The New Oil

Privacy and security for everyone.
TheNewOil.org

Social media is a ubiquitous part of modern life. I am the last person here to decry the negative effects of it, though for the record there are some we should be aware of and address, outside of privacy and security. No, for an introvert and avowed hater-of-small-talk like myself, social media is a godsend. I hate calling or even texting someone to go “hey, I have no reason to be bugging you but what's new? Let's chat.” Instead I love the ability to peruse the timeline at my leisure and respond to whatever someone else felt was worth sharing, whether it's their latest meal, their child, or their trip to the brewery.

Still, many of us are aware that social media comes with wide-ranging risks, from cyber-stalking and cyber-bullying to full-on identity theft. Many of us know someone who has been, or have ourselves been, the victim of someone pretending to be us on Facebook. That usually isn't a problem when you can just post “hey, that isn't me, don't give them money.” But what happens when you're a well-known, respected person and your social-media doppelganger is posting things you would never endorse in a million years? Well, it happens. And sometimes it has nothing to do with you. Another common abuse of social media is to mine what people over-share for “social engineering.” For example, I can check your Facebook page, see that your banner picture is the Green Bay Packers, and if your bank's security question is “who is your favorite sports team?” I now have a pretty good guess. On a more technical level, I can assume that “Packers” might be part of your password and use it, along with your pet's name, your city and your birth year, to seed a targeted wordlist for a dictionary attack; that narrows the search from billions of random guesses to a few hundred likely ones.
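To make the wordlist idea concrete, here is an added example, written for this edit rather than taken from the original post, that turns a handful of made-up profile facts into the kind of targeted candidate list an attacker feeds to a password cracker, then checks whether a given password falls inside it. The profile values, the mangling rules and the suffix list are assumptions chosen for illustration; real tooling applies far more rules, so treat the result as a lower bound on what a motivated stranger can guess.

```python
import itertools
import re

# Constructed example profile: the kind of facts anyone can read straight off a
# public page (banner photo, "about" box, tagged posts). No real person; the
# values are made up for this example.
PROFILE = {
    "favorite_team": "Packers",
    "pet": "Biscuit",
    "city": "Green Bay",
    "birth_year": 1988,
}

# A deliberately small set of the substitutions people actually use.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ["", "!", "1", "123", "#"]


def base_tokens(profile):
    """Turn each profile fact into its common spellings: 'Green Bay' -> GreenBay, greenbay, ..."""
    tokens = set()
    for value in profile.values():
        compact = re.sub(r"\s+", "", str(value))
        tokens.update({compact, compact.lower(), compact.capitalize(), compact.upper()})
    return tokens


def years_around(year, span=2):
    """Birth year plus/minus a couple, and the two-digit form: 1986..1990, 88."""
    return [str(y) for y in range(year - span, year + span + 1)] + [str(year)[-2:]]


def mangle(profile):
    """Apply the cheap rules: capitalise, leetify, append a year, append a symbol, glue two facts."""
    words = base_tokens(profile)
    years = years_around(profile["birth_year"])
    candidates = set()
    for w in words:
        for v in {w, w.translate(LEET)}:
            for year in [""] + years:
                for suffix in SUFFIXES:
                    candidates.add(f"{v}{year}{suffix}")
    # Two facts joined together, e.g. pet name + team name.
    for a, b in itertools.permutations(words, 2):
        candidates.add(a + b)
    return candidates


def password_is_guessable(password, profile):
    """True if the password is inside the wordlist derived from the public profile."""
    return password in mangle(profile)


if __name__ == "__main__":
    wordlist = mangle(PROFILE)
    print(f"{len(wordlist)} candidates generated from four public facts")
    for pw in ["Packers1988!", "P4ck3rs88", "BiscuitPackers", "correct horse battery staple"]:
        verdict = "guessable" if password_is_guessable(pw, PROFILE) else "not in list"
        print(f"{pw!r}: {verdict}")
```

A password assembled from things anyone can read off your profile, like the team plus a birth year plus an exclamation mark, lands in a list of under a thousand guesses, which takes no time at all to try against a login page or a leaked hash. A random passphrase from a password manager isn't in any such list, and that is the whole point of keeping personal details out of passwords and security answers.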

So am I here to tell you not to have social media? Well, sort of. Not to be “that guy” but the quality of my friendships has increased dramatically since I deleted Facebook. I find it much more meaningful when my friends personally invite me to hang out rather than send me a faceless, impersonal, mass event invite. We also put more intentionality into our talks, even our texts. It's more engaging than a casual like while lying in bed at night waiting to fall asleep.

At the very least, I do encourage you to ditch traditional social media platforms like Facebook, Instagram, Twitter, TikTok, Snapchat, and others in favor of more privacy-respecting services like Mastodon, Friendica, Pleroma, PixelFed, Riot, and others. Traditional social media companies are terrifyingly abusive in both the ways and the extent to which they collect data about you and process it. But that's a post for another time. Instead, this post is about how to best use your social media – be it Facebook or Mastodon – and how to be smart about it so you enjoy the best aspects while avoiding some of the worst.

-Ditch mainstream. I know I already said that, but I assume some people are going to skim this post, and it bears repeating anyway. Seriously. Here's just one site full of good reasons why Facebook sucks, and there's plenty more where that came from for each major company.

-Think about your privacy settings. This one is pretty well-known these days so I'm not going to spend much time harping on it, but unless you're a public figure intentionally attempting to reach the masses, you may want to consider locking down your profile behind as much privacy as you can. Making your Twitter private may cost you some followers, but it will make you significantly safer and make your experience more enjoyable.

-Think about what's really worth posting. Again, I'm not here to decry “the good old days” and make fun of people who post their lunch on Instagram all the time, but does it really make you happy? Does “vaguebooking” about your unhappiness really fix the problem? Does sharing that link (that you didn't even read or fact-check) actually change anyone's mind? Don't just impulsively dump things into your profile or feed. Take a few seconds to ask “do I really want to share this?”

-Think about what you're posting. Okay, so you've thought about it and you're REALLY feeling that selfie. Your hair has never looked so good. Great! But do you really need to angle the camera so that the company logo on your work shirt is visible? Did you leave any mail or other personally identifiable information in the background? Is everyone in the picture consenting to be in it? I don't care if my partner posts a selfie to Facebook, but I politely ask her to angle the camera so that it leaves me out. Think about what someone could learn from that photo, such as where you live or work, and remember that people-search websites are a tragically real thing. (I'll do a post about that someday too.) Again though, it's not just you. When you post a picture of your child to Facebook, that picture stays on Facebook's servers indefinitely. Someday your child will be grown, and they should have the right to decide whether they want Facebook to have their facial-recognition data on file. Carelessly posting even statuses or location check-ins can reveal more than you or the people you're with may be comfortable with. Think about what information you're revealing and be sure everyone involved is okay with it.

-Remember who your audience isn't. One big reason I dislike mainstream social media is the lack of privacy. If your profile isn't set to private, literally anyone can see your posts, pictures, likes, and more. “I don't care if my friends see where I work,” you say as you check-in with your latest tweet, but what about the stranger? The Guardian wrote an article reminding us how easily one can “stalk” someone – even by accident – with how much information social media reveals about us.

-Remember who your audience might be. This story of a nurse who got fired after posting benign comments about her job on Facebook shows how even the best intentions can backfire when you overshare on social media. Even if you make a post privately or in a closed group, you can't guarantee that it won't be screenshotted, printed out, or otherwise shared with someone it was never intended to see. Always assume anything you put on the internet is wide open to the public, even if it isn't.

-The internet never forgets. So you had a little too much to drink last night, or maybe the anesthesia the dentist gave you was pretty strong, or maybe you were just really depressed and it felt cathartic to make some depressing posts. You can just delete them later, or set your profile to private, right? Allow me to introduce you to the Wayback Machine. The Wayback Machine is a free service from Archive.org that continuously crawls the public web and saves copies of the pages it finds, for the sake of history. It's not trying to make everyone remember that picture of you in 8th grade; it's trying to ensure that a hundred years from now we have a copy of the front-page news from major events. The problem is that it's a bot. It doesn't discriminate. Obviously the bot can't be everywhere at once and can't possibly capture everything, but it tries hard. The longer something stays online, the more likely it is to get swept up by archiving services, and the harder it will be to remove. And Wayback isn't the only service that does this. Anything you post, even briefly, has the potential to stay on the internet forever, if not on the social media provider's servers then on an archiving service. The odds increase as your social media presence grows, i.e. if you're a notable figure of some kind (musician, actor, influencer, etc). Posting something online and then deciding later “nah, I don't really think I want to share that with the world after all” isn't really an option. It's there forever, and whatever prompted you to remove it – personal information, non-consenting parties, or even just bad lighting – will be there to haunt that decision.

Once again, I'm not here to bash social media (this time). I'm not here to tell you to delete Facebook (though I do encourage it). But I do want you to take the time to think about what you're sharing and make sure you know what you're getting into. Be smart with your social media usage. As I said in my first blog post, our goal is to reduce our “attack surface.” We want to make ourselves a less convenient target so that bad actors go after an easier target. Think twice about anything you post on any social media platform, and that alone will get you pretty far. I hope the pointers above have been helpful in that regard and given you some factors to consider. Use wisely!

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

If you've been online for any time at all, you've probably at least heard mention of Linux. What is it exactly? And is it worth your time?

Linux, put simply, is an operating system, just like Windows or macOS. Linux, however, is open source, and as such there are hundreds of variations of it, called distributions. Some require more technical knowledge than others. Some are run by a company-backed team, such as Fedora (sponsored by Red Hat), and others are built purely on a volunteer basis, like Debian. Some are specialized for a specific job or purpose, like AVLinux for audio production, and others are designed to be used by anyone and everyone.

So first off, why should you consider switching to Linux? For starters, security. Desktop Linux sees far less malware than Windows or macOS, mainly because of its small share of the desktop market and its smaller pool of users. That's not to say it's inherently built more secure; it's largely a “security-through-obscurity” effect, and Linux servers, which run most of the internet, are attacked constantly. So don't go being reckless with your clicking.

Another advantage to Linux is privacy and customization. Linux has no single corporate owner, and most distributions collect little or no telemetry by default (Ubuntu, for one, asks during installation whether it may send a hardware report, and you can say no). Windows 10, on the other hand, has been caught with a keylogger in even its most minuscule software like Calculator and Office. (Source) Ditching all that telemetry is an incredible jump in privacy right off the bat. Also, because Linux is open source, there are a million ways to customize it if you feel comfortable messing with that. And if you don't, there are so many flavors that you're likely to find one that feels right for you. There are versions designed to look like macOS or Windows XP. Even the same distribution can offer several different desktop environments, completely changing the feel of the system.

In light of all that, should you switch to Linux? The short answer I would recommend is “if you can.” Unfortunately some of us have specific hobbies or jobs that require Windows- or Mac-only software. Hardcore or professional gamers, for example, will be hard pressed to find a Linux distro that supports some of the popular titles or offers the same stability as a conventional OS (though I encourage them to check out Pop!_OS, as Linux gaming has come a long way in recent years). Other people, such as graphic designers and musicians, may find that the software their workflow depends on is not available on Linux. And of course, there are tons of other jobs that rely on proprietary software available only for Windows or Mac. So before I give a hard “yes, everyone should switch,” it's important to note that sadly that's not an option for everyone. Of course, there's nothing to stop you from having a work computer and a personal computer that runs Linux (except perhaps finances). You could also try dual-booting if you feel comfortable with that and have the authority to do so on your machine.

How hard is it to use Linux? Again, it depends. Distributions such as Qubes require a high degree of technical knowledge and comfort. Other versions like Mint and Ubuntu are very straightforward and come with a high level of support online through the communities who use them.

Which version do you want? If you're a Mac user, ElementaryOS is probably the place to start. It's gorgeous and looks a lot like macOS, so it will probably feel most at home as an introduction to Linux. If you're a Windows user, Mint looks like Windows XP and will probably be your best introduction. If you're tech savvy and feel comfortable diving right into a different operating system altogether, Ubuntu is by far the most popular Linux distribution. I personally recommend Fedora or Debian. Debian will be the most easily compatible with many of the programs you may already be used to – like Slack or Discord – but Fedora is the stronger security choice: it ships with SELinux enforcing by default and tracks newer kernels and libraries, so fixes arrive sooner. Just about any distribution – except perhaps the highly specialized ones – will give you the same basic ability to check your email, watch Netflix, listen to music, browse the web, and create text documents. If you need anything more than that, check the program's website to see what operating systems it supports. You could also check “app stores” like Flathub (for Flatpak packages) and Snapcraft (for Snaps), which work across most distributions.

If you're interested and curious about switching, in addition to just searching “getting started with Linux,” I recommend this site, which quizzes you about what's important to you and recommends different distributions based on that. I also strongly encourage readers to try Linux out for a test period – either through dual-booting, running off a live USB, or a virtual machine – to find which one is right for you and whether you're even able to switch at all. Good luck, and I hope you're able to find a Linux distro that works for you!


For those who don't know, this blog is part of a larger site dedicated to providing tools and news about information security for the average person. As part of that mission, every morning I browse the headlines and post privacy/security-related articles on The New Oil's Mastodon account, acting as a sort of news feed for stories I think are important and the average person should at least be aware of. (I try to do that every morning; sometimes the day job gets in the way, so here's a quick shameless plug for my Liberapay, where you can help me be less dependent on the day job so I can focus more time and energy on The New Oil.) Data breaches, even though I share them, are nothing new to me. I see them multiple times a week, literally almost every day. But lately I've seen an additional worrisome rising trend: the rise of ransomware. It's becoming a big deal, so I want to talk to you about how to avoid it and protect yourself from it.

First off, what is ransomware? Basically it's malware that encrypts the files on your computer and withholds the key needed to decrypt them, demanding that you pay an anonymous criminal, usually in Bitcoin, to get them back. It's becoming an increasingly common attack, especially on governments and government services. So far, at the time of this writing, South Africa, Florida, Maryland, Ohio, Maine, New York, Georgia, Colorado, and Texas have all been hit, and in some cases the government has agreed to pay to get the systems unlocked. In this post I'm going to be talking about the really nasty, scary stuff. A lot of the time something will claim to be ransomware but in reality it's just scareware: a nuisance lock-screen you can clear by booting into safe mode or using an antivirus rescue USB stick, with no damage to your files. This article is about the scary stuff in the headlines, as that will do the most damage if it ever hits you.

How can you avoid it? The same way you avoid any other malware: don't click links you aren't 100% sure of. If something feels off, it probably is. Don't download anything you aren't 100% sure of. Install operating system and browser updates promptly, since ransomware routinely spreads through flaws that already have a patch. Do regular virus scans, etc.

But what if it happens anyway? We're all human. Once in a while my virus scan detects stuff, and sometimes my links get hijacked. It's part of life in this digital age. Well, if your files have already been encrypted, I'm afraid this blog won't help you much. Sorry. You can pay, though paying is no guarantee: you're trusting a criminal to hand over a working key. You can trash the machine. Or you can take it to an actual cybersecurity expert and see if they can help; for some strains free decryption tools exist (the No More Ransom project, run by Europol together with several antivirus vendors, keeps a list). It's up to you. But there are some things you can do beforehand to mitigate the damage in case it ever does happen to you.

First and foremost, backups. This is a tale as old as computers themselves and the only real insurance plan I know of if you fall victim to ransomware. Multi-terabyte external hard drives are available for less than $100 these days. Consider it an investment. There are a lot of programs out there that offer automatic backups (Windows 10 and Mac even have their own built in), but I personally prefer to manually back up everything once per month. I set reminders on my calendar so I don't forget, then let it run during a couple of hours when I won't be using my computer. That way even if I lose my data, I'm never more than a month behind, which for me isn't a huge loss. Your work may be different, and in your case you may want to back up once a week or even once a day. That's something only you can answer. Additionally, I'm backing up EVERYTHING: project files, text files, even my movie and music libraries. You may decide those are less important and choose only to back up family photos or text files. That's up to you. Either way, decide what's important to you and create a system to back it up regularly. One caveat that matters a lot with ransomware: it encrypts every drive and network share it can reach, so an external drive that stays plugged in gets encrypted right alongside your computer. Unplug the drive when the backup finishes, keep at least one copy somewhere the infected machine can't reach (a second drive in a drawer, or a cloud service that keeps old versions of files), and every so often restore a file to prove the backup actually works.
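Here is an added example, written for this edit and not part of the original post, of a backup routine that takes the “plugged-in drive” failure mode seriously: each snapshot gets a sha256 manifest, a verify step re-hashes the snapshot before anyone trusts it, and restore refuses to touch a snapshot that no longer matches. The folders, file names and the simulated ransomware step are all constructed inside a temporary directory so the script runs anywhere without touching real data.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

# Assumptions for this example: "documents" stands in for the folder you care
# about and "external_drive" for the mount point of a USB drive. Both are
# throwaway temporary folders created by run_demo(), so nothing here touches
# your real files.


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large media files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, backup_root: Path, stamp: Optional[str] = None) -> Path:
    """Copy source into a new dated folder and write a sha256 manifest beside it."""
    stamp = stamp or time.strftime("%Y-%m-%d_%H%M%S")
    dest = backup_root / stamp
    shutil.copytree(source, dest)
    manifest = {
        p.relative_to(dest).as_posix(): sha256_of(p)
        for p in sorted(dest.rglob("*"))
        if p.is_file()
    }
    (backup_root / f"{stamp}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return dest


def verify(backup_root: Path, stamp: str) -> List[str]:
    """Re-hash every file in a snapshot; return the paths that changed or vanished."""
    dest = backup_root / stamp
    manifest = json.loads((backup_root / f"{stamp}.manifest.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file() or sha256_of(p) != digest:
            problems.append(rel)
    return problems


def restore(backup_root: Path, stamp: str, target: Path) -> None:
    """Copy a snapshot back into place, but only if it still matches its manifest."""
    problems = verify(backup_root, stamp)
    if problems:
        raise RuntimeError(f"snapshot {stamp} is damaged: {problems}")
    shutil.copytree(backup_root / stamp, target, dirs_exist_ok=True)


def run_demo() -> Tuple[List[str], List[str], bool]:
    """Take a snapshot, verify it, then simulate ransomware reaching the backup drive."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        source = tmp / "documents"
        (source / "photos").mkdir(parents=True)
        (source / "thesis.txt").write_text("draft chapter one\n")
        (source / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 not really a jpeg")
        backup_root = tmp / "external_drive"
        backup_root.mkdir()

        snapshot(source, backup_root, stamp="2019-10-01")
        clean = verify(backup_root, "2019-10-01")

        # The drive stayed plugged in, so the malware encrypted the backup too:
        # file contents replaced with ciphertext and a new extension added.
        victim = backup_root / "2019-10-01" / "thesis.txt"
        victim.write_bytes(b"\x8f\x1a\x00 ciphertext")
        victim.rename(victim.with_name("thesis.txt.locked"))
        damaged = verify(backup_root, "2019-10-01")

        try:
            restore(backup_root, "2019-10-01", tmp / "restored")
            refused = False
        except RuntimeError:
            refused = True
    return clean, damaged, refused


if __name__ == "__main__":
    clean, damaged, refused = run_demo()
    print("fresh snapshot, files failing verification:", clean)
    print("after simulated ransomware:", damaged)
    print("restore refused the damaged snapshot:", refused)
```

Keep a copy of the manifest somewhere the infected machine can't reach (a second drive, or even a printout of the hashes); if the attacker can rewrite the manifest along with the files, verification tells you nothing. The standard tools do the same job (Windows File History and Time Machine keep old versions; restic and borg store content hashes), but the habit is the point: a backup you have never verified and never restored from is a hope, not a plan.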

Second, don't click any links you aren't 100% sure of. I know I already said that, but it bears repeating. Phishing – where a malicious actor sends you an email or message crafted to get you to click a link, open an attachment, or type your password into a fake login page, giving them access to your account or your computer – is still, after all these years, the number one way of gaining access to an otherwise secured machine. Despite years and years of being told not to click links, to double-check who the email is from, to be 100% positive, people still fall for it every day. Sometimes an email looks legit and comes from a legit address that has itself been compromised, I get that. But you can avoid probably 90-95% of actual attacks just by being judicious with your clicking and by checking where a link really goes (hover over it, or long-press on a phone) before you click.
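Both times the post says “don't click links you aren't 100% sure of,” the practical question is how to tell. The following is an added example, not code from the original post, that pulls every link out of a constructed phishing email and flags the tricks that make a link look trustworthy when it isn't: display text naming one domain while the href points at another, a user@ prefix that hides the real host, a bare IP address, and a punycode (internationalised) hostname that can render as a lookalike. The sample HTML, the bank name, the punycode label and the trusted-domain list are all made up for the example; the two-label domain check is a deliberate simplification that works for .com but not for suffixes like .co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the body of a made-up "your account is locked" email.
# The visible text says one thing; the href attribute says another.
SAMPLE_EMAIL_HTML = """
<p>We detected unusual activity. Please <a href="https://secure-login.examplebank.com.verify-account.example/login">
sign in at https://www.examplebank.com</a> within 24 hours.</p>
<p>Questions? <a href="https://www.examplebank.com/help">Visit our help center</a>.</p>
<p>Or use <a href="https://www.examplebank.com@198.51.100.23/">our mobile portal</a>.</p>
<p>International customers: <a href="https://xn--exmplebank-yyb.com/">examplebank.com</a></p>
"""

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption: the bank's real domain


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Fine for .com; real code would use the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def inspect_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link is suspicious; an empty list means it passed every check."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:
        reasons.append("URL contains user@ trick; real host is " + host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("host is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (internationalised) hostname, possible lookalike")
    # If the visible text itself names a domain, the link must actually go there.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append(f"text shows {m.group(1)} but link goes to {host}")
    if registrable_domain(host) not in trusted:
        reasons.append(f"{registrable_domain(host)} is not a trusted domain")
    return reasons


def triage(html):
    """Extract every link from an HTML email body and inspect each one."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, inspect_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in triage(SAMPLE_EMAIL_HTML):
        verdict = "OK" if not reasons else "SUSPICIOUS"
        print(f"[{verdict}] '{text}' -> {href}")
        for r in reasons:
            print("    -", r)
```

The same checks translate into a manual habit: hover over a link (or long-press on a phone) and read the hostname from the right, because the last two labels before the first single slash are what decide where you actually end up, not whatever appears earlier in the address or in the clickable text.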

Third, I mentioned antivirus. Having solid antivirus software in place is great. Personally I'm not a fan of the more mainstream options like Norton, AVG, and Symantec. Lots of cyber people I trust have told me there's a lot going on behind the scenes that isn't virus-related, like telemetry (reporting the usage statistics of the software) and cosmetic stuff. They tend to be bloated and slow to actually add signatures for viruses currently in the wild. Instead, you may be surprised to learn that both Windows and macOS come with built-in antivirus that experts agree is plenty powerful. Windows Defender was a joke a few years ago, but these days it has been heavily improved and most experts don't recommend a third-party antivirus on top of it. macOS has XProtect, which runs silently in the background with no menu entry or interface of its own.

Finally, if possible, you might consider switching to Linux. Now, this isn't always possible. For my day job, I am required to have access to several key pieces of proprietary software that are exclusive to Windows or macOS. I can (and do) have a personal Linux machine, but I am required to have a Windows or Mac computer available for work. Not all of us can have two computers or dual-boot, and not all of us have the option of switching to Linux. But if you do have that option, I highly encourage you to consider it. Ubuntu is the most common flavor of Linux, and as such has by far the most support: pretty much any problem you search for in a web search engine will almost certainly have an answer for Ubuntu. Mint is another common variation. It looks a little old-school, like Windows XP, and functions similarly, which means you'll probably feel right at home. Personally I recommend Pop!_OS. There's also Elementary for those who are used to the Mac interface. I plan to do a blog post down the road all about Linux, the popular varieties, which ones I recommend, and why. Again, this may not be right for everyone, but because desktop Linux has a far smaller market share, there's less malware out there for it. That doesn't mean Linux is inherently more secure: malware for it does exist, and it's on the user to be judicious. But attackers tend to focus on the bigger, more common platforms, which gives you a small measure of security through obscurity.

Admittedly, it's highly unlikely your computer will be targeted directly. In a lot of these state-level cases, I suspect that someone emailed an employee a link which they clicked, downloading the ransomware. In your case, it's much more likely that you'd be browsing an unfamiliar corner of the internet and accidentally download ransomware designed not for any one specific person but for anyone who happens to click on it. In those situations, your antivirus will be your most likely defense. And, god forbid, if you do fall victim, your backup is your saving grace. Personally, if I were to fall victim to a ransomware attack right now, it would be incredibly annoying but not really a big deal: I would reformat my computer and load the data from my backups without paying anyone a dime. But you can only pull that off if you're consistent with your backups and have good practices for dealing with online content. And as I said before, always be aware that it may just be a scare tactic and may be something you can fix with a normal virus scan.


I’m sure this topic will be nothing new to many of my readers here; however, it seems only appropriate to start from the beginning, and this is a fundamental topic to keep in mind as you move through life and your information security journey. The term “threat model” is – in the context of privacy and security – just a fancy way to say “what are you hiding and who are you hiding it from?” For example:

  • A journalist may want to protect their sources from harm or retaliation. Therefore their threat model will include ways to avoid location tracking, ways to encrypt or otherwise protect the unredacted information they receive from a source, and ways to guard any other details that might reveal who their sources are or allow others to trace the journalist to them.

  • A member of law enforcement may wish to protect their home location in a variety of ways to avoid putting their families in danger from criminals seeking revenge or just general criminals with a grudge against the system.

  • An activist in a repressive country may take steps to hide their research, gatherings, or other activities so the government can’t track their real identity and use it against them.

We all share some common threat models. For example, we all want to take steps to protect our bank accounts. Other people may have stricter threat models. While there’s basic “best practices” that do apply to almost (if not) everyone, there’s really no one-size-fits-all solution for everyone. Some people need more protection. Most people want to find a healthy balance between protection and ease of use. That’s why this site exists.

The example I like to use is infamous serial killer Richard Chase. Chase stalked the Sacramento area between 1977 and 1978. One of the reasons he was so difficult to catch was that he didn’t have a pattern. He said on the record after he was caught that he would just cruise around neighborhoods until he spotted a house he felt compelled to try. But here’s what made Chase odd: if the doors and windows were locked, he would go on his way and try a different house. He didn’t force his way in.

We should all be trying to defend ourselves from the Richard Chases of the digital world. Many people argue that security is inconvenient. It is. It’s much more convenient to use your daughter’s name and birth year for every single account than a randomly generated password that you don't reuse anywhere. It’s very convenient to stay logged in or not use two-factor authentication. My own VPN drives me crazy sometimes. But it’s also inconvenient to have to unlock my door and open it up whenever I come home, and the amount of security I get from not leaving my door wide open at all times and using a simple $2 key more than pays for itself. The same principle applies to information security. Even little things like strong password practices and 2FA provide a measure of security that outweighs the inconvenience, and it only takes a few weeks or even days for them to become second nature.

What’s your threat model? That’s a question only you can answer. Maybe you just need to lock your front door, so to speak. Maybe you need to hire a security guard. Maybe you need to move to an underground bunker. Everybody is different and everybody’s threat model is different. Some people may find the benefits of Facebook worthwhile and keep their account despite knowing the aggressive surveillance the company performs. Other people may decide they don’t want any social media whatsoever, anywhere. These are personal questions. When crafting a threat model, remember those two opening questions: what am I trying to protect, and from whom? Once you narrow that down, the “how” is usually just a couple of web searches away. Even a simple Google search like “how can I protect my bank account from hackers” is a pretty solid starting point that will give you some basic ideas.

In the coming articles, I’ll be diving into all kinds of threat models, tools and practices. We’ll talk about secure messaging, VPNs, disinformation tools, and more. I’ll compare different services, the pros and cons of each, and what to consider when using them. I’ll talk about best practices (like the aforementioned “not reusing passwords” thing). Feel free to reach out with any questions I should cover, products you’re curious about, or any of that. Thanks for reading and good luck!

