Information security is important. Yet lots of folks do things that diminish or even eliminate their personal or professional information security. In this article, I detail numerous information security best practices and the rationales behind them.

Passwords

Use Strong Passwords

Strong password design is tricky because people don’t have an intuition for entropy: a password that looks random to a human (think P@ssw0rd!) is near the top of every cracking wordlist. So, rather than make specific suggestions about length or characters, or spend time emphasizing how you shouldn’t reuse passwords, I’m going to simply say: use LastPass (or another reputable password manager).

LastPass

LastPass is a browser extension which remembers passwords and other forms for you. It generates strong passwords for you and stores them in a vault encrypted with your master password, so that master password is the one password you still have to make long, unique, and memorable. When it’s time to log into one of your LastPass-guarded sites, all you have to do is click the LastPass icon in the password box on that site. Because you never type the password, a plain keystroke logger never sees it; that is not protection against malware that can read the browser’s memory or the clipboard, so an infected machine is still an infected machine. In other words, it makes having strong passwords easy.

Tin Foil Hat Alternative: DIY Password Generator

Using LastPass is adequate for most people, but it isn’t open source. If you are a software developer and want to write your own password generator, here are some key considerations.

  • Your password generation method should have adequate entropy. Draw randomness from the operating system’s cryptographic generator (never from the clock or a plain rand() call), or, for a deterministic scheme, derive every password from a master secret long enough to resist offline guessing.
  • Your output (generated passwords) should conform to most sites’ password rules. If it doesn’t, you’ll end up manually modifying the output so that it does conform to said rules and you’ll have to remember the modifications.
  • Your input should be some easy-to-remember attribute of the account the password is being generated for (the site name and your username, say) combined with a secret master key. Without the master key, anyone who learns your scheme can regenerate all of your passwords. Include a counter in the label too, so you can rotate one site’s password after a breach without changing the master key.
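Here is an added example of such a generator in Python (it is not LastPass’s code and not the article’s own). It assumes a high-entropy master secret that only you know (the value passed as master_secret below is a placeholder) and a label like "github.com:alice:1", where the trailing number is the rotation counter. The same encoder also produces purely random passwords, which is what a password manager does instead of deriving them:

```python
"""Deterministic password generator. Added example for this article; it is not
LastPass's code or the author's. It assumes a high-entropy master secret that
only you know (the master_secret argument is a placeholder) and an
easy-to-remember label for the account, e.g. "github.com:alice:1"; the final
number is a counter you bump when a site forces a password change."""
import hashlib
import hmac
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_"          # small set, accepted by almost every site's rules
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)     # 72 characters, about 6.17 bits each


def derive_key(master_secret: bytes, label: str) -> bytes:
    """Stretch the master secret, then bind it to one account label.

    PBKDF2 with a fixed salt makes offline guessing of the master secret slow
    (the salt must be fixed: the scheme has to be reproducible from the secret
    and label alone). HMAC then makes every account's key independent, so one
    leaked password reveals nothing about the others.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", master_secret, b"pwgen-v1", 200_000)
    return hmac.new(stretched, label.encode("utf-8"), hashlib.sha512).digest()


def encode_password(key: bytes, length: int = 20) -> str:
    """Turn 64 key bytes into a password that satisfies common site rules.

    The key is treated as one big integer and converted to base 72, which
    avoids the modulo bias of `byte % 72`. Then each character class is
    guaranteed to appear: class k owns position k, and only class k ever
    overwrites that position, so the fix-up converges and stays deterministic.
    """
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    while not all(any(c in cls for c in chars) for cls in CLASSES):
        for pos, cls in enumerate(CLASSES):
            if not any(c in cls for c in chars):
                n, idx = divmod(n, len(cls))
                chars[pos] = cls[idx]
    return "".join(chars)


def site_password(master_secret: bytes, label: str, length: int = 20) -> str:
    """Deterministic: the same secret and label always give the same password."""
    return encode_password(derive_key(master_secret, label), length)


def random_password(length: int = 20) -> str:
    """What a password manager does instead: fresh CSPRNG bytes, nothing to
    derive, so the password has to be stored rather than regenerated."""
    return encode_password(secrets.token_bytes(64), length)


def entropy_bits(length: int) -> float:
    """Upper bound on the entropy of a random password of this length. The
    class fix-up costs a fraction of a bit, and a derived password can never
    hold more entropy than the master secret it came from."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    master = b"placeholder master secret: use a long random one"
    print(site_password(master, "github.com:alice:1"))
    print(random_password(), round(entropy_bits(20), 1))
```

The design choice worth noticing is the split between derive_key and encode_password: the slow, secret-dependent part runs once per account, and the rule-conformance step is deterministic, so a password that meets one site’s rules will meet them again next time without any manual edits to remember.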

No Browser-Remembered Passwords

Do not let Google Chrome or any other browser remember your passwords. Once the browser has autofilled a login form, anyone who knows basic HTML can reveal the password by opening the developer tools and changing the field’s “type” attribute from “password” to “text”, and most browsers will also list every saved password in their settings behind at most an OS password prompt. It takes five seconds and makes you vulnerable to anyone who has physical access to your unlocked device. A password manager that locks its vault after a short timeout, so that autofill needs the master password again, closes most of that window.

No Biometrics (Yet)

Do not use biometrics as your only unlock method until biometric recognition is good enough. At present, camera-only facial recognition can be beaten with a good photo, and even fingerprint scanners aren’t foolproof. Two further problems don’t go away with better sensors: a biometric cannot be changed once a copy of it leaks, and in some jurisdictions you can be compelled to unlock a device with your finger or face where you could not be compelled to hand over a passphrase.

Email

There are three very simple rules for email safety which will do more for you than most other items in this article.

  • Don’t reply to an email with important information, ever: no passwords, account numbers, one-time codes, or identity documents, no matter who the message appears to be from. A legitimate bank or service will not ask for them that way.
  • Use browser-based email. With Outlook or Thunderbird, attachments are downloaded to your PC, where one careless double-click runs them. With Gmail, Yahoo Mail, Hotmail, etc., the provider scans attachments on its servers and lets you preview documents without opening them locally, which shifts much of that risk to Google/Yahoo/Microsoft. The protection is not absolute: an attachment you download is just as dangerous whichever client fetched it, and so is a malicious link. But just checking your email in a browser makes you far less likely to install a keylogger or some other nastiness.
  • Check the “From” address, but don’t trust it. If that account deletion warning from your bank seems strange, look at who the sender is. If your bank is XBank and the “From” address is accounts@xbank.io or jerry47@randomail.net, then NO, you don’t want to click that link. Be aware, though, that the From header is just text the sender typed: a message can show accounts@xbank.com and still come from somewhere else entirely, so a matching address is not proof of anything. Whether the receiving mail server verified the sender (the SPF, DKIM and DMARC results, which Gmail exposes under “Show original”) is the better signal. Safest of all: don’t click the link at all. Type your bank’s address into the browser yourself, or call the number printed on your card.
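The following is an added example, not the article’s or any mail provider’s code, of the checks just described, run over two messages constructed for this example (one phishing attempt, one legitimate statement). It reads the From and Return-Path domains, the receiving server’s Authentication-Results header, and the real target of every link, including the classic trick of link text that shows one domain while the href goes to another:

```python
"""Phishing triage helper. Added example for this article, not the author's or
any mail provider's code. It shows why the From header alone is a weak check:
it is text the sender typed, so the function also reads the receiving server's
Authentication-Results (SPF/DKIM/DMARC) and the real targets of the links.
Both messages below are constructed for the example."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISH = """\
From: XBank Accounts <accounts@xbank.com>
To: victim@example.net
Subject: Account deletion warning
Return-Path: <bounce@mail-xbank.io>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-xbank.io; dkim=none; dmarc=fail header.from=xbank.com
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be deleted. Log in at
<a href="https://xbank.io/login">https://www.xbank.com/login</a> to keep it.</p></body></html>
"""

LEGIT = """\
From: XBank Accounts <accounts@xbank.com>
To: victim@example.net
Subject: Your monthly statement
Return-Path: <bounce@xbank.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=xbank.com; dkim=pass header.d=xbank.com; dmarc=pass header.from=xbank.com
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready: <a href="https://www.xbank.com/statements">View it</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable(host):
    """Crude registrable-domain guess: the last two labels. Real code should
    use the public suffix list (co.uk and friends)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host, expected):
    """xbank.io vs xbank.com: same name, different suffix."""
    h, e = registrable(host), registrable(expected)
    return h != e and h.split(".")[0] == e.split(".")[0]


def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze(raw, expected_domain):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    if registrable(from_dom) != registrable(expected_domain):
        findings.append(f"From domain {from_dom!r} is not {expected_domain!r}")
    if "dmarc=pass" not in (msg.get("Authentication-Results") or "").lower():
        findings.append("DMARC did not pass: the From header cannot be trusted")
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and registrable(rp_dom) != registrable(from_dom):
        findings.append(f"Return-Path domain {rp_dom!r} differs from From")
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable(host) != registrable(expected_domain):
            kind = "lookalike" if is_lookalike(host, expected_domain) else "foreign"
            findings.append(f"{kind} link target {host!r} for text {text!r}")
        shown = urlparse(text).hostname if text.lower().startswith("http") else None
        if shown and registrable(shown) != registrable(host):
            findings.append(f"link text shows {shown!r} but goes to {host!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw, "xbank.com") or ["no findings"])
```

Note that the phishing sample passes the article’s original test (its From address is exactly accounts@xbank.com) and is caught only by the authentication results and the link targets; the Authentication-Results header is trustworthy only because your own mail server added it, which is why the check belongs on the receiving side.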

Encrypt and Lock Your Devices

Encrypt + Lock = Good

Every device you own should be encrypted: your phone, your laptop, your desktop, your tablet, etc. It is trivially simple to remove the hard drive from a stolen device and plug it into another device, or to boot the stolen device from a USB stick, and read everything on it. Did you think your files were protected by your login password? Think again: without encryption, that password only guards the login screen, not the data on the disk.

Encryption sounds difficult and scary, but it’s really not. Most Android phones and Apple phones and laptops have encryption options built into the operating system. You can encrypt your phone or MacBook from the settings menu. Windows devices aren’t much harder. Google “encrypt my xxxxx” to learn how to encrypt each of your devices.

That said, if you encrypt your devices but don’t lock them, you’re missing most of the benefits of encryption. What good is the encryption doing you if anyone can get into your files by just swiping up on your phone? Encryption and locking go hand in hand. Do both or reap the benefits of neither. Locking also has to actually lock: a device that is merely asleep still holds the disk encryption key in memory, so set a short auto-lock timeout, require the password on wake, and fully shut down (not just sleep) any device that is about to leave your control, at a border crossing for instance.

Tin Foil Hat Addendum: Hidden Volumes

If you’re in a situation in which you may be forced to decrypt your device, consider using a hidden volume. A hidden volume is a part of your hard drive which looks like empty space unless you decrypt the hard drive with the hidden volume password instead of the normal encryption password. Be careful though! Since the hidden volume looks like empty space even to the operating system (after you’ve decrypted the fake volume), it can easily be partially overwritten by saving files on the fake volume, and therefore irreparably corrupted. VeraCrypt, for example, can be given both passwords when you mount the outer volume so that it refuses writes which would land on the hidden one; use that option whenever you are working in the decoy volume yourself.

Authentication

Two-Factor Authentication (2FA)

Using 2FA means that an attacker will have to have both your password and some secondary means of authentication to access your account. Not all second factors are equal: a one-time code sent by SMS can be intercepted by an attacker who talks your carrier into moving your number to their SIM, so prefer an authenticator app on your phone or, better still, a hardware security key, which also resists phishing because it will only answer the real site. It adds a little bit of hassle to your life because it also means that you have to have access to that secondary means of authentication when you want to log in, but the trade-off is more than worth it.

Tin Foil Hat Warning: Backup Codes Awareness

Some sites offer to give you one or more “backup codes”, in case you lose access to the account. (That is, you forget your password, lose your cell phone for phone 2FA, get locked out of the email you set as the password recovery email, etc.) Backup codes are great, but you should be aware of what an attacker would get if they got your backup codes. It’s different for different sites. Here are some examples.

  • Hotmail backup codes: let you reset the account password, change the recovery email, and access the account.
  • Gmail backup codes: even after entering a backup code, Gmail will still ask for another method of authentication before letting you in. If you do not provide one, Google will “review your request”.
  • Dropbox backup codes: can be used in place of a phone.

Security Questions

Let me first say, as a website administrator, that security questions are the poor man’s 2FA: they are not a second factor at all, just a second, usually weaker, thing you know. Security question answers are often easy to find in public records, on social media, or elsewhere. If you must use them, use them with care.

Only You Should Know Your Answers

Try to select questions and answers which are not available in public records. Here are some bad questions.

  • Where did you go to high school?
  • What was your mother’s maiden name?
  • What was the make and model of your first car?

For contrast, here are some arguably better questions. They are better only because the answers are not in public records; if you’ve posted your pet’s name or your favorite restaurant on social media, they are just as bad.

  • What was the name of your first pet?
  • Where did you meet your significant other?
  • What is your favorite food?

No Quizzes

A great point about security questions, which was raised a few months back by journalist Brian Krebs: don’t answer personality (or other) quizzes online. You’re giving away information about yourself for free to potentially unscrupulous sources who may then use it for account-recovery attacks or to phish their way into your accounts.

No Repeat Questions

Another point to take into consideration is that phone service operators and website admins may see your answers in plain text (many sites store them that way). Therefore, vary your selection of questions and answers across sites, so that a malicious or breached operator learns nothing that works anywhere else.

Tin Foil Hat Alternative: Don’t Know Your Own Answers

Some sites and services do not let you pick good questions. If you are a software developer, you can write a generator for security question answers instead. The input is the question itself, plus the site name so that the same question gets a different answer on every service, mixed with a secret master key; without the key, anyone who knows your scheme could regenerate your answers. The output, ideally, is a human-readable phrase, since some services have operators who will ask you the answers to your security questions over the phone in order to authenticate you.
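An added example of such an answer generator (not the article’s code) follows. It assumes a master secret that only you know (the master_secret argument is a placeholder) and embeds a constructed 32-word list purely for illustration; in practice you would use a large list such as the EFF diceware list. Because the site name is part of the input, it applies the no-repeat-questions rule automatically:

```python
"""Security-question answer generator. Added example for this article, not the
author's code. It assumes a master secret only you know (the argument is a
placeholder) and embeds a tiny word list for illustration; use a large list
such as the EFF diceware list (7776 words, about 12.9 bits per word) in practice."""
import hashlib
import hmac
import math
import re

# Constructed 32-word list: 5 bits per word here, so three words is a weak
# answer on its own; the secrecy of the master key is what the scheme rests on.
WORDS = (
    "apple", "bridge", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "igloo", "jasper", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "anchor", "butter", "copper", "dragon", "engine", "forest",
)


def normalize(question: str) -> str:
    """Lower-case the question and collapse punctuation and whitespace, so the
    way a site happens to punctuate it doesn't change your answer."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", question.lower()).split())


def answer(master_secret: bytes, site: str, question: str, n_words: int = 3) -> str:
    """Derive a speakable phrase from (site, question). Including the site
    means the same question gets a different answer everywhere, which is the
    'no repeat questions' rule applied automatically."""
    label = f"{site.lower().strip()}|{normalize(question)}".encode("utf-8")
    digest = hmac.new(master_secret, label, hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    words = []
    for _ in range(n_words):
        n, idx = divmod(n, len(WORDS))   # base-|WORDS| digits of the HMAC output
        words.append(WORDS[idx])
    return " ".join(words)


def guess_bits(n_words: int) -> float:
    """Entropy an attacker without the master secret faces when guessing."""
    return n_words * math.log2(len(WORDS))


if __name__ == "__main__":
    master = b"placeholder master secret"
    print(answer(master, "xbank.com", "What was the name of your first pet?"))
    print(answer(master, "example.net", "What was the name of your first pet?"))
    print(round(guess_bits(3), 1))
```

If the master secret is a human-chosen passphrase rather than random bytes, stretch it first (PBKDF2 or similar) the same way you would for a password generator; a plain HMAC of a guessable secret is only as strong as the secret.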

Protection From Yourself: Single Points of Failure

This is a category that people often fail to consider completely. If your important stuff (read: bitcoin wallet, family photos, work documents) is on your laptop and you drop your laptop into the sea, your important stuff is now gone. You have failed to protect yourself from yourself.

You want to prevent the existence of any single point of failure in your setup. Any one account or device should be able to be lost, stolen, or locked without the whole system collapsing or being seriously damaged.

Redundancy

Any important files should be stored redundantly. You get some level of automatic redundancy from using services like Dropbox, Google Drive, or OneDrive, but with those services, there are a few points to keep in mind.

  • They might go away at any time. (Remember Google Reader? — yes I’m still bitter, so what?)
  • You sacrifice privacy by using them. This might be fine, or it might not, depending on what you’re storing.
  • They sync deletions and corruption as faithfully as they sync files. If ransomware encrypts your documents or you delete a folder by mistake, the cloud copy follows within minutes; version history, where offered, is your only way back, and it is usually limited in time.

Regardless, for an extra layer of redundancy, you should have backups of very important files on multiple external media, at least one of them kept offline and somewhere else, and you should check now and then that the copies are still complete and readable.
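A copy you have never verified is a hope, not a backup. Here is an added example (not from the article) that builds a SHA-256 manifest of a source folder and checks a backup copy against it, reporting files that were never copied and files whose contents differ. The source and backup trees are constructed in a temporary directory so it runs offline:

```python
"""Backup verification. Added example for this article, not from it. Builds a
SHA-256 manifest of a source tree and checks a second copy against it, so you
learn that a copy is incomplete or silently corrupted before you need it. The
sample tree is constructed in a temporary directory so the example runs offline."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root) -> dict:
    """Relative path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(source_manifest: dict, backup_root):
    """Compare a backup copy against the source manifest.

    Returns (missing, mismatched): files absent from the backup, and files
    present but with different contents (truncated copy, bit rot, or a sync
    client that faithfully replicated a corruption)."""
    backup = manifest(backup_root)
    missing = [k for k in source_manifest if k not in backup]
    mismatched = [k for k, h in source_manifest.items()
                  if k in backup and backup[k] != h]
    return missing, mismatched


def demo():
    """Constructed scenario: one good copy, one corrupt copy, one file never copied."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "src"), Path(tmp, "bak")
        (src / "photos").mkdir(parents=True)
        (bak / "photos").mkdir(parents=True)
        (src / "photos" / "a.jpg").write_bytes(b"\xff\xd8" * 100)
        (bak / "photos" / "a.jpg").write_bytes(b"\xff\xd8" * 100)   # intact copy
        (src / "wallet.dat").write_bytes(b"wallet bytes")
        (bak / "wallet.dat").write_bytes(b"wallet byt")             # truncated copy
        (src / "notes.txt").write_text("never copied")               # no backup at all
        return verify(manifest(src), bak)


if __name__ == "__main__":
    missing, mismatched = demo()
    print("missing:", missing)
    print("mismatched:", mismatched)
```

Store the manifest alongside the backup and re-run the comparison periodically; a mismatch that appears months later on a copy nobody touched is bit rot, which is exactly the failure a second external medium exists to survive. Verifying hashes is still not a restore test: occasionally copy a file back from the backup and open it.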

Breadcrumb Trails

If any of your email/other accounts gets hijacked or you forget the password, you should be able to recover from it. This means that account recovery options on those accounts should be well explored and considered. You should leave yourself a breadcrumb trail to get out of the lost-accounts woods. And you should do full tests of those breadcrumb trails. Pretend that you actually got locked out of that important account and try to get back in.

Your Monkey Brain

Don’t create a system which is too hard for you to use. Twenty-five-character passwords are super secure (at present), but if you’re not going to be able to remember them, don’t use them unless something else (your password manager) remembers them for you. You also need to protect yourself from your own monkey brain’s inadequacy. It’s not a hard drive. It just forgets stuff sometimes.

Self-Defeating Platitudes

Also worth mentioning in this section are some self-defeating platitudes about security that you sometimes hear.

  • “No one would come after me.” You’re probably right that no other individual person is targeting you. The energy spent in targeting an individual is usually not worth the payoff. But it won’t be a person targeting you and you alone. It will be automation casting a wide net over everyone: scripts that try every leaked email/password pair against every popular site, and phishing kits that blast millions of addresses, pulling in the suckers.
  • “Security is too hard and it’s just too much effort.” This essentially amounts to, “I can’t secure everything, so I’m going to secure nothing.” Grab the low-hanging fruit! Do the easy stuff instead of doing nothing at all. Incremental improvement for the win.

20th Century Security Techniques

Our world is increasingly digital, but a handful of older security practices bear mentioning here.

Carry Credit

Carrying cash or a debit card means that if you lose your wallet, get robbed, or get scammed, you’ve denied yourself the mother lode of consumer protections built into almost every credit card. If you need to carry cash, carry just a little bit, or put low withdrawal limits on your debit/bank card.

SSN LOL

Your social security number is effectively public information. If you think that it provides any level of account security, take a moment and think about the multitude of entities to whom you have provided it. That’s all I’m going to say about that.

Physical Security

Take a lesson from Battlestar Galactica: if it’s not digital, a hacker can’t touch it. You might want to keep some things offline: in your desk or a safe. Of course, if it’s not digital, it’s also not encrypted.

Honorable Mentions

Tin Foil Hat Credit Firewall: Freeze Your Credit

Equifax, TransUnion, and Experian all offer free credit un/freezing service. If you’re not planning on buying a car or a house, signing a new apartment contract, or opening new credit cards, what reason do you have not to freeze all three (and Innovis and ChexSystems while you’re at it)? If you are planning on doing something which involves credit checks, you can always temporarily unfreeze the relevant credit bureau.

Delete Securely

If you think that putting files in the Recycle Bin is the same as deleting… well, you’re probably not reading this article. But even actually-deleted files can be recovered. I once bought a laptop from a guy on Craigslist. The very first thing I did with it was undelete all of his files and look at his stuff.

This is why you should be using the digital equivalent of a file shredder on anything that you wouldn’t want someone to find. Eraser is one such program. Prevent Restore is another. Be aware of their limits: overwriting only reliably destroys data on a traditional spinning disk. An SSD’s wear leveling can leave the old blocks intact in flash that the operating system can no longer address, copy-on-write file systems write changed data to new locations, and snapshots, backups, and cloud sync keep their own copies.

You might be asking, “isn’t this overkill if I’m encrypting my entire drive?” Mostly, yes: on an encrypted drive a deleted file is just ciphertext to anyone without your key, and when you dispose of the drive, destroying the key (the drive’s secure-erase or crypto-erase command) takes care of everything on it at once. But you don’t always have the option of encrypting the entire drive. For instance, you might be on a work computer.
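For the unencrypted-drive case, here is an added example of what a file shredder actually does (it is not Eraser, Prevent Restore, or the article’s code): overwrite the file in place, force the writes out of the cache and onto the disk, hide the original file name, then unlink. The target file is constructed in a temporary directory so the example runs offline:

```python
"""Secure-delete helper. Added example for this article; it is not Eraser,
Prevent Restore, or the author's code. It overwrites a file in place, forces
the data to disk, hides the original name, and unlinks. It only helps on a
traditional spinning disk with an in-place filesystem; see the caveats below."""
import os
import secrets
import tempfile


def shred(path: str, passes: int = 2, chunk: int = 1 << 16) -> int:
    """Overwrite `path` with random data `passes` times, then zeros, then delete.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes + 1):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                # final pass is zeros so the file doesn't advertise "wiped here"
                f.write(b"\0" * n if p == passes else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())      # reach the disk, not just the page cache
    directory = os.path.dirname(os.path.abspath(path))
    hidden = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, hidden)          # otherwise the old name lingers in the directory
    os.unlink(hidden)
    try:                              # persist the directory change as well
        dfd = os.open(directory, os.O_RDONLY)
        os.fsync(dfd)
        os.close(dfd)
    except OSError:                   # e.g. Windows cannot open a directory this way
        pass
    return size


def demo() -> tuple:
    """Constructed scenario: write a marker file, shred it, confirm it is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "tax-return.pdf")
        with open(target, "wb") as f:
            f.write(b"ACCOUNT-00000000" * 4096)   # 64 KiB of constructed sensitive bytes
        written = shred(target)
        return written, os.path.exists(target)


if __name__ == "__main__":
    print(demo())   # (65536, False)
```

What this cannot do is worth spelling out. The fsync calls guarantee the overwrite reached the device, not that it reached the same physical blocks: an SSD’s wear leveling may map the new writes elsewhere and leave the original cells readable with forensic tools, and copy-on-write file systems (APFS, btrfs, ZFS) do the same in software. Snapshots, Time Machine, and cloud sync folders hold additional copies that no in-place overwrite touches. On any modern drive the reliable answer is full-disk encryption from day one, plus the drive’s built-in secure-erase when it is decommissioned.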

Be Careful With Installers

After email, installers are the most common way to get keylogged or otherwise hijacked. Even installers from some reputable companies come bundled with crapware.

  • Whenever given the option, choose “Custom Install” and pay attention to what you’re clicking “Next” to.
  • Where you download something from matters. The same software might be wrapped in spyware when downloaded from one site and clean from another, so get it from the vendor’s own site, and where the vendor publishes a checksum or signature for the download, verify it before running the installer.
  • The more you get into the weeds with random third party programs, the more you put yourself at risk.

If you’re tech savvy enough, sandboxing and monitoring the installation is a good route when dealing with unknown new programs. For everyone else, just be cautious.

Reduce Your Digital Footprint

Whether or not you care about Big Brother or Big Data having all of your personal information, you probably don’t want random third parties having it. That means

  1. downloading old emails and data via services like Google Takeout,
  2. archiving it if it’s important to you,
  3. and then deleting it from website X if you’re not actively using it.

Even if website X is trustworthy today, when they get compromised, you can bet that Random Blackhat and friends are not.

Tin Foil Hat Defense: Hiding Your Browsing

If you care about your ISP seeing all of your activity, you’ll want to hide it from them. A VPN moves that visibility from your ISP to the VPN provider; Tor spreads it across relays so that no single party sees both who you are and where you’re going. Some people combine the two. There are two ways to do this, Tor over VPN and VPN over Tor, and the differences and trade-offs are beyond the scope of this article. Regardless, if you don’t like targeted ads or are in a politically sensitive situation, masking your browsing activity is something you’ll want to do. DNS is the usual leak: switching your computer’s name server to Cloudflare (1.1.1.1) helps, but only if your client actually speaks DNS over HTTPS or DNS over TLS to it. Changing the resolver address alone still sends every lookup in plaintext past your ISP. Cloudflare is also not the only option; Google Public DNS and Quad9 offer encrypted DNS as well.

Don’t use cloaking sites or free proxies! They may not all be bad, but trusting random strangers with the entirety of your web traffic is even worse than trusting your ISP.

Further Reading

We’ve covered lots in this article, but there is plenty more good material out there. Here’s some of it!

Krebs on Security

EFF Surveillance Self-Defense

Reddit /r/cybersecurity

privacytools.io

Have I Been Pwned

How to Encrypt Your: Mac | Android | PC

 

In 2013, my carpal tunnel was beginning to become unbearable. Every day, I would come home with wrists burning and fingertips tingling. In an effort to alleviate my symptoms, I started to try alternate input hardware. In this article, I will describe my experiences with some of these alternate setups.

The “Minority Report” Setup

Using CamSpace and the finger of a glove which I had colored bright green, I put together a sort of ghetto Minority Report interface. Cool as it was, there were two major problems. The first was that it was annoying to hold my hand up in front of the camera constantly. The second is that it was really sensitive to changes in lighting and angle of my hand.

Optical Finger Mouse

My thought with this one was that maybe I could casually wave my hand over the desk rather than gripping a mouse. It didn’t work out that way. The parts are rather cheap, and just like the older generation of optical mice, the laser has to sit flat on the table, preferably on a mousepad, preferably which is dark-colored and not reflective.

One Finger Mouse

This one promises to free your hand from the desk altogether, and it does, but unless you have child-sized hands, you’re going to strain your thumb trying to reach the trackball (and use it in general). Furthermore, the trackball gets dirty easily and starts sticking, requiring further thumb effort.

Evoluent VerticalMouse

The Evoluent was actually pretty good. It’s probably the best version of a wired old-style mouse that will ever exist. It did allow me to stop pronating my wrist. I ultimately rejected it because (like all mice), it sat far off to the side of my keyboard, requiring me to reach out quite far in order to move the cursor from left to right on the screen.

Kensington Expert Mouse

I decided to try a ball mouse. Looking around on Amazon, the Kensington Expert Mouse seemed to get consistently good reviews, so it was the one I ordered. I thought it would be ridiculously difficult to use, but it wasn’t. (I played all three Mass Effect games with it.) It did cause me to pronate my wrist some, but the pronation was far less than any other mouse except for the Evoluent. Since a ball mouse requires a smaller surface area, I also didn’t have to reach for it. While not perfect, I found it to be easier on my hands than all of the other mice I’d tried. I own two now, in case one breaks. Another bonus is that you can hold it in two hands like a Dreamcast controller, in handshake position, which is about as ergonomic as it gets.

Ergo Touchpad

This thing seemed like it had a lot of potential. If I could mount it anywhere, I could figure out a position which didn’t hurt my hands. I got pretty creative, but in the end, the Ergo Touchpad made both my wrist and my fingers hurt (as opposed to just my wrists).

EyeTech EyeOn

While technically impressive, the problem with eye tracking seems to be human eyes. The EyeOn tracked my eye movements very accurately, but human eyes flicker all over the place instead of settling on their targets like mice do. It’s possible that they might fix that in the software eventually, but as of late 2013, it was pretty unusable.

Webcam Eye Tracking Software

I tried a few different eye tracking software packages too. None of them worked as well as the EyeTech did, which is to say, they were all pretty horrible.

Leap Motion

When I saw the video for the Leap Motion, I got excited. When I tried it, I lost that excitement. It’s a nice toy, nothing more.

Dell E2014T Touch Screen LED-Lit Monitor

Initially I dismissed the possibility of using a touchscreen monitor because I figured reaching for it wouldn’t work, and I still think so, if you’re sitting down. However, because I later wanted a setup in which I could switch between standing and sitting, I purchased the E2014T to use while standing up, and for that it works quite well. My one complaint is that if you don’t touch the screen for a few minutes, it seems to fall asleep and the next few times you touch the screen, it is unresponsive. I often find myself tapping the screen until I see the little tap recognition animation and then going on to do the real tap. Still, it gives my thumbs a break from the trackball.

Microsoft Natural Keyboard Elite

The other ergonomic keyboards I tried, with the exception of the Kinesis, aren’t even worth mentioning here. In terms of comfort, the Natural Keyboard Elite was just the best. I have two now. The wrist pad is at just the right height. The angle of the keys is pretty good. Using it all day still hurt my wrists, but much less than other keyboards.

Kinesis Freestyle

Though all the standard setups for it (even with the accessory set) were less comfortable than the Natural Keyboard Elite, what I like about the Kinesis is that it gives you the ability to experiment. With a little DIY spirit, anyone should be able to make it into a better keyboard than anything else available, because it’s not one-size-fits-all like the rest of them.

Dragon NaturallySpeaking

What’s better than a comfortable keyboard? No keyboard at all. Though Dragon does have a bit of a learning curve, I’ve found it to be completely worth it and wholeheartedly recommend it as a keyboard alternative. Even for programmers, there are (free) Dragon add-ons which enable programming by voice, including VoiceCode, Aenea, and (my project) Caster.

Concluding Remarks

So what did I ultimately choose? My current setup has Dragon NaturallySpeaking instead of a keyboard, the touchscreen monitor for standing, and the trackball for sitting. I haven’t had anything remotely resembling a standard setup in about 18 months. The result is that the burning and tingling have gone away completely, and all that remains of my carpal tunnel is occasional stiffness and soreness from extended use of the trackball. This is a better recovery* than I hoped for, but I think there’s still a lot of room for innovation. Come on hardware hackers, give me an opportunity to give you my money.

* It’s also worth mentioning here that after using the Natural Elite / Kensington combo for a while, I went to see a physical therapist. She had me wear night splints and did an ergonomic evaluation/correction of my sitting posture at work. Those two things alone reduced my symptoms by about 60%.