The Bare Minimum You Should Do to Protect Your Family's Data (blog.mozilla.org)
148 points by octosphere on Dec 1, 2018 | 112 comments



More than half of that I wouldn't advise or would have serious caveats about the advice given...

This is really a strange document...

Just a few examples:

"Don’t open emails, texts, [...] from anyone you don’t know, don’t recognize, or weren’t expecting" <- sorry, that's not how email works. I want to get emails from strangers that care about what I do.

"Don’t use unsecure Wi-Fi networks" Largely outdated due to HTTPS and completely impractical. Everyone uses the Wifi at starbucks.

"Even better, get a VPN (virtual private network) — but, just like with antivirus software, don’t use a free VPN." How should an average user know if the VPN is a scam? (More than half of VPN providers are scams and there's little reason to believe that paid providers are always better.)

"Use tough passwords and change them frequently." Changing passwords frequently is considered deprecated advice. The single most important rule about passwords is to use unique passwords. Which they don't say at all...

I could go on...

Update: Mozilla deleted the post after criticism, see https://twitter.com/asadotzler/status/1068961020540899329


I agree and I'm glad that it was taken down. However, an appeal to popularity, "Everyone uses the wifi at starbucks" is strange to see from someone who is advocating better security practices. Most phones should have certain network sharing features disabled before accessing an unsecured network. Among people I know it is common for someone to ask if anyone is currently running a mobile hotspot before opening their own. Questions like "Why not just use the cafe's (or bar's) WiFi?" don't even need to be asked.

Many people click the links at the bottom of a news article, open every email they get and click their contents with abandon, and generally ignore their privacy and security on the web. That does not mean that that behavior should go unchallenged or that we should dismiss basic personal security with the old phrase, "Everyone is doing it."


>However, an appeal to popularity, "Everyone uses the wifi at starbucks" is strange to see from someone who is advocating better security practices.

I would call it an "appeal to practicality"

I mean, sure, you and I carry mobile plans with tethering capabilities; my iphone/verizon combo is nearly always better than your average free or included with purchase wifi network. But I also have a device that was like a grand up front and the service is north of $100/month. It's a totally reasonable and practical solution for me, sure, but for someone who doesn't work in tech, or for someone who has kids, etc, etc... for a lot of people, spending that much on connectivity is not particularly practical.

(you can get cheaper tethering setups, of course; those that I've tried have been worse in the areas where I've tried them; it has been more than a year since I tried, so the 'verizon is the best if you don't care about price' statement may be out of date, and of course, different areas have different coverage. YMMV, of course. My main point is just that if you want tethering that is consistently better than free wifi... that's going to cost you an amount of money that might be impractical for most people.)

I mean, sure, you could still just not use data... my computer would be more secure if I left it off. But it would also be a lot less useful.


I ended up writing my own take on bare minimum security practices for less-technical people as a sort of response to the Mozilla article:

https://medium.com/@perplamps/super-basic-security-advice-f9...

If anyone finds any problems or disagrees with any of my suggestions, let me know and I'll update it!


I don't see any problem with the article but almost all the points you raised show there are things hardware vendors, operating system vendors, application developers, and essentially our world should fix on our end and not burden users with it.

For example, some web browsers (Google Chrome and Apple Safari) offer to create randomized passwords.


Revolut allows you to generate "virtual" credit cards, which are just disposable credit card numbers linked to your account. You can spin one up for every major online service you use (Netflix, Amazon, etc.) in case it gets hacked, or for any transaction you're making on a less trusted site.


Mozilla seems to have a habit of occasionally demonstrating really poor judgment in the areas they are supposed to be leaders on, like privacy and user control.


Whenever something is critiqued and/or taken down it makes me curious, like it might really be worth a closer look. Fortunately we have the Internet Wayback Machine: https://web.archive.org/web/20181201131617/https://blog.mozi...


I think it was well intentioned, and given the size of their audience/reach, I hope they revise it and provide a new version with solid advice. I think the general population could really do with more modern understandings of security like using very long passwords, a basic understanding of using 2FA/MFA methods, and obscuring their identity by using temporary/throwaway emails and phone numbers.


"Buy and download antivirus software from a reputable source such as McAfee, Norton, or Symantec."

Installing more proprietary software with unrestricted access seems like a huge step backwards. https://en.wikipedia.org/wiki/Magic_Lantern_%28software%29#A...


Previously, from a former Mozilla developer [1]:

> At best, there is negligible evidence that major non-MS AV products give a net improvement in security. More likely, they hurt security significantly; for example, see bugs in AV products listed in Google's Project Zero. These bugs indicate that not only do these products open many attack vectors, but in general their developers do not follow standard security practices. (Microsoft, on the other hand, is generally competent.)

In the linked Project Zero issue tracker, all 3 of these "reputable sources" have exploits in their anti-virus software.

[1]: https://robert.ocallahan.org/2017/01/disable-your-antivirus-...


BTW, why would Microsoft even need to release an antivirus if they can patch the bugs in the OS that the viruses exploit as soon as they get discovered, instead of just adding them to the virus database?


Viruses don't always exploit bugs. Most cryptolockers generally just trick people into executing them, for example.


So does the Linux/Linux-Kernel, Windows/Windows-Kernel, OSX/OSX-Kernel. Better not install those reputable OSs.


I think you're missing the cost/benefit calculation. Using any software makes you vulnerable to your software being compromised. But we take that risk because we get something out of using software. If you want to run Windows apps, you need Windows. AV software is different because they open up vulnerabilities, but don't give you any benefits. You can't run Excel without Windows; you can run it without AV software. So adding AV software requires some careful thought as to whether or not the cost/benefit is worth it. What the above comments are saying is that in a world where Windows Defender exists, installing third-party AV software is not worth it. The cost outweighs the benefit.


Defender doesn't get updated as fast as other AV; that is why it is free, and if you actually get an MS enterprise AV it is a ton of money compared to other enterprise AVs. I have had Defender not find viruses that other AV would catch for as long as a week. Defender also opens up vulnerabilities. I didn't miss the cost/benefit calculation. https://www.cvedetails.com/vulnerability-list/vendor_id-26/p...


Vulnerability is not lack of security. You need a threat actor exploiting the weakness for it to become actual insecurity.


That's... not what vulnerability means.

vul·ner·a·bil·i·ty (noun): the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.


I did not define vulnerability, I only explained security.

This is security101. Risk is measured by multiplying vulnerability by threat.

Maybe an analogy might help. You are vulnerable to bullets. But your security with respect to your bullet vulnerability is measured by multiplying it against active threats that might shoot you with bullets. So, your security decreases when in a warzone as opposed to lying in bed at your suburban house due to reduction of threat.


Insecurity is having a vulnerability. Whether a threat actor exploited it and what results you can detect are part of a useless variant of Schrödinger's cat that everyone prefers you focus on to sell useless software.


Are you redefining the field of information security? Please read some basic material on information risk and security.

I mean, even just reading vulnerability bulletins and CVE descriptions should familiarize you with exploitability and complexity of attack; they exist to help remediators prioritize more insecure vulns.

Quick example: 'ls' has an easily exploitable code execution vuln. On a shared terminal server, this vuln translates to severe loss of security. On a firewall, this is nothing more than a housekeeping item with no real loss of security, as there are no threats that can run 'ls'.


You are moving the goal posts. The issue I take is with "threat actor". If a threat actor wasn't detected you have no idea if they exist. Only windows crapware tries to make the warped perception that what it doesn't know doesn't exist and priority obviously goes to where exploits provably exist. But insecurity is being attackable not being aware you are attackable (and certainly not knowing you are attackable but seeing no frequency of attacks).

Would you want your electric company to use these products knowing that another country will attack with 0 frequency until war is declared?


Look, the concept is not subjective. I didn't say a threat actor, I said threat.

I highly recommend looking these things up on your own, but the goal of information security is to reduce the risk that vulnerabilities will be exploited to where a breach of your security goals occurs (i.e. the CIA triad: confidentiality, integrity and availability, mostly). It's not to make your system impregnable to all conceivable attacks.

My electric company should have well resourced nation state actors as part of their threat model. They should not only remediate known vulns, they should also employ EDR solutions that perform ML and behavioral detections/preventions. They should be part of their industry ISAC for threat intel sharing (which includes 0days) as well as have a comprehensive threat hunting and incident response program. Your average consumer, however, has different types of data and attackers to worry about.

A banking trojan cleaning out your account, ransomware demanding payment for your family pictures, an ex installing RATs to monitor what you do: these are what consumers are threatened with.

Being attackable is not insecurity. Right now you're attackable by an endless list of threats: your local gang, serial killers, crazy people who shoot up schools, terrorists, etc... But your security is measured by a number of factors including where you live, what you're doing and a specific attacker's cost-benefit analysis of attacking you.


Physical security and computer security don't really connect usefully by these kinds of analogies. I suggest you look higher up in the thread for where you brought up threat actors.


Ok, better analogy: there's a 0day vulnerability in a specific device driver you happen to be using; crafting a workable exploit requires a significant amount of skill and the exploit can only work under specific configurations. A well organized and talent-resourced attacker performing targeted attacks would exploit the vulnerability. Realistically, you'll have to take into account the likelihood of someone exploiting this vulnerability when prioritizing remediation (grading insecurity).

A simpler example: apache2 has an RCE, but known exploits require PIE disabled for an exploit to work. You have one apache server in a segregated VLAN that is facing your admin VLAN, with PIE enabled. In contrast you have an IIS server with a DoS vuln facing the internet. The IIS server is more insecure because there is a significantly higher likelihood of a security compromise (availability) against it, and the org will face reputational and revenue(?) impact.

The whole point I want you to get is that real (in)security is context aware.


That’s a somewhat minor issue compared to the fact that the major anti-virus products appear to be effectively adware with a dubiously secure scanning engine built in.

Whenever I help clean up someone’s Windows computer, I treat any antivirus product other than Windows Defender as malware and get rid of it.


As for resident antiviruses I would generally agree (even for purely logical reasons - that means adding another third party to the 100% trusted list; you grant their app godlike access to your computer and everything on it and let it talk freely and secretly to their vendor). Nevertheless, a live-CD version of something like Dr.Web can be of great use in such cases; Windows Defender as well as other antiviruses run under an infected system can often be futile against viruses infesting it. Perhaps open-source ClamAV can do the job too, but I'm not sure.


Agreed. I'm not only uninstalling third party AV software - I always actually reimage the machine if it's preinstalled. Even Windows Defender does sketchy things, but at least it's the same vendor as the OS - so hopefully not adding on tons of risk.

I have the feeling that security software is often the most insecure one, because of bad design choices and lack of quality engineering.


Windows itself is proprietary software. MS Defender does an ok job, but for most malware that targets consumers, those AV softwares are not a negative.

As a techie you might have nation state actors employing sophisticated attacks or corporations spying on users. But the most immediate threats to consumers are things like phishing attacks, ransomware and banking trojans.


That's been my understanding too, and I've seen security professionals say the same. But possibly, their advice was intended for likely targets, such as journalists, and not the general public.

On the other hand, I'm not sure I'd trust a typical end user to protect themselves otherwise. Are they going to secure their OS profile? Avoid malware?


Yes, it seems like people here take the threat model of journalists and want to apply it to their 10 year old nephew who is downloading Minecraft mods.


It's pretty simple that they are looking to protect the user from everyday threats (hint hint: Bare Minimum in the title). Also, while I'm sure you're superman with a "security degree" that looks down on all the mere mortals, you would stand no chance against a government agency with all the time in the world and a blank check.


I expected better from Mozilla.

Connecting to unsecured WiFi is mostly not a problem. Most websites and applications encrypt traffic, and the security of the channel does not matter.

Plus, the recommendation to install shady antivirus software throws the motivation of this article into doubt.


I agree. The section on "Use tough passwords and change them frequently", except for the final suggestion to use a password manager, felt like antiquated password advice.


As long as the password manager is trusted. Some are run by a single person nobody's heard of. I met a woman in Vegas who ran one and who couldn't believe that people trusted it so much.


And then there are ones like LastPass that people on HN seem to recommend even though their TOS basically says they spy on all your browser behavior and sell it to 3rd parties


I trust 1Password at present. Everything they’ve done so far (including the structure of their financial incentives) has indicated to me that they are both willing and able to protect my privacy (even from future untrustworthy management) via their software.


Because that IS antiquated password advice.

1. In terms of “strong passwords” it’s better to use the word “passphrase”, which if they get past 4 words are almost always stronger than traditional “passwords” humans actually use. It’s a nitpick, but using the better term leads to better results in my experience. “Do I need a new password? No, you need a new passphrase”

2. In terms of rolling credentials frequently and on some time period, NIST specifically recommends against that now.


What do you use instead of a password manager?


I think you misunderstood the sentence. OP is saying TA's password advice (except for "use a password manager") is antiquated.


You're correct, I misread. Thank you.


And the average secured WiFi isn’t secure in a useful sense. Anyone else using it can pwn your unencrypted traffic just fine using standard techniques.


As soon as you are on the same collision domain as an adversary I think the risk of being attacked and exploited increases drastically. Many do it, but it's not a very safe thing to connect to untrusted Wifi.


Can you explain further? Are you saying SSL doesn’t provide the security a normal person thinks, there is more unencrypted traffic outbound than a normal person thinks, or that the unencrypted headers of the otherwise encrypted traffic are more valuable to a hacker than a person might think?


An adversary doesn't have to decrypt the traffic, they just reroute to their own TLS site to trick users. Or they do broadcasts like LLMNR to grab things and there are some WPAD attacks. Firewall on many computers might also allow things through, to perform relay or direct password bruteforce attacks. There are so many attacks that are possible, decrypting traffic really isn't so interesting.


> Use tough passwords and change them frequently. The best practice for passwords is to use real words or phrases you can remember easily — but spell them incorrectly. They should be at least eight characters and have a combination of letters, numbers, and special characters, such as 5pEAzhawh$ for “five pizzas.”

The result of encouraging frequent changes: 5pEAzhawh$, 5pEAzhawh$2, 5pEAzhawh$3, 5pEAzhawh$4, 5pEAzhawh$5, ...

> Even better, use a password manager like Lastpass.

They really should have led with this.


Yes, they clearly didn't consult (and/or use) security researchers' most recent recommendations about passwords.

Password managers have become a nearly non-negotiable necessity. Telling people to just use a password manager is becoming kind of like telling developers to just use source control 15 years ago. You just won't know how important they are (or the true cost/benefit) until you start using one yourself.


15 years ago?

Source control was very, very standard 15 years ago. 15 years ago I would have run, not walked, from a job if they didn't use source control.

There was no git, we used CVS, which was almost old enough to vote at that time.


> Source control was very, very standard 15 years ago.

For commercial shops, perhaps. But back then the bar for using source control was much, much higher, so for many small projects, people didn't bother. There wasn't anything as simple as `git init`.

There were a few public CVS and SVN servers that were appropriate for open source projects, but for anything personal or commercial, you had to use a local, single-user repo or set up your own server. (Back then, the only viable DVCS systems were commercial.)


Sourceforge is almost 20 years old now, and offered version control free of charge. For a while it was almost as dominant in the free software world as github is now. The FreeBSD CVS archive is 25 years old. Version control was absolutely mainstream back then.


> Version control was absolutely mainstream back then.

I’m not arguing with that, only pointing out that it wasn’t ubiquitous.


> you had to set up your own server.

That was like 5 minutes of work, though. Maybe an hour or two if you hadn't done it before. It's absurdly easy to set up and use SVN. CVS was easy to set up, but a nightmare to use.

> you had to use a local, single-user repo or set up your own server.

That's the opposite of having no source control, that's having source control.


Sorry, no, this just isn't true.


When will LastPass stop being recommended? It says right in their TOS they collect all your browser behavior and sell it to 3rd parties. Why should I trust them?


Can you highlight where in the TOS they say this? I’ve used LastPass for several years and this would be concerning if true. I didn’t seen any such language in their ToS: https://www.logmeininc.com/legal/terms-and-conditions


tos:

> You may use our Services only as permitted in these Terms, and you consent to our Privacy Policy at https://www.logmeininc.com/legal/privacy, which is incorporated by reference.

pp:

> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data to help us support the Services.

> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.

> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.

> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").

and

> Some specific examples of how we use the information:

> * Conduct research and analysis

> * Display content based upon your interests

> * Market services of our third-party business partners

and

> 4. Information Sharing

> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure and (d) as needed for legal purposes.

and

> Examples of how we may share information with service providers include:

> * Sending marketing communications

there's more


Huh? I just went through LogMeIn's privacy policy (which covers all of their services) and it says nothing of the sort.

The privacy policy for the firefox extension is also fairly clean.


see other reply


No, the best practice is to use a password manager with randomly generated passwords.


True, but there's still a few you have to memorize. Your PC's password and your password manager's password at least.




Also on Archive.today: https://archive.is/7SYNe


"Use antivirus protection. Buy and download antivirus software from a reputable source such as McAfee, Norton, or Symantec. Beware of free antivirus software, as it can contain malware. The iOS operating system has antivirus software built in..."

Do people still really install anti-virus? Isn't it just another vector for attack, since they themselves use exploits to manipulate the OS?

Linux for desktop, pixel or iOS for phone. Signal for communication, fastmail or Gmail on g suite for email.

Minimize installed apps on phone. Run a JavaScript blocker on Firefox if you're using an Android (and on your desktop).


Not only do people install it, I see it required in corporate IT all the time. As in, they even set a VPN policy that checks your anti-virus definitions for currency and will refuse to connect if the definitions aren't current or if anti-virus is not installed. These same corporate IT who force 90 day password changes, and nonsense like 5pEAzhawh$ instead of fivepizzassoundsgoodbutdontforgetthebeer because no matter what longer is better.


I was on a site the other day, which I won't share publicly, that required "NO MORE than 6 characters, including precisely 1 number and 1 capital" (paraphrase, my emphasis) ... I definitely WTF-ed at that.

My default is 20 characters of alphanum, or 16 of "graph" (though I drop look alike characters; 32 chars if I'm entering payment details).

One has to hope they have a small limit on retries. They definitely carry commercially sensitive data and do payment processing.

What worries me is they used js to catch my attempt to use 20 chars, so they're not operating completely naively -- all I can think was it was a misinterpretation and s/most/least.


That's often due to PCI compliance which I believe mandates antivirus software.


> Fine-tune your browser settings

This is not so great advice, especially as a "bare minimum." What setting would a user really want to change here?

The only advice should perhaps be the last sentence "Consider using plug-ins like Privacy Badger or HTTPS Everywhere to block tracking or keep your activity safer from snoops." And then explain what they do.


Author needs to read, or re-read NIST 800-63B. https://pages.nist.gov/800-63-3/sp800-63b.html

Do not change passwords frequently. Do not use short passwords and try to compensate by using special characters and nonsensical word obfuscation, instead use long passphrases, the longer the better.


Overall a good resource but please no to "antivirus" software like McAfee. Absolutely horrible and makes it worse.


Ok, so you have kids who play, say, Minecraft; they download all the mods they can in zipfiles and install all the other game packs from weird internet forums.

What is the bigger threat and attack vector, McAfee, Symantec or modding forums for a 10 year old?

For me installing AV is silly; I don't download and run random crap from the internet that a friend from school also installed. But if I had kids, having AV installed and updated would be quite a good idea. I also wonder all the time how my non-technical close ones break their computers; I don't know what they are clicking, but I do not get an unusable Windows 10 every 3 months. My gf is not technical but she almost never installs anything on her laptop and it works fine, so for this one I am quite happy.


Is McAfee really better than Windows Defender in this use case though?


Yeah, the antivirus recommendation sticks out like a sore thumb, and makes me wonder if anyone with a good background in security vetted the rest of it.


The only program of that nature I would recommend is MalwareBytes.


I’ve found that most antivirus software is just bloat.



Also, for posterity it can be found here too: https://archive.is/7SYNe


Mozilla should enable safe browser settings by default.

For example: third party cookies are never needed on 99% of the sites you visit.


Ironically, another piece of advice to protect your privacy would be not to use Firefox - considering all the new telemetry, newtabpage, beacons, and calling-home that Firefox nowadays does.


> Use tough passwords and change them frequently.

This is futile advice; no sane person is ever going to follow it. You can memorize a tough password or two, but change them and memorize the new ones frequently... nope.

> Tweak your home assistants.

Don't use home assistants unless you are a kind of person who really doesn't mind broadcasting their whole life as a reality show without even being informed when you're on air. I can't imagine a reasonable privacy-caring person who would.


OK, ... so what would the Hacker News Guide to Online Family Security look like?

- ISPs
- Routers
- Ad Blockers
- OS
- Data storage / backups
- Facebook or not?
- iOS v Android
...


I have PiHole running on our home network blocking ads, phishing domains, etc.

I also don't use the ISP router / wifi.

I feel like those two things are good steps towards protecting my family. They give me some peace of mind at least.


Have you run into any issues that required tweaking of the PiHole set-up? I'm running PiHole + a hand-rolled VPN on Digital Ocean but I'm looking to put together little PiHole boxes for my family who live across the country. It needs to pretty much be perfect out of the box or they'll unplug it.

I've only had to disconnect once or twice to unsubscribe from spam lists, but I doubt my family would even bother.


The only thing that almost annoys me is that Google ads are blocked on the redirect, but not display. So sometimes I click them and have to go back and click the organic result. I could probably tweak it.

I am running it on an old Pi B (the old one with an RCA jack). No issues. If I was sending to family across the country, I'd probably add remote access of some sort for myself.


I think that it's beneficial that Mozilla pushes this privacy-minded ideology. People who aren't tech-savvy might not know these tips.


Hitting a 404 now. Maybe all the comments here made the blog editors realize they posted some bizarre advice.


I've been wondering recently, (how) do identity protection or fraud protection software services actually work?

I feel like someone actually doing that right would be a big deal but haven't heard anything special about the market leaders.


If you don't want web sites to track you, you better not use a browser with JavaScript, e.g. you better not use Firefox :P Also, to avoid tracking you are better off using other people's internet connection, e.g. not your own.


The advice was basic high level advice which at this point should be common knowledge for anyone using the internet. I can see why they took down the blog post, because it was disappointing content.


Page not found 404 error.



There's a mirror here: https://archive.is/7SYNe


Does anyone know how data taken in data breaches is used by attackers? I’ve always been curious.


Also avoid DNA services. If one family member does it, it can compromise the entire family.


"Compromise" in what sense?

I don't find any sort of value in DNA services, but I don't feel "compromised" one bit that my brother uses them.

Anyway, the idea of "family" when we get into DNA is not useful, a skilled person can track you down because a total stranger who you share great great great grandparents with uploaded their DNA into an open source DNA database, which is what happened with the Last Area Rapist.


Your brother and you share a lot of your DNA. You could be flagged by an insurance company for genes that your brother has.


No you can't.

https://en.wikipedia.org/wiki/Genetic_Information_Nondiscrim...

And if GINA was repealed (and it wouldn't be, it passed the House 420-3 and passed the Senate 95-0), the insurance companies aren't going to beat around the bush and try to hack 23andMe, they'd just demand DNA samples directly as a requirement of being insured.


Is "hack 23andMe" code for "partner with 23andMe"?

> they'd just demand DNA samples directly as a requirement of being insured.

Unless GINA was repealed, but that remained illegal.


If you murder someone, they might be able to find you via 23andMe.

Some people would say, "Don't murder people, then!" but folks sometimes prefer, "How dare they catch you, what a violation of your privacy!"


Even if you don't commit the crime, you become more vulnerable to being false-flagged for it by a combination of lab contamination and a DNA database search.

Of course, if you go down this line of reasoning, you need to weigh the probability of this versus the probability of dying to an undiagnosed/late-diagnosed genetic condition.


So don't use 23 and me to make sure if your relatives can get away with murder?


Everyone who doesn't want their genetics searched has a murder to hide.

The punchline: the series of rapes and murders that was used to institutionalize mass DNA collection turned out to have been done by a cop who didn't have DNA taken.


>Turn off location services.

Will this make it impossible to find your lost iPhone?


Yes, but you can edit location settings for individual apps IIRC.


> They should be at least eight characters and have a combination of letters, numbers, and special characters, such as 5pEAzhawh$ for “five pizzas.”

Obligatory xkcd telling you to not do this: https://xkcd.com/936/


I'm by no means an expert in this field, but I thought at some point I had heard that using words like the xkcd comic were actually less secure. I thought what I heard was that there is a type of dictionary search that can be more efficient in cracking those "all words" passwords (as in, you don't really have 44 bits of entropy). Again, I've got no source, and am not very knowledgeable in this space, so someone correct me.


Assuming you pull these four words randomly (not-human-random, actually random) out of a dictionary of at least 2048 words, and separate them by a space, you have a password of (at least) 44 bits of entropy. There's no way a "dictionary" attack can reduce the possible password space to less than 2^44 possibilities.


You can use Diceware to generate these passwords: http://world.std.com/~reinhold/diceware.html

They recommend a minimum of six words though.


Some quick googling gave me this: https://paul.reviews/passwords-why-using-3-random-words-is-a...

(also good stuff here: https://security.stackexchange.com/questions/151165/is-rando...)

It seems the consensus is to use 5-6 words, and following the xkcd trick of 4 may not be enough.


Your first link uses a few assumptions that are very good security practice but may confuse the inexperienced reader:

It assumes that the attacker has complete knowledge of the password generation method. This is good security practice and provides you with a worst case boundary. In reality, though, an attacker seldom has that advantage. Before an attacker spends x hours/days/weeks to crack pure word-based passwords, they will spend time to crack "passw0rd". If you remove the advantage of password generation method knowledge, all numbers in this article are very different. The reader should know about that!

It assumes that whoever is storing the password may do so badly. It even states "assume the site stores our credentials in the weakest possible way". Which is a dangerous assumption since the weakest possible way would be plaintext and then the whole article would be moot. So, obviously we exclude plaintext. The article goes with simple, single md5 hashes instead. While some kind of worst case, it's pretty unrealistic nowadays that someone makes an effort not to store passwords in plaintext and then fails so miserably in googling how to do so. This worst case is probably chosen to have easier and more impressive cracking numbers. The reader should be aware of this.

It assumes that the attacker obtains the password database. Again, good security practice and a worst case scenario. But still not exactly 100% realistic. If you argue with this assumption, the reader should be aware of that.

In essence, this article proves that the "3 word method" is not secure enough when absolutely everyone uses this exact same method (with knowledge of the exact same words) with a service that incompetently stores passwords and got its password database stolen.

While that is true, the advice it gives "Don't use words in passwords. Ever." is just another example of great oversimplification that is harmful in the end.

Instead of bashing methods for being not secure enough (whatever that means), we should provide users with practical methods to come up with usable passwords that are reasonably secure for the service in question.
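The entropy arithmetic behind the 44-bit figure above, and the "known method, weak hash" worst case this comment picks apart, worked through as an added example (not code from any of the commenters or from the linked articles). The word list is a constructed toy stand-in, and the guesses-per-second figures are labelled order-of-magnitude assumptions, not measurements.

```python
import math
import secrets

# Constructed toy word list standing in for a real Diceware list (the real one
# has 7776 words); only the list SIZE matters for the entropy arithmetic.
TOY_WORDS = ["correct", "horse", "battery", "staple", "pizza", "mozilla",
             "router", "garden", "silver", "window", "copper", "lantern"]

# Assumed attacker guess rates (illustrative assumptions, not benchmarks):
# a GPU rig against unsalted MD5 vs. the same rig against bcrypt.
ASSUMED_GUESS_RATES = {
    "unsalted md5": 1e11,
    "bcrypt (high cost)": 1e4,
}


def passphrase_entropy_bits(num_words: int, dict_size: int) -> float:
    """Entropy when every word is drawn uniformly and independently from the
    list. This bound holds even if the attacker knows the method and the
    exact list: the search space is still dict_size ** num_words."""
    return num_words * math.log2(dict_size)


def generate_passphrase(num_words: int, words=TOY_WORDS, sep: str = " ") -> str:
    """Draw words with the OS CSPRNG (secrets), never random.choice and never
    by hand; human-picked words are not uniform and lose most of the bits."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time for a method-aware attacker: on average half the
    keyspace is searched before the right passphrase is hit."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def crack_time_table(num_words: int, dict_size: int) -> dict:
    """Expected crack time (seconds) per assumed storage scheme, which is the
    'weak hash vs. proper hash' comparison the comment above is about."""
    bits = passphrase_entropy_bits(num_words, dict_size)
    return {name: expected_crack_seconds(bits, rate)
            for name, rate in ASSUMED_GUESS_RATES.items()}


if __name__ == "__main__":
    for n, size in [(4, 2048), (6, 7776)]:  # xkcd sizing vs. Diceware minimum
        print(f"{n} words from {size}: {passphrase_entropy_bits(n, size):.1f} bits")
        for scheme, secs in crack_time_table(n, size).items():
            print(f"  {scheme:>20}: ~{secs / 86400 / 365:.2g} years")
    print("sample:", generate_passphrase(6))
```

The table makes the comment's point concrete: four words from a 2048-word list survive an unsalted-MD5 dump for only minutes under these assumptions, while six Diceware words, or a properly slow hash, push the same attacker to years.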


404? Has it been taken down?


As someone who has dropped almost all social media (mostly so I can get more done, but also for privacy), I can point out some non-obvious consequences. This blog post mentions that stopping the use of Facebook will prevent you from seeing your nephew's baby pictures... This is true.

My extended family and remote friends actually got upset when I dropped Facebook. They asked why I didn't want to be part of their lives, asked why I was choosing not to talk to them anymore... All while texting me on phones that allow instantaneous communication of any type of electronic media imaginable, more so than Facebook allows.

Moral of the story: Facebook and other social media make most people socially lazy with continuous use. If you don't believe me, go try to meet someone under the age of 30 "out in the wild", at a bar or venue. Bars used to be the easiest places to meet anyone at: just walk in, sit at the front, and start chatting. I'm not talking about people who are on their phones ignoring the outside world; even people just chilling and having a beer just don't know how to talk to someone outside of their social media platforms.



