
Digital Security for the 2017 Lawyer - walterbell
https://www.cameronhuff.com/blog/bc-courthouse-libraries-presentation/index.html
======
tptacek
This is a better list:

[https://techsolidarity.org/resources/basic_security.htm](https://techsolidarity.org/resources/basic_security.htm)

We've used this as the basis for training we're doing with NGOs, the press,
and some legal groups.

~~~
duckmysick
Interesting list, thanks for posting. I'm curious about the rationale of
several points on this list. Why shouldn't you use an Android phone but at the
same time Chromebooks are recommended? I'm also surprised about uninstalling
any antivirus products except for Windows Defender. I understand some
companies are moving to CrowdStrike/Carbon Black, but what about individual
users or smaller companies.

Also, is there a similar list for small companies focused on remote working?

~~~
tptacek
Because Chromebooks are more secure than Windows, Linux, or Mac laptops, but
Android is markedly less secure than iOS. This isn't about which is our
favorite company; it's about what the best options are for ordinary users.

If you know exactly what you're doing, and you're using a Google phone, you
might be able to get approximately the same security out of an Android device
as an iOS device. But ordinary users have no chance.

~~~
notspanishflu
Thank you for the list.

Can you help me to understand the validity of this statement [0]?

> When used with the best practices for web security, the Chromebook is secure
> against most direct attacks on the local hardware and the Chrome browser,
> but its dependence on a web-based backend where US courts have already ruled
> there's less of an expectation of privacy is something no amount of end-
> point security is going to fix.

[0] [https://arstechnica.com/information-
technology/2013/09/why-t...](https://arstechnica.com/information-
technology/2013/09/why-the-nsa-loves-googles-chromebook/)

~~~
tptacek
Files stored on cloud services have less legal protection in the US than files
stored locally. Not "no" protection, but less.

~~~
notspanishflu
But that translates to zero effective protection if the US government is
interested in what a journalist is writing with his/her Chromebook.

~~~
evgen
While what you present is a possible extreme end result it is highly unlikely,
and the level of attention would have to be far above just being 'interested'
in the work of the journalist. The US government does not care about the work
of 99.9999% of the journalists out there and if you are in the group that they
care about you know it and are probably going to be using a less user-friendly
but more secure process. Contra claims by the tinfoil crowd, Google is not in
the habit of giving up info without fighting against the request so this
option provides very strong protection for almost all of the potential
audience for this.

~~~
notspanishflu
Google is not in the habit but NSA is, as Snowden told us.

~~~
notspanishflu
I would like to know why some people downvoted this comment.

Is my statement false? Please, explain why you think so.

I expect an intelligent interaction here in HN.

~~~
willstrafach
For US Persons anyway, they cannot get such data without a warrant, you are
mistaken (I did not downvote you btw, as your interpretation is semi-common).

~~~
notspanishflu
They cannot get the data without a warrant but NSA did it in spite of
everything [0].

What we don't know for sure is if they're still doing it after being caught.

[0] [https://www.washingtonpost.com/world/national-
security/nsa-i...](https://www.washingtonpost.com/world/national-security/nsa-
infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-
say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html)

------
cryptarch
It seems like a decent list of recommendations to me.

If you follow all recommendations you're way ahead of the curve compared to
what I've seen, but I've mostly seen small IT shops.

I do recall passworded ZIPs being easy to crack, that might be better replaced
with a PGP-based alternative.

~~~
tptacek
It's dangerous to rely on password-protected ZIPs. The default ZIP
implementations use an 1990s amateur cipher that cryptographers have been
cracking for sport for decades. There's a ZIP standard for authenticated AES,
but you have to use a high-quality ZIP implementation (like 7z) to get it, and
most people don't have special ZIP software installed.

Don't use password-protected ZIPs.

~~~
unstatusthequo
Apparently you haven't had to crack any recently. As an attorney with infosec
certification, I can tell you that in my world, AES ZIPs are just as
practically impossible to crack as you'd guess.

~~~
tptacek
You're not reading what I wrote carefully enough. I'm not suggesting that AES-
encrypted ZIPs are especially easy to crack. I'm saying that on most
platforms, AES-encrypted ZIPs aren't what you get: you get ZIP 2.0 encryption.

------
a3camero
I'm the author of that presentation (and surprised to see it on HN this
morning!). What would you add to this or change? I may do a follow-up to it.

And if you like the slides, there will be a free video of the actual
presentation online soon.

~~~
marvion
Please, please, please always mention basic security as well! I recently got a
free server off craigslist to learn more about server hardware. Turns out the
Server contains ALL company data from a small law office.

\- pictures of the office opening party

\- clients addresses

\- employee contracts + data

\- written warnings to employees

\- ALL communication to/from clients

\- INCLUDING stuff like stalking Protective Orders

Additionally, one CEO saved data from his other company on the server. His
company dealt with medical stuff. The company was eventually sold for an
undisclosed amount of money - but the server also contains correspondence to
investors and board of directors....

The data is almost 10 years old, but some employees are still in business.
Please always teach basic security when talking to anyone who handles 3rd
party data. Lawyers must be aware of the value of their data. No victim of
stalking wants to have their case correspondence public.

Instead of learning more about server hardware, I'll probably use this data to
learn more about data/document analysis and use it as a simple example when
talking about the boring topic of computer/data security.

~~~
a3camero
That's a pretty egregious example but I'm sure that's not the only time that's
happened with a law office server. This is a really good example to add for
future presentations - thanks!

