Would you leave your car or house unlocked? Would you leave your wallet on a public sidewalk? You would not, but you might unwittingly do the digital equivalent.

Information security is important. Yet lots of folks do things which diminish theirs. In this article, I detail various information security concepts and best practices, and the rationales behind them.

Threat Modeling

An article about information security which doesn’t mention, or at least embody, the concept of threat modeling, is either amateur or remiss. Threat modeling simply means: figuring out which cybersecurity threats are relevant to you or your organization, the seriousness of the damage they could inflict, and what it would look like to protect against them.

Let’s look at two simple scenarios which might be part of a personal threat model.

Scenario 1: Meh

An email account that you only use for shady/spammy-looking sites gets compromised. This email account doesn’t even have your real information associated with it. Should you bother protecting it with methods which are so strong that they decrease usability? Probably not. You lose almost nothing if an attacker gains access to it.

Scenario 2: Serious

Your work email account gets compromised. Depending on what kinds of systems your work email is attached to, you might be looking at public embarrassment, identity theft, or even you being identified as the weak link in a larger phishing attack. It stands to reason then, that protecting your work email, even with methods which decrease usability, is probably worthwhile.

Security vs Usability

The idea is, there is always a trade-off between security and usability. You want to make it difficult for anyone except you to gain access to your accounts. Threat modeling helps you determine what that looks like and when it’s worth it.

The rest of this article assumes a sort of “common man’s” threat model.

Passwords

How to Use Strong Passwords

Strong password design is tricky because most people don’t understand the concept of entropy. Rather than make specific suggestions about length or characters, or spend time emphasizing how you shouldn’t reuse passwords, I’m going to make a simpler suggestion: use a password manager.

A password manager will (1) generate better passwords than you can think up, and (2) be easier to use than your homegrown password system.

Don’t Use Biometrics (Yet)

Do not use biometric passwords until biometric recognition is accurate enough. At present, facial recognition can be beaten with a good photo and even fingerprint scanners aren’t foolproof.

Email

There are two simple rules for email safety which will do more for you than most other items in this article.

  • Don’t respond with sensitive information. There are a variety of reasons for this, not the least of which is this: even if the other party is making a legitimate request, you cannot guarantee that their email account won’t be compromised, exposing your information. Email is just not an appropriate format for this sort of exchange.
  • Check the “From” address. If that account deletion warning from your bank seems strange, who is the sender? If your bank is XBank and the “From” address is accounts@xbank.com, you’re probably safe to respond. If it’s accounts@xbank.io or jerry47@randomail.net, then NO you don’t want to click that link.
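The “From” check above can be automated for a mailbox you control. The following is an added example (not code from the article) that uses Python’s standard library to pull the real address out of a From header, so a friendly display name that merely mentions the bank does not count, and compares its domain exactly against an allowlist; xbank.com is the article’s hypothetical bank, the allowlist and the sample headers are constructed here, and the `.example` domain is a reserved placeholder.

```python
import email.utils
from typing import Iterable, Optional, Tuple

# Constructed allowlist: the domain the article's hypothetical bank actually mails from.
XBANK_DOMAINS = frozenset({"xbank.com"})


def sender_domain(from_header: str) -> Optional[str]:
    """Extract the domain of the real address in a From header.

    parseaddr() separates the display name from the address, so a display
    name such as 'XBank Accounts' in front of an unrelated address is ignored.
    """
    _display_name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def check_from(from_header: str, allowed_domains: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Classify a From header as 'ok', 'suspicious' or 'unparseable'.

    Matching is exact and case-insensitive: xbank.io, xbank.com.evil.example
    and sub.xbank.com are all rejected unless explicitly listed.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable", None
    allowed = {d.lower() for d in allowed_domains}
    return ("ok" if domain in allowed else "suspicious"), domain


if __name__ == "__main__":
    samples = [  # constructed headers, including the ones from the article
        "accounts@xbank.com",
        "accounts@xbank.io",
        "jerry47@randomail.net",
        "XBank Accounts <jerry47@randomail.net>",
        "accounts@xbank.com.evil.example",
        "not an address",
    ]
    for sample in samples:
        print(f"{sample!r:45} -> {check_from(sample, XBANK_DOMAINS)}")
```

This catches the mismatches the article describes (a lookalike top-level domain, a random address, a display name dressed up as the bank). It does not prove the mail came from the bank: the From header itself can be forged, which is what SPF, DKIM and DMARC exist to detect; your mail provider records their verdict in the Authentication-Results header, and that is the next thing to look at when a message still seems off.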

Both Encrypt and Lock Your Devices

Every device you own should be encrypted: your phone, your laptop, your desktop, your tablet, etc. It is trivially simple to remove the hard drive from a stolen device and plug it into another device. Did you think your files were protected by your login password? Think again.

Encryption sounds difficult and scary, but it’s really not. Most Android phones and Apple phones and laptops have encryption options built into the operating system. You can encrypt your phone or MacBook from the settings menu. Windows devices aren’t much harder. Search for “encrypt my xxxxx” to learn how to encrypt each of your devices.

That said, if you encrypt your devices but don’t lock them, you’re missing most of the benefits of encryption. What good is the encryption doing you if anyone can get into your files by just swiping up on your phone? Encryption and locking go hand in hand. Do both or reap the benefits of neither.

Authentication

Two-Factor Authentication (MFA/2FA)

Using 2FA means that an attacker will need both your password and some secondary means of authentication (ideally a physical device like a cell phone) to access your account. It adds a bit of hassle to your life (decreases usability), because it also means that you have to have access to that secondary means of authentication whenever you want to log in, but the trade-off is often worth it.

Text Message Security Codes

At present, the most common form of 2FA is the text message security code. You’ve almost certainly seen these: after entering your username and password on a site or app which has your cell phone number, a security code is texted to you. You enter the code and then you are granted access.

For most people, this method strikes a pretty good balance between security and usability. It should be noted, however, that it is also the least secure 2FA method.

Physical Security Keys

Various companies make USB and Bluetooth security keys. These look like USB keys, but do not store data. Instead, they are used as a form of 2FA when logging into your accounts.

Basically, whenever you would otherwise have received a security code by text message, you plug the security key into a USB port, or hold it close to your phone, and that authenticates you. It’s easier than the text messages method, and more secure, since an attacker would need to acquire both your password and a physical object (the security key).

Unfortunately, the U2F protocol used by security keys is not widely supported. You can check here to see if your favorite site or app supports it yet.

Authenticator Apps

These apps work similarly to the text message security codes, except that they are entirely offline. Each account that you register with an authenticator app shows up in the app with a code that you can use to authenticate. These codes change every 60 seconds, and will even work in airplane mode.

Backup Codes: Awareness

Some sites offer to give you one or more “backup codes”, in case you lose access to the account. (That is, you forget your password, lose your cell phone for phone 2FA, get locked out of the email you set as the password recovery email, etc.) Backup codes are nice, but you should be aware of what an attacker would get if they acquired your backup codes. It’s different for different sites. Here are some examples.

  • Hotmail backup codes: let you reset the account password, change the recovery email, and access the account.
  • Gmail backup codes: even after entering a backup code, Gmail will still ask for another method of authentication before letting you in. If you do not provide one, Google will “review your request”.
  • Dropbox backup codes: can be used in place of a phone.

Security Questions

Security questions are the poor man’s 2FA: their answers are often easy to find in public records or elsewhere. If you must use them, use them with care.

Only You Should Know Your Answers

Try to select questions and answers which are not available in public records. Here are some bad questions.

  • Where did you go to high school?
  • What was your mother’s maiden name?
  • What was the make and model of your first car?

For contrast, here are some arguably better questions.

  • What was the name of your first pet?
  • Where did you meet your significant other?
  • What is your favorite food?

No Quizzes

A great point about security questions, which was raised a while back by journalist Brian Krebs: don’t answer personality (or other) quizzes online. You’re giving away information about yourself for free to potentially unscrupulous sources, who may then try to use it to phish their way into your accounts or hijack them through account recovery.

Single Points of Failure

Do you have only one email address? Only one bank account? One laptop with all of your family photos, tax records, and the manuscript of the book you’ve been writing for nine years? Consider the following.

One Email Address

What would happen if your email address got hijacked? What would you lose access to? What would an attacker gain access to? It might be worth having more than one email.

Another proactive measure which can somewhat mitigate the severity of a future email breach: you can periodically archive and delete old emails which include sensitive information, or all emails older than a few weeks/months/years.

One Bank Account

If an attacker gained access to your bank account, could they drain your whole life savings? Even splitting your assets across two accounts would cut that damage in half.

One Storage Device or Account

Are you carrying around a laptop with lots of sensitive information on it? Storage is cheap. Why not move your sensitive data to a USB stick that you keep somewhere safe instead of losing everything while you were in the restroom at Starbucks?

Prevention

You want to prevent the existence of any single point of failure in your setup. Any one account or device should be able to fail or be lost without the whole system collapsing or being severely damaged.

Honorable Mentions

Carry Credit

Carrying cash or debit means that if you lose your wallet, get robbed, or get scammed, you’ve denied yourself the motherlode of consumer protections built into almost every credit card. If you need to carry cash, carry just a little bit or put low withdrawal limits on your debit/bank card.

What Can Go Offline?

Take a lesson from Battlestar Galactica: if it’s not digital, a hacker can’t touch it. You might want to keep some things offline: in your desk or a safe. Of course, if it’s not digital, it’s also usually not encrypted.

Freeze Your Credit

Equifax, TransUnion, and Experian all offer free credit un/freezing service. If you’re not planning on buying a car or a house, signing a new apartment contract, or opening new credit cards, what reason do you have not to freeze all three (and Innovis and ChexSystems while you’re at it)? If you are planning on doing something which involves credit checks, you can always temporarily unfreeze the relevant credit bureau.

Be Careful With Installers

On laptops/desktops, installers are the best way to get keylogged or otherwise hijacked. Even installers from some reputable companies will come loaded with crapware.

  • Whenever given the option, choose “Custom Install” and pay attention to what you’re clicking “Next” to.
  • Where you download something from matters. The same software might be wrapped in spyware when downloaded from one site and clean from another.
  • The more you get into the weeds with random third party programs, the more you put yourself at risk.

If you’re tech savvy enough, sandboxing and monitoring the installation is a good route when dealing with unknown new programs. For everyone else, just be cautious.

Further Reading

We’ve covered lots in this article, but there is plenty more good material out there. Here’s some of it!

Krebs on Security

EFF Surveillance Self-Defense

Reddit /r/cybersecurity

privacytools.io

Have I Been Pwned

How to Encrypt Your: Mac | Android | PC


In the prior two articles in this series, I went over the basics of getting started with voice programming, and talked a little bit about the history and community of it. In this article, I’m going to go over best practices.

Let me preface with this. Your personal command set and phonetic design are going to depend on a variety of factors: accent, programming environment and languages, disability (if any), usage style (assistance versus total replacement), etc. The following is a list of guidelines based mostly on my experiences. Your mileage may vary.

Use Command Chains

If I could only impart one of these to you, it would be to use continuous command recognition (command sequences). Get Dragonfly or Vocola and learn how to set it up. Speaking chains of commands is much faster and smoother than speaking individual commands with pauses in between. If you’re not convinced yet, watch Tavis Rudd do it.

Phonetic Distinctness Trumps All

When selecting words as spoken triggers (specs) for actions, keep in mind that Dragon must understand you, and unless you’re a professional news anchor, your pronunciation is probably less than perfect.

  • James Stout points out the use of prefix and suffix words on his blog, Hands-Free Coding. Though they do add syllables to the spec, they make the spec more phonetically distinct. An example of a prefix word might be adding “fun” to the beginning of the name of a function you commonly use. Doing so also gets you in the habit of saying “fun” when a function is coming up, which, believe it or not, is often enough time to think of the rest of the name of the function, allowing for an easy mental slide.
  • Use what you can pronounce. Don’t be afraid to steal words or phonemes from books or even other spoken languages. I personally think Korean is very easy on the tongue with its total lack of adjacent unvoiced consonants. Maybe you like German, or French.
  • Single syllable specs are okay, but if they’re not distinct enough, Dragon may mistakenly hear them as parts of other commands (especially in command chains). As a rule of thumb, a low number of syllables is alright, a low number of phonemes isn’t.

The Frequency Bump

When you speak sentences into Dragon, it uses a frequency/proximity algorithm to determine whether you said “ice cream” or “I scream”, etc. However, it works differently for words registered as command specs. Spec words get a major frequency bump and are recognized much more easily than words in normal dictation. Take advantage of this and let Dragon do the heavy lifting. Let me give you an example of what I mean.

Dragonfly’s Dictation element and Vocola’s <_anything> allow you to create commands which take a chunk of spoken text as a parameter. The following Dragonfly command prints “hello N” where N is whatever comes after the word “for”.

I’m going to refer to these sorts of commands as free-form commands. Given a choice between setting up the following Function action with free-form dictation via the Dictation element, or a set of choices via the Choice element, the Choice element is the far superior um… choice.

In this example, if you set up <parameter> as a Dictation element, Dragon can potentially mishear either “foo” or “bar”. If you set up <parameter> as a Choice element instead, all of the options in the Choice element (in this case, “foo” and “bar”) get registered as command words just like the phrase “do some action” does, and are therefore far more likely to be heard correctly by Dragon.

Anchor Words and the Free-Form Problem

Let’s say we have a free-form command, like the one mentioned above, and another command with the spec “splitter”. In this hypothetical situation, let’s also say they are both part of the same command chain grammar.

Usually, I would use the “splitter” command to print out the split function, but this time I want to create a variable called “splitter”. If I say “variable splitter”, nothing will happen. This is because, when Dragon parses the command chain, first it recognizes “variable”, then before it can get any text to feed to the “variable” command, the next command (“splitter”) closes off the dictation. This has the effect of crashing the entire command chain.

There are a few ways around this. The first is to simply give up on using free-form commands or specs with common words in command chains. Not a great solution. The second way is to use anchor words.

In this modified version of the command, “elephant” is being used as an anchor word, a word that tells Dragon “free-form dictation is finished at this point”. So here, I can say, “variable splitter elephant” to produce the text “var splitter”.

Despite the effectiveness of the second workaround, I find myself getting annoyed at having to say some phonetically distinct anchor word all the time, and often use another method: pluralizing the free-form Dictation element, then speaking a command for the backspace character immediately after. For example, to produce the text “var splitter”, I could also say, “variable splitters clear”. (“Clear” is backspace in Caster.)
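To make the Choice-versus-Dictation point and the anchor-word problem concrete, here is an added example in plain Python. It is not Dragonfly, Vocola or Caster code and not the author’s grammar; it is a small, constructed model of the behaviour the article describes: spec words and Choice options are “command words”, a free-form Dictation element runs until the next command word (or, if the spec has a literal after it, until that anchor), and an unmatched position crashes the chain. The rules (“variable <text>”, its anchored version, “splitter”, “do some action <parameter>”, and “clear” as backspace) and the words “elephant” and “clear” are taken from the article; everything else is assumed for illustration.

```python
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Words used in the article: "elephant" as the anchor word, "clear" as backspace (Caster).
ANCHOR_WORD = "elephant"
BACKSPACE_WORD = "clear"


class Dictation:
    """Free-form element: swallows words until a command word, or until the anchor that follows it."""


class Choice:
    """Fixed-vocabulary element: its options are registered as command words."""
    def __init__(self, options: Sequence[str]):
        self.options = frozenset(options)


class Output:
    """Stands in for the keystrokes an action would send to the editor."""
    def __init__(self):
        self.buf = ""

    def type_text(self, s: str) -> None:
        self.buf += s

    def backspace(self) -> None:
        self.buf = self.buf[:-1]


Rule = Tuple[List[str], Dict[str, object], Callable[[Dict[str, str], Output], None]]

# Constructed grammar mirroring the article's commands: (spec words, extras, action).
RULES: List[Rule] = [
    (["variable", "<text>"], {"text": Dictation()},
     lambda v, o: o.type_text("var " + v["text"])),
    (["variable", "<text>", ANCHOR_WORD], {"text": Dictation()},      # the anchored version
     lambda v, o: o.type_text("var " + v["text"])),
    (["splitter"], {}, lambda v, o: o.type_text("split()")),
    (["do", "some", "action", "<parameter>"], {"parameter": Choice(["foo", "bar"])},
     lambda v, o: o.type_text("action(" + v["parameter"] + ")")),
    ([BACKSPACE_WORD], {}, lambda v, o: o.backspace()),
]


def command_words(rules: List[Rule]) -> frozenset:
    """Every literal spec word plus every Choice option gets the 'frequency bump'."""
    words = set()
    for spec, extras, _ in rules:
        words.update(w for w in spec if not w.startswith("<"))
        for el in extras.values():
            if isinstance(el, Choice):
                words |= el.options
    return frozenset(words)


def match_rule(spec, extras, words, i, cmd_words) -> Optional[Tuple[Dict[str, str], int]]:
    """Try one rule at position i; return (extra values, new position) or None."""
    values: Dict[str, str] = {}
    for k, w in enumerate(spec):
        if not w.startswith("<"):                      # literal spec word
            if i < len(words) and words[i] == w:
                i += 1
                continue
            return None
        name = w[1:-1]
        el = extras[name]
        if isinstance(el, Choice):
            if i < len(words) and words[i] in el.options:
                values[name] = words[i]
                i += 1
                continue
            return None
        # Dictation: if a literal follows in the spec (an anchor), run up to it; otherwise
        # stop at the first command word, which is exactly what breaks "variable splitter".
        stop = spec[k + 1] if k + 1 < len(spec) else None
        j = i
        while j < len(words) and (words[j] != stop if stop else words[j] not in cmd_words):
            j += 1
        if j == i or (stop and j == len(words)):
            return None                                # empty dictation, or anchor never spoken
        values[name] = " ".join(words[i:j])
        i = j
    return values, i


def run_chain(rules: List[Rule], spoken: str) -> Tuple[bool, str]:
    """Parse a spoken command chain left to right. Returns (chain completed?, text produced)."""
    words = spoken.split()
    cmd_words = command_words(rules)
    out = Output()
    i = 0
    while i < len(words):
        for spec, extras, action in rules:
            hit = match_rule(spec, extras, words, i, cmd_words)
            if hit is not None:
                values, i = hit
                action(values, out)
                break
        else:
            return False, out.buf                      # nothing matched here: the chain crashes
    return True, out.buf


if __name__ == "__main__":
    for phrase in ("variable splitter", "variable splitter elephant",
                   "variable splitters clear", "do some action foo", "do some action baz"):
        print(f"{phrase!r:32} -> {run_chain(RULES, phrase)}")
```

Running it reproduces the three situations from the text: “variable splitter” produces nothing because the dictation is closed off by the “splitter” command before it has any words; “variable splitter elephant” yields “var splitter” through the anchored rule; and “variable splitters clear” yields the same text by letting the pluralised word through as dictation and then backspacing the extra character.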

I am working on a better solution to this problem and will update this article when I finish it.

Reusable Parts

On the Yahoo VoiceCoder group site, Mark Lillibridge proposes two categories for voice programmers, what he calls Type I and Type II. Type I optimize strongly for a very specific programming environment. Type II create more generic commands intended to work in a wide variety of environments. Along with Ben Meyer of VoiceCode.io, I fall into the latter category. My job has me switching between editors and languages constantly, so I try to use lots of commands like the following.

I also try to standardize spoken syntax between programming languages. It does take extra mental effort to program by voice, so the less specialized commands you have to learn across the different environments you work in, the better.

What About You?

That’s all I’ve got. Have any best practices or techniques of your own? Leave them in the comments; I’d love to hear them!