Stay Secure

Security is a tricky affair: it’s difficult to establish, to maintain, and to verify. Take all the steps you can to keep your data and devices secure.

  • Backup, keeping a copy in your home and somewhere outside your home that you consider safe and are likely to be able to access in an emergency.
  • Secure, so that only you and those you trust can get access to your information and accounts.
  • Plan for routine recovery, such as when you’re away from your computer, but need to gain access to your information and accounts.
  • Plan for extreme recovery, such as when you are disabled and unable to communicate, or when you pass away.

Backup your Digital Devices

Use iCloud, Dropbox, or some other service to maintain a secure, automatic backup of your information away from your home or office.

If you’re making your own backups in your home or office, consider purchasing a hard drive that supports RAID 1 or greater. RAID 1 is a technology that presents itself to you as a single hard drive, but is actually multiple independent drives, each with a complete copy of your data. When you save a file to a RAID 1 device, a copy of the file is actually saved on each of two or more hard drives. When any one drive fails, your device will alert you to the failure so that you can replace it, but you still have the other drives’ backups to fall back on.

Install Ghostery

Now, let’s turn attention to staying secure in your web browsing habits. Ghostery blocks common trackers, analytics, and ads. Whenever I’m forced to turn off Ghostery for a given page, I’m reminded just how bad the Web has gotten.

Ghostery is my first install on a new system.

Install and use DuckDuckGo

No one should be tracking your search habits. DuckDuckGo is an alternative to using Google Search. DuckDuckGo makes a point, however, of not tracking your searches. There’s no database of your searches being built by them and you can easily clear your search and browsing history. You can use it in several ways:

Use a Password Manager

1Password, LastPass, and KeePass are all popular with pros and cons to each. Study a bit, watch some videos on how they’re used, and choose the model that best fits your needs, OS, and risk tolerance. As an example of a feature that may factor in your decision: some of the tools store your password vault in the cloud while others store the password vault locally on your computer. That has implications, should your computer fail or you not have access to the cloud.

These tools store arbitrary passwords created for you as you setup accounts on various services. When you visit a site, rather than having to know or type the password, there’s a keystroke you press to activate your password manager. You enter a “master password” that secures your password manager to unlock it. The tool then recognizes the URL of the site you’re visiting and types the site-specific password (and probably username) for you. As a bonus safety benefit, since the password manager is figuring out which password to provide based on the URL, you’re less susceptible to phishing attacks, where look-alike URLs are intended to fool you into entering your username and password into fake versions of popular websites.

This allows you to have complex, nonsensical, long passwords, unique to each service you use, and completely unknown to you.

Be sure that you maintain a current backup of your password vault somewhere other than on your computer and in your home, in case your computer fails or your home is damaged in a fire or flood. Be sure that backup location will be accessible to you, even when you don’t have access to your password vault.

Imagine, for example, that if you backup your password vault to a cloud service, such as Dropbox, when you need emergency access to the password vault, you (ironically) need to be able to login to Dropbox. Will you know the Dropbox password? Will you have your two-step verification (see below) device available to you?

Consider sharing your backup with the trusted family member or friend who you use as a backup two-step verification contact. They don’t need to know your master password… you could probably provide that, if you ever need to make use of it.

But in the extreme, consider estate planning: if you’re ever disabled and unable to communicate or when you die, will your caretakers or heirs have access to the digital passwords you’ve secured? You may want to leave your password vault’s master password on file with your attorney or in some secure, tamper-evident location (a sealed envelope in your or your friend’s fire-resistant safe, for example).

As I said, security is tricky!

Turn on Two-step Verification (Intermediate, but increasingly important)

First, consider how you login without two-step verification: you visit a site, enter a username and password and click the login button. Maybe you’re already using a password manager, so your password is unique to that site and complex. When you forget your password, you can reset it by having the site send a temporary password to the email address you gave them when you created the account, assuming you still have that email address active. But what if I took over your email address? Now I, an untrusted and unknown user, can submit password reset requests to all your critical accounts and, since I control your email, I’ll receive the temporary passwords. I can lock you out of all your accounts and you have no (easy) recourse. You can’t reset the passwords because you don’t know the new password and you won’t receive any temporary passwords because I control your email. Game, set, match.

Two-step verification (a.k.a. two-step authentication, two-factor authentication, or 2fa) is a method of security where you have to have two distinct pieces of information provided via two independent sources before being granted access. For example, when you try to login to your social media account, you enter a username and password (the first step). They then send a text message containing a one-time password (OTP) to the mobile phone number on record, which you’re asked to type into a form field on the site (the second step). The theory is that it’s unlikely that both your existing password and access to your mobile phone would be compromised at the same time. By sending you a one-time password “out of band” (i.e., via a service that’s separate from the service you’re trying to access), security is improved.

Note: your mobile phone can be spoofed. A dedicated attacker with the technical skills could clone your phone’s cellular network ID and thereby receive text messages that are otherwise intended for you. This way, they could even intercept your 2fa one-time passwords. Your security is only as good as your ability to control its parts. See the mention of Yubikey, below.

See the Electronic Frontier Foundation’s 12 Days of Two-Factor articles for details and links to the two-factor setup pages for various providers.

When you setup two-step verification, be sure to designate at least one trusted friend or family member as an alternative point of contact. Ideally, these would be some mix of people who aren’t likely to all be on travel with you at the same time and aren’t likely to be affected by the same regional crisis (e.g., flood).

Why? Well, consider the case where you setup 2fa with your spouse as your designee and they setup 2fa with you as their designee. Now, when you’re both on vacation and your luggage is lost or stolen or you don’t have your usual phone service available due to a regional crisis, you’re both affected: how will you receive the one-time password from your online service? One possible solution: have three people who can receive your OTP where all three are not likely to be traveling together or dislocated by the same crisis: you and at least two trusted friends who are located in different regions; you can all serve as the designees for one another, forming a ring of trusted recipients.

The designees serve as a redundant method for you to receive the second step one-time password, in case you don’t have access to your phone. Be sure your designee knows you’re designating them, before you set it up, since the service will usually send out an immediate one-time password message to your designee in order to verify that your designee is reachable and that you can get them to give you the one-time password. You likely will need to be communicating with your designee at the moment you designate them as a valid contact, so that they can provide you with the one-time password that’s sent to them, which you will then enter into your service’s verification page.

It may sound complex, and it is. But without a redundant, verified method for receiving the one-time password, should you ever lose access to your mobile phone (e.g., theft, damage, change of phone number, or international travel without your usual cell service), you’ll be locked out of your account. Since setting up a replacement phone, even on the same phone number, will likely require you to sign-in to your cloud accounts (e.g., iCloud so that your apps and data can be restored, Google Drive so that you have your password vault, etc.), you’re in a catch 22: how can you sign-in to those accounts, unless you have your phone to receive the one-time password?

Short version: designate at least two other trusted people to receive a one-time password on your behalf and verify them through your services’ setup pages. You’ll be glad you did.

Consider YubiKey or another Hardware 2fa Solution (Advanced)

YubiKey and similar devices provide a USB device, physically similar to a thumb drive, that serves as your second factor. As long as you maintain physical control of the YubiKey, your security is optimized. Since YubiKeys aren’t themselves connected to the network, they’re not susceptible to remote attacks.

If you lose your YubiKey, however, you’re in trouble. Many users of such devices create two or more working YubiKeys, stored in different locations, in case they lose one. Alternatively, you could make certain to have backup codes (provided by the online service being used) stored in a safe location.

Install and use a Virtual Private Network (VPN) (Intermediate)

This a slightly more advanced step to take, but if you are very security conscious, you might want to consider using a VPN service.

Is your Internet Service Provider (ISP) tracking your online behavior? Probably. That information is a valuable asset to them which they can turn around and sell to marketers. And in the United States, at least, the Federal Agency tasked with regulating media carriers, the FCC, recently revoked rules meant to protect consumers.

Are other people out on the net monitoring your online behaviors? Again, probably. They may or may not be targeting you, personally, but tracking individuals online is lucrative, both for marketing and for information theft.

How can you keep your online behavior more secure? Answer: use a Virtual Private Network or VPN.

In typical, unsecured network use, you sit at your computer and enter search terms or the address for a web page into your browser. That information leaves your computer, travels to your service provider, and from there passes through any number of additional servers before finally reaching your intended recipient site. The site then prepares a response to you and sends it back along a similar pathway: to their service provider, through various servers along the way, until it reaches your service provider and is finally routed to your computer.

Only microseconds have passed. But in that time, any of the systems your information passed through could have and likely did record parts of that information: your cable provider knows you accessed an ecommerce site, the ecommerce site knows you searched for “fluffy bunnies” to get there, and so on. Next time you visit that or any other site, maybe they opt to show you more fluffy bunny-related ads.

Ghostery and DuckDuckGo, discussed above, can help limit that persistent tracking of your behaviors. Still, the path of your network traffic and the patterns that traffic creates can be mapped.

Virtual Private Networks help to mask your network traffic patterns. They are an additional service you subscribe to that gives your traffic a waypoint: All requests leaving your computer become encrypted requests to your VPN provider—also known as an encrypted tunnel. Your internet provider only knows that you’re using a given VPN provider; they can’t see which sites you’re requesting or what search terms you’re using beyond that.

When you’re using a VPN, all of your traffic looks the same: you, to your ISP, to your VPN. From there, your request is routed to your intended recipient. Their response is sent back to your VPN, before being sent back to your ISP and on to you. And all of this happens over encrypted tunnels, so no one can monitor your network traffic.

A word of caution: no technology is perfect. It’s always possible that there’s a bug in the encryption schemes being used or compromises in the network that could expose your information. If you’re using tools such as VPNs and TOR (see below) to protect your life and liberty, be very careful and be sure you understand how to use them well:

A word of annoyance: because using a VPN masks your traffic, it also prevents sites from knowing where you’re located physically and who your internet provider is. This is great for your security, but bad news for sites that either want to or are legally required to limit access to content based on your location or service provider. Think NetFlix, YouTube, Comcast, Time Warner, certain governments, etc. In other words, sites and services that are built on protecting and enforcing copyright or enforcing government censorship on content.

Some services will be unavailable to you while you’re protecting your privacy; some hotels might block VPN traffic. In some countries, it even may be illegal to use VPNs. That should tell you something about how important your privacy is: governments and companies don’t want you to have it.

Install and use TOR (Advanced)

A layer beyond even VPNs is TOR: The Onion Router. TOR actively anonymizes your network traffic, further masking your online behaviors. TOR was originally developed with U.S. Government funding to create secure, stable networks.

You can use VPNs and TOR together, too, for added security.

A (repeated) word of caution: no technology is perfect. It’s always possible that there’s a bug in the encryption schemes being used or compromises in the network that could expose your information. For example, if you are connected to TOR, attempting to mask your identity and network traffic patterns, but login to your gmail account… well… you’ve just told someone who you are; so much for your anonymity. Generally, do not login to identifiable accounts while using TOR. If you’re using tools such as VPNs and TOR to protect your life and liberty, be very careful and be sure you understand how to use them well: