The New Oil

Book Review: Click Here to Kill Everybody by Bruce Schneier

September 12, 2020

I’ve been pumping out a lot of book reviews lately. I guess I’ve just had more time to read them finally.

About the Author & the Book

Bruce Schneier is an internationally renowned cybersecurity expert. He has written over a dozen books on the topic, as well as “hundreds of articles, essays, and academic papers.” Schneier has testified before Congress, served on several government committees, made numerous appearances on TV and radio, and sits on numerous boards of various non-profits and educational societies. He has also been heavily involved in the creation of several cryptographic algorithms, the most notable being Blowfish and Twofish.

In his latest book, Schneier explores modern cybersecurity (or lack thereof). He explains why Internet of Things (IoT, or “smart devices”) security is a serious matter, the reasons that led us to where we are today (aka why modern cybersecurity blows), and offers some ideas on moving forward and changing the path.

The Good

This book is incredibly accessible. Without skimping on accuracy or details, Schneier shies away from in-depth technical analysis, instead offering a bird’s eye view of the current cybersecurity landscape. His goal is not to explain to how asymmetric keys work, but rather explain why we don’t use them to secure our fridges and toasters. This makes the book a great read for even those with the most limited technical knowledge. If you’re smart enough to understand “try turning it off and on again” – even if you don’t know why that works – you’re smart enough for this book.

I’m also a fan of people who offer solutions. I don’t believe that offering solutions is mandatory. You don’t have to know how to fix a toilet to know that it’s not working right. But I personally find it refreshing, constructive, and thought provoking to say “the toilet’s broken, here’s a few things that might fix it.” I also appreciate Schneier’s occasional reminders that he’s not trying to claim he has the answers. While his book his chock full of ideas and suggestions, he regularly reminds readers that his ideas may or may not work, and probably aren’t the only solution. He says at the beginning and periodically reiterates that his goal is to start a discussion, because we as a digitally-connected world desperately need to have one before our toasters kill everyone.

I think perhaps the best praise I can give this book is that it almost never discusses privacy. Some of my more privacy-centric readers know that getting people to care about privacy is a lot like getting a pig to care about the nutritional content of the slop you’re feeding it: people just don’t care. But cybersecurity, that’s something people care about. People are deeply concerned about identity theft, stolen bank numbers, and stalkers. This book is almost completely about that stuff (at least, on a high level), and as such it should be of interest to nearly anyone reading this.

The Bad

For one, I think Schneier relies a bit too much on government and regulation in his proposed solutions. Let me be clear: Schneier changed my views. Without being too political, I consider myself Libertarian. I consider small government with massive margins of individual freedom to be the best route, at least here in the US. But Schneier presents evidence in his book that I’m wrong, and while it’s hard to admit when you’re wrong I’m not too proud to do it. Schneier argues that government regulation on things like business, industry, and consumer protection have resulted in a lot of good that corporations would otherwise be too selfish and greedy to implement out of concern for their consumers in the past. Sorry, that was sort of wordy. In plain English: sometimes you need the government to force companies to do the right thing. Schneier has examples of this and proved me wrong, I accept that.

The reason I brought that up is this: while Schneier obviously has evidence to back up his claims and he did win me over to his line of thinking, I also think that the law is not bulletproof. Lawbreakers, by definition, do not obey the law. Whether that’s breaking into a house and stealing all the valuables, or storing customer data improperly and abusing it. While I think regulations and fines would go a long way towards fixing the current state of things, I’m a little disappointed that Schneier’s almost universal proposals are “we need a government regulation.” I think that people should take personal responsibility for their data whenever possible and that we should force these companies into compliance with things like end-to-end encryption, metadata obfuscation, and other plugins and tools I discuss on my website.

To be fair, Schneier is on board with these things. He does explicitly talk about E2EE and he does admit more than a few times that there will always be companies who break the regulations, but I still personally would’ve like to see at least a chapter or even a section about taking matters into your own hands.

Final Verdict

I whole-heartedly recommend this book. Schneier has an exhaustive list of sources in the back, but he writes in a very easy-to-grasp way. This is not a research paper for the hardcore privacy nerd, this is an introduction for everyone. Schneier says over and over in his book that his goal is to start a discussion. He repeatedly states that his ideas may not the best ideas, his goal is simply to get us all talking about ideas. This is a discussion we desperately need to have. As I sit here writing this, I have a smart phone next to me. I have a smart TV in the living room, and two PlayStation systems (3 and 4) behind me that are both network-connected. My girlfriend’s computer across the room is network connected, as is her phone. And we’re on the low end of the technologically connected. Many others I know also have home assistants, smart thermostats, and Ring doorbells. This stuff, as I’ve been saying on this site for a while now, is incredibly insecure and yet we trust it so much. This is a discussion we need to have badly, and Schneier’s book is a great introduction to get those who don’t know as much about it up to speed.

More on the Book

Click here to kill everybody, or to purchase the book. That site will also link you to Schneier’s site and blog, which I follow daily via RSS feed, and any of his other social media accounts or other works.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Sanity Check: Threat Modeling

September 5, 2020

Last week I reviewed Michael Bazzell’s Extreme Privacy book. One thing that Bazzell mentions from time to time is what he calls a “sanity check,” basically a moment to take a deep breath and a step back and ask yourself “am I overdoing it?” Let’s do one of these right now. And no, I’m not out of blog ideas, but lately I’ve been seeing people ask some (in my opinion) really paranoid questions. So let’s take a sanity check.

First off, take a breather. Go take a bubble bath, watch your favorite movie, have a beer, play some video games, read a book, do whatever it is you do to relax. There’s no wrong answer here, just some self-care. I’m a big believer in self-care. I don’t think you can be useful to anyone if you don’t take care of yourself first. If I’m neglecting myself I get snappy and moody, I make sloppy mistakes at my work, etc. So go take five (or thirty, or sixty, or whatever you need) and go take care of yourself.

Now that you’re back, let’s re-examine ourselves. Let’s start with a threat model. I have a whole page dedicated to this topic and I’m sure there’s lots of other great resources, too. The TL;DR (Too Long; Didn’t Read) version is this: “what am I protecting and from who?” We probably all want to protect things like financial information, most of us probably want to protect personal, intimate communications and media, and some of us may also have other individual aspects of our lives that we want to protect for our own reasons (maybe someone is gay or bi and not ready to “come out” yet, or maybe someone else is a conservative in a heavily liberal area and doesn’t feel comfortable saying that publicly). There are no wrong answers here.

The third step in building a threat model I think gets a little bit glossed over sometimes, even by me, but this is really where the sanity check comes into play: “What are the consequences if I fail?” Let’s be real: probably 90% (or more) of the people reading this have very little at stake. If I fail in my own privacy model, Google sends me some personalized ads. Annoying, invasive, but really not the end of the world. Worst case scenario if I fail: someone drains my bank account. That can be overturned, and while it’s annoying I’m fortunate to have a good social support system in my life – in other words, if a hacker stole all my money, I think my friends and family would help me cover rent until I got it back and repaid them. That’s a worst case scenario.

Once again, I suspect 90%+ of my readers fall into this category, and that’s totally okay. Be real about it. And as I’ve said in numerous other blog posts, I don’t think that’s a reason to be lazy. I don’t think that’s a good excuse to not use two-factor or strong passwords, or to not take the risks of your smart TV seriously. But it does mean that there’s absolutely no reason to work yourself into a paranoid frenzy over a small mistake. Don’t let this stuff negatively damage your mental health. I see people regularly posting things like “I accidentally opened my browser with my VPN off, how screwed am I?” The answer, in most cases, is “not much, really.”

When privacy and security start to negatively interfere with your life, there’s a problem. And I mean any area of your life: your job, your relationships, your mental health. One person once posted that he felt like he was going to be alone forever because of his privacy posture. Upon reading his post, he mentioned how girls online wouldn’t download a messenger that required verifying PGP keys and he has a strictly anti-DRM house, meaning no Netflix or YouTube or anything. I replied to the person pointing out the absolute insanity of what they were asking. If there’s no DRM in your house, what is a girl supposed to do when she comes over? Are you guys gonna read books together in silence? For some that might be a dream come true, but for most people that’s just not realistic. Furthermore, asking strangers to download a complex messenger and jump through hoops just to chat? I’ve lost count of how many online dates I’ve had that either ghosted me or just fizzled out. It’s a ridiculous demand. (That’s not even including the aspect of society wherein women are much more likely to be victimized, so he’s already giving off some serious “Criminal Minds” vibes with these demands to strange women online.) That’s an example of privacy gone too far.

I do want to point out that with anything, there are exceptions. Some people really can’t afford to have their IP address leaked online. Some people have stalkers – even very capable ones – and they can’t afford to have anything tied to their true home address. They can’t afford to have their picture taken and posted online. They can’t risk using an insecure communication method or a cell phone. That’s fine. I respect that. I also want to point out that some people just enjoy the challenge. I’ve jumped through some considerable hoops to do things like watch an announcement video or sign up for a giveaway. But you know what my boss would say if I had told him at my job interview that I refuse to use Gmail? “Find another job.” I refuse to let this stuff negatively impact my life. I’m not going to pass up on a job that pays well and has a great work environment just because it means I have to use Google Suite on the clock. (I just don’t use it on any of my personal devices, but that’s a rant for another time). You shouldn’t either. I explained to the guy above that I never have any expectation of any of my dates using Signal or any other messenger, but I do make it known on the first date that I’m a privacy nerd and if things work out I’d like for her to eventually use one. In the meantime, I use a VoIP number dedicated to dating.

So take a sanity check. Ask yourself realistically what’s the worst that could happen if you mess up. Sometimes there are real threats and that’s okay but a lot of the time there aren’t. Notice I said “realistically.” The worst that could happen if I mess up my personal privacy model is that some stalker finds me and ax murders my entire family. Is that possible? Sure. Is it likely? No, not really. The worst I’ve gotten in the privacy community is someone calling me a shill every few months. I don’t think anyone has enough of a grudge against me to go that far. The realistic risk of that – for me – is extremely low. Maybe for you that is a risk. But for most of my readers, I doubt it. So stop freaking out and having a complete meltdown when you make a small mistake. Take a breath, learn from it, and do better next time. And if you’re seriously that paranoid when your realistic risk is quite low, then maybe see a therapist. There’s no shame in that. Don’t let this stuff negatively impact your life. I believe we live in a post-scarcity world, meaning I believe there is enough for everyone. If privacy and security are stressing you to the point of hurting your quality of life, that’s a problem. Make sure you take some time periodically to do a sanity check and ensure you aren’t harming yourself, no matter how deep you go. As long as you’re enjoying it and it’s not causing problems, go as hard in the paint as you want. But always keep perspective.

Book Review: Extreme Privacy: What It Takes to Disappear (2nd Edition) by Michael Bazzell

August 29, 2020

I’m going to lay my cards on the table and admit to my bias: I really like Bazzell and I hold him in fairly high regard. Bazzel was the person who introduced me to privacy, and I “cut my teeth” on his work. His podcast and his earlier (now out of print) “The Complete Privacy & Security Desk Reference: Vol 1” introduced me to why privacy matters, how to go about reclaiming your privacy, the concept that there are levels to privacy, and even the idea that not every level is right for everyone. I was sad when I missed Volume 2 of the desk reference, so I was pretty excited when this new revamped book came out. Fortunately by the time I had committed to buying it, the second edition was on the horizon, so I just went ahead and waited.

Well last night I finished the book, and so in keeping with the vision of my site, I’ve decided to go ahead and share my thoughts.

About the Author & the Book

Michael Bazzell describes his his credentials in relatively vague terms (which makes sense given his work), but they are impressive nonetheless. He claims a long career in law enforcement, including cyber crimes. After retiring from the force, he became a privacy consultant and even worked on Season 1 of the acclaimed TV show Mr Robot. His work on that show catapulted him into celebrity circles and he now spends his time as a full-time consultant helping people disappear from stalkers, hackers, doxxers, and more. He also conducts live training and speaks at events.

Extreme Privacy is Bazzell’s latest (relatively) comprehensive collection of his own knowledge and experience. The book takes readers through Bazzell’s process that he would go through upon being contacted by a client who needs a “full reboot.” In other words, pretend someone needed to completely disappear from a very advanced enemy who has resources to spare, and now pretend you’re along for the ride. The book is not about basic cybersecurity or good social media habits, although it does cover those topics.

The Good

This book is incredibly thorough. I can’t state that enough. The book clocks in at just over 550 pages, and every page is jammed with ideas, strategies, instructions, and examples. There’s no fluff or padding to speak of. It also covers situations that, in my opinion, one wouldn’t normally think of. For example, there’s an entire chapter about pet adoption.

I also found the book to be pretty easy to grasp in most situations. Bazzell talks as if he’s having a discussion with another privacy enthusiast. He knows his audience. He doesn’t dumb things down as if talking to grandma, but at the same time he doesn’t get lost in the super technical details as if hew was talking to a programmer. He keeps things – for the most part – at a pretty average level where a typical competent computer user can grasp what he’s talking about.

Another thing I appreciated about the book – and Bazzell in general – is his consistent “sanity checks.” Basically, every so often, especially when he just finished outlining a particularly extreme strategy, Bazzell will make a point of saying that this is an extreme idea and may not be applicable to everyone. He encourages his readers to consider their own unique situation and whether the work involved in each strategy is worth the payoff. He also warns that some of his strategies may have unintended negative consequences and reminds readers that not everything is right for everyone. As someone who shares that sentiment – that there is no “one size fits all,” – I really appreciate that approach.

The Bad

The book can sometimes be a little bit too thorough. While I appreciate Bazzell’s desire to leave no stone unturned, I felt my eyes glaze over on a lot of parts where he gives example legal documents or describes step-by-step installation instructions or occasionally repeats himself (again, purposely in a desire to be thorough). By the end of the book, I found myself skipping certain parts or skimming them. For example, he’s got several pages about how to install and configure a PfSense firewall. PfSense is not my firewall of choice (although there’s nothing wrong it), so I skimmed those pages. If I ever do decide to use PfSense, I can always go back and check his instructions again for a detailed walkthrough.

It also sometimes feels to me as if the thoroughness is a bit disproportionate. For example, when discussing how to get a car anonymously, Bazzell walks through several scenarios and often repeats himself to be thorough. However, early in the book, he decides that his example state of residence is going to be South Dakota, despite Texas (and I think Florida) also meeting his requirements. He does not offer the same thoroughness if you decided to use one of those states for residency. To his defense though, the steps and laws are always subject to change quickly, so even using South Dakota one should make sure to consult current information and not rely solely on his book.

Finally, while his book does occasionally mention money as a factor, it is clearly aimed at people who have relatively large amounts of disposable income. For example, when talking about a home network and setting up a VPN and firewall on the router, he instantly zeroes in on the Protectli firewall, a solution that starts at $150 on the low end (not bad) but can quickly max out at $1600. That can be a high price tag for some people. (The more reasonable packages land in the mid hundreds, but still.) He does mention that you can opt for a different router and flash the firmware yourself, but he offers very little explanation of which firmware he suggests or what to look for in a home router, leaving the reader to wonder if there’s any less expensive options out there and which ones. This is, honestly, kind of nitpicking but it does seem like a bit of an oversight for such a thorough book, and it’s pretty clear from reading it that he’s used to working with clients who have, at the very least, a relatively high budget.

Final Verdict

I would consider this book a must-read for anyone who’s interested in privacy beyond the average “I don’t want my ex cyberstalking my Facebook.” This book is deep, but it’s designed for people who need their privacy. Police, government employees, people who are concerned they might have or someday get a stalker, people who have controversial jobs or opinions and want to keep their families safe. I hesitate to call this book a must-read for everyone because it is so in-depth and over-the-top, but if you are interested in privacy I think it would be good to have on hand. You can always ignore the parts that don’t apply to you, or come back to them later. Personally I put about a dozen sticky notes on various pages that contained information I knew I would almost certainly come back to at a later date for various reasons.

More on the Book

You can purchase the book here. Bazzell also has a blog and a podcast, as well as live events and additional books. You can find all of them on the website I linked.

The Privacy of DNA

August 22, 2020

How insatiable curiosity created an immutable treasure trove of data privacy nightmares, and you've paid for it

While chatting with another privacy enthusiast on the web lately, the topic of DNA testing came up. This person pointed out how very little information exists in a consolidated, easy-to-understand format online for privacy enthusiasts and how this person had to go do their own research so they could discuss the matter with their own family. Given both my interest in true crime and the fact that my own family has performed these tests in the past (though not me personally), I suddenly realized how surprised I was that I had never before tackled this subject. So, with the help of 21x this week I'm going to attempt to dig into this subject.

DNA Testing

I'm sure that if you're reading this, you're familiar with DNA testing, but just in case you're not or you need a refresher, it presents most often in the form of services like 23AndMe or Ancestry.com who offer an inexpensive, at-home DNA collection service (usually something along the lines of spitting in a tube and mailing it in) and in return you get told about your ancestry such as what countries your ancestors may have come from. Some services even offer to identify potential long-lost family members and help put you in touch.

Don't get me wrong, DNA testing has some incredible promise. Full disclosure: Alzheimer's runs in my family and that keeps me up at night. As a child I watched my grandfather deteriorate into a helpless heap who could remember nothing, do nothing. He drooled on himself and got fed by the nurses. I am all in favor of technology that will help me avoid that fate, and I would love to know if I'm at an elevated risk so I can get treatment early. Additionally, I am in favor of using this same technology to help identify victims, find criminals, and help families get closure and justice. But we have to realize that, as with all modern technology, this is a double-edged sword. We can't let mainstream articles of rainbows and butterflies lull us into a false sense of security by painting utopian pictures of early cancer detection and crime prevention.

Not to mention that the reach of consumer grade DNA testing can be incredibly narrow. A person has about three billion base pairs that would need to be analysed to get the full picture of individual's genome; this cannot be done for $100. Instead, your average at-home DNA test sequences only between half a million and one million base pairs. Plenty to identify you, or offer some very limited health insights while at the same time not really giving you a full picture of your genome which would be useful to your doctor.

The Risks

DNA testing carries great benefits, and with it great potential for abuse. For example, in my own life, what happens if I get tested and a health insurance company declines coverage because I'm at risk for Alzheimers? What if they raise my premiums to an unrealistic level? Many countries are still engaged in aggressive, overt racial discrimination, most notably China with their treatment of Uighar Muslims. Imagine how DNA mapping could be used to refine this process. People who would normally not be at risk – maybe people who have left the ethnic community or don't look like they could belong to the said community – would suddenly be proven to have roots and now be targeted. Imagine how this technology could be use to discriminate against transgender people.

The Problems

I think that genetic privacy is not such a widely covered topic because it has no easy technological solutions. As much as we say that privacy is a human right – and it is – so is the right to waive that privacy if you want. I have the right to not put my entire life on display via Facebook or YouTube, but I also have the right to do that if I want. While long term solutions to privacy concerns will always be fundamentally economic and political, there is some comfort in the fact that if you don't want your phone provider reading your text messages, there's something concrete you can do to implement effective controls. DNA is not so black and white. I can strong-arm companies into respecting my privacy by simply opting out, by using encrypted communication and not using their services in some cases. With DNA, I don't have that option. I have to give up some of that privacy in order to get a medical test. In fact, most newborns are tested within minutes of birth for any major problems because many problems can be fixed or treated if caught right away. But rarely discussed is what happens to that blood sample afterwards. Some states require the sample to be destroyed at the request of the parents, but parents often don't know they have that right, or even that the sample is kept. The same can be kept for decades and is often sold or used in research. In time it could even be upcycled into criminal databases for faster criminal identification.

A bigger problem that rarely gets discussed, I think, is the fact that DNA is not one-to-one. In other words, think of Joseph DeAngelo, the Golden State Killer. DeAngelo evaded detection for decades – his last crime was in 1986 – and he was only captured in 2018 after members of his family submitted a DNA test. Family member DNA is so similar to each other that it got flagged and made police investigate the family more closely, at which point they were able to narrow it down and positively identify DeAngelo as their suspect. He would later confess. In this context, DNA is essentially like metadata: if you have enough of it, you don't need the content. If enough of my family members submit DNA tests, my DNA is virtually unneeded. The picture is complete enough to paint in the missing pieces. Or, have you ever considered how the the 4th amendment rights interact with DNA? The law enforcement compared DeAngelo's DNA with the data found on the public DNA sharing website called GEDmatch. As the DNA the Golden State Killer shares with his family is also his, does that fall under the idea that an individual should not be subject to unreasonable searches? Is shared DNA considered to be part of 'persons, houses, papers, and effects'? Even if you fall on the side of 'they do not', it is inarguable that these issues should be tackled through the democratic legislative process.

Ultimately, where do my rights begin and my family members' rights end? If my mother chooses to get a 23AndMe test, that's her right. But what about my right to not have my DNA obtained by third party researchers? Or insurance companies? Police? Private individuals can already buy your geolocation from your phone provider, should they be able to buy your DNA?

This all factors back into the classic “nothing to hide” argument, the idea that if I'm not doing anything wrong I shouldn't be worried about putting my life on display, but the problem is so much deeper. I don't mind that DeAngelo got caught. In fact, I'm sad it didn't happen sooner. The man was a monster and he got to live a long and privileged life. Catching him at this point is a formality. There was a time where IMSI catchers were only used by highest levels of law enforcement, now every police department has one they got off eBay.

We can pass laws requiring health companies not to discriminate based on DNA tests, or requiring research companies to get consent and disclose how the DNA is used, but how often are companies caught violating these laws? The fines are always laughably pathetic, often less than 1% of a company's annual revenue, even to the point where many privacy invading companies simply see this as a cost of doing business. That shouldn't stop us from passing these laws, but clearly we can't rely on them solely as a solution.

The Solutions?

So what is the solution? We don't know, and that's one reason this topic is so rarely tackled by privacy advocates. I can't stop my family from taking a DNA test. I can ask them not to and explain why, but I can't force them. And honestly, I didn't even know my entire family had done them until years after the fact. Some 26 million Americans have taken an ancestry tests so far, and one estimate says that if the growth trend holds, 100 million Americans will have had the test done within next 10 years. If you consider that sometimes even a distant cousin's DNA can reveal meaningful information about you, 100 million Americans being on file is essentially covering the entire country. And, not to sound like a broken record, but that's great for utopian reasons: catching bad guys, catching diseases while still treatable, and even curing some of them. But if surveillance capitalism has taught us one thing, it's that abuse in the name of profit will always be inevitable. It won't be long before the same data used to cure some disease will be used to disqualify health insurance applicants for the incurable ones. Or that someone will try to argue that your DNA makes you more prone to being a criminal, bringing back ghosts of social Darwinist policies we thought we had left in the cinders of the Second World War. Or declare you unfit for some type of job. The discrimination is real, and it will happen. Just this month Toyota announced their intention to track driver data and sell it to insurance brokers. But you can change your car, you can adjust your driving pattern, you can chose not to drive Toyota. DNA is immutable. This stuff happens, it's not as tin-foil-hat as it sounds.

Next steps

So, what can we actually do? My suggestions are as follows:

Speak to, at least, your immediate family and let the know how you feel about issues of genetic privacy. Be on the lookout for ancestry-related conversations or DNA testing commercials and voice your concerns where appropriate. What's more, educate them on these issues. Genetics are complicated, and the pull of insight into our ancestry is strong. Make sure that if they do make these choices on your behalf, they cannot claim ignorance as to gravity of their decisions.
Take steps to minimize what is already out there. Most DNA testing companies allow the customer to request destruction of the existing biological sample. Remember, only a tiny sliver of your DNA is routinely tested, do not allow the technology to advance enough where your already sent sample can be re-tested to violate your privacy further. If your child, or even yourself, were tested as a baby, inquire into what happened to those samples and the results. Do they sit in some storage room somewhere? Inquire if you can request to have them destroyed.
Urge the user to delete the existing DNA service account and data. If you are subject to a jurisdiction with strong privacy laws, such as California or the EU, use these laws to compel companies into destroying your data, if the person who had the test done agrees. If they do not, voice your concerns.
Support organizations which support these causes and champion these issues. I know, pickings are slim in terms of political representation on these issues, but do not let your silence be taken as complicity.

The Self-Destructive Quest for Perfection

August 15, 2020

This week I was reintroduced to a phrase I’m coming to love as I interact with the privacy community: “don’t let perfection be the enemy of good enough.” If you recommend Signal to someone for it’s security, someone else will complain that Signal uses phone numbers and AWS as a backbone. If you recommend Session, someone will complain that it’s based in Australia – a Five Eyes country. If you recommend Matrix, someone will complain about the metadata collected, and if you recommend XMPP someone will complain about, well, something I’m sure.

About a month ago, I went off on someone because they tried to argue that MySudo is a “joke.” I readily agreed with them that MySudo is not open source and is not end-to-end encrypted (unless talking to other MySudo users), and therefore I wouldn’t recommend it for seriously sensitive communication, but I proudly promote the app as a way to have a wide array of both VoIP numbers and capabilities (such as email and SMS) readily available for a low price. This is great for not using your SIM number and for compartmentalizing your life. The person replied to me by saying that a better solution is to buy multiple phones in cash with multiple SIMs and use them as needed. I quickly pointed out that this solution is ridiculous because 1) it’s expensive, 2) it’s not user friendly, and 3) by turning the phones on and off as needed, you’re already creating a pattern that can be tracked back to you.

The fact is, anything can be hacked or traced. You can ask literally any security expert out there and they’ll agree with me. If you cause enough trouble, someone with enough resources will find you. It’s only a matter of time. This is one of the reasons I repeat over and over on my site that I’m not trying to teach you how to do illegal things. That’s not just a disclaimer to cover my butt, it’s because you will get caught. The goal of privacy and security – for the average person – is to find the right balance between protection and convenience. I mentioned in another blog post that if you make your security defense too difficult, you’ll simply never use it, so you have to find the balance between solutions that aren’t ideal but will be used against no solutions and solutions that are so hardcore you’ll never use them, thereby defeating the purpose.

Which brings us back to my first paragraph. The fact of the matter is, no solution is ideal. ProtonMail explicitly says on their website that if you’re leaking Snowden-level secrets, you probably shouldn’t be using email at all (he certainly didn’t). If you’re planning a revolution, you probably shouldn’t be using Signal even if it does have top-level security. You should be getting together in person. Anyone who claims to be perfectly secure or anonymous is – point blank – full of sh*t and you should run from them like Jason Voorhees. You shouldn’t rely on these electronic means which will someday become insecure, and for all we know might be already. State technology tends to be roughly a decade ahead of the public sector, so you should assume that the government can read everything you do.

For most of us, that’s okay. For most of us, the government is not interested in our selfies, bad puns, dinner plans, Starbucks orders, and the fact that we’re running fifteen minutes late. However, the fact that we can’t have perfect communication doesn’t mean we should throw the baby out with the bath water. “Signal requires a phone number and is based in the US and uses Amazon for infrastructure.” Those are all perfectly valid complaints depending on your threat model and what you’re communicating. When my partner gives me her debit card and asks me to pick up her medication at the pharmacy while I’m out, I would rather use than Signal than SMS to ask what the PIN is or to verify that I’m not missing any the medications that are ready. Just because Signal isn’t perfect doesn’t mean that I don’t use it. I wish she would use something a little more decentralized like Matrix or XMPP, but I’m not going to let perfection be the enemy of good enough. For us, for that situation, Signal is good enough.

Of course, it goes without saying that we also shouldn’t let good enough be the enemy of great. Many people fail at their dreams in life not because they fail, but because they say “eh, good enough” without striving for more. Someone who wants a penthouse gets a corner office and says “good enough. I have it better than most and I should just be grateful.” We should be grateful that we have hyper-secure options like Signal, decentralized options like XMPP, free options like Matrix, or metadata-resistant options like Session.

But we shouldn’t stop there. We should demand better. As with privacy and security itself, it’s a fine line. We shouldn’t forgo the pursuit of perfection because these products are good enough, but at the same time we should respect that these products do give us a huge service, often at little or no cost to us, and often at a massive labor and cost to the developers, who can range from a single person in their bedroom to a medium-sized company struggling to keep the lights on. We should also respect that different companies make different products aimed at different people. For example, ProtonMail started with the vision of making encrypted email easily accessible to the masses. They admit that they are not perfect because perfection would run counter to that mission – that is, it would make encryption not user-friendly and therefore not easily accessible to the masses. Just as my own site often chooses not to post certain information because it falls outside my target audience, many popular services are popular for a reason: they’re choosing to make the trade-off between security and convenience. It’s better to give a lot of people a moderate level of protection than to give a few people hardcore protection and alienate everyone else. At least, I think so.

I want to end by saying that you are always welcome to go the extra mile. I encourage “normies” to use various programs and settings to lock down the telemetry on their computers and give themselves a little more privacy and security, whether that’s Windows or Mac. But I don’t see that as a reason that I shouldn’t use Linux. Just because other people are content with “good enough” doesn’t mean that you aren’t allowed to go the extra mile. And yes, people should be making that decision with education and awareness, knowing the risks and benefits. But the answer there, in my opinion, is not to force people to use difficult solutions, but rather to educate them on why those difficult solutions are better. Forcing someone to do something they don’t want to for their own good will only lead to resistance and eventually abandonment of the proposed solutions, but education will lead to good decisions being made willingly and stuck with. At least, that’s my two cents.

Regardless, please stop letting perfect be the enemy of adequate, and remember that not everyone has the same threat model. Respect each other.

Privacy and Voting

August 8, 2020

This year in the United States is an election year. To call this year’s election “contentious” is an understatement. In that spirit, I want to offer some advice on voting and privacy. I completely support the right to vote and the freedom of any American (and ideally any person) to express their vote if they desire to. I also don’t think that voting should cost you your privacy. I think that the only way democracy can truly work is if people can feel confident that expressing their political opinions won’t put them at risk. (Source)

Context

I worked in a county elections office almost a decade ago, during the gubernatorial race. In other words, I worked two local elections and one state election at the county level and I actually read the election law cover to cover. So while I’m far from a legal expert, I do actually know the rules for real from the source, not from “I heard once” or “I read on Facebook.”

Disclaimers: my knowledge is unique to that specific county, so while much of my knowledge is derived from national election law and applies across the board, some of it may also be area-specific. Also, this was roughly six years ago. Laws do change (albeit, quite slowly and with a lot of resistance), so some of my knowledge may be slightly outdated now. However, I do think the broad strokes I’m about to discuss should be universal, and if nothing else I hope I can give you some starting points.

Finally, as with most of my posts, I’m working under the assumption that you live in America and you possess a legal right to vote (not a convicted felon, of age, etc). I’m also working under the assumption that you possess a relatively low threat model.

Is It Even Possible?

In short, not exactly. It is not possible to lawfully vote without the government verifying your identity and location. Unfortunately, I do agree with the government on this one (I’ll take “things I never thought I’d say” for $500, Alex). It is imperative that we as a society make reasonable efforts to ensure that the only people who actually vote are the people who are invested in that vote: aka, people who actually live in the area affected and are legal citizens. Real quick, I do want to note that there’s a lot of issues to discuss here regarding citizenship, voter suppression, ID requirements, gerrymandering, and other related issues. These are important discussions to have, but this is not the place for them. I’m focusing solely on the privacy aspect.

While I recognize the importance of voter identification, I want to point out that I do not trust the government to guard a box of Tic-Tacs. Whatever information you submit, expect it to become public record eventually. In fact, it will absolutely become public record right away because most places publish an online voter log that is openly available to the public. Literally anyone anywhere with no record or oversight can go to your state or county election website, type in a few details about you (usually last name and date of birth are sufficient) and pull up your full name, date of birth, home address, phone number, email, sex, and more. In some cases you can even search the address to see who lives there. If you’re lucky, your county doesn’t digitize these records and someone would have to go in person to view them, but they’re still available.

I also want you to be aware that records are available in bulk for political purposes, however there is no oversight for this. For example, let’s say the city is planning to sell a local park to a private company who wants to build a mall there. I can request the information of every registered voter in that area so I can go door-to-door and ask them to sign my petition blocking the sale. The information requested can be configured and filtered in virtually any way you can imagine: maybe I want only women because it’s a women’s issue. Maybe I only want democrats and third parties, or only one. Maybe I want a specific zip code, or a specific area stretching from Main Street to MLK Boulevard. Maybe I only want active voters, so I want a list of people who have actually voted, or voted in the last two elections (records are not kept of how you voted, but records are kept of whether you showed up to vote or not). More often than not, the only obstacle in my path will be the price: $1 for every hundred or thousand records, $5 per CD or USB of records, which can store up to five thousand records, organized any way you want them. (Numbers are an estimate from memory, and may vary from place to place.)

Required Information

The first thing you should look into when registering to vote is how to keep your name off the public record. Some states – but not all – offer a form that you can submit at any time which will remove your information from online searches. This will not remove your records from the physical in-person searches or bulk purchases I mentioned above. I believe it’s still worth submitting this form, preferably at the same time as registration. Often this means registering separately. The DMV offers a box you can click that simultaneously registers you to vote while updating your license with your new address. However, the DMV rarely has the form required to keep your information off the internet, and may not even know what you’re talking about. It’s best to go to the election office in person and register there. They will be able to verify your ID, the information, and attach the necessary form (if it exists) all at once, and they will be more knowledgeable about the subject.

Again, this will not stop your information from being on file and abused by an employee, caught up in a data breach, or simply taken in and endlessly contacted by a political party. For that, I have a couple strategies. First, fill out as little information as possible. Information like email and phone number are optional, don’t fill them out at all. It should go without saying that I do not encourage lying or the use of disinformation in any way when it comes to voting. Using a VoIP number or masked email is fine. I’m talking about the use of fake names, nicknames, fake date of birth, or fake social security numbers. Never give the elections people fake information, that is a crime.

Address Information

This part is best used in conjunction with hiding your address. This trick requires you to have multi-unit housing – such as an apartment or condo – and simply to leave your address incomplete. For example, if you live at 500 Maple Street Apartment 315, register as living at just 500 Maple Street. Most systems don’t require a unit number, and if you took my advice to visit in person to register you can just leave the apartment number off. By the time they go to type it in and verify it, you’ll be long gone and the staff doesn’t get paid enough to hound you about it. They’ll just override it and leave it blank. Even if they put one in, the original document you filled out will be scanned and I feel pretty confident that you wouldn’t get in trouble for putting in false information when they view the original document (note: I’m not a lawyer, don’t point to this blog as legal defense).

Personally I don’t see this as fraud because you’re still voting in your specific districts and areas (although the law may disagree). When I worked at the elections office, the only time we ever sent mail was to send a sample ballot (which can be pulled online) or to verify an address if mail got kicked back. You can easily ensure this doesn’t happen by using a mailing address. I’ve never seen a voter registration form that doesn’t allow you to pick a mailing address that’s separate from your residential address. I firmly believe that you should have a PO Box that doesn’t point back to your true, current address so I don’t see an issue with using it here. Why not just put that in the address in the first place? Honestly, because that’s fraud and possibly puts you in the wrong voting zones (assuming it even passes registration verification in the first place). Even if your PO Box is only a block away from your actual house, that street could be the difference between District 5 and District 7. You run the risk of not being able to vote on issues that are actually relevant to you, and possibly screwing up issues for someone else who actually is affected by them.

If you live in a single-family house, things become much harder. You could possibly use your next door neighbor’s address, however I would caution you that this is definitely illegal, but I would argue that it’s ethically okay under two conditions: first, make sure you’re on good terms with your neighbor and they are consenting to this, because they will definitely get mail and possibly even in-person visitors looking for you. Second, do your research and be absolutely certain that the neighbor you’ve selected resides in all the same districts as you. As a final warning on this idea, be aware that in some states voter registration is sufficient evidence for certain tax-related issues like tax breaks, or even counts as identification in some scenarios, so this could come back to bite you. Do your research with this idea, and be warned that it comes at a high risk.

Registration and Unregistration

A final, more extreme option that I don’t recommend is to register to vote right before an election, then unregister. If you’re going to do this, make sure you know when to register. There is a cutoff date, usually 30 days prior to the election, to ensure that the election officials have adequate time to process your registration and add it to the voter rolls. If you miss this window, you will not be able to vote in that election. Furthermore, this strategy does not protect you from data breaches. I can’t remember if deactivated voters are included in purchased records or not. Best case scenario, now your data is safe from being purchased by political campaigns as they're usually interested only in active voters. However, your information is still in the system and is absolutely prone to being caught up in a data breach and is usually still searchable online (though it does not that your registration is inactive). Personally I find data breaches to be the much more likely risk rather than a rogue employee or stalker (speaking on a widely applicable, statistical scale).

Conclusion

I mentioned briefly up top that I think it’s critical for you to examine your threat model. If you absolutely cannot risk being exposed, I don’t think you should register to vote at all. Sucks, but that’s the price you pay for life. Ultimately voting comes with risks, both real (data breaches) and potential (possible abuse of voter data in the future). It’s up to you to decide if you want to cast a ballot and if the risks are right for you. But I hope this post has given you some ideas and starting points to consider so that you can – if you so choose – exercise your rights without totally giving up on privacy altogether.

Privacy and Death

August 1, 2020

I’m not trying to bum anyone out, but let’s get real for a moment: if you’re reading this, someday you will die. I don’t care if you’re sixteen, sixty, human, robot overlord, or post-human alien reading this a thousand years from when it was written (in which case, please pause for a moment to be impressed that this tiny little blog post somehow exists in a thousand years). No matter your situation, you will someday die. I hope it’s a long time from now with a happy and full life behind you, but regardless it’s coming.

The only real question, which I want you to think about today as you read this, is what will you leave behind? Maybe you’re a parent with kids and a decent amount of money stashed away for their future. Maybe you’re a billionaire and you want your estate divided up and given to charity after you pass (if you are, please consider my OpenCollective). Maybe you don’t have a penny to your name. But the fact is, unless you’re in a position to have an approximate date of your death (such as a terminal illness or being elderly), you’re probably not going to have warning and other people are going to have to pick up the pieces. Even if you do have your affairs in order, there is still a bit of work that your survivors will have to take on your behalf (such as filing for a death certificate, arranging a ceremony for your remains, and handling your property). So it’s important that you think about your death now. Go ahead and have an existential meltdown, and once you’re done let’s talk about how to balance privacy and putting your life in order.

Basic Stuff

I’m gonna make a few assumptions in this blog post, and if they don’t apply to you I hope you’ll still be able to find some food for thought and adapt the underlying principles to your situation. In this blog, I assume that you live in America. I assume that you have a family – not necessarily children, but maybe parents or siblings or close friends that you would trust with your life in an emergency. I also assume that you are at least upper lower class or lower middle class – in other words, you are not living literally paycheck-to-paycheck and have at least some degree of disposable income. With those assumptions, let’s begin.

Let’s start with the basic stuff that applies whether you’re a privacy enthusiast or not. You need to think right now about what you want to happen after you die. Death is a powerful and traumatic event for most people. When a person dies, things move extremely fast. The body begins to decay within minutes of death (the exact rate is determined primarily by the environment), so it’s important to get the deceased buried as quickly as possible. That means getting a death certificate, arranging a funeral, getting loved ones gathered together, taking time off work, traveling, etc, often in less than a week. That also entails alerting banks, creditors, employers, and others of your passing. And typically, the person handling all this has their own life to continue to live on top of that – a job, a family, hobbies, etc. So right now there’s a lot of things you can do to make life easier for whoever has to handle your passing.

Right now, while you’re still alive, you should start by deciding what you want to happen to your body. Do you want a funeral? Do you want to be cremated? Do you want to be an organ donor or donated to science? Look into this stuff right now and create a simple will. Then think about your assets. Do you own a house or a car? Do you have money in savings or stocks? Decide what you want to do with that. Are you single with kids? Decide who you would want to take care of them. Once you gather all this stuff up, type it up in a word processor, print it, sign it, and get it officially notarized. It only costs about $10. It’s probably not as good as an official legal will, but it will definitely go a long way and unless you’re quite wealthy with a complex array of investments and assets, that’s probably all you really need. The reason it’s important to have this written plainly and notarized is because – again – death is a traumatic and stressful event for most survivors. If you haven’t had this conversation with your family (and even if you have), a fight may ensue. Your spouse may want to cremate you, but your kids may argue that you wanted a traditional funeral and the surviving spouse is just trying to be cheap. Likewise, you may want to cut a child out of your will, or maybe two of your kids want to sell the house and split the money but the third wants to keep the house. The dispute could even make it all the way to court. Again, while a notarized document may not instantly solve this dilemma, it goes a long way and it does save a lot of time and money in the legal system. These examples aren’t as far-fetched as you may think. Call up any local estate planning attorney and ask about it, they see it all the time. (Disclaimer: I am not a lawyer, please don’t take estate planning advice from a random stranger on the internet, contact an actual lawyer for better advice.)

So you should start your planning by plainly stating what you want to happen with your body, your finances, your assets, and anything else you have strong opinions about (I want my Facebook account deleted, I want my dog adopted by my sister, I want my stocks liquidated and donated to X charity or political party, etc).

Account Access

The next important part of planning for the inevitable is to consider access, both to accounts and devices. In some ways, this is really tricky. In others, it’s quite simple.

Let’s start by considering your accounts. There are some accounts you will absolutely want your survivors to have access to. For example, they will probably need access to your bank and other financial accounts to clear and close the account. If you have any sort of life insurance accounts, they’ll need access to that so they can file a claim. Honestly, it’s probably not a bad idea to give them access to your primary banking email account and your work email so they can inform the relevant people of your passing. Other accounts may not require access unless you want them closed. If you come from a very traditional family, you may not be comfortable saying “here’s the login to my PornHub account, please delete it after my death.” The point is, consider all your various accounts and what you want to happen with them. Are you fine with them just collecting dust? Do you want them closed? Do you want the data in them – such as comments and messages – cleared if they can’t be deleted entirely?

Now that we’ve sorted out which accounts are needed and which ones aren’t, let’s talk about accessing them. This is where things get really tricky. You want a way for your executor (fancy legal word for “person who handles your will and affairs”) to be able to access all this stuff, but you also don’t want anyone else to be able to access that information. For example, you could write down all your passwords in a small notebook and stick it in a safe, but what if the safe gets compromised? If it’s a home safe, like a firebox, what if it gets stolen or cracked? If it’s a security-deposit box, what if the bank gets robbed and the thieves just take everything they can? Perhaps a better solution might be an encrypted USB stick, but you have to make sure that the person in question is comfortable decrypting it and has the password stored somewhere safe or can remember it. It’s also good to consider how you’re going to update the backup if you change any of your passwords. A possible solution might be using a reputable cloud-based password manager like Bitwarden and activating the Emergency Access feature. This is where a loved one can request account access and if you don’t deny it within a set period of time (I believe 7 days) the request is approved. The feature was made for exactly this type of situation. In the end I can’t tell you the best solution, just throwing out some ideas and considerations.

Device Access

If you’re reading this, I hope you’ve taken my advice to use two factor authentication. That means that while your accounts are incredibly secure, a backup stick full of passwords may not be enough for your executor or loved ones to access the required accounts. They’ll need access to your device with two factor on it. The solution here really depends a lot on how you execute 2FA. For example, if you use a hardware token, you could make your executor aware of this. Easy peasy. They now have your logins and your token (which they should’ve received when they took over your assets) and they can easily begin to access your accounts. If you use a software token, you could leave your device’s login information in your password backup (this is another reason you shouldn’t use biometric identification to unlock your devices). Going back to the Bitwarden idea, you could also store your 2FA keys there, giving whoever holds your Bitwarden account total access to everything. Overall this is a pretty simple consideration, you just have to make sure you’ve examined all angles and decided what works best for your situation.

Final Thoughts

Once again, I’m not recommending any specific procedures. I’m also not trying to bum anyone out with death talk, but it’s important that we remember that this stuff is inevitable and you can save your loved ones a lot of headache with just a simple document that says “here’s what to do with my body, my stuff, and the information necessary to make that happen.” They’re already going to have a hard enough time coping with losing you, so try to be considerate and make the process a little less stressful on them.

Privacy & Security 101: Compartmentalization

July 25, 2020

When I shared my previous post around, one comment pointed out that compartmentalization is another basic topic worth discussing, but they did note that such a topic is far too big to have been put into the previous post. Well thank you, random Redditor, because you’re right. I do hint at the topic somewhat on the website, but on the whole this is a topic I’ve never really gone into detail on before. So this week, let’s talk compartmentalization.

What is Compartmentalization?

As a true crime fan, I’d be remiss if I didn’t share the story of Dennis Rader (though some of you may already know it). Rader was elected president of his church council. He was a Cub Scout leader. He worked as a dogcatcher for the city, with a bachelor’s degree in administration of justice, and had a wife and two children. Which is why it was pretty horrifying when everyone found out he was also responsible for ten horrific murders. Some of my readers may better know him by his moniker “BTK,” which stood for “Bind, Torture, Kill.” It’s downright chilling to imagine him torturing and murdering a couple in cold blood after breaking into their home, then going home to read his daughter a bedtime story, but it did indeed happen. And this is an extreme version of compartmentalization.

While most of us aren’t killers (I hope), we all compartmentalize. We dress or talk a certain way while at work, but do so differently on days off. We talk to our kids differently than our partners, and them differently than our friends. We may tell our coworkers about the trip to the park this weekend, but not about the fight we had over finances. Compartmentalization is, as the name suggests, the act of separating different aspects of your life – putting information into compartments.

How Does One Compartmentalize?

Before I get into how compartmentalization helps you stay private and secure, I want to explain how it works. I think doing so will answer the next question by itself, but I’ll wrap it up in the next section as well.

The best and easiest way to compartmentalize is to think of every area of your life as a completely different individual. The personal you – the one that has a beer on weekends with your friends, or plays video games, or takes the kids to the park, whatever – is Person A. The work you – the one that goes to work on Monday and turns in reports or repairs engines or flips burgers, whatever it may be – is Person B. Now in most cases, there’s no need to get too extreme with segmenting these people. There’s no need to go by Bob at work and Jim at home (unless your first and middle names are Robert Jim, in which case that’s probably not a bad idea). But there is a need to use one email for all work-related matters and one for personal stuff. And by work email, I don’t mean your actual email issued to you by the company. I mean “BobLastname@Encrypted.Email.” That way if/when you need to job hunt or do anything else work-related that doesn’t explicitly involve your employer (maybe some freelancing on the weekends?) you now have a way to do that without it getting wrapped up in your personal life. Likewise, have you ever sent a text to the wrong person? Maybe you texted your partner to ask if the meeting was still at 8.

The question now becomes how much compartmentalization do you need? As usual, it depends on you and your threat model. There is no clear answer here. Let’s start trying to answer that by talking about levels of compartmentalization. A full compartmentalization might involve a fake name, a separate device, a separate email inbox, and the whole nine yards. This might be appropriate for a spy, but probably isn’t necessary for most people. Most people might prefer a more partial compartmentalization: a VoIP number from work that’s different from their personal number, a separate email for their banking institutions, utilities, rent portal, and other important matters, a different name and number for online dating, etc.

Do you need full-on separate personas for different areas of your personal life? Maybe. As I mentioned above, you may choose to use a fake name (or a nickname) when online dating in case you run into a stalker or a bad date. In such a case, I recommend going all out with a separate VoIP number and email for the online account. Do you need to make a separate phone number to give to your neighbors than you give to your wife and kids? Probably not, but that really depends on how closely you trust them. For most people, having just two main personas – work and personal – will be plenty. Separating them with a VoIP number and an email is fine. There will be other areas where you’re still you but want to compartmentalize information, like giving your doctor a unique email address that you don’t use anywhere else. You’ll have to examine each situation on a case-by-case basis and decide what the risks are, how you can mitigate them, and what steps are appropriate to managing those risks.

How Does Compartmentalizing Help Privacy/Security?

So now, let’s talk about how this all actually helps you. The biggest advantage to compartmentalization is protection against data breaches. Consider a few of the following examples:

Your X-Box email has a data breach. Some bored teenager finds your email, correlates it to your place of work, and files fake complaints about you.
Using a VoIP phone for work allows you to disable it after hours, creating healthy work/life balances and boundaries.
Using a separate browser (or VM) to check your bank means less risk of malicious plugins and trackers getting your financial information.
Using a separate email for your doctor means that if your personal email address leaks, it can’t be easily and directly tied to your doctor, reducing risks of malicious and dangerous social engineering.
You use online dating. You go on a date and decide the person isn’t right for you, but they take it personally and start stalking you. You used a VoIP number, meaning you can delete the number and move on and it has no information tied to you in real life. You’ve effectively ended the situation before it began.

As with my last post, it’s important to note that compartmentalization is yet another layer. It’s not foolproof protection on it’s own. And I’m not suggesting you make life harder on yourself for no reason. Examine the risks and benefits of compartmentalizing in each case, decide what amount is right for you, and how to best group things. There’s often a lot of messy overlap. If your HVAC breaks, do you send an email from your personal account or your home account, which is also the account tied to your bank? Or, if you buy a home, do you use your bank email account since the mortgage is with them, or do you make a new one? It’s very gray, fuzzy stuff but it’s important that you sit down and start working on it. And honestly, you’ll probably mess it up a little at first, but experience comes with time and soon enough you’ll have a solid, effective system in place for helping to keep your life organized and safe.

Privacy & Security 101: Layering Your Strategies

July 18, 2020

I honestly don’t know how long this blog post will be because the basic concept is actually really simple, but I’ll do my best to explain it without over-explaining it.

This morning while collecting links to share on my Mastodon account, I came across this gem. Basically, a VPN provider claimed not to keep logs and then got caught with an unsecured database exposing plain text passwords (let’s not even touch that one), VPN session keys, IP addresses of users and servers, timestamps, geotags, and other stuff. This is not a blog post about VPNs, but this story does highlight the point of this post. This post is about one of the most important yet rarely talked about foundational concepts in privacy and security: layering your strategies.

Points of Failure & Redudancy

In most industries, there’s what’s known as a “point of failure.” In other words, “this is the most likely spot where something will go wrong.” Because of my background, I’m going to use a concert as an example: when connecting a sound system, your points of failure are usually the cables themselves. The more cables you have, the more points of failure you introduce and the more risk you run of something going wrong. The more you have going on, the more points of failure you introduce. Which brings us to redundancy.

Redundancy is simply having two things that do the same thing. Let’s keep with the concert example above: a “snahWKv!EiQLShN{A”%C<gRh{RF^(Q&g-,4f5L2~R6*ke” is basically a super long audio cable that stretches from the sound booth a few hundred feet in front of the stage to the stage itself. This is how the signal gets transported back and forth from the mics to the mixer (where the sound gets processed) back to the speakers. These days, Ethernet cables are typically used as snakes because they’re cheap, fast, reliable, and smaller than a traditional snake. But Ethernet cables are also typically less physically sturdy than traditional XLR, which means they’re more likely to fail than a traditional snake. So many modern sound mixers come with two Ethernet snake ports, an A and a B. If A fails, you can instantly (sometimes automatically) switch over to B and keep the show going with no (or almost no) noticeable gap in sound. This is redundancy. A system that is redundant has more points of failure because there is more going on, but because of overlap there’s also less risk of that failure being a big deal. The odds of both Ethernet cables failing at the same time is almost nonexistent.

Privacy, Points of Failure, & Redundancy

While I do encourage the use of a reputable VPN provider (read as: not one who advertises all over their website that they’re free coughUFOcough), I also don’t encourage that as a single privacy tactic. I mentioned in a previous blog that if you delete Facebook, you’re getting a little bit of privacy. If you use Signal, you get a little bit of privacy and security. If you do both, you’re getting even more privacy and security. This is how privacy and security should be properly executed, by layering one privacy technique on top of another. I use Tor because I trust the decentralized nature of it, but I also layer that use of Tor with things like TLS. I use strong passwords, but I couple that with using two-factor authentication everywhere I can. My passwords are a point of failure. My two-factor is a point of failure. But the odds of both being compromised by the same person simultaneously? Almost nonexistent. The key to successfully being private and secure is to be redundant, to have overlapping tactics that help to accomplish the same goal, and to make sure there’s not a single point of failure in your approach.

Redundancy & Threat Models

Now, I have said from day one that there is no perfect “one-size-fits-all” approach to privacy. It’s important not to be overly redundant for a lot of reasons. For one, it will make things inconvenient, and unless your life is on the line you’ll eventually get sick of the inconvenience and stop doing it, making it useless. Some people preach using a completely separate device to do financial work, but I find that overkill in most situations. Maybe a virtual machine is more appropriate. Or, honestly, just using a separate Firefox container or separate browser is sufficient in many situations. In other cases, too much redundancy actually hurts you more than it helps you. For example, using too many browser add-ons makes your browser more unique and stands out among the crowd. The benefit of using these add-ons (disabling automatic trackers) is minimal: your life is not at risk if Google finds out you like Neapolitan ice cream and adds that to your marketing profile.

The point here is that it’s important to evaluate your threat model and determine how much redundancy you need. A journalist may find it very important – depending on the severity of the information they’re working with – to use separate machines for work and pleasure. An intelligence operative may risk their life if they don’t have two factor enabled. A celebrity may be putting their whole family at risk by not buying a house in an anonymous trust or shell corporation. But for most people reading this, the stakes are much lower.

Conclusion

I hope that I didn’t confuse you with the last paragraph. My point is not “eh, it probably doesn’t matter if you do or don’t do this stuff.” My point is to make sure that you’re not overdoing it. Once again, if you overdo something there’s a very high risk you just won’t do it at all. Let’s take passwords and two-factor as an example: we should all be using strong passwords with a password manager and two-factor authentication whenever possible. End of story, no debate. But if your two-factor of choice is a hardware token, and you find yourself frequently forgetting your token at home, it’s probably safe to use a software token. The redundancy should still be there because the effort is minimal while the payoff is immense. There’s no need to say “the hardware token isn’t working out, I guess I’ll just disable two-factor altogether.” But in most cases, the risks are also minimal. It’s highly unlikely – for most of my readers – that you’re being targeted by a nation-state or a sophisticated hacker that requires an extra hardcore measure of security. A software token is plenty sufficient. There’s no need to make life that much harder on yourself. (Of course, if you don’t forget the hardware token and you find it quite easy to adapt to, there’s also no reason to settle for less).

I hope this post was helpful and gave you some thoughts. Please don’t settle for a “one-and-done” privacy solution. And when you do have a single point of failure – for example, a ProtonMail inbox with multiple addresses – make sure you understand the risks and how to mitigate them. In that example, I would say to be certain that you’re using strong passwords and two-factor, and also keeping backups of your private key locally. Make sure the machine you’re using to access that email account is secure and clean. It’s all a series of overlapping, multilayered techniques that add up to create a more secure lifestyle. Perhaps another way to think of it might be a suit of armor. A helmet is important. A chest piece is important. Either one by itself is better than being naked. But only by combining the entire suit of armor do you achieve maximum protection. And some people may need bulletproof armor (my analogy is kind of falling apart here but just bear with me). Others may just need something that stops small pebbles and dull knives. Ask yourself where you are, what are the weaknesses in your armor, and how you can best patch them up. And remember: even a suit of armor has weak spots. Nothing is ever 100%. But we certainly can and should be aiming for as close as sustainably possible.

I Lost My Debit Card Last Weekend

July 11, 2020

I love sharing stories like this because as much as I love privacy and security and view it as a fun challenge, at the end of the day it’s really all about practicality. This website is aimed at “the average person,” meaning that if this information doesn’t have any real-world applications then it’s no better than watching Mr Robot (great show, by the way, completely recommend it).

So I lost my debit card this past weekend, and I want to explain how the privacy lifestyle I live helped me save the day. Before I go into it, I want to make two things clear: first off, this subject sort of overlaps with personal finance, but personally I don’t find privacy and personal finance to be mutually exclusive. In fact, privacy and security habits will also often improve your financial standing if executed properly (in my opinion). Second, I am writing this from a place of privilege. Not everyone is fortunate enough to put money into savings, or even to have a bank account. I realize that this story involves privilege, and my goal is not to disparage anyone who reads this and goes “wow, must be nice,” but rather to encourage those who are fortunate enough to be in similar shoes to see how this stuff can have real world impacts.

So What Did I Do?

This past weekend my partner and I drove about two and a half hours out of town to visit her mother. It was a birthday visit more than a Fourth of July visit, we’re rather indifferent to the holiday ourselves. At any rate, in our hometown I stopped and used my card for gas (blasphemy to some privacy enthusiasts, I know) and when we arrived I realized my card was gone. So like any sane person in my shoes, as soon as I discovered it was missing I canceled it and ordered a new one through my bank’s automated system. I use MySudo, so I used the VoIP number that I have set aside specifically for important matters – banking, housing, etc – to place the call. Just to fully flesh out my privacy model.

How Did It Impact My Weekend?

It didn’t really. First off, I’m an introvert. I spent the whole week playing Fable (Steam summer sale baby!) and making fun of the movies we watched on TV. But we follow the Dave Ramsey ideology of personal finance. So we have a moderate sum of money in cash for emergencies. We took this savings with us just in case, and we were fortunate enough to be able to dip into this for any expenses like food. As soon as my card gets here, I’ll be replenishing the money. In the meantime I can continue to dip into the savings for things like groceries and gas until my card arrives (sent to my PO Box, of course).

How Will It Impact Me Online?

The real question most people are probably wondering is “how will this impact me online?” Really that’s the big thing. After all, think of all the subscriptions I have to replace now with a new card number, right? First off, not really. I’m a minimalist. I try to keep the subscriptions I actually use to a minimum. From a personal finance perspective, subscriptions are usually a rip-off. They make continuous money off you while providing very little future returns (such as new features and upgrades) and at the end of the day you don’t actually own anything. From a privacy perspective, these companies usually make even more money off of you by harvesting and selling personal information about you. The less accounts I have, the better.

More importantly, I do almost all of my purchases using either cash (such as in-store groceries) or online using prepaid gift cards and Privacy.com cards. I have nothing to update once my new card comes in. Other than not being able to take money out at an ATM, this really has almost no impact on my life.

The Lesson

The moral here is that this privacy stuff has real world impacts. It’s not just about some nebulous abstract like “stopping Google from profiting at my expense” or “what if America turns police state.” There are actual, practical threats that face us everyday: losing our debit cards, bank data breaches, random stalkers. Don’t just brush the information in this site off as “tin foil hat” or “paranoid” because it actually has value in your life.