Online security

Tags: English, technology, hacks
Created on Wed, 20 Oct 2021

Last week I wrote about a hypothetical Facebook Messenger and WhatsApp breach which would give the world access to everyone's chats - including yours, your friends', your parents', everyone you know or don't - indexable, searchable by everyone. A truly "privacy is over" type of situation. I argued that this is what people really cared about - a personal hit, not bombs and terrorists or some unknown John in a three-letter agency reading your chats. Someone you know - or everyone you know - reading your personal communications with other people.

Scale it down

Alright, maybe leaking all of Facebook's chats would require literal trucks and months of unmonitored leakage due to the sheer amount of data. Text is not so big - the whole of English Wikipedia is merely 20 GB, which can be stored on a 32 GB, ~$10 microSD card with storage to spare. More difficult would be the multimedia - images, audio, clips. If we are talking just about the content of text messages (which would be a non-trivial amount of communication, except maybe the more and more frequent voice messages on many platforms), with the right tools and access these can be exfiltrated compressed, similarly to how Ed Snowden did it with the NSA.

But let's scale it down from "worldwide breach" - say it just happens to you. Who could target you? Ex-boyfriends/girlfriends frequently have access to your password or physical phone(s) and computer(s) for some critical time right after the limbo separation. Roommates or party invitees, some of whom may not like you. Forgotten phones in a bar. What if all your chats get exported and shared publicly, easily searchable? Do you have anything to hide then?

Parents tech support

A few paragraphs on the side - I want to explain that this stuff may be technical, but you don't have to be tech-savvy to implement and use it. It will be a little inconvenience (a few minutes to an hour) while you set it up, but then not much will change in your day-to-day life.

Last time I visited my parents I did the normal tech support games. I'm proud that since I left Bulgaria about 10 years ago my parents have been running a Xubuntu flavor of Linux with almost no issues on multiple different laptops that they changed over the years. Never dealt with anti-viruses or viruses, random slow-downs or driver updates. Almost all screw-ups have been my own. One time, after a remote-access support session, I managed to screw up the update on the machine, which resulted in the bootloader not being able to find the OS. My parents are not too tech-savvy, but this resulted in my biggest achievement to date: being able to get my mom through a GRUB rescue console over a video chat. So I don't know - maybe they are secret hackers after all :)

So I checked that everything with the OS was all right - updated packages, no randomly installed software (although with Linux that would be super difficult - yet, just to be sure) - and was fairly happy. But while doing that there were tons of annoying notifications from Facebook and news websites that kept popping up on the right. I asked my parents and they said they don't pay attention, but I decided to be a good citizen and remove all those 21st-century toolbars.

But the bulk of the support was on passwords. Chrome has become more and more aggressive towards password management - which is good. (It has also become extremely easy to allow all websites to run service workers, and so random notifications were popping up, so I had to remove all of them and disallow new ones.) It reds out passwords on non-HTTPS websites, but almost none of them are on non-HTTPS anymore - which is also nice, yay Let's Encrypt. It also prompts you to use the password manager. I took the leap - but I wanted to lock it down a lot. So I set them up with pretty much the best practices these days. If my parents can do it, you can do it! What are these?

What can be done?

There are many more ways to stay secure and protect your privacy these days, depending on your use case. There is no absolute security without usability; it's always a tradeoff, but following the above 3-4 things should greatly help you stay safe online these days.

Pobody is nerfect, it can happen to all of us. That's why the best approach these days is so-called defense in depth - even if some part gets breached, there should be other controls that stop it, in a similar way to multiple physical doors for security. For example, I (almost) got pwnd by a friend who used my computer at home, logged in to one of my Firefox profiles which I used for some websites, and thus synced some of mine and all of her passwords for months before realizing it.

That's a scenario that is too concrete, yet I implemented some more guards for similar situations. You don't have to go that far - using these simple rules above will get you a long way against being pwnd by someone who doesn't like you. In this increasingly electronic (some may say dystopian) world, a little privacy can go a long way. Do it if you can, it doesn't cost much!