Thoughts on Security

For a long time I was a believer that if you don’t have something to hide then you don’t need to worry about hiding what you do.  But this is missing the point and I have since revised my beliefs about personal security and it’s importance.

There are many aspects to security:  Using encrypted communication, and a password manager and storing your files encrypted on your computer are all technical aspects to your security.  Hiding from security cameras, using clean phones, using cash to purchase things can prevent external actors from tracking you.  Taking money out of the bank to buy physical gold is a bit of security against a financial collapse.

We all have to draw a line on how far we are willing to go for our security.  Some people don’t care at all, while others need to go to great lengths to ensure the NSA hasn’t hacked their computer.  The line you draw has to do with what are easy enough security measures to make and what you feel your risk is.

There are some fundamental technology measures that I believe are critical.

  1. Encrypting your phone and computer
  2. Use a password manager
  3. Use end-to-end encrypted communication whenever possible
  4. Use 2 factor authentication when possible

These are important for different reasons.

Ensuring that your computer and phone are encrypted and password protected is protection against loss.  When you leave you phone in a taxi or someone steals your laptop from the coffee shop while you use the washroom the lost hardware is secondary to the loss of your work, personal photos, contacts etc.  You won’t be easily blackmailed to get it back and the thief won’t easily steal your passwords stored in your emails.  An encrypted hard drive costs nothing and protects you from accidentally leaving your laptop bag behind. Here’s some instructions

Password managers protect you against the multitude of bad developers out there who don’t secure their websites well enough.  There is a continual stream of companies that announce they’ve been compromised (who knows how many don’t announce it). By using the same or similar passwords on many websites you increase your risk.  Given a list of user passwords for one site it’s easy to write a quick script to try those same passwords on facebook, linkedin, amazon, gmail etc.  A password manager allows you to use unique passwords on all the websites you use so that if one web site you signed up for 5 years ago gets hacked you don’t suddenly find everything else broken into. Sign up for LastPass

Two-factor authentication is another tool to improve your security against automated scripts that might try logging into your accounts.  While possible to use a script to login with a username and password, it’s impossible to do so if it requires a physical device to verify as well. This has saved me already from being hacked and having my bitcoins stolen.

End-to-end encryption for communication falls into a category of security for me that is about traceability and possible correlations within a big data context.  It’s a precaution about the future you cannot predict. While you may trust Google, Apple, the NSA or CSIS today, CEOs change, laws change and technology changes.  

One risk with the abundance of security cameras is that a single breakthrough system with facial recognition could tie everything together. What was once a collection of disconnected cameras with VHS tapes could become much more integrated and intelligent.

The big data aspects have some scary implications.  With today’s technology it’s possible to trace every single person’s path through a city (given enough camera coverage).  There is no technical reason why this couldn’t be done in realtime.  Finding correlations becomes possible – you were in a park where a known terrorist was yesterday and another member of the terrorist group hung out by your office building last week.  Now there are two data points to connect you to terrorists.  This is evidence that could be used against you.  You never know what kinds of things may correlate with your communication patterns and so it’s best to simply hide everything from those who may be looking.

This week the UK announced that they are giving access to personal internet browsing history to lots of government ministries.  Now a webpage someone visited last year might show up on a government search about them.  Something they thought was private and safe could now be used against them. Or if they shared their internet with friends or family, or had their computer hacked it would look the same in a report.

The revelations that Edward Snowden presented really paints a scary picture of the capability of state actors.  The Russians, Chinese and Americans have built a considerable infrastructure that they have used to infiltrate systems worldwide.  And even if you trust the current leaders of those countries to act responsibly, the next person in power may use the information they collected years ago to target you!

Sites like facebook present a problem for our security.  Much of what we put online has to have our identity tied to it (or else the sites fill up with spam).  But then we are actively sharing things that would in another context seem a crazy breach of security.  The amount of information you can get out of a network graph query on facebook is staggering.  I don’t think it’s even possible to understand what the possible risks are of sharing things on these platforms may be in the future.

I have seen computers connected to the internet get found and hacked in less than 24 hours. IP addresses are getting port scanned continually looking for vulnerabilities.  Two-factor authentication prevented me from losing $3000 this year.  There are risks out there and your privacy and security are important.