Device and Personal Privacy Technology Roundup

SCaLE 17x
2019Mar10
der.hans
https://floss.social/@FLOX_advocate
https://mastodon.social/@lufthans

IANAL

Specifically

Specifically …

IANYL

EPNYLBMTCB

EFF is probably not your lawyer, but maybe it can be …

EFF is a great resource, specifically the Surveillance Self-Defence guide

Time Saving Tip

There a new, new, new huge time-saving tip for personal security

JBNH

Just buy new hardware

Pipeline Speculation Happens

Two Words

Remember two words

The Words

Meltdown

Spectre

The Right Words

"Say Your Right Words"

Threat Model

Threat Model: what are the likely security threats you need to worry about?

What is being threatened?

"They could have used my e-mail accounts to gain access to my online banking, or financial services. They could have used them to contact other people, and socially engineer them as well.“ – Mat Honan

What’s really at stake?

"more than a year’s worth of photos, covering the entire lifespan of my daughter“ – Mat Honan

"including those irreplaceable pictures of my family, of my child’s first year and relatives who have now passed from this life“ – Mat Honan

Types of Threats

theft: someone copies your data
loss: someone destroys your copies of data or steals physical devices
spying: someone is spying on you, perhaps from your own devices

Threat Model Examples

TLA: most people don’t need to worry about a Three Letter Agency
TSA: they get your hardware and theoretically don’t try to grab it
Nosy Neighbor: shoulder-surfing, stealing your WiFi
Phishing: cast a wide net, see who bites
Spear-Phishing: pinpointed attacks
Espianage: directly and intentionally attacking you

Threat Modeling Basics

Identify assets at risk
Envision potential attackers
Determine acceptable risks
Determine acceptable precautions
AARP: assets, attackers, risks, precautions

Determine Your Threats

old, fat male
- heart attack is a big threat
- several friends have gotten diabetes recently
- my risk of diabetes didn’t go up
- my awareness of the consequences of diabetes skyrocketed

Types of Data

Financial
Locational
Medical
Authentication

Privacy and Security

Note: and not vs

Security Updates

Install Security Updates!

Use only trusted software sources

Encryption and Privacy

at rest
in transit
3rd party

3rd Party

cloud
- cloud is forever
corporate affiliates
- who are these people and why are they raiding my fridge?
advertising networks
- eyeball tatoos for everyone
IoT
- the little spies who infiltrate
- spying on your friends

Browser Loophole

Like a 1st grader, lives inside your firewall, imports lots of viruses

Locked down device and network is circumvented by a little JavaScript

Current trends

Crypto Mining
Ransom Encryption
Spying

IoT is also an internal to outside risk

Cookies, Flash Cookies, Super Cookies, Super Deluxe Chocolate Chip Cookies

cookie (uMatrix)
flashcookie - in $HOME (uMatrix)
supercookie - ISP-based (VPN)
tracking pixels - aka web bugs, beacons(uMatrix)
browser fingerprinting (uMatrix, Panoptclick)

Browser Privacy and Security Addons

uMatrix == NoScript ++
- better UI
- controls JavaScript, cookies, iframes, etc
HTTPS Everywhere
- redirect to HTTPS via whitelist
- blocks JavaScript insertion
- from EFF
LetsEncrypt

Browser Privacy and Security Addons II

Privacy Badger, AdBlock+, Ghostery and others
- block trackers
Lightbeam
- shows 3rd party connections

uMatrix

Browser Profiling

use multiple profiles
- use one profile for search blocking cookies and JavaScript
- use different profiles for services from the search engine that require cookies and JavaScript, e.g. mail or social media
- use a seperate profile for banking
  - also use random strings for username
- setup only one profile that allows flash

Browser Profiling II

EFF’s panopticlick
Firefox Containers
OS containers and VMs
- Qubes

Authentication

Password Manager
- KeePassXC, KeePassDroid
Random strings everywhere
- usernames
- subaddressing for email
- security questions and answers
- birthdates

Multi-Factor

offline MFA (TOTP)
- SMS is not safe
- use time-based MFA

Secure Connections and Tunnelling

HTTPS Everywhere
TOR browser
VPN
- consumer-ready service
SSH tunnels
- Foxy Proxy
- requires some knowledge and diligence

VPN

tunnels all traffic
Private Internet Access sponsored SCaLE and LibrePlanet and is releasing client code as Free Software

Email client Internet access

Email clients should never run JavaScript
Email clients should never allow cookies
Email clients should show full email address
Email clients should have easy config that blocks all email driven network access
- no web bugs
- no remote images
- no remote anything without specific approval
Use subaddressing
- ex: myname+randomstring@example.com

Just a reminder

Email clients should never run JavaScript

Magic 8 Ball

Outlook not good
If you absolutely have to use Outlook, please don’t

Email client configuration

show full email address
- yes: Thunderbird, alpine
- no: Thunderbird, gmail, Outlook, office365
block JavaScript
block Internet resources
- yes: alpine
- no: gmail
show linked URL
- yes: alpine, Thunderbird, gmail

Phones and Tablets - OS

Full and free distro
- Librem 5 (Purism booth in Expo Hall)
Freedom respecting forks
- Replicant
- Lineage OS

Phones and Tablets - security

password or passpattern
encrypt filesytems
regular backups

Phones and Tablets - apps

Snowden
- Introspection Engine
- Haven - detects movement
check all package permissions before installing
- flashlight apps do not need Internet access
F-Droid
Firefox and TOR browsers
VPN

Cameras and Microphones

hardware switch
- physical cover for camera works
- need internal physical switch for microphones
  - listening in
  - sonic trackers

WiFi

WiFi is not secure

this has been a public service announcement

Data Sharing and Storage

Nextcloud - private cloud
Freedom Box
SSH

IoT

most IoT can’t be audited
most IoT phones home
should be intrAnet of things
put on a seperate network segment
block by default for that network segment
use a proxy for IoT device access, both ways
last year SCaLE had a good, depressing talk about IoT

Messaging

Signal
jmp.chat
Nextcloud
Matrix

Terms

Man-in-the-Middle (MitM)
end-to-end encryption

Anti-Social Media

https://www.theverge.com/2018/3/20/17140422/facebook-personal-data-deletion-how-to-cambridge-analytica-privacy-scandal-trump-campaign

In a few short days, the stories have called into question the entirety of Facebook’s ad platform, the data collection practices of its API-using third-party services, and the company’s commitment to user privacy and the policing of its platform.

MPM

Um, no. There was already no question that Facebook is a propaganda machine :)
Just because you’re paranoid doesn’t mean Facebook, Cambridge Analytica and Equifax aren’t using your data against you

Federated Social Media

ActivityPub
Mastodon - microblogging
glitch.social - Mastodon fork
Pleroma - microblogging
PixelFed - image sharing
Plume - blogging engine
PeerTube - video streaming
GNU social - microblogging
pump.io - microblogging
Diaspora - microblogging

Data Liberation

It’s your data
Can you get a copy of it?
Is the exported data format well documented?

Backups and DR

Cloud all the things!

Data Escrow

an arrangement where something of value is held in trust by a trusted 3rd party

Safekeeping Data

KeePassXC
cloud
Nextcloud
old versions

When Compromised

full backup
reinstall!!!
change passwords

Contacting Hans

Thank you!

https://floss.social/@FLOX_advocate
- FLOX advocate
https://mastodon.social/@lufthans
- Mastodon
https://fediverse.blog/~/LuftHans
- Plume
LuftHans on Freenode, usually in #LibreLounge, #PLUGaz and #LOPSA
- IRC

FLOSS SCaLE Sponsors and Participants

Purism - booth and speaker
Turris from NIC.CZ - talk
Think Penguin - booth

Resources

EFF’s Surveillance Self-Defence guide