Information security is important. Yet lots of folks do things that diminish or even eliminate their personal or professional information security. In this article, I detail numerous information security best practices and the rationales behind them.

Passwords

Use Strong Passwords

Strong password design is tricky because people don’t understand the concept of entropy. So, rather than make specific suggestions about length or characters, or spend time emphasizing how you shouldn’t reuse passwords, I’m going to simply say: use LastPass.

LastPass

LastPass is a browser extension which remembers passwords and other forms for you. It generates strong passwords for you and saves them for you securely. When it’s time to log into one of your LastPass-guarded sites, all you have to do is click the LastPass icon in the password box on that site (protecting you from keyloggers). In other words, it makes having strong passwords easy. 

Tin Foil Hat Alternative: DIY Password Generator

Using LastPass is adequate for most people, but it isn’t open source. If you are a software developer and want to write your own password generator, here are some key considerations.

  • Your password generation method should have adequate entropy.
  • Your output (generated passwords) should conform to most sites’ password rules. If it doesn’t, you’ll end up manually modifying the output so that it does conform to said rules and you’ll have to remember the modifications.
  • Your input should be some easy to remember attribute of the account the password is being generated for.
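The three points above describe a deterministic generator: a memorised master secret plus an easy-to-remember account label goes in, a policy-conforming password comes out. The following is an added example written for this article, not code from the author or from LastPass; the character classes, the 80-character alphabet and the "one of each class" site rule are assumptions.

```python
import hashlib
import math
import string

# Character classes most site password policies require (assumed policy:
# at least one character from each class).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{}",
}
ALPHABET = "".join(CLASSES.values())  # 80 characters


def derive_bytes(master_secret: str, account_label: str, length: int) -> bytes:
    """Stretch the one memorised master secret for one account label.

    The label ("github", "bank") is the easy-to-remember input; PBKDF2 with a
    high iteration count makes recovering the master secret from one leaked
    password expensive.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode(), account_label.encode(), 200_000, dklen=length
    )


def satisfies_policy(password: str) -> bool:
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES.values())


def output_entropy_bits(length: int) -> float:
    """Entropy of a uniformly random string over ALPHABET. This is a ceiling:
    a derived password can never hold more entropy than the master secret."""
    return length * math.log2(len(ALPHABET))


def generate_password(master_secret: str, account_label: str, length: int = 20) -> str:
    """Deterministically derive a policy-conforming password.

    Derived bytes are mapped onto ALPHABET with rejection sampling (byte values
    >= 240 are skipped) so no character is favoured by a modulo bias. If the
    result misses a class, the label gets a counter suffix and we derive again,
    so the user never has to hand-edit the output to satisfy a site rule.
    """
    limit = 256 - (256 % len(ALPHABET))  # 240: largest multiple of 80 below 256
    for attempt in range(100):
        label = account_label if attempt == 0 else f"{account_label}#{attempt}"
        raw = derive_bytes(master_secret, label, length * 4)
        chars = [ALPHABET[b % len(ALPHABET)] for b in raw if b < limit][:length]
        password = "".join(chars)
        if len(password) == length and satisfies_policy(password):
            return password
    raise RuntimeError("could not derive a policy-conforming password")


if __name__ == "__main__":
    pw = generate_password("correct horse battery staple", "example.com")
    print(pw, f"({output_entropy_bits(len(pw)):.1f} bits ceiling)")
```

The retry-with-counter trick is what keeps the third bullet honest: the only thing to remember is the label, never a manual tweak. The entropy figure is an upper bound; if the master secret is a short phrase, that is the real bound on every password derived from it.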

No Browser-Remembered Passwords

Do not let Google Chrome or any other browser remember your passwords. Anyone who knows basic HTML can reveal your remembered password by changing the login form’s “type” attribute from “password” to “text”. It takes five seconds and makes you vulnerable to anyone who has physical access to your device.

No Biometrics (Yet)

Do not use biometric passwords until biometric recognition is good enough. At present, facial recognition can be beaten with a good photo and even fingerprint scanners aren’t foolproof.

Email

There are three very simple rules for email safety which will do more for you than most other items in this article.

  • Don’t respond with important information, ever.
  • Use browser-based email. Using Outlook or Thunderbird puts you at risk because nasty attachments come straight to your PC. If you use Gmail, Yahoo Mail, Hotmail, etc., you shift all that risk to Google/Yahoo/Microsoft’s servers instead. Just checking your email in a browser makes you far less likely to install a keylogger or some other nastiness.
  • Check the “From” address. If that account deletion warning from your bank seems strange, who is the sender? If your bank is XBank and the “From” address is accounts@xbank.com, you’re probably safe to respond. If it’s accounts@xbank.io or jerry47@randomail.net, then NO you don’t want to click that link.
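The "From" check in the last bullet is easy to get subtly wrong in code (a plain suffix match accepts notxbank.com, and a display name can carry the bank's address while the real address is someone else's). The following is an added example, not part of the original article; the sample headers are constructed and the trusted-domain list is an assumption.

```python
from email.utils import getaddresses

# Constructed sample From: headers. The first two are what a real message from
# XBank might carry; the rest are the kinds of lookalikes the article warns about.
SAMPLE_FROM_HEADERS = [
    "XBank Accounts <accounts@xbank.com>",
    "XBank Alerts <alerts@mail.xbank.com>",
    "XBank Accounts <accounts@xbank.io>",            # wrong TLD
    "Jerry <jerry47@randomail.net>",                 # unrelated sender
    "XBank Accounts <accounts@notxbank.com>",        # suffix lookalike
    "accounts@xbank.com <attacker@randomail.net>",   # bank address only in the display name
]

# Assumed: the domains you actually expect the bank to mail from.
TRUSTED_DOMAINS = {"xbank.com"}


def sender_domain(from_header: str) -> str:
    """Domain of the real sender address, or "" when the header is not one clean address.

    getaddresses() plus "exactly one address" defeats the display-name trick:
    older Pythons parse the spoofed sample as two addresses and strict newer
    ones return an empty address, and both paths end up here as "".
    """
    addrs = getaddresses([from_header])
    if len(addrs) != 1:
        return ""
    _, addr = addrs[0]
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_trusted_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only for a trusted domain itself or one of its subdomains.

    A naive domain.endswith("xbank.com") would also accept notxbank.com, so
    the match is either exact or requires the dot boundary.
    """
    domain = sender_domain(from_header)
    if not domain:
        return False
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def triage(headers):
    """Map each header to a verdict; handy for eyeballing a mailbox export."""
    return {h: ("looks legitimate" if is_trusted_sender(h) else "do not trust") for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:16} {header}")
```

The check catches lazy lookalikes, which is most of them, but the From header itself is just text the sender typed; whether the message really came from xbank.com is what your mail provider's SPF, DKIM and DMARC checks establish, so an unexpected request still deserves a phone call to the number on your card rather than a click.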

Encrypt and Lock Your Devices

Encrypt + Lock = Good

Every device you own should be encrypted: your phone, your laptop, your desktop, your tablet, etc. It is trivially simple to remove the hard drive from a stolen device and plug it into another device. Did you think your files were protected by your login password? Think again.

Encryption sounds difficult and scary, but it’s really not. Most Android phones and Apple phones and laptops have encryption options built into the operating system. You can encrypt your phone or MacBook from the settings menu. Windows devices aren’t much harder. Google “encrypt my xxxxx” to learn how to encrypt each of your devices.

That said, if you encrypt your devices but don’t lock them, you’re missing most of the benefits of encryption. What good is the encryption doing you if anyone can get into your files by just swiping up on your phone? Encryption and locking go hand in hand. Do both or reap the benefits of neither.

Tin Foil Hat Addendum: Hidden Volumes

If you’re in a situation in which you may be forced to decrypt your device, consider using a hidden volume. A hidden volume is a part of your hard drive which looks like empty space unless you decrypt the hard drive with the hidden volume password instead of the normal encryption password. Be careful though! Since the hidden volume looks like empty space even to the operating system (after you’ve decrypted the fake volume), it can easily be partially overwritten by saving files on the fake volume, and therefore irreparably corrupted.

Authentication

Two-Factor Authentication (2FA)

Using 2FA means that an attacker will have to both have your password and some secondary means of authentication (ideally a physical device like a cell phone) to access your account. It adds a little bit of hassle to your life because it also means that you have to have access to that secondary means of authentication when you want to log in, but the trade-off is more than worth it.

Tin Foil Hat Warning: Backup Codes Awareness

Some sites offer to give you one or more “backup codes”, in case you lose access to the account. (That is, you forget your password, lose your cell phone for phone 2FA, get locked out of the email you set as the password recovery email, etc.) Backup codes are great, but you should be aware of what an attacker would get if they got your backup codes. It’s different for different sites. Here are some examples.

  • Hotmail backup codes: let you reset the account password, change the recovery email, and access the account.
  • Gmail backup codes: even after entering a backup code, Gmail will still ask for another method of authentication before letting you in. If you do not provide one, Google will “review your request”.
  • Dropbox backup codes: can be used in place of a phone.
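To make concrete what "a secondary means of authentication" and a backup code are on the server side, here is an added example (not from the article or from any of the services named above): an RFC 6238 time-based one-time password, the algorithm behind authenticator-app codes, and a store of single-use backup codes that keeps only salted hashes. The backup-code format and the storage design are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps)."""
    counter = unix_time // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side for clock drift.

    Comparison is constant-time. A real server should also remember the last
    accepted counter so one code cannot be replayed inside the window.
    """
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + step * 30), code):
            return True
    return False


class BackupCodeStore:
    """Single-use recovery codes kept only as salted PBKDF2 hashes (assumed
    server-side design). A stolen database yields nothing directly usable, and
    a stolen printed code works at most once."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes: list[bytes] = []

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def issue(self, count: int = 8) -> list[str]:
        """Generate codes like 'a1b2-c3d4-e5f6' (48 random bits each); show
        them to the user once and never store the plaintext."""
        codes = ["-".join(secrets.token_hex(2) for _ in range(3)) for _ in range(count)]
        self.hashes.extend(self._hash(c) for c in codes)
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code: True exactly once for each issued code."""
        h = self._hash(code)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, h):
                del self.hashes[i]          # burn it
                return True
        return False


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    print("current code:", totp(secret, int(time.time())))
    store = BackupCodeStore()
    print("backup codes (print and keep offline):", store.issue(4))
```

The contrast with the list above is the point: a TOTP code proves possession of the phone for thirty seconds, while a backup code is a stored credential that stays valid until it is used, which is exactly why what a site lets a backup code do matters so much.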

Security Questions

Let me first say as a website administrator, that security questions are the poor man’s 2FA. Security question answers are often easy to find in public records or elsewhere. If you must use them, use them with care.

Only You Should Know Your Answers

Try to select questions and answers which are not available in public records. Here are some bad questions.

  • Where did you go to high school?
  • What was your mother’s maiden name?
  • What was the make and model of your first car?

For contrast, here are some arguably better questions.

  • What was the name of your first pet?
  • Where did you meet your significant other?
  • What is your favorite food?

No Quizzes

A great point about security questions, which was raised a few months back by journalist Brian Krebs: don’t answer personality (or other) quizzes online. You’re giving away information about yourself for free to potentially unscrupulous sources who may then try to use it to reset your passwords through account recovery or to phish their way into your accounts.

No Repeat Questions

Another point to take into consideration is that phone service operators and website admins may have access to your answers in plain text. Therefore, you’ll want to vary your selection of questions across sites in order to minimize cross-site exposure by malevolent operators or site admins.

Tin Foil Hat Alternative: Don’t Know Your Own Answers

Some sites and services do not let you pick good questions. If you are a software developer, you can write a security answer generator for security question answers. The input would be the question itself, and the output, ideally, is a human-readable phrase, since some services have operators who will ask you the answers to your security questions over the phone in order to authenticate you.
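The generator described above, as an added example that is not the author's code: the question text (plus the site, so the same question on two sites gets two different answers, which also covers the "No Repeat Questions" point) and a memorised master secret go in, and a short phrase you can read out over the phone comes out. The 64-word list is constructed for the example; a real generator would use a large published wordlist (assumption).

```python
import hashlib
import math

# Constructed 64-word list (6 bits per word). A real generator would use a
# large published list such as a diceware list (assumption); this one just
# keeps the example self-contained.
WORDS = [
    "acorn", "anchor", "apple", "basket", "beacon", "bridge", "cactus", "candle",
    "cobalt", "desert", "dolphin", "donkey", "eagle", "ember", "engine", "falcon",
    "feather", "fossil", "garden", "glacier", "goblet", "hammer", "harbor", "helmet",
    "iceberg", "island", "ivory", "jacket", "jasmine", "jungle", "kayak", "kernel",
    "kettle", "ladder", "lantern", "lemon", "magnet", "marble", "meadow", "nectar",
    "needle", "nickel", "orchard", "oyster", "pebble", "pepper", "quartz", "quiver",
    "river", "rocket", "saddle", "silver", "timber", "tunnel", "umbrella", "urchin",
    "velvet", "violin", "walnut", "willow", "yellow", "yonder", "zephyr", "zipper",
]


def normalize_question(question: str) -> str:
    """Collapse case, whitespace and trailing punctuation so "First pet's name?"
    and "first pet's name" derive the same answer."""
    return " ".join(question.lower().split()).rstrip("?.!")


def derive_answer(master_secret: str, site: str, question: str,
                  n_words: int = 3, words=WORDS) -> str:
    """Derive a pronounceable answer from (secret, site, question).

    The site is part of the salt, so an operator who sees the answer at one
    site learns nothing about the answer to the same question elsewhere.
    Word indices use rejection sampling over 16-bit values to avoid modulo bias.
    """
    salt = f"{site.lower()}|{normalize_question(question)}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt, 200_000,
                              dklen=16 * n_words)
    limit = 65536 - (65536 % len(words))
    chosen = []
    for i in range(0, len(raw) - 1, 2):
        value = int.from_bytes(raw[i:i + 2], "big")
        if value < limit:
            chosen.append(words[value % len(words)])
        if len(chosen) == n_words:
            break
    if len(chosen) < n_words:
        raise RuntimeError("ran out of derived bytes; increase dklen")
    return " ".join(chosen)


def answer_entropy_bits(n_words: int = 3, words=WORDS) -> float:
    """Guessing resistance of the phrase itself. With this 64-word demo list
    three words are only 18 bits, so use a list of thousands of words."""
    return n_words * math.log2(len(words))


if __name__ == "__main__":
    print(derive_answer("correct horse battery staple", "xbank.com",
                        "What was the name of your first pet?"))
```

One thing to decide up front is the exact wording you feed in: sites phrase the same question differently, so either record the site's wording alongside the account or settle on your own canonical wording per question, because the normalisation here only smooths over case and punctuation.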

Protection From Yourself: Single Points of Failure

This is a category that people often fail to consider completely. If your important stuff (read: bitcoin wallet, family photos, work documents) is on your laptop and you drop your laptop into the sea, your important stuff is now gone. You have failed to protect yourself from yourself.

You want to prevent the existence of any single point of failure in your setup. Any one account or device should be able to go without the whole system collapsing or being seriously damaged.

Redundancy

Any important files should be stored redundantly. You get some level of automatic redundancy from using services like Dropbox, Google Drive, or OneDrive, but with those services, there are a few points to keep in mind.

  • They might go away at any time. (Remember Google Reader? — yes I’m still bitter, so what?)
  • You sacrifice privacy by using them. This might be fine, or it might not, depending on what you’re storing.

Regardless, for an extra layer of redundancy, you should have backups of very important files on multiple external media.

Breadcrumb Trails

If any of your email/other accounts gets hijacked or you forget the password, you should be able to recover from it. This means that account recovery options on those accounts should be well explored and considered. You should leave yourself a breadcrumb trail to get out of the lost accounts woods. And you should do full tests of those breadcrumb trails. Pretend like you actually got locked out of that important account and try to get back in.

Your Monkey Brain

Don’t create a system which is too hard for you to use. Twenty-five-character passwords are super secure (at present), but if you’re not going to be able to remember them, don’t use them. You also need to protect yourself from your own monkey brain’s inadequacy. It’s not a hard drive. It just forgets stuff sometimes.

Self-Defeating Platitudes

Also worth mentioning in this section are some self-defeating platitudes about security that you sometimes hear.

  • “No one would come after me.” You’re probably right that no other individual person is targeting you. The energy spent in targeting an individual is usually not worth the payoff. But it won’t be a person targeting you and you alone. It will be an algorithm targeting everyone with a wide net, and pulling in the suckers.
  • “Security is too hard and it’s just too much effort.” This essentially amounts to, “I can’t secure everything, so I’m going to secure nothing.” Grab the low-hanging fruit! Do the easy stuff instead of doing nothing at all. Incremental improvement for the win.

20th Century Security Techniques

Our world is increasingly digital, but a handful of older security practices bear mentioning here.

Carry Credit

Carrying cash or debit means that if you lose your wallet, get robbed, or get scammed, you’ve denied yourself the mother lode of consumer protections built into almost every credit card. If you need to carry cash, carry just a little bit or put low withdrawal limits on your debit/bank card.

SSN LOL

Your social security number is effectively public information. If you think that it provides any level of account security, take a moment and think about the multitude of entities to whom you have provided it. That’s all I’m going to say about that.

Physical Security

Take a lesson from Battlestar Galactica: if it’s not digital, a hacker can’t touch it. You might want to keep some things offline: in your desk or a safe. Of course, if it’s not digital, it’s also not encrypted.

Honorable Mentions

Tin Foil Hat Credit Firewall: Freeze Your Credit

Equifax, TransUnion, and Experian all offer free credit un/freezing service. If you’re not planning on buying a car or a house, signing a new apartment contract, or opening new credit cards, what reason do you have not to freeze all three (and Innovis and ChexSystems while you’re at it)? If you are planning on doing something which involves credit checks, you can always temporarily unfreeze the relevant credit bureau.

Delete Securely

If you think that putting files in the Recycle Bin is the same as deleting… well, you’re probably not reading this article. But even actually-deleted files can be recovered. I once bought a laptop from a guy on Craigslist. The very first thing I did with it was undelete all of his files and look at his stuff.

This is why you should be using the digital equivalent of a file shredder on anything that you wouldn’t want someone to find. Eraser is one such program. Prevent Restore is another.

You might be asking, “isn’t this overkill if I’m encrypting my entire drive?” It is, but you don’t always have the option of encrypting the entire drive. For instance, you might be on a work computer.
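What a "file shredder" actually does, as an added example written for this article (not the code of Eraser, Prevent Restore or any other product): overwrite the file's blocks in place, scrub the filename out of the directory, then unlink. The demo file and its contents are constructed.

```python
import os
import secrets
import tempfile


def _overwrite(f, size: int, make_chunk, chunk: int = 1 << 16) -> int:
    """Write `size` bytes produced by make_chunk(n) from offset 0 and force them to disk."""
    f.seek(0)
    written = 0
    while written < size:
        n = min(chunk, size - written)
        f.write(make_chunk(n))
        written += n
    f.flush()
    os.fsync(f.fileno())
    return written


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite a file `passes` times with random bytes, once more with zeros,
    rename it to hide the original name, then unlink. Returns bytes written.

    Caveat: this only defeats undelete tools on media that rewrite blocks in
    place. SSDs remap writes (wear levelling) and journaling or copy-on-write
    filesystems can keep old copies of the data, so there the real answer is
    full-disk encryption, which makes every deleted block unreadable anyway.
    """
    size = os.path.getsize(path)
    total = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            total += _overwrite(f, size, secrets.token_bytes)
        total += _overwrite(f, size, lambda n: b"\0" * n)   # final zero pass
    # The directory entry still holds the old name; replace it before unlinking.
    scrambled = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, scrambled)
    os.remove(scrambled)
    return total


def demo(passes: int = 2) -> dict:
    """Shred a constructed file in a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tax-return.pdf")
        payload = b"constructed secret contents\n" * 1000
        with open(path, "wb") as f:
            f.write(payload)
        written = shred_file(path, passes=passes)
        return {
            "size": len(payload),
            "written": written,
            "gone": not os.path.exists(path),
            "dir_empty": os.listdir(tmp) == [],
        }


if __name__ == "__main__":
    print(demo())
```

The caveat in the docstring is the practical takeaway: on a work laptop with a spinning disk and no encryption this is worth doing; on an SSD it is mostly theatre, which is one more reason to push for full-disk encryption where you can.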

Be Careful With Installers

After email, installers are the best way to get keylogged or otherwise hijacked. Even installers from some reputable companies will come loaded with crapware.

  • Whenever given the option, choose “Custom Install” and pay attention to what you’re clicking “Next” to.
  • Where you download something from matters. The same software might be wrapped in spyware when downloaded from one site and clean from another.
  • The more you get into the weeds with random third-party programs, the more you put yourself at risk.

If you’re tech savvy enough, sandboxing and monitoring the installation is a good route when dealing with unknown new programs. For everyone else, just be cautious.

Reduce Your Digital Footprint

Whether or not you care about Big Brother or Big Data having all of your personal information, you probably don’t want random third parties having it. That means

  1. downloading old emails and data via services like Google Takeout,
  2. archiving it if it’s important to you,
  3. and then deleting it from website X if you’re not actively using it.

Even if website X is trustworthy, when they get compromised, you can bet that Random Blackhat and friends are not.

Tin Foil Hat Defense: Hiding Your Browsing

If you care about your ISP seeing all of your activity, you’ll want to hide it from them by using a VPN and Tor together. There are two ways to do this, Tor over VPN and VPN over Tor, and the differences and trade-offs are beyond the scope of this article. Regardless, if you don’t like targeted ads or are in a politically sensitive situation, masking your browsing activity is something you’ll want to do. Switching your computer’s name server to CloudFlare will also help in this respect as (at time of writing) they are the only DNS provider to use DNS over HTTPS.

Don’t use cloaking sites or free proxies! They may not all be bad, but trusting random strangers with the entirety of your web traffic is even worse than trusting your ISP.

Further Reading

We’ve covered lots in this article, but there is plenty more good material out there. Here’s some of it!

Krebs on Security

EFF Surveillance Self-Defense

Reddit /r/cybersecurity

privacytools.io

Have I Been Pwned

How to Encrypt Your: Mac | Android | PC


In the prior two articles in this series, I went over the basics of getting started with voice programming, and talked a little bit about the history and community of it. In this article, I’m going to go over best practices.

Let me preface with this. Your personal command set and phonetic design are going to depend on a variety of factors: accent, programming environment and languages, disability (if any), usage style (assistance versus total replacement), etc. The following is a list of guidelines based mostly on my experiences. Your mileage may vary.

Use Command Chains

If I could only impart one of these to you, it would be to use continuous command recognition/ command sequences. Get Dragonfly or Vocola and learn how to set it up. (Dragonfly. — Vocola.) Speaking chains of commands is much faster and smoother than speaking individual commands with pauses in between. If you’re not convinced yet, watch Tavis Rudd do it.

Phonetic Distinctness Trumps All

When selecting words as spoken triggers (specs) for actions, keep in mind that Dragon must understand you, and unless you’re a professional news anchor, your pronunciation is probably less than perfect.

  • James Stout points out the use of prefix and suffix words on his blog, Hands-Free Coding. Though they do add syllables to the spec, they make the spec more phonetically distinct. An example of a prefix word might be, adding “fun” to the beginning of the name of a function you commonly use. Doing so also gets you in the habit of saying “fun” when a function is coming up, which believe it or not, is often enough time to think of the rest of the name of the function, allowing for an easy mental slide.

  • Use what you can pronounce. Don’t be afraid to steal words or phonemes from books or even other spoken languages. I personally think Korean is very easy on the tongue with its total lack of adjacent unvoiced consonants. Maybe you like German, or French.
  • Single syllable specs are okay, but if they’re not distinct enough, Dragon may mistakenly hear them as parts of other commands (especially in command chains). As a rule of thumb, low number of syllables is alright, low number of phonemes isn’t.

The Frequency Bump

When you speak sentences into Dragon, it uses a frequency/proximity algorithm to determine whether you said “ice cream” or “I scream”, etc. However, it works differently for words registered as command specs. Spec words get a major frequency bump and are recognized much more easily than words in normal dictation. Take advantage of this and let Dragon do the heavy lifting. Let me give you an example of what I mean.

Dragonfly’s Dictation element and Vocola’s <_anything> allow you to create commands which take a chunk of spoken text as a parameter. The following Dragonfly command prints “hello N” where N is whatever comes after the word “for”.

I’m going to refer to these sorts of commands as free-form commands. Given a choice between setting up the following Function action with free-form dictation via the Dictation element, or a set of choices via the Choice element, the Choice element is the far superior um… choice.

In this example, if you set up <parameter> as a Dictation element, Dragon can potentially mishear either “foo” or “bar”. If you set up <parameter> as a Choice element instead, all of the options in the Choice element (in this case, “foo” and “bar”) get registered as command words just like the phrase “do some action” does, and are therefore far more likely to be heard correctly by Dragon.

Anchor Words and the Free-Form Problem

Let’s say we have a free-form command, like the one mentioned above, and another command with the spec “splitter”. In this hypothetical situation, let’s also say they are both part of the same command chain grammar.

Usually, I would use the “splitter” command to print out the split function, but this time I want to create a variable called “splitter”. If I say “variable splitter”, nothing will happen. This is because, when Dragon parses the command chain, first it recognizes “variable”, then before it can get any text to feed to the “variable” command, the next command (“splitter”) closes off the dictation. This has the effect of crashing the entire command chain.

There are a few ways around this. The first is to simply give up on using free-form commands or specs with common words in command chains. Not a great solution. The second way is to use anchor words.

In this modified version of the command, “elephant” is being used as an anchor word, a word that tells Dragon “free-form dictation is finished at this point”. So here, I can say, “variable splitter elephant” to produce the text “var splitter”.

Despite the effectiveness of the second workaround, I find myself getting annoyed at having to say some phonetically distinct anchor word all the time, and often use another method: pluralizing the free-form Dictation element, then speaking a command for the backspace character immediately after. For example, to produce the text “var splitter”, I could also say, “variable splitters clear”. (“Clear” is backspace in Caster.)

I am working on a better solution to this problem and will update this article when I finish it.
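To make the three cases above concrete, here is a small simulation added for this article. It is not Dragon, Dragonfly or Caster code and does no speech recognition; it only models the greedy chain parsing described above, with an assumed grammar in which “variable” takes free-form text and emits `var <text>`, “splitter” emits `.split(`, “clear” is backspace and “elephant” is the anchor word.

```python
# Assumed toy grammar for the simulation (not a real Dragonfly grammar).
ANCHOR = "elephant"
COMMAND_WORDS = {"variable", "splitter", "clear", ANCHOR}


def speak(utterance: str, anchored: bool = False):
    """Return the text the chain would type, or None when the chain crashes.

    anchored=False models a plain Dictation element: the free-form text ends
    as soon as any command word shows up. anchored=True models the
    "variable <dictation> elephant" grammar: the text runs until the anchor,
    so command words inside it are just words.
    """
    words = utterance.split()
    buf = ""
    i = 0
    while i < len(words):
        w = words[i]
        if w == "variable":
            j = i + 1
            dictated = []
            if anchored:
                while j < len(words) and words[j] != ANCHOR:
                    dictated.append(words[j])
                    j += 1
                if j == len(words):
                    return None          # anchor never spoken: the command never completes
                j += 1                   # consume the anchor itself
            else:
                while j < len(words) and words[j] not in COMMAND_WORDS:
                    dictated.append(words[j])
                    j += 1
            if not dictated:
                return None              # "variable splitter": empty dictation, chain crashes
            buf += "var " + " ".join(dictated)
            i = j
        elif w == "splitter":
            buf += ".split("
            i += 1
        elif w == "clear":
            buf = buf[:-1]               # backspace
            i += 1
        else:
            return None                  # word outside the grammar: treated as a misrecognition
    return buf


if __name__ == "__main__":
    for phrase, anchored in [("variable splitter", False),
                             ("variable splitter elephant", True),
                             ("variable splitters clear", False)]:
        print(f"{phrase!r:32} -> {speak(phrase, anchored)!r}")
```

Running it shows the failure (“variable splitter” yields nothing) next to both workarounds producing `var splitter`, and why the anchor word costs you a syllable on every free-form command while the pluralise-and-backspace trick only costs one extra word.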

Reusable Parts

On the Yahoo VoiceCoder group site, Mark Lillibridge proposes two categories for voice programmers, what he calls Type I and Type II. Type I optimize strongly for a very specific programming environment. Type II create more generic commands intended to work in a wide variety of environments. Along with Ben Meyer of VoiceCode.io, I fall into the latter category. My job has me switching between editors and languages constantly, so I try to use lots of commands like the following.

I also try to standardize spoken syntax between programming languages. It does take extra mental effort to program by voice, so the less specialized commands you have to learn across the different environments you work in, the better.

What About You?

That’s all I’ve got. Have any best practices or techniques of your own? Leave them in the comments; I’d love to hear them!