= Device and Personal Privacy Technology Roundup :title: Device and Personal Privacy Technology Roundup :author: der.hans - https://www.LuftHans.com/talks/ :copyright: 2007-2017 der.hans --- CC BY-SA 4.0 unported :date: 2018Mar @ LibrePlanet :max-width: 60em :website: https://www.LuftHans.com/talks/ :source-highlighter: pygments :data-uri: :imagesdir: resources // Proposal // Would you like to avoid spying digital eyes? Has news about identity theft, phishing scams and ransomware got you worried about the safety of your devices? // This talk is a walk through of steps to take for improved online privacy and security. I'll recommend concrete Free Software to keep your personal information from leaking ( being exfiltrated ) from your personal devices. // This non-technical survey of security and privacy tools and settings is for people with an average threat model. // Topics: // // * Browser privacy and security addons // * Secure connection tunnelling ( https, SSH, VPN, TOR ) // * JavaScript, Cookies, Super Cookies, Super Deluxe Chocolate Chip Cookies // * Email client configuration // * Encryption // * Data escrow // * IoT == IANAL IANAL == Specifically Specifically... == IANYL IANYL == EPNYLBMTCB EFF is probably not your lawyer, but maybe the can be ... EFF is a great resource, specifically the Surveillance Self-Defence guide https://ssd.eff.org/ == Time Saving Tip There a new, new, new *huge* time-saving tip for personal security == JBNH Just buy new hardware Pipeline Speculation Happens // My talk will now be 5 minutes, then we'll spend the rest of the time cutting network cables and wrapping all our devices in aluminum foil... == Two Words Remember two words == The Words Meltdown image::meltdown.min.png[Meltdown__image_height_90_] Spectre image::spectre.min.svg[Spectre__image_height_90_] //image::keepitsecret300_preview.png[] == The Right Words // Goblin from Labyrnth image::say_your_right_words.png[say_your_right_words__image_height_240_] "Say Your Right Words" == Threat Model // dun dunt, dun dunt, dundunadun Threat Model: what are the likely security threats you need to worry about? == What is being threatended? ---- "They could have used my e-mail accounts to gain access to my online banking, or financial services. They could have used them to contact other people, and socially engineer them as well.“ – Mat Honan ---- == What is at stake? ---- "more than a year’s worth of photos, covering the entire lifespan of my daughter“ – Mat Honan ---- ---- "including those irreplaceable pictures of my family, of my child’s first year and relatives who have now passed from this life“ – Mat Honan ---- == Types of Threats * theft: someone copies your data * loss: someone destroys your copies of data or steals physical devices * spying: someone is spying on you, perhaps from your own devices == Threat Model Examples * TLA: most people don't need to worry about a Three Letter Agency * TSA: they get your hardware, but theoretically don't try to grab it * Nosy Neighbor: shoulder-surfing, stealing your WiFi * Phishing: cast a wide net, see who bites * Espianage: directly and intentionally attacking you == Threat Modeling Basics * Identify assets at risk * Envision potential attackers * Determine acceptable risks * Determine acceptable precautions * AARP: assets, attackers, risks, precautions == Determine Your Threats * old, fat male ** heart attack is a big threat ** several friends have gotten diabetes recently ** my risk of diabetes didn't go up ** my awareness of the consequences of diabetes skyrocketed == Types of Data * Financial * Locational * Medical * Authentication == Privacy and Security Note: *and* not *vs* == Security Updates Install Security Updates! Use only trusted software sources == Encryption and Privacy * at rest * in transit * 3rd party == 3rd Party * cloud ** cloud is forever * corporate affiliates ** who are these people and why are they raiding my fridge? * advertising networks ** eyeball tatoos for everyone * IoT ** the little spies who infiltrate == Browser Loophole Like a 1st grader, lives inside your firewall, imports lots of viruses // snotty kid image Locked down device and network is circumvented by a little JavaScript Current trends * Crypto Mining * Ransom Encryption * Spying IoT is also an internal to outside risk == Cookies, Flash Cookies, Super Cookies, Super Deluxe Chocolate Chip Cookies * cookie * flashcookie - in $HOME * supercookie - ISP-based, use VPN * beacons - aka web bugs * browser fingerprinting == Browser Privacy and Security Addons // JavaScript, Cookies, Super Cookies, Super Deluxe Chocolate Chip Cookies // flash cookies * uMatrix == NoScript ++ ** better UI ** controls JavaScript, cookies, iframes, etc * HTTPS Everywhere ** redirect to HTTPS via whitelist ** blocks JavaScript insertion == Browser Privacy and Security Addons II * Privacy Badger, AdBlock+, Ghostery and others ** block trackers * Lightbeam ** shows 3rd party connections == uMatrix image::uMatrix.png[uMatrix__image_height_240_] == Browser Profiling * use multiple profiles ** use one profile for search blocking cookies and JavaScript ** use different profiles for services from the search engine that require cookies and JavaScript, e.g. mail or social media ** use a seperate profile for banking ** setup only one profile that allows flash *** also use random strings for username == Browser Profiling II * EFF's panopticlick * containers and VMs * Qubes == Authentication * Password Manager ** KeePassXC * Random strings *everywhere* ** usernames ** subaddressing for email ** security questions and answers ** birthdates == Multi-Factor * offline MFA ** SMS is not safe ** use token-based MFA == Secure Connections and Tunnelling * HTTPS Everywhere * SSH tunnels ** Foxy Proxy ** requires some knowledge and diiligence * TOR ** web and some other services == VPN * tunnels all traffic * Private Internet Access sponsored LibrePlanet and is releasing client code as Free Software, also sponsored SCaLE two weeks ago == Email client Internet access * Email clients should never run JavaScript * Email clients should never allow cookies * Email clients should show fullish email address * Email clients should have easy config to block all email driven network access ** no web bugs ** no remote images ** no remote anything without specific approval * Use subaddressing == Magic 8 Ball * Outlook not good * If you absolutely have to use Outlook, please don't == Email client configuration * show full email address == Phones and Tablets - OS * Full and free distro ** Librem 5 * Freedom respecting forks ** Replicant ** Lineage OS == Phones and Tablets - apps * Snowden ** Introspection Engine ** Haven - detects movement * check all package access before installing ** flashlight apps do not need Internet access * F-Droid * Firefox and TOR browsers * VPN == Cameras and Microphones * hardware switch ** physical cover for camera works ** need internal physical switch for microphones *** listening in *** sonic trackers == Data Sharing and Storage * Freedom Box * Nextcloud * SSH == IoT // Cars to toasters * most IoT can't be audited * most IoT phones home * should be intrAnet of things * put on a seperate network segment * block by default for that network segment * use a proxy for IoT device access, both ways * just saw a good, depressing talk about IoT at SCaLE == Messaging * Signal * jmp.chat == Anti-Social Media // Weekly there's a Facebook revelation sufficient for a doctoral thesis // Mark's Propaganda Machine ---- In a few short days, the stories have called into question the entirety of Facebook’s ad platform, the data collection practices of its API-using third-party services, and the company’s commitment to user privacy and the policing of its platform. ---- https://www.theverge.com/2018/3/20/17140422/facebook-personal-data-deletion-how-to-cambridge-analytica-privacy-scandal-trump-campaign == MPM * Um, no. There was already no question that Facebook is a propaganda machine :) * Just because you're paranoid doesn't mean Facebook, Cambridge Analytica and Equifax aren't using your data against you == Social Media * Mastodon * GNU social * pump.io * Diaspora == Data Liberation * It's your data * Can you get a copy of it? * Can you use the copy without reverse-engineering the format? == Contacting Hans Thank you! * https://mastodon.social/@lufthans ** Mastodon * https://gnusocial.de/lufthans ** GNU Social * https://plus.google.com/106398898073454924098 ** G+ * LuftHans on Freenode, usually in #LOPSA ** IRC == Resources https://ssd.eff.org/