Browser is based on ESR releases of Firefox which have security fixes backported.
Why not use antivirus? They are a good protection against downloaded content (email attachments, downloaded files), no?
Non-tech users should use antivirus.
If you're highly technical and no one else touches your machines, then you may be fine.
The claim that no one should use it is trendy right now. The idea that your in-laws Windows box should be left with nothing on it is misguided. But all you do need is to make sure Windows Defender is running and up to date.
The last leg for me was TLS MiTM as an antivirus service. And so I don't use 3rd party antivirus on systems that I care about. I do use active firewalls and connection monitoring though, and I only install software that I've purchased (or open source software) on those systems. Perhaps ironically, I do have antivirus on my old laptop dedicated to watching ahem massage videos.
> Mac users can install Adium, PC (and Linux) users will have to install Pidgin and the OTR plugin.
No word about OMEMO[1] or Conversations[2]. I think running your own XMPP server with end-to-end encryption should be pretty safe (if it needs to be safer, run it within a VPN). After that the unsafest part is probably the device you use your app with (closed source firmwares nobody has ever seen).
[1] https://xmpp.org/extensions/xep-0384.html
[2] https://conversations.im
This is overwhelmingly terrible advice.
It even tells you to install a mobile antivirus!
Most of the advice seems to be very sound to me other than the mobile antivirus. I've used Lookout several times on Android, and it does nothing to prevent malicious software. I know from personal experience: when my Android got malware, the Lookout scan reported everything was fine.
Why else is it terrible?
It also recommends running an antivirus on desktop, using a VPN, using tor browser, pidgin and goes as far as discussing android as a viable option.
The “lock up your SIM” part is simply ridiculous too, this has never ever stopped anyone.
This article is terrible because it has clearly been written by non-experts who should not be writing any security guides.
Your comments (this one, and others downthread) get downvoted to hell yet tptacek's comment [0] -- which says basically the same thing -- is at the top. WTF?
Interesting. I'm not a security expert, but I believe locking the SIM card with a PIN code is a reasonably good idea to ensure that in case of a stolen smartphone (non-targeted) it would more likely be thrown out as useless rather than used for any nefarious purposes.
Or I'm wrong?
SIM card PINs are not discussed in the article. Instead they recommend asking your telcos support rep to attach a note to your account to prevent sim swapping, which doesn't work.
I’m out of the loop, what’s wrong with pidgin?
libpurple suffers from very poor code quality, leading to tons of exploitable vulnerabilities. Just as you would expect when writing C parsers for lots of complicated protocols.
> libpurple suffers from very poor code quality, leading to tons of exploitable vulnerabilities. Just as you would expect when writing C parsers for lots of complicated protocols.
Is this your personal feeling or do you have something to back this up? A quick look at the source code suggests it's basically like any other glib based program.
These are just public ones:
https://www.cvedetails.com/vulnerability-list/vendor_id-6938...
Filter by CVSS > 6, note the number of execs. Enjoy.
This is a commonly known fact, not just my personal feeling.
Regarding web extensions like Adblock or others I'm using, this seems to be quite risky because the developers of the plug-in could get hacked and silently release a version that captures your password fields.
Are we really ok giving full read/write access to our webpages from companies we know nothing about?
I'm considering removal of all web extensions that have read/write access.
Thoughts?
uBlock Origin is GPL licensed. It collects no analytics. The code base is concise and highly legible. The primary maintainer (Raymond Hill) appears to be a principled man. I don't think that it has been independently audited, but I trust it more than most of the software on my computer.
Right, but do you trust that his entire system is locked down. Wouldn't this be the ultimate target by a hacker at the highest level. They might even go so far as to physically breach his location if they knew they could gain access to his machine. Installing keyloggers, etc.
This might allow them to change the plugin at the last minute if he made an update and pushed it out.
Yes, but your parent is afraid that an extension's account may be hacked. Now that going forward Mozilla will be doing only minimal manual code review on AMO, this is not an entirely fanciful concern.
We talk about reducing the attack surface of every other program out there, but funnily enough, almost no one mentions reducing the attack surface of the single program that's more exposed than almost any other to exploits: the web browser.
On the contrary we pile it with addon after addon and even the browser makers have long succumbed to feature creep.
"Camera access" - let's discuss this in more detail. So I am not convinced that I need to put that ugly piece of sticker onto my laptop camera. Is this really a big problem on Mac or not? Is there another alternative to putting some ugly sticker on a beautiful laptop?
I printed a blank strip of "White on Black" label tape and stuck it over the camera on my MBP. I only see it when I'm in a super bright environment, such as in sunlight. Otherwise I forget it's there.
If you don't want an "ugly sticker" on your laptop, you can get some nice laptop camera stickers [0] from the EFF. I have them on all of my laptops.
[0]: https://supporters.eff.org/shop/laptop-camera-cover-set
If you don't use it you can disconnect it from the motherboard. ifixit.com can help you find the connector.
....With my 32 years and tech affinity I simply can't imagine owning a credit card. The missing security being one thing, but it may also have to do with relatives being perpetually short on money for debt they accumulated themselves.
I don't understand why their first point for mobile was "Get an iPhone" but they didn't do something similar for desktop. Why didn't they say "Run OpenBSD"?
Because an iPhone is easy to use for the vast majority of people and OpenBSD is not.
I've installed Xfce/Gnome/Mate on new computers for senior family members and they don't even notice half the time. They just think it's a new version of Windows or Mac.
In age ranges from 40-72+.
The "vast majority" you speak of probably mostly use a web browser and a mail client, so their interactions with the actual OS are minimal.
Sometimes I get calls about digital cameras (or phones nowadays), so then I either go there and set it up, or have them open external access in some manner (usually Teamviewer, because it's easier for them). But this is rare, and of course I don't mind talking to them and helping them anyway.
And it would also happen when they used Windows.
Probably fine until they try to install Spotify, or some other life critical piece of software.
One is good advice, the other is not.
HN: The only place where you need to explain the difference between iOS and OpenBSD.
But nobody really wants to understand anything. They want a turn key solution. An intro to threat modeling is good. But it’s lost on deaf ears. The weakest link in compsec will always be the person using the device.
"It is a profoundly erroneous truism, repeated by all copy-books and by eminent people when they are making speeches, that we should cultivate the habit of thinking of what we are doing. The precise opposite is the case. Civilization advances by extending the number of important operations which we can perform without thinking about them. Operations of thought are like cavalry charges in a battle — they are strictly limited in number, they require fresh horses, and must only be made at decisive moments." - Alfred North Whitehead
I have been programming computers for twenty-two years right now, using them for twenty-five, and I don't understand much of anything. I probably understand more than, what, 95% of the population? More? And I still do things that I am sure are stupid and clueless.
Whether people "want to" or not is not relevant or meaningful. People have stuff to do. Wringing one's hands about "oh, but they don't want to understand" is the toxic kind of elitism.
Everyone should appropriately consider the source (and their security concerns), but this also exists:
It provides some advice and references a number of other government sources once you dig into it.
Ban China, Russia and India IP space. Problem solved.
Edit: what’s with the downvotes? Burned much? Hey, try looking at your failed ssh login attempts before and after doing this. You’re welcome.
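The comment above suggests comparing failed ssh login attempts before and after dropping whole address ranges at the firewall. The script below is an added example, not from anyone in the thread: it parses OpenSSH failure messages out of auth.log-style lines, tallies them per source address, and reports how many attempts a given set of CIDR ranges would have stopped. The log lines are constructed using RFC 5737 documentation addresses, and the banned range is a placeholder, not any country's actual allocation (real per-country lists come from the RIR delegation files or a GeoIP database).

```python
"""Tally failed sshd logins per source IP and measure a range ban.

Added example, not from the thread. Sample lines are constructed in
OpenSSH's auth.log format with RFC 5737 documentation addresses; the
BANNED list is a placeholder, not a real country allocation.
"""
import ipaddress
import re
from collections import Counter

# Two OpenSSH failure shapes seen in /var/log/auth.log or `journalctl -u ssh`:
#   sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2
#   sshd[PID]: Invalid user NAME from IP port N
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for(?: invalid user)? \S+|Invalid user \S+)"
    r" from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)


def parse_failures(lines):
    """Return a Counter of failed-login attempts keyed by source IP string."""
    hits = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def in_ranges(ip, ranges):
    """True if `ip` falls inside any network in `ranges`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def remaining_after_ban(hits, ranges):
    """Attempts that would still reach sshd if `ranges` were dropped upstream."""
    return sum(count for ip, count in hits.items() if not in_ranges(ip, ranges))


def top_sources(hits, n=5):
    """Most active source addresses, highest count first."""
    return hits.most_common(n)


# Constructed sample log (RFC 5737 addresses; not real traffic).
SAMPLE_LOG = [
    "Dec  3 10:14:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Dec  3 10:14:05 host sshd[1236]: Failed password for root from 198.51.100.7 port 51235 ssh2",
    "Dec  3 10:14:09 host sshd[1240]: Accepted publickey for alice from 192.0.2.4 port 50000 ssh2: ED25519 SHA256:abc",
    "Dec  3 10:14:12 host sshd[1242]: Invalid user oracle from 203.0.113.5 port 51236",
    "Dec  3 10:14:20 host sshd[1244]: Failed password for invalid user test from 203.0.113.99 port 40000 ssh2",
    "Dec  3 10:14:25 host sshd[1236]: Failed password for root from 198.51.100.7 port 51240 ssh2",
    "Dec  3 10:14:26 host sshd[1236]: Disconnected from authenticating user root 198.51.100.7 port 51240 [preauth]",
]

# Placeholder ban list; substitute the ranges you actually intend to drop.
BANNED = [ipaddress.ip_network("203.0.113.0/24")]

if __name__ == "__main__":
    hits = parse_failures(SAMPLE_LOG)
    print("failed attempts by source:")
    for ip, count in top_sources(hits):
        flag = " (banned range)" if in_ranges(ip, BANNED) else ""
        print("  %-16s %d%s" % (ip, count, flag))
    print("total: %d, remaining after ban: %d"
          % (sum(hits.values()), remaining_after_ban(hits, BANNED)))
```

Run it against the real file with `parse_failures(open("/var/log/auth.log"))`. The "remaining" figure is the honest measure of what a range ban buys you: brute-forcers outside the banned ranges keep going, so the ban lowers log noise rather than replacing key-only authentication.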
Pretty solid guide, considering sharing this with all your family and friends on Facebook, email etc as an average Joe can learn a lot from this.
For the parents and grandparents:
Do as much as you can with just a Chromebook
Use 2 factor authentication
Don't go anywhere near Windows